Apache logs on Debian GNU/Linux show Windows executable files

2

I use logwatch to watch my server logs. It shows this in the httpd log section:

19033 Windows executable files (502.53 MB)

This is a Debian GNU/Linux server, so there should not be any Windows executables. I did not find any either. Is this some kind of mix-up, or am I missing something?

All I found in the logs are these lines:

[Sat Dec 11 22:13:00 2010] [error] [client 89.6.249.126] script not found or unable to stat: /usr/lib/cgi-bin/perl.exe
[Sat Dec 11 22:13:01 2010] [error] [client 89.6.249.126] script not found or unable to stat: /usr/lib/cgi-bin/rguest.exe
[Sat Dec 11 22:13:10 2010] [error] [client 89.6.249.126] script not found or unable to stat: /usr/lib/cgi-bin/get32.exe
[Sun May 22 02:25:16 2011] [error] [client 2.119.20.33] Invalid URI in request GET /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[Sun May 22 02:25:16 2011] [error] [client 2.119.20.33] Invalid URI in request GET /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir%20c:\ HTTP/1.0
[Sun May 22 02:25:17 2011] [error] [client 2.119.20.33] Invalid URI in request GET /_vti_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[Sun May 22 02:25:18 2011] [error] [client 2.119.20.33] Invalid URI in request GET /_vti_bin/../../../../winnt/system32/cmd.exe?/c+dir%20c:\ HTTP/1.0
[Sun May 22 02:25:26 2011] [error] [client 2.119.20.33] Invalid URI in request GET /bin/scripts/../../../../winnt/system32/cmd.exe?/c+dir%20c:\ HTTP/1.0
[Sun May 22 02:25:29 2011] [error] [client 2.119.20.33] Invalid URI in request GET /bin/scripts/../../../../winnt/system32/cmd.exe /c+dir?/c+dir%20c:\ HTTP/1.0
[Sun May 22 02:25:35 2011] [error] [client 2.119.20.33] Invalid URI in request GET /bin/scripts/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[Sun May 22 02:25:38 2011] [error] [client 2.119.20.33] Invalid URI in request GET /cgi-bin/../../../../winnt/system32/cmd.exe HTTP/1.0
[Sun May 22 02:25:56 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/ceilidh.exe
[Sun May 22 02:25:57 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/Cgitest.exe
[Sun May 22 02:26:02 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/cgimail.exe
[Sun May 22 02:26:09 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/cmd.exe
[Sun May 22 02:26:11 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/dbmlparser.exe
[Sun May 22 02:26:26 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/fpcount.exe
[Sun May 22 02:26:28 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/fpexplorer.exe
[Sun May 22 02:26:29 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/get32.exe
[Sun May 22 02:26:30 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/get32.exe\dir
[Sun May 22 02:26:33 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/htimage.exe
[Sun May 22 02:26:36 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/fpexplore.exe
[Sun May 22 02:26:42 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/imagemap.exe
[Sun May 22 02:26:51 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/mailform.exe
[Sun May 22 02:27:11 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/perl.exe
[Sun May 22 02:27:31 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/ppdscgi.exe
[Sun May 22 02:27:52 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/rguest.exe
[Sun May 22 02:28:26 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/visadmin.exe
[Sun May 22 02:28:27 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/visitor.exe
[Sun May 22 02:29:18 2011] [error] [client 2.119.20.33] File does not exist: /home/gg/www/cmd.exe
[Sun May 22 02:29:46 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/visadmin.exe
[Sun May 22 02:30:12 2011] [error] [client 2.119.20.33] Invalid URI in request GET /msadc/../../../../winnt/system32/cmd.exe?/c+dir%20c:\ HTTP/1.0
[Sun May 22 02:31:00 2011] [error] [client 2.119.20.33] Invalid URI in request GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0
    
by Redrain 24.02.2012 / 09:38

1 answer

4

Quite simply, "someone" tried to access these files via URL. In fact, it is probably an automated script looking for usable exploits.

Although these particular requests are obviously aimed at Windows systems, I suggest you install and configure the Apache module mod_security to catch and block these requests (and also those aimed at Linux systems!).

EDIT

Actually, what is strange is that logwatch reports 19033 files, which does not seem to match your logs.

Also, for 404/500 and similar errors it should report something like:

--------------------- httpd Begin ------------------------ 

Requests with error response codes
404 Not Found
   /favicon.ico: 2 Time(s) 
500 Internal Server Error
   /: 1 Time(s)
---------------------- httpd End -------------------------

Maybe logwatch interprets other extensions as Windows executables, and not just .exe files.

by 24.02.2012 / 09:55
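To check the "automated script" reading against the error log itself, the probes can be grouped per client with their time span. This is an added example, not part of the original question or answer; the function names and category labels are assumptions, and the sample lines are copied from the log quoted in the question.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a few lines copied from the error log quoted in the question.
SAMPLE_LOG = r"""
[Sat Dec 11 22:13:00 2010] [error] [client 89.6.249.126] script not found or unable to stat: /usr/lib/cgi-bin/perl.exe
[Sat Dec 11 22:13:01 2010] [error] [client 89.6.249.126] script not found or unable to stat: /usr/lib/cgi-bin/rguest.exe
[Sun May 22 02:25:16 2011] [error] [client 2.119.20.33] Invalid URI in request GET /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[Sun May 22 02:26:09 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/cmd.exe
[Sun May 22 02:26:30 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/get32.exe\dir
[Sun May 22 02:29:18 2011] [error] [client 2.119.20.33] File does not exist: /home/gg/www/cmd.exe
[Sun May 22 02:31:00 2011] [error] [client 2.119.20.33] Invalid URI in request GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0
"""

# Error log layout as seen above: [timestamp] [error] [client IP] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")
# Probe kinds (labels are hypothetical), checked in order against the message.
KINDS = [
    ("traversal-cmd", re.compile(r"Invalid URI in request \S+ \S*\.\./.*cmd\.exe", re.I)),
    ("missing-cgi-exe", re.compile(r"script not found or unable to stat: \S+\.exe", re.I)),
    ("missing-file-exe", re.compile(r"File does not exist: \S+\.exe", re.I)),
]

def classify(msg):
    for kind, pattern in KINDS:
        if pattern.search(msg):
            return kind
    return None  # not a Windows-executable probe

def summarize(log_text):
    """Return {client_ip: {"kinds": Counter, "first": datetime, "last": datetime}}."""
    clients = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        kind = classify(m["msg"]) if m else None
        if kind is None:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        entry = clients.setdefault(m["ip"], {"kinds": Counter(), "first": ts, "last": ts})
        entry["kinds"][kind] += 1
        entry["first"], entry["last"] = min(entry["first"], ts), max(entry["last"], ts)
    return clients

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG).items():
        span = (e["last"] - e["first"]).total_seconds()
        print(f"{ip}: {sum(e['kinds'].values())} probes in {span:.0f}s {dict(e['kinds'])}")
```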