web attacks

Forum about the up-and-coming secure distribution named IPCop, based on the Smoothwall distribution. It is currently the most active forum on the site.

Moderator: modos Ixus

Post by fireman » 01 Jul 2002 20:16

I have just installed an ipcop firewall in my network.
3 network cards.
A web server runs on the private network (not in the DMZ), with port forwarding enabled (port 80).
Everything works fine until I look at the intrusion logs.
No fewer than 25 web attacks in about 2 hours detected by SNORT.
Question: when snort detects the intrusions, does it block them?
Another question: I placed the web server (apache on windows 2000) on the internal network because the web site (written in php) has odbc links to access, and also requires network drive mappings to other servers on the internal network.
Would there be a way to put it in the DMZ while keeping the ODBC links and those mappings?
If anyone has an answer, I'm all ears.. hoho
the truth is out there
fireman
Seaman
Posts: 7
Joined: 01 Jul 2002 00:00

Post by fireman » 01 Jul 2002 20:34

Here is the kind of attack I got:
WEB-IIS CodeRed v2 root.exe access

Is it serious, doctor?
Is it common?
the truth is out there
fireman
Seaman
Posts: 7
Joined: 01 Jul 2002 00:00

Post by drlin » 01 Jul 2002 23:33

No problem.... the attack is aimed at Winxx and NT servers. So no problem for you...
Cheers

Dr Lin (aka Johan Denoyer)
drlin
Lieutenant
Posts: 211
Joined: 24 Jan 2002 01:00
Location: FRANCE

Post by fireman » 02 Jul 2002 08:19

Here are the logs of the attacks I got:

IPCop IDS snort log
Date: 1 July
(one alert per line: Date | Name | Priority | Type | IP Info; the Refs field was empty on every entry)

07/01 12:34:01 | WEB-MISC Compaq Insight directory traversal | 1 | Web Application Attack | 212.190.147.35:80 -> 192.168.1.2:2301
07/01 12:34:02 | WEB-MISC Compaq Insight directory traversal | 1 | Web Application Attack | 212.190.147.35:80 -> 192.168.1.2:2301
07/01 12:55:50 | WEB-IIS CodeRed v2 root.exe access | 1 | Web Application Attack | 193.252.122.130:4861 -> 192.168.1.2:80
07/01 12:55:50 | WEB-IIS cmd.exe access | 1 | Web Application Attack | 193.252.122.130:4885 -> 192.168.1.2:80
07/01 12:55:50 | WEB-IIS cmd.exe access | 1 | Web Application Attack | 193.252.122.130:4889 -> 192.168.1.2:80
07/01 12:55:50 | WEB-IIS cmd.exe access | 1 | Web Application Attack | 193.252.122.130:4894 -> 192.168.1.2:80
07/01 12:55:50 | WEB-FRONTPAGE /_vti_bin/ access | 2 | access to a potentially vulnerable web application | 193.252.122.130:4900 -> 192.168.1.2:80
07/01 12:55:50 | WEB-IIS cmd.exe access | 1 | Web Application Attack | 193.252.122.130:4903 -> 192.168.1.2:80
07/01 12:55:51 | WEB-IIS cmd.exe access | 1 | Web Application Attack | 193.252.122.130:4906 -> 192.168.1.2:80
07/01 12:55:51 | WEB-IIS cmd.exe access | 1 | Web Application Attack | 193.252.122.130:4913 -> 192.168.1.2:80
07/01 12:55:51 | WEB-IIS cmd.exe access | 1 | Web Application Attack | 193.252.122.130:4925 -> 192.168.1.2:80
07/01 12:55:51 | WEB-IIS cmd.exe access | 1 | Web Application Attack | 193.252.122.130:4926 -> 192.168.1.2:80
07/01 12:55:51 | WEB-IIS cmd.exe access | 1 | Web Application Attack | 193.252.122.130:4929 -> 192.168.1.2:80
07/01 12:55:51 | WEB-IIS cmd.exe access | 1 | Web Application Attack | 193.252.122.130:4931 -> 192.168.1.2:80
07/01 12:55:51 | WEB-IIS cmd.exe access | 1 | Web Application Attack | 193.252.122.130:4933 -> 192.168.1.2:80
07/01 12:55:51 | WEB-IIS cmd.exe access | 1 | Web Application Attack | 193.252.122.130:4944 -> 192.168.1.2:80
07/01 12:55:51 | WEB-IIS cmd.exe access | 1 | Web Application Attack | 193.252.122.130:4945 -> 192.168.1.2:80
07/01 15:17:59 | WEB-IIS cmd.exe access | 1 | Web Application Attack | 212.247.101.22:3506 -> 192.168.1.2:80
07/01 15:51:34 | WEB-MISC sadmind worm access | 2 | Attempted Information Leak | 61.240.98.27:38967 -> 192.168.1.2:80
07/01 15:51:38 | WEB-MISC sadmind worm access | 2 | Attempted Information Leak | 61.240.98.27:38967 -> 192.168.1.2:80
07/01 16:20:55 | WEB-IIS _vti_inf access | 2 | access to a potentially vulnerable web application | 193.190.136.62:8110 -> 192.168.1.2:80
07/01 16:20:55 | WEB-IIS _vti_inf access | 2 | access to a potentially vulnerable web application | 193.190.136.62:8171 -> 192.168.1.2:80
07/01 16:20:55 | WEB-FRONTPAGE _vti_rpc access | 2 | access to a potentially vulnerable web application | 193.190.136.62:8212 -> 192.168.1.2:80
07/01 16:20:55 | WEB-FRONTPAGE _vti_rpc access | 2 | access to a potentially vulnerable web application | 193.190.136.62:8214 -> 192.168.1.2:80
07/01 16:20:55 | WEB-IIS _vti_inf access | 2 | access to a potentially vulnerable web application | 193.190.136.62:8215 -> 192.168.1.2:80
07/01 16:20:55 | WEB-IIS _vti_inf access | 2 | access to a potentially vulnerable web application | 193.190.136.62:8217 -> 192.168.1.2:80
07/01 16:20:55 | WEB-FRONTPAGE _vti_rpc access | 2 | access to a potentially vulnerable web application | 193.190.136.62:8218 -> 192.168.1.2:80
07/01 16:20:55 | WEB-FRONTPAGE _vti_rpc access | 2 | access to a potentially vulnerable web application | 193.190.136.62:8219 -> 192.168.1.2:80
07/01 16:30:27 | WEB-MISC readme.eml attempt | 1 | Attempted User Privilege Gain | 206.103.225.241:80 -> 192.168.1.2:1891
07/01 17:54:59 | WEB-IIS cmd.exe access | 1 | Web Application Attack | 166.102.22.195:3335 -> 192.168.1.2:80
07/01 19:39:53 | WEB-MISC admin.php access | 2 | Attempted Information Leak | 80.200.18.224:1078 -> 192.168.1.2:80
07/01 19:40:01 | WEB-MISC admin.php access | 2 | Attempted Information Leak | 80.200.18.224:1080 -> 192.168.1.2:80
07/01 19:40:05 | WEB-MISC admin.php access | 2 | Attempted Information Leak | 80.200.18.224:1081 -> 192.168.1.2:80
07/01 19:40:50 | WEB-MISC admin.php access | 2 | Attempted Information Leak | 80.200.18.224:1085 -> 192.168.1.2:80

Does snort stop them, or does it just report them?
the truth is out there
fireman
Seaman
Posts: 7
Joined: 01 Jul 2002 00:00

Post by drlin » 02 Jul 2002 16:41

That's not a virus/worm... it's a joker using a vulnerability-scanning tool... it's common, I get it on my server several times a week....
Cheers

Dr Lin (aka Johan Denoyer)
drlin
Lieutenant
Posts: 211
Joined: 24 Jan 2002 01:00
Location: FRANCE
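As an added example (not code from this thread, from IPCop or from Snort), here is a small Python triage script for alert records in the layout IPCop's IDS log page emits, as posted above. It parses each record, uses which side holds the service port to tell an inbound probe from a rule that fired on the reply to a connection the internal host itself opened (the Compaq Insight and readme.eml entries above have the remote end on port 80, i.e. 192.168.1.2 was the client), and groups alerts per remote host so that a run like the fifteen hits from 193.252.122.130 inside two seconds shows up as the automated scanner drlin describes rather than as fifteen separate attacks. The sample log embedded in the block is five records copied from the post; the 192.168.1. local prefix, the year 2002 and the burst thresholds are assumptions made here.

```python
"""Triage of IPCop's Snort alert records: parse them, work out which side opened
the connection, and group alerts per remote host so a burst of probes stands out."""
import re
from collections import defaultdict
from datetime import datetime

# Five records copied from the log posted above, in the layout IPCop's IDS page emits.
SAMPLE_LOG = """\
Date: 07/01 12:34:01
Name: WEB-MISC Compaq Insight directory traversal
Priority: 1
Type: Web Application Attack
IP Info: 212.190.147.35:80 -> 192.168.1.2:2301
Refs:

Date: 07/01 12:55:50
Name: WEB-IIS CodeRed v2 root.exe access
Priority: 1
Type: Web Application Attack
IP Info: 193.252.122.130:4861 -> 192.168.1.2:80
Refs:

Date: 07/01 12:55:50
Name: WEB-FRONTPAGE /_vti_bin/ access
Priority: 2
Type: access to a potentially vulnerable web application
IP Info: 193.252.122.130:4900 -> 192.168.1.2:80
Refs:

Date: 07/01 12:55:51
Name: WEB-IIS cmd.exe access
Priority: 1
Type: Web Application Attack
IP Info: 193.252.122.130:4906 -> 192.168.1.2:80
Refs:

Date: 07/01 19:39:53
Name: WEB-MISC admin.php access
Priority: 2
Type: Attempted Information Leak
IP Info: 80.200.18.224:1078 -> 192.168.1.2:80
Refs:
"""

RECORD_RE = re.compile(
    r"Date: (?P<date>\d\d/\d\d \d\d:\d\d:\d\d)\n"
    r"Name: (?P<name>.+)\n"
    r"Priority: (?P<prio>\d+)\n"
    r"Type: (?P<type>.+)\n"
    r"IP Info: (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
LOCAL_NET = "192.168.1."  # assumption: the poster's private LAN, read off the log
LOG_YEAR = 2002           # assumption: absent from the records, taken from the post date

def parse(log):
    """Return one dict per alert record found in the log text."""
    alerts = []
    for m in RECORD_RE.finditer(log):
        d = m.groupdict()
        alerts.append({
            "time": datetime.strptime(f"{LOG_YEAR}/{d['date']}", "%Y/%m/%d %H:%M:%S"),
            "name": d["name"], "priority": int(d["prio"]), "type": d["type"],
            "src": d["src"], "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"]),
        })
    return alerts

def direction(a):
    """Service port (<1024) on our side: the remote host connected to us (inbound probe).
    Service port on the remote side: our host was the client; the rule hit the reply."""
    local_is_dst = a["dst"].startswith(LOCAL_NET)
    ours, theirs = (a["dport"], a["sport"]) if local_is_dst else (a["sport"], a["dport"])
    if ours < 1024 <= theirs:
        return "inbound"
    if theirs < 1024 <= ours:
        return "outbound-reply"
    return "unknown"

def summarize(alerts, burst_count=3, burst_window_s=5):
    """Group alerts by remote host and label each host. Snort priority 1 is the most
    severe, so a group's top priority is the numeric minimum."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["dst"] if a["src"].startswith(LOCAL_NET) else a["src"]].append(a)
    report = {}
    for ip, group in by_host.items():
        times = sorted(x["time"] for x in group)
        span = (times[-1] - times[0]).total_seconds()
        dirs = {direction(x) for x in group}
        if dirs == {"outbound-reply"}:
            label = "reply to a connection our host opened"
        elif len(group) >= burst_count and span <= burst_window_s:
            label = "automated scan (several signatures in a burst)"
        else:
            label = "isolated probe"
        report[ip] = {"count": len(group), "span_s": span, "directions": dirs,
                      "signatures": sorted({x["name"] for x in group}),
                      "top_priority": min(x["priority"] for x in group), "label": label}
    return report
```

Run `summarize(parse(SAMPLE_LOG))` and each remote IP comes back with its alert count, time span, top priority and a label. On the real log this separates three kinds of entry: replies to pages the internal host browsed (212.190.147.35 and 206.103.225.241, both on port 80 at the remote end), scanners firing many IIS/FrontPage signatures in a burst (193.252.122.130, 193.190.136.62), and single probes. Note that Snort as shipped in IPCop runs as a passive IDS: it logs what matches a rule and does not drop the traffic; whether a packet reaches 192.168.1.2:80 is decided by the port-forwarding rule alone.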

