attaques web

Forum traitant de la distribution sécurisée montante nommée IP cop et basée sur la distribution Smoothwall. C'est à l'heure actuelle le forum le plus actif du site.

Modérateur: modos Ixus

Messagepar fireman » 01 Juil 2002 20:16

Je viens d'installer un Firewall ipcop dans mon réseau. <BR>3 cartes réseau. <BR>Un serveur Web tourne dans le réseau privé (pas dans la DMZ), en ayant activé le port forwarding (port 80). <BR>Tout marche bien jusqu'au moment où je consulte les logs d'intrusion. <BR>Pas moins de 25 attaques web en +- 2h détectées par SNORT. <BR>Question : Quand snort détecte les intrusions, les bloque-t-il ? <BR>Autre question : j'ai placé le serveur web (apache sous windows 2000) sur le réseau interne car le site web (écrit en php) possède des liens odbc vers access, mais aussi requiert des mappings réseaux vers d'autres serveurs du réseau interne. <BR>Y aurait-il moyen de le placer dans la DMZ en conservant les liens ODBC et ces mappings ? <BR>Si qqun a une réponse, je suis toutoui.. hoho
la vérité est ailleurs
Avatar de l’utilisateur
fireman
Matelot
Matelot
 
Messages: 7
Inscrit le: 01 Juil 2002 00:00

Messagepar fireman » 01 Juil 2002 20:34

voila le genre d'attaques que j'ai eu : <BR>WEB-IIS CodeRed v2 root.exe access <BR> <BR>Est-ce grave, docteur ? <BR>Est-ce courant ?
la vérité est ailleurs
Avatar de l’utilisateur
fireman
Matelot
Matelot
 
Messages: 7
Inscrit le: 01 Juil 2002 00:00

Messagepar drlin » 01 Juil 2002 23:33

aucun problemes.... l'attaque est destiné au serveurs Winxx et NT. Donc pas de problèmes pour toi... <IMG SRC="images/smiles/icon_up.gif">
A+

Dr Lin (aka Johan Denoyer)
Avatar de l’utilisateur
drlin
Lieutenant de vaisseau
Lieutenant de vaisseau
 
Messages: 211
Inscrit le: 24 Jan 2002 01:00
Localisation: FRANCE

Messagepar fireman » 02 Juil 2002 08:19

Voici les logs des attaques que j'ai eu : <BR>IPCop IDS snort log <BR>Date: 1 July <BR> <BR>Date: 07/01 12:34:01 <BR>Name: WEB-MISC Compaq Insight directory traversal <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 212.190.147.35:80 -> 192.168.1.2:2301 <BR>Refs: <BR> <BR>Date: 07/01 12:34:02 <BR>Name: WEB-MISC Compaq Insight directory traversal <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 212.190.147.35:80 -> 192.168.1.2:2301 <BR>Refs: <BR> <BR>Date: 07/01 12:55:50 <BR>Name: WEB-IIS CodeRed v2 root.exe access <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 193.252.122.130:4861 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 12:55:50 <BR>Name: WEB-IIS cmd.exe access <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 193.252.122.130:4885 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 12:55:50 <BR>Name: WEB-IIS cmd.exe access <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 193.252.122.130:4889 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 12:55:50 <BR>Name: WEB-IIS cmd.exe access <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 193.252.122.130:4894 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 12:55:50 <BR>Name: WEB-FRONTPAGE /_vti_bin/ access <BR>Priority: 2 <BR>Type: access to a potentially vulnerable web application <BR>IP Info: 193.252.122.130:4900 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 12:55:50 <BR>Name: WEB-IIS cmd.exe access <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 193.252.122.130:4903 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 12:55:51 <BR>Name: WEB-IIS cmd.exe access <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 193.252.122.130:4906 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 12:55:51 <BR>Name: WEB-IIS cmd.exe access <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 193.252.122.130:4913 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 12:55:51 <BR>Name: WEB-IIS cmd.exe access <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 193.252.122.130:4925 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 12:55:51 <BR>Name: WEB-IIS cmd.exe access <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 193.252.122.130:4926 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 12:55:51 <BR>Name: WEB-IIS cmd.exe access <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 193.252.122.130:4929 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 12:55:51 <BR>Name: WEB-IIS cmd.exe access <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 193.252.122.130:4931 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 12:55:51 <BR>Name: WEB-IIS cmd.exe access <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 193.252.122.130:4933 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 12:55:51 <BR>Name: WEB-IIS cmd.exe access <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 193.252.122.130:4944 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 12:55:51 <BR>Name: WEB-IIS cmd.exe access <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 193.252.122.130:4945 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 15:17:59 <BR>Name: WEB-IIS cmd.exe access <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 212.247.101.22:3506 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 15:51:34 <BR>Name: WEB-MISC sadmind worm access <BR>Priority: 2 <BR>Type: Attempted Information Leak <BR>IP Info: 61.240.98.27:38967 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 15:51:38 <BR>Name: WEB-MISC sadmind worm access <BR>Priority: 2 <BR>Type: Attempted Information Leak <BR>IP Info: 61.240.98.27:38967 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 16:20:55 <BR>Name: WEB-IIS _vti_inf access <BR>Priority: 2 <BR>Type: access to a potentially vulnerable web application <BR>IP Info: 193.190.136.62:8110 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 16:20:55 <BR>Name: WEB-IIS _vti_inf access <BR>Priority: 2 <BR>Type: access to a potentially vulnerable web application <BR>IP Info: 193.190.136.62:8171 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 16:20:55 <BR>Name: WEB-FRONTPAGE _vti_rpc access <BR>Priority: 2 <BR>Type: access to a potentially vulnerable web application <BR>IP Info: 193.190.136.62:8212 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 16:20:55 <BR>Name: WEB-FRONTPAGE _vti_rpc access <BR>Priority: 2 <BR>Type: access to a potentially vulnerable web application <BR>IP Info: 193.190.136.62:8214 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 16:20:55 <BR>Name: WEB-IIS _vti_inf access <BR>Priority: 2 <BR>Type: access to a potentially vulnerable web application <BR>IP Info: 193.190.136.62:8215 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 16:20:55 <BR>Name: WEB-IIS _vti_inf access <BR>Priority: 2 <BR>Type: access to a potentially vulnerable web application <BR>IP Info: 193.190.136.62:8217 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 16:20:55 <BR>Name: WEB-FRONTPAGE _vti_rpc access <BR>Priority: 2 <BR>Type: access to a potentially vulnerable web application <BR>IP Info: 193.190.136.62:8218 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 16:20:55 <BR>Name: WEB-FRONTPAGE _vti_rpc access <BR>Priority: 2 <BR>Type: access to a potentially vulnerable web application <BR>IP Info: 193.190.136.62:8219 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 16:30:27 <BR>Name: WEB-MISC readme.eml attempt <BR>Priority: 1 <BR>Type: Attempted User Privilege Gain <BR>IP Info: 206.103.225.241:80 -> 192.168.1.2:1891 <BR>Refs: <BR> <BR>Date: 07/01 17:54:59 <BR>Name: WEB-IIS cmd.exe access <BR>Priority: 1 <BR>Type: Web Application Attack <BR>IP Info: 166.102.22.195:3335 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 19:39:53 <BR>Name: WEB-MISC admin.php access <BR>Priority: 2 <BR>Type: Attempted Information Leak <BR>IP Info: 80.200.18.224:1078 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 19:40:01 <BR>Name: WEB-MISC admin.php access <BR>Priority: 2 <BR>Type: Attempted Information Leak <BR>IP Info: 80.200.18.224:1080 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 19:40:05 <BR>Name: WEB-MISC admin.php access <BR>Priority: 2 <BR>Type: Attempted Information Leak <BR>IP Info: 80.200.18.224:1081 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Date: 07/01 19:40:50 <BR>Name: WEB-MISC admin.php access <BR>Priority: 2 <BR>Type: Attempted Information Leak <BR>IP Info: 80.200.18.224:1085 -> 192.168.1.2:80 <BR>Refs: <BR> <BR>Est-ce que snort les arrête ou est-ce qu'il les signale simplement ?
la vérité est ailleurs
Avatar de l’utilisateur
fireman
Matelot
Matelot
 
Messages: 7
Inscrit le: 01 Juil 2002 00:00

Messagepar drlin » 02 Juil 2002 16:41

ca c'est pas un virus/worm... c'est un plaisantain qui utilise un logiciel de recherche de failles de sécurité... c'est courant, j'en ai sur mon serveur plusieurs fois par semaines.... <BR> <IMG SRC="images/smiles/icon_cussing.gif">
A+

Dr Lin (aka Johan Denoyer)
Avatar de l’utilisateur
drlin
Lieutenant de vaisseau
Lieutenant de vaisseau
 
Messages: 211
Inscrit le: 24 Jan 2002 01:00
Localisation: FRANCE


Retour vers IPCop

Qui est en ligne ?

Utilisateur(s) parcourant actuellement ce forum : Aucun utilisateur inscrit et 1 invité

cron