Help: spam attack

Post by Steve-irc » 14. May 2007 20:29

There are a hell of a lot of spammers active on my root server, coming in via a proxy.

Here is an excerpt from my Apache error.log:

Code:
[Mon May 14 20:46:58 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/sendeail.php, referer: http://www.blingitonline.net/
[Mon May 14 20:47:03 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/decorations, referer: http://www.yourchristmastips.com/
[Mon May 14 20:47:05 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/news.php, referer: http://www.tarotpro.co.uk/
[Mon May 14 20:47:11 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/contactus.asp, referer: http://www.ecpatusa.org/
[Mon May 14 20:47:14 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/contact.php, referer: http://www.rpm-music.net/
[Mon May 14 20:47:17 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/ViestiMenee.php, referer: http://www.omform.fi/ViestiMenee.php
[Mon May 14 20:47:21 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/offalythanks.asp, referer: http://www.kilsaranpaving.ie/
[Mon May 14 20:47:23 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/offalythanks.asp, referer: http://www.kilsaranpaving.ie/
[Mon May 14 20:47:28 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/seguros_resp.asp, referer: http://www.chevroletnova.com.br/seguros_resp.asp
[Mon May 14 20:47:32 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/order_send.php, referer: http://www.nod32.com.ua/
[Mon May 14 20:47:38 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/formberg.php, referer: http://www.kaelte-berlin.de/
[Mon May 14 20:47:43 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/Tradezone, referer: http://www.softsource.co.uk/Tradezone/shop/catalog/contact_us.php?action=send&osCsid=11f2befd8901f44e8aa5ed12cb446387
[Mon May 14 20:47:45 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/impressum.php, referer: http://www.777partner.com/
[Mon May 14 20:47:50 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/contact_post.asp, referer: http://www.roomforaview.com/contact_post.asp
[Mon May 14 20:47:55 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/formmail.asp, referer: http://www.talk2cheap.com/formmail.asp
[Mon May 14 20:47:58 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/main_x-1-1.php, referer: http://www.beroepsethiek.org/main_x-1-1.php
[Mon May 14 20:48:05 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/main_x-1-1.php, referer: http://www.beroepsethiek.org/
[Mon May 14 20:48:11 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/main_x-1-1.php, referer: http://www.beroepsethiek.org/main_x-1-1.php
[Mon May 14 20:48:14 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/sendmail_contact.php, referer: http://www.sonmicro.com/
[Mon May 14 20:48:16 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/enviarMail.php, referer: http://www.e-punk.com.ar/
[Mon May 14 20:48:23 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/enviarMail.php, referer: http://www.e-punk.com.ar/enviarMail.php
[Mon May 14 20:48:29 2007] [error] [client 66.138.1.253] File does not exist: /usr/local/visas/public_html/m, referer: http://www.hinotori.org/




Does anyone have advice on what I can do here? My provider has already written to me about it.
Steve-irc
 
Posts: 2
Joined: 14. May 2007 20:26

Post by KingCrunch » 14. May 2007 20:46

Brief side note:
Since the same IP appears everywhere, I had a hunch that this is probably not a surfer behind a proxy. A traceroute then led me to Netcommander, an ISP in Columbus, OH.
Whether this is an attacker or just a (spider) bot run amok or whatever else cannot be settled conclusively that way; at least the referers are unusually realistic for an "anonymous" attacker ^^

The only solution that comes to mind right away is to lock out users of that provider (Deny directive), which is rather ugly and does not necessarily lead to the desired result.
Not every error is a bug ...
KingCrunch
 
Posts: 1724
Joined: 26. November 2005 19:25

Post by Steve-irc » 14. May 2007 20:58

1. This is only a very, very small excerpt from my log file.

The server was freshly installed and no customers had been set up yet, and no PHP version was installed for any web customer either.

What I find suspicious is how he manages to make a POST through my Apache server.

Attachment NEW:

Code:
76.111.88.25 - - [14/May/2007:17:45:40 +0200] "POST http://sample.jdconsulting.co.za/enquiry/sanctuarylodges.php HTTP/1.1" 404 1209 "http://sample.jdconsulting.co.za/" "-"
76.111.88.25 - - [14/May/2007:17:45:46 +0200] "POST http://www.j3sg.com/Contact/emailReceived.php HTTP/1.1" 404 1170 "http://www.j3sg.com/" "-"
76.111.88.25 - - [14/May/2007:17:45:52 +0200] "POST http://www.j3sg.com/Contact/emailReceived.php HTTP/1.1" 404 1170 "http://www.j3sg.com/" "-"
76.111.88.25 - - [14/May/2007:17:45:56 +0200] "POST http://www.qeb.com.sa/conform.asp HTTP/1.1" 404 1176 "http://www.qeb.com.sa/" "-"
69.125.166.163 - - [14/May/2007:17:50:11 +0200] "POST http://www.nextstep-designsolutions.com/formtomail.php HTTP/1.1" 404 1258 "http://www.nextstep-designsolutions.com/formtomail.php" "-"
69.125.166.163 - - [14/May/2007:17:50:11 +0200] "POST http://www.e-gymonline.com/contactsend.php HTTP/1.1" 404 1191 "http://www.e-gymonline.com/" "-"
69.125.166.163 - - [14/May/2007:17:50:12 +0200] "POST http://www.pctech.com.pt/classes/usados.php?action=4 HTTP/1.1" 404 1185 "http://www.pctech.com.pt/" "-"
69.125.166.163 - - [14/May/2007:17:50:13 +0200] "POST http://www.sharewarelaboratory.com/contact/ HTTP/1.1" 404 1215 "http://www.sharewarelaboratory.com/" "-"
69.125.166.163 - - [14/May/2007:17:50:13 +0200] "POST http://www.energiselife.com/formmail_feedback.php HTTP/1.1" 404 1194 "http://www.energiselife.com/" "-"
69.125.166.163 - - [14/May/2007:17:50:14 +0200] "POST http://www.energiselife.com/formmail_feedback.php HTTP/1.1" 404 1194 "http://www.energiselife.com/" "-"
69.108.50.148 - - [14/May/2007:17:51:25 +0200] "POST http://www.alirefik.net/tesekkur.php HTTP/1.1" 404 1182 "http://www.alirefik.net/" "-"
69.108.50.148 - - [14/May/2007:17:51:33 +0200] "POST http://www.memsgen.co.uk/enquiry.php HTTP/1.1" 404 1185 "http://www.memsgen.co.uk/" "-"
69.108.50.148 - - [14/May/2007:17:51:37 +0200] "POST http://www.witheringtonfarm.co.uk/contact.asp HTTP/1.1" 404 1212 "http://www.witheringtonfarm.co.uk/" "-"
69.108.50.148 - - [14/May/2007:17:51:41 +0200] "POST http://www.affiliate-review.com/info/contact_thanks.php HTTP/1.1" 404 1206 "http://www.affiliate-review.com/" "-"
69.108.50.148 - - [14/May/2007:17:51:44 +0200] "POST http://www.droege.com.sg/german_publicationssend.asp HTTP/1.1" 404 1185 "http://www.droege.com.sg/" "-"
69.108.50.148 - - [14/May/2007:17:51:48 +0200] "POST http://www.accpol.com/eformworkflow/freer.asp HTTP/1.1" 404 1176 "http://www.accpol.com/" "-"
69.108.50.148 - - [14/May/2007:17:51:53 +0200] "POST http://www.martinato.com//phpFunctions/sendMail.php HTTP/1.1" 404 1185 "http://www.martinato.com/" "-"
69.108.50.148 - - [14/May/2007:17:51:55 +0200] "POST http://www.freshfactory.de/submitted.php HTTP/1.1" 404 1217 "http://www.freshfactory.de/submitted.php" "-"
69.108.50.148 - - [14/May/2007:17:52:00 +0200] "POST http://www.vikingtechnology.co.uk/confirm.asp HTTP/1.1" 404 1234 "http://www.vikingtechnology.co.uk/confirm.asp" "-"
68.196.163.232 - - [14/May/2007:17:56:42 +0200] "POST http://www.europe-hotel.fr/fr/contacts/contacts_redirect.php HTTP/1.1" 404 1257 "http://www.europe-hotel.fr/fr/contacts/contacts_redirect.php" "-"
68.196.163.232 - - [14/May/2007:17:56:44 +0200] "POST http://www.hilla.pl/form.php HTTP/1.1" 404 1170 "http://www.hilla.pl/" "-"
68.196.163.232 - - [14/May/2007:17:56:44 +0200] "POST http://www.bigskyconf.com/feedback.asp HTTP/1.1" 404 1212 "http://www.bigskyconf.com/feedback.asp" "-"
68.196.163.232 - - [14/May/2007:17:56:45 +0200] "POST http://www.protecdvs.com/contact.php HTTP/1.1" 404 1185 "http://www.protecdvs.com/" "-"
68.196.163.232 - - [14/May/2007:17:56:46 +0200] "POST http://www.knechtology.com/contact-process2.php HTTP/1.1" 404 1191 "http://www.knechtology.com/" "-"
68.196.163.232 - - [14/May/2007:17:56:48 +0200] "POST http://www.mmibasisschool.be/sendmail.asp HTTP/1.1" 404 1197 "http://www.mmibasisschool.be/" "-"
69.108.50.148 - - [14/May/2007:17:56:41 +0200] "POST http://www.LifetimeCommissions.com/cgi-bin/submit.cgi HTTP/1.1" 403 1050 "http://www.LifetimeCommissions.com/" "-"
69.108.50.148 - - [14/May/2007:17:56:50 +0200] "POST http://www.pezens.fr/article.php3?id_article=1 HTTP/1.1" 404 1173 "http://www.pezens.fr/" "-"
68.196.163.232 - - [14/May/2007:17:56:51 +0200] "POST http://www.mmibasisschool.be/sendmail.asp HTTP/1.1" 404 1221 "http://www.mmibasisschool.be/sendmail.asp" "-"
76.175.52.188 - - [14/May/2007:18:01:56 +0200] "POST http://www.controllerfocus.com/contactus_2.php HTTP/1.1" 404 1203 "http://www.controllerfocus.com/" "-"
76.175.52.188 - - [14/May/2007:18:02:04 +0200] "POST http://www.cvcontrole.com/contact_req.php HTTP/1.1" 404 1188 "http://www.cvcontrole.com/" "-"
76.175.52.188 - - [14/May/2007:18:02:09 +0200] "POST http://www.goodcounselhomes.org/recommsent.php HTTP/1.1" 404 1206 "http://www.goodcounselhomes.org/" "-"
76.175.52.188 - - [14/May/2007:18:02:12 +0200] "POST http://www.goodcounselhomes.org/recommsent.php HTTP/1.1" 404 1234 "http://www.goodcounselhomes.org/recommsent.php" "-"
68.192.118.184 - - [14/May/2007:18:32:42 +0200] "POST http://www.loreleis.com/list.asp HTTP/1.1" 404 1198 "http://www.loreleis.com/list.asp" "-"
68.192.118.184 - - [14/May/2007:18:32:43 +0200] "POST http://www.rlp-info.de/index.php?id=869&tipUrl=http://www.rlp-info.de/index.php?id=1 HTTP/1.1" 404 1309 "http://www.rlp-info.de/index.php?id=869&tipUrl=http://www.rlp-info.de/index.php?id=1" "-"
68.192.118.184 - - [14/May/2007:18:32:44 +0200] "POST http://www.neh2000.com/easy_mailerform.php HTTP/1.1" 404 1217 "http://www.neh2000.com/easy_mailerform.php" "-"
68.192.118.184 - - [14/May/2007:18:32:45 +0200] "POST http://www.rochebellepromo97.com/index.php?page=Contact HTTP/1.1" 404 1257 "http://www.rochebellepromo97.com/index.php?page=Contact" "-"
68.192.118.184 - - [14/May/2007:18:32:46 +0200] "POST http://www.iccproperty.com/index.php?option=com_hotproperty&task=sendenquiry&id=27&Itemid=32 HTTP/1.1" 404 1325 "http://www.iccproperty.com/index.php?option=com_hotproperty&task=sendenquiry&id=27&Itemid=32" "-"
68.192.118.184 - - [14/May/2007:18:32:47 +0200] "POST http://www.rentedelegance.com/aboutus.php HTTP/1.1" 404 1200 "http://www.rentedelegance.com/" "-"
68.192.118.184 - - [14/May/2007:18:32:50 +0200] "POST http://www.guidingrhythms.ca/email3.php HTTP/1.1" 404 1197 "http://www.guidingrhythms.ca/" "-"



I am at a loss and have stopped the mail and web services for now.

I would appreciate further help.

Steve
Steve-irc
 
Posts: 2
Joined: 14. May 2007 20:26
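
The access log in the last post shows POST requests whose request line carries a full `http://` URL for a foreign host, which is the form a client uses when it addresses a server as a forward proxy. The following is an added example, not part of any post in this thread: it groups such requests by client IP and counts how many were answered with a 2xx status. The function name and the local host name `www.example.org` are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# First three lines are from the access log posted above; the last two are
# constructed (192.0.2.0/24 is a documentation address range).
SAMPLE_LOG = '''\
76.111.88.25 - - [14/May/2007:17:45:46 +0200] "POST http://www.j3sg.com/Contact/emailReceived.php HTTP/1.1" 404 1170 "http://www.j3sg.com/" "-"
76.111.88.25 - - [14/May/2007:17:45:56 +0200] "POST http://www.qeb.com.sa/conform.asp HTTP/1.1" 404 1176 "http://www.qeb.com.sa/" "-"
69.108.50.148 - - [14/May/2007:17:56:41 +0200] "POST http://www.LifetimeCommissions.com/cgi-bin/submit.cgi HTTP/1.1" 403 1050 "http://www.LifetimeCommissions.com/" "-"
192.0.2.10 - - [14/May/2007:18:00:00 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "-"
192.0.2.77 - - [14/May/2007:18:00:05 +0200] "POST http://mail.example.net/form.php HTTP/1.1" 200 880 "-" "-"
'''

# Captures client, method, request target and status of a common/combined log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_proxy_attempts(log_text, local_hosts):
    """Group requests that name a foreign host in the request line by client IP."""
    local = {h.lower() for h in local_hosts}
    clients = defaultdict(lambda: {"attempts": 0, "answered_2xx": 0, "hosts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        if method == "CONNECT":              # CONNECT host:port
            host = target.rsplit(":", 1)[0].lower()
        else:
            try:
                parts = urlsplit(target)
            except ValueError:
                continue
            if not parts.scheme:             # ordinary "/path" request, not proxy-style
                continue
            host = (parts.hostname or "").lower()
        if host in local:
            continue
        entry = clients[client]
        entry["attempts"] += 1
        entry["hosts"].add(host)
        if status.startswith("2"):           # needs review: relayed, or a local file matched
            entry["answered_2xx"] += 1
    return dict(clients)

if __name__ == "__main__":
    for ip, e in sorted(find_proxy_attempts(SAMPLE_LOG, {"www.example.org"}).items()):
        print(ip, e["attempts"], e["answered_2xx"], sorted(e["hosts"]))
```

Every request in the posted excerpt ended in 404 or 403, so none of them counts as answered; a non-zero `answered_2xx` is what would need a closer look at the proxy configuration.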

