
Apache logs on Debian GNU/Linux show Windows executable files

I use logwatch to review the server logs. This is shown in the httpd section of the log:

19033 Windows executable files (502.53 MB)

This is a Debian GNU/Linux server, so there should be no Windows executables on it. I didn't find any either. Is this some kind of mix-up, or am I missing something?

All I could find in the logs are the following lines:

[Sat Dec 11 22:13:00 2010] [error] [client 89.6.249.126] script not found or unable to stat: /usr/lib/cgi-bin/perl.exe
[Sat Dec 11 22:13:01 2010] [error] [client 89.6.249.126] script not found or unable to stat: /usr/lib/cgi-bin/rguest.exe
[Sat Dec 11 22:13:10 2010] [error] [client 89.6.249.126] script not found or unable to stat: /usr/lib/cgi-bin/get32.exe
[Sun May 22 02:25:16 2011] [error] [client 2.119.20.33] Invalid URI in request GET /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[Sun May 22 02:25:16 2011] [error] [client 2.119.20.33] Invalid URI in request GET /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP/1.0
[Sun May 22 02:25:17 2011] [error] [client 2.119.20.33] Invalid URI in request GET /_vti_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[Sun May 22 02:25:18 2011] [error] [client 2.119.20.33] Invalid URI in request GET /_vti_bin/../../../../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP/1.0
[Sun May 22 02:25:26 2011] [error] [client 2.119.20.33] Invalid URI in request GET /bin/scripts/../../../../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP/1.0
[Sun May 22 02:25:29 2011] [error] [client 2.119.20.33] Invalid URI in request GET /bin/scripts/../../../../winnt/system32/cmd.exe /c+dir?/c+dir%20c:\\ HTTP/1.0
[Sun May 22 02:25:35 2011] [error] [client 2.119.20.33] Invalid URI in request GET /bin/scripts/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[Sun May 22 02:25:38 2011] [error] [client 2.119.20.33] Invalid URI in request GET /cgi-bin/../../../../winnt/system32/cmd.exe HTTP/1.0
[Sun May 22 02:25:56 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/ceilidh.exe
[Sun May 22 02:25:57 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/Cgitest.exe
[Sun May 22 02:26:02 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/cgimail.exe
[Sun May 22 02:26:09 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/cmd.exe
[Sun May 22 02:26:11 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/dbmlparser.exe
[Sun May 22 02:26:26 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/fpcount.exe
[Sun May 22 02:26:28 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/fpexplorer.exe
[Sun May 22 02:26:29 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/get32.exe
[Sun May 22 02:26:30 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/get32.exe\\dir
[Sun May 22 02:26:33 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/htimage.exe
[Sun May 22 02:26:36 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/fpexplore.exe
[Sun May 22 02:26:42 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/imagemap.exe
[Sun May 22 02:26:51 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/mailform.exe
[Sun May 22 02:27:11 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/perl.exe
[Sun May 22 02:27:31 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/ppdscgi.exe
[Sun May 22 02:27:52 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/rguest.exe
[Sun May 22 02:28:26 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/visadmin.exe
[Sun May 22 02:28:27 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/visitor.exe
[Sun May 22 02:29:18 2011] [error] [client 2.119.20.33] File does not exist: /home/gg/www/cmd.exe
[Sun May 22 02:29:46 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/visadmin.exe
[Sun May 22 02:30:12 2011] [error] [client 2.119.20.33] Invalid URI in request GET /msadc/../../../../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP/1.0
[Sun May 22 02:31:00 2011] [error] [client 2.119.20.33] Invalid URI in request GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0

It's just that "someone" tried to access these files via URL. In fact, it is probably an automated script looking for usable exploits.

Although this particular request is clearly aimed at Windows systems, I suggest you install and configure the Apache module mod_security to intercept and block these requests (as well as those aimed at Linux systems!).

EDIT

Actually, what is strange is that logwatch says 19033 files, which does not seem to match your logs.

Also, for 404/500 and similar errors it should report something like:

--------------------- httpd Begin ------------------------ 

Requests with error response codes
404 Not Found
   /favicon.ico: 2 Time(s) 
500 Internal Server Error
   /: 1 Time(s)
---------------------- httpd End -------------------------

Maybe logwatch interprets other extensions as Windows executables, and not only .exe files.
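
The scan pattern described in the answer can be confirmed from the error log itself. The following is an added example, not part of the original question or answer: a Python script that groups the two kinds of probe lines (rejected path traversal and requests for nonexistent `.exe` files) by client. The function names and the `min_hits` threshold are assumptions, and the last sample line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache 2.2 error-log layout, as in the lines quoted in the question.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$")
# Path traversal that Apache already rejected as an invalid URI.
TRAVERSAL_RE = re.compile(r"Invalid URI in request \S+ (\S*\.\./\S*)")
# Request for a .exe that does not exist on this host.
MISSING_EXE_RE = re.compile(r"(?:script not found or unable to stat|File does not exist): (\S+\.exe)\b", re.I)

# The first six lines are copied from the question; the last one is constructed.
SAMPLE_LOG = r"""
[Sat Dec 11 22:13:00 2010] [error] [client 89.6.249.126] script not found or unable to stat: /usr/lib/cgi-bin/perl.exe
[Sat Dec 11 22:13:01 2010] [error] [client 89.6.249.126] script not found or unable to stat: /usr/lib/cgi-bin/rguest.exe
[Sat Dec 11 22:13:10 2010] [error] [client 89.6.249.126] script not found or unable to stat: /usr/lib/cgi-bin/get32.exe
[Sun May 22 02:25:16 2011] [error] [client 2.119.20.33] Invalid URI in request GET /_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[Sun May 22 02:26:09 2011] [error] [client 2.119.20.33] script not found or unable to stat: /usr/lib/cgi-bin/cmd.exe
[Sun May 22 02:29:18 2011] [error] [client 2.119.20.33] File does not exist: /home/gg/www/cmd.exe
[Sun May 22 02:40:00 2011] [error] [client 192.0.2.10] File does not exist: /home/gg/www/favicon.ico
"""

def classify(msg):
    # Return (kind, target) for a probe message, or None for anything else.
    for kind, rx in (("traversal", TRAVERSAL_RE), ("missing-exe", MISSING_EXE_RE)):
        m = rx.search(msg)
        if m:
            return kind, m.group(1)
    return None

def summarize(log_text, min_hits=3):
    # Group probe lines by client; report clients with at least min_hits probes.
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        probe = classify(m["msg"]) if m else None
        if probe:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            hits[m["ip"]].append((ts, *probe))
    report = {}
    for ip, rows in hits.items():
        if len(rows) >= min_hits:
            times = [r[0] for r in rows]
            report[ip] = {
                "traversal": sum(r[1] == "traversal" for r in rows),
                "missing-exe": sum(r[1] == "missing-exe" for r in rows),
                "targets": sorted({r[2] for r in rows}),
                "span_seconds": int((max(times) - min(times)).total_seconds()),
            }
    return report

print(summarize(SAMPLE_LOG))
```

Many distinct targets from one client within a few minutes, none of which exist on the host, is the signature of an automated scanner rather than a misconfigured link.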