Honey Pot malgré lui :)

[glibre]

Bonjour,

j'ai un serveur sur lequel je fais tout mes tests divers et varies pour lequel je n'apporte aucune importance en terme de securite.

Interessé par la fonction proxy d'apache, je m'etais il y a quelques temps cree un virtualhost permettant de proxyser un acces sur un site web.

Depuis hier, je m'appercois que certains petits malins utilisent egalement le proxy... à mes depends

C'est tres interessant de voir le resultat des logs Apache:

207.44.158.30 - - [05/Nov/2006:06:26:59 +0100] "GET http://www.afcyhf.com/image-2024614-10371794 HTTP/1.1" 302 78 "http://infohelpauction.com/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)"
207.44.158.30 - - [05/Nov/2006:06:27:00 +0100] "GET http://www.yceml.net/0722/10371794-4.gif HTTP/1.1" 206 300 "http://infohelpauction.com/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)"
66.79.189.10 - - [05/Nov/2006:06:27:04 +0100] "POST http://219.133.51.184/login HTTP/1.1" 200 260 "http://qqshow.qq.com/inc/i_l.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.79.189.8 - - [05/Nov/2006:06:27:14 +0100] "POST http://219.133.40.148/login HTTP/1.1" 200 260 "http://qqshow.qq.com/inc/i_l.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.79.189.15 - - [05/Nov/2006:06:27:30 +0100] "GET http://verify.qq.com/getimage?0.31464583269753875 HTTP/1.1" 200 644 "http://qqshow.qq.com/inc/i_l.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Ayant vu cela, j'ai donc desactive le mod_proxy... et voila ce que j'ai dans mon error.log:

[Wed Nov 08 15:16:00 2006] [error] [client 211.167.68.253] File does not exist: /var/www/imp, referer: http://www.divernet.com/index.html
[Wed Nov 08 15:16:01 2006] [error] [client 211.198.225.6] File does not exist: /var/www/imp, referer: http://www.lilgames.com/index.html
[Wed Nov 08 15:16:01 2006] [error] [client 125.240.162.70] File does not exist: /var/www/imp, referer: http%3A%2F%2Fwww.bbwq.com%2Findex.html
[Wed Nov 08 15:16:02 2006] [error] [client 218.56.98.30] File does not exist: /var/www/imp, referer: http://www.fishingworld.com/index.html
[Wed Nov 08 15:16:02 2006] [error] [client 60.194.208.119] File does not exist: /var/www/imp, referer: http://www.fishingworld.com/index.html
[client 125.114.145.150] script '/var/www/prx.php' not found or unable to stat

et dans mon access.log:

61.41.138.131 - - [08/Nov/2006:15:17:01 +0100] "GET http://ad.marketingsector.com/imp?z=0&s=26325&u=http%3A%2F%2Fwww.bbwq.com%2Findex.html&r=1&y=28 HTTP/1.1" 404 201 "http%3A%2F%2Fwww.bbwq.com%2Findex.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
218.56.98.30 - - [08/Nov/2006:15:17:01 +0100] "GET http://ad.marketingsector.com/imp?z=0&s=67598&u=http%3A%2F%2Fwww.divernet.com%2Findex.html&r=1&y=30 HTTP/1.1" 404 201 "http://www.divernet.com/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 2.0.40"
211.174.49.138 - - [08/Nov/2006:15:17:01 +0100] "GET http://ad.marketingsector.com/imp?z=0&Z=0x0&s=25422&y=30 HTTP/1.1" 404 201 "http%3A%2F%2Fwww.wawr.com%2Findex.html" "Mozilla/4.0 (compatible; MSIE 4.5; Mac_PowerPC)"
125.242.206.132 - - [08/Nov/2006:15:17:02 +0100] "GET http://ad.marketingsector.com/imp?z=0&Z=0x0&s=25325&y=30 HTTP/1.1" 404 201 "http%3A%2F%2Fwww.onlineshoppingchoice.com%2Findex.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 2.0.40"
211.196.52.197 - - [08/Nov/2006:15:17:02 +0100] "GET http://ad.marketingsector.com/imp?z=0&s=96607&u=http%3A%2F%2Fwww.omgn.com%2Findex.html&r=1&y=30 HTTP/1.1" 404 201 "http://www.omgn.com/index.html" "Mozilla/4.0 (compatible; MSIE 4.5; Mac_PowerPC)"

Voyant toujours le vilain http:// ad.marketingsector.com,

je rajoute ca dans mon apache

Redirect permanent /imp http://ad.marketingsector.com

Qu'en pensez-vous ?

Avez vous une explication ou experience similaire?

Modifié 8 Novembre 2006 par glibre

[glibre]

bon en fait, c'est simple, les mecs ont mis mon serveur en proxy

du coup, comme j'ai plus le mod proxy d'activé, ils arrivent sur ma page apache par defaut