Attempted attack (FYI)

Posted: Tue Jun 12, 2012 3:52 am
by Lantech
Hello,

I discovered an attempted attack on our Nagios XI server today. We added some rules to the iptables and our main firewall to make sure it won't happen again.
As far as we can see no damage was done by the software.

Nagios XI logs

Error_log

[Tue Jun 12 09:01:17 2012] [error] [client 218.104.48.162] File does not exist: /var/www/html/w00tw00t.at.blackhats.romanian.anti-sec:)
[Tue Jun 12 09:01:18 2012] [error] [client 218.104.48.162] client denied by server configuration: /usr/share/phpmyadmin/scripts/setup.php
[Tue Jun 12 09:01:19 2012] [error] [client 218.104.48.162] client denied by server configuration: /usr/share/phpmyadmin/scripts/setup.php
[Tue Jun 12 09:01:19 2012] [error] [client 218.104.48.162] File does not exist: /var/www/html/pma
[Tue Jun 12 09:01:20 2012] [error] [client 218.104.48.162] File does not exist: /var/www/html/myadmin
[Tue Jun 12 09:01:21 2012] [error] [client 218.104.48.162] File does not exist: /var/www/html/MyAdmin

Access_log

218.104.48.162 - - [12/Jun/2012:09:01:17 +0200] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 317 "-" "ZmEu"
218.104.48.162 - - [12/Jun/2012:09:01:18 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 308 "-" "ZmEu"
218.104.48.162 - - [12/Jun/2012:09:01:19 +0200] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 308 "-" "ZmEu"
218.104.48.162 - - [12/Jun/2012:09:01:19 +0200] "GET /pma/scripts/setup.php HTTP/1.1" 404 297 "-" "ZmEu"
218.104.48.162 - - [12/Jun/2012:09:01:20 +0200] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 301 "-" "ZmEu"
218.104.48.162 - - [12/Jun/2012:09:01:21 +0200] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 301 "-" "ZmEu"

Regards,

Roel van Dijk
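
An added example, not part of the original posts: a Python check that runs over Apache access log lines like the ones above, groups requests by client, and reports clients matching the ZmEu User-Agent or the probe paths shown in the post, listing separately any probe that was answered with a status below 400. The function name, the `min_hits` threshold and the two benign sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# First three lines are taken from the access log in the post; the last two
# are constructed benign requests from a documentation-range address.
SAMPLE_LOG = """\
218.104.48.162 - - [12/Jun/2012:09:01:17 +0200] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 317 "-" "ZmEu"
218.104.48.162 - - [12/Jun/2012:09:01:18 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 308 "-" "ZmEu"
218.104.48.162 - - [12/Jun/2012:09:01:19 +0200] "GET /pma/scripts/setup.php HTTP/1.1" 404 297 "-" "ZmEu"
192.0.2.10 - - [12/Jun/2012:09:02:00 +0200] "GET /nagiosxi/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jun/2012:09:02:05 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, timestamp, request line, status, size,
# referer, User-Agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Indicators visible in the post: the scanner's User-Agent and its probe paths.
SCANNER_AGENTS = {"ZmEu"}
PROBE_PATH_RE = re.compile(r"^/w00tw00t\.|/scripts/setup\.php$", re.IGNORECASE)


def summarize_probes(log_text, min_hits=3):
    """Map client IP -> {"paths": [...], "served": [...]} for likely scanners.

    "served" holds probe paths answered with a status below 400; an empty
    list means every probe from that client was denied or not found.
    """
    seen = defaultdict(lambda: {"paths": [], "served": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or truncated lines
        if m["ua"] in SCANNER_AGENTS or PROBE_PATH_RE.search(m["path"]):
            entry = seen[m["ip"]]
            entry["paths"].append(m["path"])
            if int(m["status"]) < 400:
                entry["served"].append(m["path"])
    return {ip: e for ip, e in seen.items() if len(e["paths"]) >= min_hits}


if __name__ == "__main__":
    for ip, info in summarize_probes(SAMPLE_LOG).items():
        print(ip, len(info["paths"]), "probes; served:", info["served"] or "none")
```

An empty `served` list for a flagged client corresponds to what the logs above show: every probe ended in a 403 or 404.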

Re: Attempted attack (FYI)

Posted: Tue Jun 12, 2012 9:02 am
by scottwilkerson
It seems there is always some hacker probing for access to systems.