Strange entries in httpd-*.log + dynamic deny with a script and pf - BBS
By Ethan
at 2005-04-26T03:17
Hello everyone, this is a problem I found last night ... ||||
The httpd logs on one of my hosts look very strange =_=
httpd-error.log
[Tue Apr 26 01:48:53 2005] [error] [client 24.136.131.224] File does not exist: /usr/local/www/data/upload/config/LOGIN
[Tue Apr 26 01:49:12 2005] [error] [client 61.190.137.23] File does not exist: /usr/local/www/data/upload/getimage
[Tue Apr 26 01:49:44 2005] [error] [client 217.225.101.39] File does not exist: /usr/local/www/data/upload/config/login
[Tue Apr 26 01:50:09 2005] [error] [client 65.35.89.119] File does not exist: /usr/local/www/data/upload/config/login
[Tue Apr 26 01:50:58 2005] [error] [client 70.104.115.30] File does not exist: /usr/local/www/data/upload/config/login
[Tue Apr 26 01:51:59 2005] [error] [client 217.225.101.39] File does not exist: /usr/local/www/data/upload/config/login
[Tue Apr 26 01:53:59 2005] [error] [client 217.225.101.39] File does not exist: /usr/local/www/data/upload/config/login
[Tue Apr 26 01:54:34 2005] [error] [client 24.136.131.224] File does not exist: /usr/local/www/data/upload/config/LOGIN
httpd-access.log
70.104.115.30 - - [26/Apr/2005:02:08:55 +0800] "GET http://edit.tpe.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=brave.b-323&passwd=suckit HTTP/1.0" 404 281 "-" "-"
217.225.101.39 - - [26/Apr/2005:02:10:02 +0800] "GET http://login.yahoo.com/config/login?.tries=1&.src=bl&login=that_lonly_guy_over_there&passwd=Y+A+H+O+O&n=1 HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
65.35.89.119 - - [26/Apr/2005:02:10:11 +0800] "GET http://e6.member.ukl.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=PeeNutLMS&passwd=abc123 HTTP/1.0" 404 281 "-" "-"
24.136.131.224 - - [26/Apr/2005:02:11:06 +0800] "GET http://login.korea.yahoo.com/config/LOGIN?.form=ym%20signup%20more%20info&.intl=au&new=1&passwd=BABY&.done=http%3a//jpager.yahoo.com/jpager/pager2.shtml&.src=jpg&.last=&Login=angel420_69&.u=0&.partner=&Login=&= HTTP/1.0" 404 281 "-" "-"
65.35.89.119 - - [26/Apr/2005:02:12:01 +0800] "GET http://p3.movies.scd.yahoo.com/profiles/EVIL_MATRIX_ICE_K1NG HTTP/1.0" 404 298 "-" "-"
217.225.101.39 - - [26/Apr/2005:02:12:05 +0800] "GET http://login.yahoo.com/config/login?.tries=1&.src=bl&login=t0ddy&passwd=:)&n=1 HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
I don't know why this is happening, so I had to write a script that generates a dynamic deny list (a very crude approach ^^||)
IPs with an error in httpd-error.log and
IPs with yahoo in httpd-access.log all go > /etc/pf.conf
# httpd-error.log
tail -n 2000 /var/log/httpd-error.log | grep error | awk '{print $8}' | cut -d "]" -f 1 | sort -u > /etc/pf.conf
# httpd-access.log: deny *yahoo*
tail -n 2000 /var/log/httpd-access.log | grep yahoo | awk '{print $1}' | cut -d "]" -f 1 | sort -u >> /etc/pf.conf
# tail -n 2000 is roughly close to half a month of logs
cd /etc/
sed 's/^/block in on vr0 proto tcp from /' pf.conf > pfreal.conf
cp pfreal.conf pf.conf
sed 's/$/ to any queue std_in /' pf.conf > pfreal.conf
sort -u pfreal.conf > pf.conf
# turn each bare IP into: block in on vr0 proto tcp from ip to any queue std_in
pfctl -f /etc/pf.conf
# pf loads the configuration file
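I haven't seen logs this strange on my other hosts. I'm planning to remove all the software and reinstall it =_=
(there are reasons why I don't plan to reinstall)
This only treats the symptoms, not the root cause (because I don't know where the requests come from, I can only block them one at a time as they arrive)
Has anyone here run into the same problem? XD
PS: the formatting gets messed up, so I've pasted everything to
http://t.no-ip.info/wiki/doku.php?id=quest ...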
--
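How much is one point on the coma scale worth? How much is a 1% chance of survival worth?
How much would you pay to stay in this world and have one more meal with the one you love?
I'd pay ten thousand for a good helmet. What about you? by idanny@scumotor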
http://tinyurl.com/5gnya
--
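The same idea as the script in the post, as an added example that is not the poster's code: it selects clients by the proxy-style request target (`GET http://...`) seen in the access log above, accepts only well-formed IPv4 addresses, and fills a pf table file instead of rewriting /etc/pf.conf. The table name, the file path, the allowlist argument and the sample log lines are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not the poster's script. TABLE and TABLE_FILE are assumed names.
TABLE=proxy_abusers
TABLE_FILE=/etc/pf.proxy_abusers

# stdin: Apache access-log lines. stdout: unique client IPs whose request
# target is an absolute URI ("GET http://..."), i.e. requests that try to use
# this web server as a forward proxy. Anything that is not a dotted-quad IPv4
# address is dropped, so no other log text can reach a file that pf loads.
proxy_clients() {
    awk '
        $7 !~ /^[Hh][Tt][Tt][Pp][Ss]?:\/\// { next }   # $7 = request target
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        {
            split($1, o, ".")
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) next
            print $1
        }' | LC_ALL=C sort -u
}

# write_table OUT [ALLOW]: build the table file from stdin and move it into
# place in one step; addresses listed in ALLOW (one per line) are never blocked.
write_table() {
    out=$1; allow=${2:-/dev/null}; tmp="$out.tmp.$$"
    proxy_clients | grep -v -x -F -f "$allow" > "$tmp" || true
    mv "$tmp" "$out"
}

# Constructed sample input (documentation addresses, not lines from the post).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [26/Apr/2005:02:08:55 +0800] "GET http://login.example.com/config/login?login=x HTTP/1.0" 404 281 "-" "-"
198.51.100.9 - - [26/Apr/2005:02:09:10 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [26/Apr/2005:02:10:02 +0800] "GET http://login.example.com/profiles/y HTTP/1.0" 404 298 "-" "-"
192.0.2.44 - - [26/Apr/2005:02:11:06 +0800] "GET HTTP://login.example.com/config/LOGIN HTTP/1.0" 404 281 "-" "-"
proxy.example.net - - [26/Apr/2005:02:12:01 +0800] "GET http://login.example.com/ HTTP/1.0" 404 281 "-" "-"
EOF
}

# On the pf host, declare the table once in pf.conf:
#   table <proxy_abusers> persist file "/etc/pf.proxy_abusers"
#   block in quick on vr0 proto tcp from <proxy_abusers> to any
# and refresh only the table from cron (as root):
#   tail -n 2000 /var/log/httpd-access.log | write_table "$TABLE_FILE"
#   pfctl -t "$TABLE" -T replace -f "$TABLE_FILE"
sample_log | proxy_clients
```

Because only the table is replaced, the rest of pf.conf (other rules and any queue definitions) stays untouched between runs.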