Discussion :

[Netek]

Bonjour à tous,
Ce matin en regardant les logs d'erreur de mon serveur j'ai remarqué ces lignes :

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
[19-May-2011 03:55:41] PHP Warning:  parse_url(/index.php?req_path=http://xxxxxx./) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /usr/local/psa/admin/auto_prepend/auth.php3 on line 30
[19-May-2011 03:55:46] PHP Warning:  parse_url(/index.php?req_path=http://xxxxxx./) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /usr/local/psa/admin/auto_prepend/auth.php3 on line 30
[19-May-2011 03:55:50] PHP Warning:  parse_url(/index.php?inc=http://xxxxxx./foo) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /usr/local/psa/admin/auto_prepend/auth.php3 on line 30
[19-May-2011 03:55:50] PHP Warning:  parse_url(/index.php?inc=http://xxxxxx./foo) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /usr/local/psa/admin/auto_prepend/auth.php3 on line 30
[19-May-2011 03:57:24] PHP Warning:  parse_url(/index.php?doc=http://xxxxxx./foo.php) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /usr/local/psa/admin/auto_prepend/auth.php3 on line 30
[19-May-2011 03:57:24] PHP Warning:  parse_url(/index.php?doc=http://xxxxxx./foo.php) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /usr/local/psa/admin/auto_prepend/auth.php3 on line 30
[19-May-2011 03:57:38] PHP Warning:  parse_url(/index.php?kietu[url_hit]=http://xxxxxxxx/) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /usr/local/psa/admin/auto_prepend/auth.php3 on line 30
[19-May-2011 03:57:38] PHP Warning:  parse_url(//index.php?kietu[url_hit]=http://xxxxxxxx/) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /usr/local/psa/admin/auto_prepend/auth.php3 on line 30
[19-May-2011 03:57:38] PHP Warning:  parse_url(/index.php?kietu[url_hit]=http://xxxxxxxx/) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /usr/local/psa/admin/auto_prepend/auth.php3 on line 30
[19-May-2011 03:57:38] PHP Warning:  parse_url(//index.php?kietu[url_hit]=http://xxxxxxxx/) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /usr/local/psa/admin/auto_prepend/auth.php3 on line 30
[19-May-2011 03:57:39] PHP Warning:  parse_url(/index.php?libDir=http://xxxxxxxx) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /usr/local/psa/admin/auto_prepend/auth.php3 on line 30
[19-May-2011 03:57:40] PHP Warning:  parse_url(/index.php?libDir=http://xxxxxxxx) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /usr/local/psa/admin/auto_prepend/auth.php3 on line 30
[19-May-2011 03:58:09] PHP Warning:  parse_url(/index.php?function=custom&amp;custom=http://xxxxxxxx/1) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /usr/local/psa/admin/auto_prepend/auth.php3 on line 30
[19-May-2011 03:58:10] PHP Warning:  parse_url(/index.php?function=custom&amp;custom=http://xxxxxxxx/1) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /usr/local/psa/admin/auto_prepend/auth.php3 on line 30
[19-May-2011 03:58:19] PHP Warning:  parse_url(/index.php?do=ext&amp;page=http://xxxxxxxx/file) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /usr/local/psa/admin/auto_prepend/auth.php3 on line 30
[19-May-2011 03:58:19] PHP Warning:  parse_url(/index.php?do=ext&amp;page=http://xxxxxxxx/file) [<a href='function.parse-url'>function.parse-url</a>]: Unable to parse URL in /usr/local/psa/admin/auto_prepend/auth.php3 on line 30
[19-May-2011 03:58:59] PHP Warning:  File Upload Mime headers garbled in Unknown on line 0
[19-May-2011 03:58:59] PHP Warning:  File Upload Mime headers garbled in Unknown on line 0

Cela ressemble bien a une tentative d'attaque. Avez-vous une idée de ce qu'il a essayé de faire ? Y'a t-il un risque ?

Merci pour vos conseils

[stealth35]

montre ton auth.php3

[Netek]

Ok, voici une copie du début du fichier ( que j'ai copié a partir de vi, connecté en ssh sur le serveur, je ne sais pas comment telecharger un fichier en ssh sur mon pc )

Plutot bizarre :

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
<?php
    die("The file {$_SERVER['SCRIPT_FILENAME']} is part of Plesk 9 distribution. It cannot be run outside of Plesk 9 environment.\n");
    __sw_loader_pragma__('P');
?>
&ÃÃ<8a><8a>^V<ê®<86>«^_ø <9d><9d>½¢që;la;^S^H\^B^Rÿ9{þ^U´^S^OÃÂ*X¾½<98>^Enù-Ã¥rH<9e>Ã<96>jJø^X^G2^Z^S<82>û^[£^Köös>¾Q@'*¢ïÂ*Ão<91>ô^G_$<97><91>öy?/R<8d>F^A\8^]^T2¨<8d>Ã
;*ÃplqÃ/¡ºÃ<8a>óe1ÃÃ'úÃó:1<94>,kÃ0ÃÃ^LÃ<9e>ºió<9b><9e>wKâG^Ly<84>H<^?¡<97>ý ¯gÃÃ÷Ã^U^Hç<8a>`Ã,X~Â*¨¿qîÃuhFé8<98>¦ì½¶¾Ã¨vòê<8d>ê<8e>ó<95>C<84>¹  ^Z^Umn:f<9e>ZÃoû<94>¼õaONWôÃ^M|<9e>a<91>Ã

Merci

[stealth35]

prend le via stfp

[Séb.]

Il y a essayé d'exploiter au moins 1 faille de Kietu.
http://osvdb.org/show/osvdb/3763

[Netek]

Ok je l'ai téléchargé, c'est pareil.
Il y a dans le meme dossier un fichier nommé .auth.php3.swp, tout autant illisible.