2014-06-30 13:44

Thoroughness

If you run your own web server, scans for confidential content or vulnerable software are part of everyday life. Usually, though, the scanners confine themselves to a handful of URLs and look for signs that well-known software is installed, e.g. WordPress or phpMyAdmin.

Today, however, someone wanted to know for sure. (I have anonymized the IP address.)

While most of the URLs refer to SSH configuration, shell files or cryptocurrencies, the file name checknfurl123 is puzzling. My first thought was that a web server compromised by the author of this tool creates this file to mark itself as already done. Another explanation is given in this discussion: the request serves to check how the web server reacts to file-not-found errors, which would allow false positives to be detected.

Maybe I should just create a few of the requested files on the web server and see what the scanner does then…

127.127.127.127 - - [30/Jun/2014:05:37:52 +0200] "HEAD /checknfurl123 HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:52 +0200] "HEAD /.ssh/id_rsa HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:52 +0200] "HEAD /.ssh/id_dsa HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:52 +0200] "HEAD /.ssh/rsa HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:52 +0200] "HEAD /.ssh/dsa HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:52 +0200] "HEAD /.ssh/key HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:53 +0200] "HEAD /.ssh/priv HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:53 +0200] "HEAD /.ssh/id_rsa.old HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:53 +0200] "HEAD /.ssh/id_dsa.old HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:53 +0200] "HEAD /.ssh/identity HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:53 +0200] "HEAD /.ssh/authorized_keys HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:53 +0200] "HEAD /.ssh/authorized_keys2 HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:53 +0200] "HEAD /.ssh/known_hosts HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:54 +0200] "HEAD /.ssh/config HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:54 +0200] "HEAD /.ssh/config.old HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:54 +0200] "HEAD /.ssh/config~ HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:54 +0200] "HEAD /.ssh/id_rsa.pub HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:54 +0200] "HEAD /.ssh/id_dsa.pub HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:54 +0200] "HEAD /.ssh/id_rsa_2 HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:54 +0200] "HEAD /.ssh/id_rsa.2 HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:54 +0200] "HEAD /.ssh/id_dsa_2 HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:55 +0200] "HEAD /.ssh/id_dsa.2 HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:55 +0200] "HEAD /.ssh/id_ecdsa HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:55 +0200] "HEAD /.ssh/id_ecdsa.2 HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:55 +0200] "HEAD /.ssh/id_ecdsa_2 HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:55 +0200] "HEAD /.ssh/id_rsa2 HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:55 +0200] "HEAD /.ssh/id_dsa2 HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:55 +0200] "HEAD /.ssh/id_ecdsa2 HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:56 +0200] "HEAD /.ssh/id_ecdsa_old HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:56 +0200] "HEAD /.ssh/id_ecdsa.old HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:56 +0200] "HEAD /.ssh/id_rsa.bak HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:56 +0200] "HEAD /.ssh/id_dsa.bak HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:56 +0200] "HEAD /.bash_history HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:56 +0200] "HEAD /.history HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:56 +0200] "HEAD /.sh_history HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:57 +0200] "HEAD /.bitcoin/wallet.dat HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:57 +0200] "HEAD /.litecoin/wallet.dat HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:57 +0200] "HEAD /.psi/profiles/default/config.xml HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:57 +0200] "HEAD /.purple/accounts.xml HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:57 +0200] "HEAD /.mozilla/firefox/profiles.ini HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:57 +0200] "HEAD /id_ecdsa HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:57 +0200] "HEAD /id_ecdsa.2 HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:57 +0200] "HEAD /id_ecdsa_2 HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:58 +0200] "HEAD /id_ecdsa_old HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:58 +0200] "HEAD /id_ecdsa.old HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:58 +0200] "HEAD /config HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:58 +0200] "HEAD /id_rsa HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:58 +0200] "HEAD /id_dsa HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:58 +0200] "HEAD /rsa HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:58 +0200] "HEAD /dsa HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:59 +0200] "HEAD /key HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:59 +0200] "HEAD /key.priv HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:59 +0200] "HEAD /id_rsa.old HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:59 +0200] "HEAD /id_dsa.old HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:59 +0200] "HEAD /identity HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:59 +0200] "HEAD /authorized_keys HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:59 +0200] "HEAD /authorized_keys2 HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:38:00 +0200] "HEAD /known_hosts HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:38:00 +0200] "HEAD /id_rsa.pub HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:38:00 +0200] "HEAD /id_dsa.pub HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:38:00 +0200] "HEAD /.htpasswd HTTP/1.1" 403 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:38:00 +0200] "HEAD /htpasswd HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:38:00 +0200] "HEAD /.htpasswd~ HTTP/1.1" 403 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:38:00 +0200] "HEAD /passwd HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:38:00 +0200] "HEAD /.passwd HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:38:01 +0200] "HEAD /passwords HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:38:01 +0200] "HEAD /password HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:38:01 +0200] "HEAD /passwords.txt HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:38:01 +0200] "HEAD /pass HTTP/1.1" 404 147 "-" "-"
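Detection logic for this kind of scan, as an added example that is not part of the original post: it parses the Apache combined log format, groups requests per client address, and flags a client that hits many secret-like paths within a short window, recording whether the server ever actually served one (status 200). The sample input takes a few lines from the log above plus one constructed benign request from a second address; the path pattern, the thresholds (`min_hits`, `window_s`) and the field names in the summary are my assumptions, not anything the scanner or the post defines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format. The post's server logs "-" for both referer
# and user agent, which the regex accepts like any other quoted string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Paths of the kind the scanner in the post requested: SSH material, shell
# history, wallets, chat/browser profiles, htpasswd and password files.
# Assumed list; extend it from your own logs.
SENSITIVE_RE = re.compile(
    r'^/(\.ssh/|\.bash_history|\.history|\.sh_history|\.bitcoin/|\.litecoin/|'
    r'\.psi/|\.purple/|\.mozilla/|\.?htpasswd|\.?passwd|passwords?|pass$|'
    r'id_(rsa|dsa|ecdsa)|identity|authorized_keys|known_hosts|'
    r'key(\.priv)?$|rsa$|dsa$|config$)'
)

# Sample input: seven lines taken from the post's log plus one constructed
# benign request from another address (10.0.0.5 is made up).
SAMPLE_LOG = """\
127.127.127.127 - - [30/Jun/2014:05:37:52 +0200] "HEAD /checknfurl123 HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:52 +0200] "HEAD /.ssh/id_rsa HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:52 +0200] "HEAD /.ssh/id_dsa HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:56 +0200] "HEAD /.bash_history HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:37:57 +0200] "HEAD /.bitcoin/wallet.dat HTTP/1.1" 404 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:38:00 +0200] "HEAD /.htpasswd HTTP/1.1" 403 147 "-" "-"
127.127.127.127 - - [30/Jun/2014:05:38:01 +0200] "HEAD /passwords.txt HTTP/1.1" 404 147 "-" "-"
10.0.0.5 - - [30/Jun/2014:05:40:00 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (constructed)"
""".splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, min_hits=5, window_s=60):
    """Return {ip: summary} for clients that requested at least `min_hits`
    secret-like paths within `window_s` seconds. Thresholds are assumptions."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])  # stable: ties keep log order
        hits = [r for r in recs if SENSITIVE_RE.match(r["path"])]
        if len(hits) < min_hits:
            continue
        span = (hits[-1]["ts"] - hits[0]["ts"]).total_seconds()
        if span > window_s:
            continue
        flagged[ip] = {
            "hits": len(hits),
            "span_s": span,
            "no_user_agent": all(r["ua"] == "-" for r in hits),
            # The client's very first request shows what it learned about
            # "not found" on this server (the post's /checknfurl123 probe).
            # If that probe got a 200, the server answers 200 for everything
            # and none of the later responses mean much.
            "first_probe": (recs[0]["path"], recs[0]["status"]),
            # Only a 200 means a file was really served; that is the finding
            # to act on (rotate the key, remove the file).
            "served": sorted(r["path"] for r in hits if r["status"] == 200),
            "forbidden": sorted(r["path"] for r in hits if r["status"] == 403),
        }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_scanners(SAMPLE_LOG).items():
        print(ip, summary)
```

Two points the summary makes visible: the scanner sends no User-Agent at all, which on its own is a usable signal on a server that otherwise sees browsers and crawlers; and the 403 on /.htpasswd is not a leak, because Apache's default `<Files ".ht*">` deny rule fires on the requested name before the file system is consulted, so a nonexistent .htpasswd gets the same 403 as a real one. The only response worth an alert is a 200 on one of these paths.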