Hi, recently I got an email with the subject "Cookie stealer report". I
looked at my apache logs and noticed a particular IP scanning my server at
that time using OpenVAS, which I had never heard of before. Doing some
research I found the mailing list for OpenVAS and found out what the program
does. With that said, I'm a bit concerned that someone using a scanning
program was able to send an email through my server from the user apache.
Return-Path: <apache@xxx>
X-Original-To: razor@xx
Delivered-To: razor@xx
Received: by mail.xxx (Postfix, from userid 48)
id 0871E4F78001; Tue, 7 Nov 2017 15:51:54 -0500 (EST)
To: razor@xx
Subject:
Message-Id: <[email protected]>
Date: Tue, 7 Nov 2017 15:51:54 -0500 (EST)
From: [email protected] (Reserved for Meganet)
The email was blank with no information.
I looked at the POSTs/GETs in the logs and I'm not sure how they were able to
send an email, since I have no cgi scripts. The apache server serves
phpadmin and has squirrel mail pages. I have posted the logs below. I'm not
sure what the purpose of the scan was; I assume it's malicious, and I'd like to
know if I'm vulnerable to anything and if the server was compromised. In
particular I would like to know how the email was generated and sent as well.
Thanks, P
Below are all the POSTs; there are too many GETs to list, but all the GETs
seem to be for files I don't have on the server.
178.175.142.131 - - [07/Nov/2017:15:50:05 -0500] "POST /wsman HTTP/1.1" 301 241 "-" "Microsoft WinRM Client OpenVAS"
178.175.142.131 - - [07/Nov/2017:15:50:30 -0500] "POST / HTTP/1.0" 301 236 "-" "OPENVAS::SOAP"
178.175.142.131 - - [07/Nov/2017:15:51:18 -0500] "POST /index.php HTTP/1.1" 301 245 "-" "-"
178.175.142.131 - - [07/Nov/2017:15:51:19 -0500] "POST /php-inventory/index.php HTTP/1.1" 301 259 "-" "-"
178.175.142.131 - - [07/Nov/2017:15:51:19 -0500] "POST /scripts/index.php HTTP/1.1" 301 253 "-" "-"
178.175.142.131 - - [07/Nov/2017:15:51:20 -0500] "POST /cgi-bin/index.php HTTP/1.1" 301 253 "-" "-"
178.175.142.131 - - [07/Nov/2017:15:52:13 -0500] "POST /LoginServlet HTTP/1.1" 301 248 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:15:54:22 -0500] "POST /spipe/pkg?Source=Agent_3.0.0 HTTP/1.0" 301 264 "-" "-"
178.175.142.131 - - [07/Nov/2017:15:55:48 -0500] "POST /netmri/config/userAdmin/login.tdf HTTP/1.1" 301 269 "-" "-"
178.175.142.131 - - [07/Nov/2017:15:57:06 -0500] "POST /cobbler_api HTTP/1.1" 301 247 "-" "-"
178.175.142.131 - - [07/Nov/2017:15:57:39 -0500] "POST /sendeditfile HTTP/1.1" 301 248 "http://mail.xxxx.net/editfile=?C:\\WINNT\\win.bat?" "-"
178.175.142.131 - - [07/Nov/2017:15:58:54 -0500] "POST /LoginPage.do HTTP/1.1" 301 248 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:15:59:12 -0500] "POST /LoginPage.do HTTP/1.1" 301 248 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:15:59:57 -0500] "POST /index.php?console=panel HTTP/1.1" 301 259 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:01:09 -0500] "POST /fm/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 301 277 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:01:10 -0500] "POST /file/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 301 279 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:01:10 -0500] "POST /filemanager/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 301 286 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:01:10 -0500] "POST /scripts/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 301 282 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:01:12 -0500] "POST /cgi-bin/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 301 282 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:01:12 -0500] "POST /ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 301 274 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:01:35 -0500] "POST /apoll/admin/login.php HTTP/1.0" 301 257 "http://mail.xxxx.net/apoll/admin/login.php" "-"
178.175.142.131 - - [07/Nov/2017:16:01:36 -0500] "POST /poll/admin/login.php HTTP/1.0" 301 256 "http://mail.xxxx.net/poll/admin/login.php" "-"
178.175.142.131 - - [07/Nov/2017:16:01:36 -0500] "POST /scripts/admin/login.php HTTP/1.0" 301 259 "http://mail.xxxx.net/scripts/admin/login.php" "-"
178.175.142.131 - - [07/Nov/2017:16:01:37 -0500] "POST /cgi-bin/admin/login.php HTTP/1.0" 301 259 "http://mail.xxxx.net/cgi-bin/admin/login.php" "-"
178.175.142.131 - - [07/Nov/2017:16:01:37 -0500] "POST /admin/login.php HTTP/1.0" 301 251 "http://mail.xxxx.net/admin/login.php" "-"
178.175.142.131 - - [07/Nov/2017:16:02:03 -0500] "POST /apoll/admin/lost-pass.php HTTP/1.0" 301 261 "http://mail.xxxx.net/apoll/admin/lost-pass.php" "-"
178.175.142.131 - - [07/Nov/2017:16:02:04 -0500] "POST /poll/admin/lost-pass.php HTTP/1.0" 301 260 "http://mail.xxxx.net/poll/admin/lost-pass.php" "-"
178.175.142.131 - - [07/Nov/2017:16:02:04 -0500] "POST /scripts/admin/lost-pass.php HTTP/1.0" 301 263 "http://mail.xxxx.net/scripts/admin/lost-pass.php" "-"
178.175.142.131 - - [07/Nov/2017:16:02:05 -0500] "POST /cgi-bin/admin/lost-pass.php HTTP/1.0" 301 263 "http://mail.xxxx.net/cgi-bin/admin/lost-pass.php" "-"
178.175.142.131 - - [07/Nov/2017:16:02:05 -0500] "POST /admin/lost-pass.php HTTP/1.0" 301 255 "http://mail.xxxx.net/admin/lost-pass.php" "-"
178.175.142.131 - - [07/Nov/2017:16:02:16 -0500] "POST /datalife/engine/preview.php HTTP/1.1" 301 263 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:02:17 -0500] "POST /scripts/engine/preview.php HTTP/1.1" 301 262 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:02:17 -0500] "POST /cgi-bin/engine/preview.php HTTP/1.1" 301 262 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:02:17 -0500] "POST /engine/preview.php HTTP/1.1" 301 254 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:02:21 -0500] "POST /AAAAAAAAAAAAAAAAAAAAA HTTP/1.1" 301 257 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:02:36 -0500] "POST /cms/admin/libraries/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 301 294 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:02:37 -0500] "POST /scripts/admin/libraries/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 301 298 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:02:37 -0500] "POST /cgi-bin/admin/libraries/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 301 298 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:02:37 -0500] "POST /admin/libraries/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 301 290 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:02:42 -0500] "POST /narcissus/backend.php HTTP/1.1" 301 257 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:02:42 -0500] "POST /narcissus-master/backend.php HTTP/1.1" 301 264 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:02:43 -0500] "POST /scripts/backend.php HTTP/1.1" 301 255 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:02:43 -0500] "POST /cgi-bin/backend.php HTTP/1.1" 301 255 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:02:43 -0500] "POST /backend.php HTTP/1.1" 301 247 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:03:03 -0500] "POST /cgi-bin/php?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 301 306 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:03:04 -0500] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 301 813 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:03:04 -0500] "POST /cgi-bin/php5?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 301 307 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:03:05 -0500] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 301 814 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:03:05 -0500] "POST /cgi-bin/php-cgi?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 301 310 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:03:07 -0500] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 301 817 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:03:07 -0500] "POST /cgi-bin/php.cgi?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 301 310 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:03:07 -0500] "POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 301 817 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:03:08 -0500] "POST /cgi-bin/php4?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 301 307 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:03:08 -0500] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 301 814 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:03:09 -0500] "POST /?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 301 295 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:03:09 -0500] "POST /?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 301 802 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:03:09 -0500] "POST /index.php?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 301 304 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:03:10 -0500] "POST /index.php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 301 811 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:03:21 -0500] "POST / HTTP/1.0" 301 236 "-" "-"
178.175.142.131 - - [07/Nov/2017:16:04:11 -0500] "POST /chillyCMS/admin/media.site.php HTTP/1.1" 301 266 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:04:12 -0500] "POST /cms/admin/media.site.php HTTP/1.1" 301 260 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:04:13 -0500] "POST /scripts/admin/media.site.php HTTP/1.1" 301 264 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:04:13 -0500] "POST /cgi-bin/admin/media.site.php HTTP/1.1" 301 264 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:04:14 -0500] "POST /admin/media.site.php HTTP/1.1" 301 256 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:04:30 -0500] "POST / HTTP/1.1" 301 236 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
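As an added example (not part of the post above, and not OpenVAS or Apache code), the Python triage script below does the three things a defender would want to do with this log: parse the Apache combined-format lines, percent-decode the query strings so the long `%2D%64+...` blobs in the `/cgi-bin/php*` and `/index.php?` requests become readable `-d name=value` php.ini directive tokens, and list the requests that fall within a minute of the mail's `Received:` timestamp. The sample lines are copied from the post's log and the mail date from its headers; the tag names, the one-minute window and the directive list are my choices. Every request in the post received a 301, so the script also tags those: if that is a blanket redirect (for example HTTP to HTTPS), the POST bodies never reached a script on this vhost and the redirect target's log is the one to check next.

```python
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime
from urllib.parse import unquote_plus

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# php.ini directives that, when pushed through the query string as "-d name=value",
# mark the php-cgi argument-injection probe seen in the post's log (my list).
PROBE_DIRECTIVES = {"auto_prepend_file", "allow_url_include", "disable_functions",
                    "open_basedir", "safe_mode", "cgi.force_redirect"}

# Five entries copied from the post's log; the long one carries the percent-encoded
# "-d ..." string exactly as Apache logged it.
SAMPLE_LINES = [
    '178.175.142.131 - - [07/Nov/2017:15:50:05 -0500] "POST /wsman HTTP/1.1" 301 241 "-" "Microsoft WinRM Client OpenVAS"',
    '178.175.142.131 - - [07/Nov/2017:15:51:18 -0500] "POST /index.php HTTP/1.1" 301 245 "-" "-"',
    '178.175.142.131 - - [07/Nov/2017:16:03:03 -0500] "POST /cgi-bin/php?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 301 306 "-" "-"',
    '178.175.142.131 - - [07/Nov/2017:16:03:10 -0500] "POST /index.php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 301 811 "-" "-"',
    '178.175.142.131 - - [07/Nov/2017:15:58:54 -0500] "POST /LoginPage.do HTTP/1.1" 301 248 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"',
]
# "Received:" date of the blank mail, copied from the post's headers.
MAIL_RECEIVED = "Tue, 7 Nov 2017 15:51:54 -0500"


def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = parsedate_to_datetime(entry["ts"]) if "," in entry["ts"] else \
        __import__("datetime").datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    path, _, query = entry["target"].partition("?")
    entry["path"] = path
    # unquote_plus turns %2D -> "-", %3D -> "=" and "+" -> " " in one step
    entry["query_decoded"] = unquote_plus(query)
    return entry


def php_cgi_directives(decoded_query):
    """Names of php.ini directives set with '-d' in a decoded query string, in order."""
    return [m.group(1) for m in re.finditer(r"-d\s*([A-Za-z_.]+)=", decoded_query)]


def classify(entry):
    """Tags for one parsed entry (tag names are my own)."""
    tags = []
    if PROBE_DIRECTIVES & set(php_cgi_directives(entry["query_decoded"])):
        tags.append("php-cgi-arg-injection")
    if "openvas" in entry["ua"].lower():
        tags.append("scanner-ua")
    if entry["status"] in (301, 302, 307, 308):
        tags.append("redirected")  # body not handed to a script here if the redirect is Apache's own
    return tags


def requests_near(entries, when, window_seconds=60):
    """Entries whose timestamp lies within +/- window_seconds of the aware datetime `when`."""
    window = timedelta(seconds=window_seconds)
    return [e for e in entries if abs(e["ts"] - when) <= window]


def triage(lines, mail_date):
    """Tag every line and list the paths hit within a minute of the mail's Received: time."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    mail_ts = parsedate_to_datetime(mail_date)
    return {
        "tagged": [(e["ts"].strftime("%H:%M:%S"), e["path"], classify(e)) for e in entries],
        "decoded_probes": [e["query_decoded"] for e in entries if "php-cgi-arg-injection" in classify(e)],
        "near_mail": [e["path"] for e in requests_near(entries, mail_ts)],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LINES, MAIL_RECEIVED)
    for ts, path, tags in report["tagged"]:
        print(ts, path, tags)
    for q in report["decoded_probes"]:
        print("decoded:", q)
    print("within 60s of the mail:", report["near_mail"])
```

Run it as-is to see the decoded probe strings; to use it on a real log, replace `SAMPLE_LINES` with the file's lines and `MAIL_RECEIVED` with the `Received:` date of the mail in question. Only the mail's own `Received:` header is a reliable anchor for the time window, since the `Date:` header is set by the sender.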