Anomalie #1841
Mis à jour par Christian P. Momon il y a environ 8 ans
Ce matin, sur le canal IRC : <pre> 05:33 <vivivi[6]> [00] drupal6:LOAD is CRITICAL: CRITICAL - load average: 142.48, 98.64, 44.84 05:34 <vivivi[6]> [01] bastion:Check Web libre-et-accessible.org is CRITICAL: CRITICAL - Socket timeout after 10 seconds 05:34 <vivivi[6]> [02] bastion:Check Secure Web libre-et-accessible.org is CRITICAL: CRITICAL - Socket timeout after 10 seconds 05:35 * vivivi[6] s'appelle maintenant vivivi[3] 05:39 * vivivi[3] s'appelle maintenant vivivi[1] 05:39 <vivivi[1]> bastion:Check Web libre-et-accessible.org is OK: HTTP OK: Status line output matched 200 - 5947 bytes in 0.184 second response time 05:39 <vivivi[1]> bastion:Check Secure Web libre-et-accessible.org is OK: HTTP OK: Status line output matched 200 - 5973 bytes in 0.184 second response time 06:03 <vivivi[1]> [03] drupal6:LOAD is WARNING: WARNING - load average: 0.17, 0.65, 8.44 06:13 <vivivi[1]> drupal6:LOAD is OK: OK - load average: 0.10, 0.23, 4.50 </pre> Avec QGull, en regardant les logs nginx pour le site april.org, on voit beaucoup de « /april?page=%2C1&membre= »: <pre> 208.89.210.30 - - [21/Dec/2016:05:33:32 +0100] "GET /april?page=2124&membre=aphxxx /april?page=2124&membre=aphelipot HTTP/1.1" 200 9065 "https://www.april.org/april?page=%2C1&membre=crexxx" "https://www.april.org/april?page=%2C1&membre=crenaudineau" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" 93.127.147.151 - - [21/Dec/2016:05:33:32 +0100] "GET /april?page=99&membre=ctoxxx /april?page=99&membre=ctoularastel HTTP/1.1" 200 10069 "https://www.april.org/april?page=%2C7&membre=scrxxx" "https://www.april.org/april?page=%2C7&membre=scrozat" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" 158.222.6.214 - - [21/Dec/2016:05:33:32 +0100] "GET /april?page=2124&membre=lsaxxx /april?page=2124&membre=lsaiu HTTP/1.1" 200 9059 "http://www.fraifrai.net/index.php?post/2013/11/15/Gravity-%3A-non-mais...-non" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" 66.34.168.45 - - [21/Dec/2016:05:33:32 +0100] "GET /april?page=%2C5&membre=aphxxx /april?page=%2C5&membre=aphelipot HTTP/1.1" 200 9996 "https://www.april.org/april?page=%2C1&membre=ggrxxx" "https://www.april.org/april?page=%2C1&membre=ggravier" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" 104.203.245.104 - - [21/Dec/2016:05:33:33 +0100] "GET /april?page=2124&membre=ctoxxx /april?page=2124&membre=ctoularastel HTTP/1.1" 200 9067 "https://www.april.org/april?page=2124&membre=groxxx" "https://www.april.org/april?page=2124&membre=grouan" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" 66.34.168.45 - - [21/Dec/2016:05:33:33 +0100] "GET /april?page=%2C4&membre=aphxxx /april?page=%2C4&membre=aphelipot HTTP/1.1" 200 10002 "https://www.april.org/april?page=%2C3&membre=fdexxx" "https://www.april.org/april?page=%2C3&membre=fdelahaye" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" </pre> Et les requêtes viennent de plusieurs IP différentes : <pre> root@bastion:~/Cpm# grep "2016:05:3" www.april.org.access_log.1 | grep 'membre=' | cut -f 1 -d ' ' | sort -n -k 1,1 -k 2,2 -k 3,3 -k 4,4 | uniq -c | sort -n -k 1,1 | tail 190 5.157.15.20 190 66.34.168.45 193 5.157.15.107 200 104.203.245.104 200 208.89.210.30 204 155.94.244.48 204 93.127.147.151 213 199.229.235.82 213 204.44.83.97 227 204.44.83.12 </pre> Difficile de conclure. Un bot visant un site Drupal ? Ticket créé pour laisser une trace et donc fermé de suite.