Question about system logs



  • Good afternoon!

    I tried to find something similar to what I'm looking for in the forums, but I didn't find anything; if something similar already exists, I apologize.

    I am using pfSense 2.3.1 for a wireless network.

    Recently the wireless became unstable, and when analysing the network and the pfSense logs I identified some system log entries that I couldn't interpret properly; a friend who has more knowledge told me it was an attack being carried out through an infected host.

    With this information in hand, I located the client and blocked its access. After that, I was advised to install squid and enable clamav and icap. Once that was done, the network was fine for a few days, but other similar log entries kept occurring. To avoid new outages and resolve the situation, I would like to know if anyone can help me identify what the logs below refer to:

    Jun 9 10:08:03 pfsense.localdomain nginx: 2016/06/09 10:08:03 [error] 24307#0: *931 open() "/usr/local/www/cgi-bin/webproc" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page= HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:08:02 pfsense.localdomain nginx: 2016/06/09 10:08:02 [error] 24307#0: *928 open() "/usr/local/www/redir/cgi-bin/ajaxmail" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /redir/cgi-bin/ajaxmail HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:08:01 pfsense.localdomain nginx: 2016/06/09 10:08:01 [error] 24307#0: *927 open() "/usr/local/www/fcgi-bin/performance.fcgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /fcgi-bin/performance.fcgi HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:08:01 pfsense.localdomain nginx: 2016/06/09 10:08:01 [error] 24307#0: *926 open() "/usr/local/www/fcgi-bin/dispatch.fcgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /fcgi-bin/dispatch.fcgi HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:08:00 pfsense.localdomain nginx: 2016/06/09 10:08:00 [error] 24307#0: *925 open() "/usr/local/www/das/cgi-bin/session.cgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /das/cgi-bin/session.cgi HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:07:59 pfsense.localdomain nginx: 2016/06/09 10:07:59 [error] 24307#0: *924 open() "/usr/local/www/cgi-bin/wingame.pl" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/wingame.pl HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:07:59 pfsense.localdomain nginx: 2016/06/09 10:07:59 [error] 24307#0: *923 open() "/usr/local/www/cgi-bin/webscr" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/webscr HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:07:58 pfsense.localdomain nginx: 2016/06/09 10:07:58 [error] 24207#0: *922 open() "/usr/local/www/cgi-bin/webproc" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/webproc HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:07:57 pfsense.localdomain nginx: 2016/06/09 10:07:57 [error] 24207#0: *921 open() "/usr/local/www/cgi-bin/verify.cgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/verify.cgi HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:07:57 pfsense.localdomain nginx: 2016/06/09 10:07:57 [error] 24207#0: *920 open() "/usr/local/www/cgi-bin/traffic/process.fcgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/traffic/process.fcgi HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:07:56 pfsense.localdomain nginx: 2016/06/09 10:07:56 [error] 24307#0: *919 open() "/usr/local/www/cgi-bin/top/out" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/top/out HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:07:55 pfsense.localdomain nginx: 2016/06/09 10:07:55 [error] 24307#0: *918 open() "/usr/local/www/cgi-bin/tjcgi1" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/tjcgi1 HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:07:55 pfsense.localdomain nginx: 2016/06/09 10:07:55 [error] 24307#0: *917 open() "/usr/local/www/cgi-bin/te/o.cgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/te/o.cgi HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:07:54 pfsense.localdomain nginx: 2016/06/09 10:07:54 [error] 24307#0: *916 open() "/usr/local/www/cgi-bin/start" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/start HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:07:53 pfsense.localdomain nginx: 2016/06/09 10:07:53 [error] 24307#0: *915 open() "/usr/local/www/cgi-bin/sse.dll" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/sse.dll HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:07:53 pfsense.localdomain nginx: 2016/06/09 10:07:53 [error] 24307#0: *914 open() "/usr/local/www/cgi-bin/spcnweb" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/spcnweb HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:07:52 pfsense.localdomain nginx: 2016/06/09 10:07:52 [error] 24207#0: *913 open() "/usr/local/www/cgi-bin/search.cgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/search.cgi HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:07:51 pfsense.localdomain nginx: 2016/06/09 10:07:51 [error] 24207#0: *912 open() "/usr/local/www/cgi-bin/rshop.pl" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/rshop.pl HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:07:51 pfsense.localdomain nginx: 2016/06/09 10:07:51 [error] 24207#0: *911 open() "/usr/local/www/cgi-bin/readmsg" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/readmsg HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:07:50 pfsense.localdomain nginx: 2016/06/09 10:07:50 [error] 24207#0: *910 open() "/usr/local/www/cgi-bin/rbaccess/rbunxcgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/rbaccess/rbunxcgi HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:07:49 pfsense.localdomain nginx: 2016/06/09 10:07:49 [error] 24207#0: *909 open() "/usr/local/www/cgi-bin/rbaccess/rbcgi3m01" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/rbaccess/rbcgi3m01 HTTP/1.1", host: "10.0.0.1"
    Jun 9 10:07:49 pfsense.localdomain nginx: 2016/06/09 10:07:49 [error] 24207#0: *908 open() "/usr/local/www/cgi-bin/passremind" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/passremind HTTP/1.1", host: "10.0.0.1"

    In the squidlight log we have:

    /cgi-bin/logout 2 7 664 1.8 M 0.3%
    7 / 2 7 608 1.8 M 0.3%
    8 msc.wlxrs.com 3 7 299 1.9 M 0.3%
    9 z0285146.ivps9x.u.avast.com 2 6 363 1.9 M 0.2%
    10 5.45.63.11 1 6 255 1.9 M 0.2%
    11 crl.microsoft.com 18 5 776 1.9 M 0.2%
    12 /cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page=* 1 3 962 1.9 M 0.1%
    13 /cgi-bin/openwebmail/openwebmail-main.pl 1 3 882 1.9 M 0.1%
    14 /cgi-bin/findweather/getForecast 1 3 866 1.9 M 0.1%
    15 /cgi-bin/findweather/hdfForecast 1 3 866 1.9 M 0.1%
    16 /cgi-bin/traffic/process.fcgi 1 3 860 1.9 M 0.1%
    17 /cgi-bin/rbaccess/rbcgi3m01 1 3 856 1.9 M 0.1%
    18 /fcgi-bin/performance.fcgi 1 3 854 1.9 M 0.1%
    19 /cgi-bin/rbaccess/rbunxcgi 1 3 854 1.9 M 0.1%
    20 /cgi-bin/hotspotlogin.cgi 1 3 852 1.9 M 0.1%
    21 /cgi-bin/arr/index.shtml 1 3 850 1.9 M 0.1%
    22 /cgi-bin/bbs/postlist.pl 1 3 850 1.9 M 0.1%
    23 /cgi-bin/bp_revision.cgi 1 3 850 1.9 M 0.1%
    24 /cgi-bin/ib/301_start.pl 1 3 850 1.9 M 0.1%
    25 /das/cgi-bin/session.cgi 1 3 850 1.9 M 0.1%
    26 /cgi-bin/bbs/postshow.pl 1 3 850 1.9 M 0.1%
    27 /fcgi-bin/dispatch.fcgi 1 3 848 1.9 M 0.1%
    28 /redir/cgi-bin/ajaxmail 1 3 848 1.9 M 0.1%
    29 /cgi-bin/mainmenu.cgi 1 3 844 1.9 M 0.1%
    30 /cgi-bin/crtr/out.cgi 1 3 844 1.9 M 0.1%
    31 /cgi-bin/atx/out.cgi 1 3 842 1.9 M 0.1%
    32 /cgi-bin/at3/out.cgi 1 3 842 1.9 M 0.1%
    33 /cgi-bin/atc/out.cgi 1 3 842 2.0 M 0.1%
    34 /cgi-bin/hslogin.cgi 1 3 842 2.0 M 0.1%
    35 /cgi-bin/search.cgi 1 3 840 2.0 M 0.1%
    36 /cgi-bin/a2/out.cgi 1 3 840 2.0 M 0.1%
    37 /cgi-bin/frame_html 1 3 840 2.0 M 0.1%
    38 /cgi-bin/clicks.cgi 1 3 840 2.0 M 0.1%
    39 /cgi-bin/krcgistart 1 3 840 2.0 M 0.1%
    40 /cgi-bin/verify.cgi 1 3 840 2.0 M 0.1%
    41 /cgi-bin/passremind 1 3 840 2.0 M 0.1%
    42 /cgi-bin/wingame.pl 1 3 840 2.0 M 0.1%
    43 /cgi-bin/getattach 1 3 838 2.0 M 0.1%
    44 /cgi-bin/click.cgi 1 3 838 2.0 M 0.1%
    45 /cgi-bin/index.cgi 1 3 838 2.0 M 0.1%
    46 /cgi-bin/login.cgi 1 3 838 2.0 M 0.1%
    47 /cgi-bin/rshop.pl 1 3 836 2.0 M 0.1%
    48 /cgi-bin/te/o.cgi 1 3 836 2.0 M 0.1%
    49 /cgi-bin/mainsrch 1 3 836 2.0 M 0.1%
    50 /cgi-bin/ajaxmail 1 3 836 2.0 M 0.1%
    51 /cgi-bin/out.cgi 1 3 834 2.0 M 0.1%
    52 /cgi-bin/sse.dll 1 3 834 2.0 M 0.1%
    53 /cgi-bin/top/out 1 3 834 2.0 M 0.1%
    54 /cgi-bin/webproc 1 3 834 2.0 M 0.1%
    55 /cgi-bin/spcnweb 1 3 834 2.0 M 0.1%
    56 /cgi-bin/br5.cgi 1 3 834 2.0 M 0.1%
    57 /cgi-bin/readmsg 1 3 834 2.0 M 0.1%
    58 /cgi-bin/msglist 1 3 834 2.0 M 0.1%
    59 /cgi-bin/fg.cgi 1 3 832 2.0 M 0.1%
    60 /cgi-bin/navega 1 3 832 2.1 M 0.1%
    61 /cgi-bin/tjcgi1 1 3 832 2.1 M 0.1%
    62 /cgi-bin/webscr 1 3 832 2.1 M 0.1%
    63 /cgi-bin/login 1 3 830 2.1 M 0.1%
    64 /cgi-bin/krcgi 1 3 830 2.1 M 0.1%
    65 /cgi-bin/index 1 3 830 2.1 M 0.1%
    66 /cgi-bin/start 1 3 830 2.1 M 0.1%
    67 /cgi-bin/link 1 3 828 2.1 M 0.1%
    68 /cgi-bin/auth 1 3 828 2.1 M 0.1%
    69 /HNAP1/ 1 3 816 2.1 M 0.1%
    70 /rom-0 1 3 814 2.1 M 0.1%
    71 w1773713.iavs9x.u.avast.com 2 3 763 2.1 M 0.1%
    72 g.bing.com 10 3 660 2.1 M 0.1%
    73 k1853134.iavs9x.u.avast.com 1 2 996 2.1 M 0.1%
    74 d0782528.ivps9x.u.avast.com 1 2 811 2.1 M 0.1%
    75 vl.ff.avast.com 9 2 772 2.1 M 0.1%
    76 g.live.com

    Can anyone help me?
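    The nginx error lines above all come from one client (10.0.14.208) requesting, within seconds, a long list of well-known CGI paths that do not exist on pfSense, plus one request carrying a /../../etc/passwd traversal string. The following is an added example, not code from the thread or from pfSense, of how a defender could parse that log format and flag such a client; the log lines it runs on are constructed to match the format shown above, and the thresholds (five distinct CGI paths within 60 seconds) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# nginx error-log line as it appears in the pfSense system log (format from the thread).
LINE_RE = re.compile(
    r'^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ nginx: .*?\[error\] .*?'
    r'open\(\) "[^"]+" failed \(2: No such file or directory\), client: (?P<client>[\d.]+), '
    r'.*?request: "\S+ (?P<uri>\S+) HTTP/[\d.]+"')
# Dot-dot segments, raw or URL-encoded, anywhere in the request URI.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)|%2e%2e', re.IGNORECASE)

def parse_line(line):
    """Return (stamp, client, uri) for a 'No such file' nginx error line, else None."""
    m = LINE_RE.search(line)
    # Syslog stamps carry no year; only deltas matter here, so 1900 is fine.
    return m and (datetime.strptime(m['stamp'], '%b %d %H:%M:%S'), m['client'], m['uri'])

def analyse(lines, min_probes=5, window_seconds=60):
    """Group missing-file errors per client and flag CGI scanning and traversal."""
    per_client = defaultdict(list)
    for parsed in filter(None, map(parse_line, lines)):
        per_client[parsed[1]].append((parsed[0], parsed[2]))
    findings = {}
    for client, events in per_client.items():
        events.sort()
        uris = [u for _, u in events]
        cgi = {u.split('?')[0] for u in uris if 'cgi' in u.lower()}
        span = (events[-1][0] - events[0][0]).total_seconds()
        findings[client] = {
            'requests': len(uris),
            'traversal': [u for u in uris if TRAVERSAL_RE.search(u)],
            # Many distinct non-existent CGI paths in a short window: a scanner.
            'scanner': len(cgi) >= min_probes and span <= window_seconds,
        }
    return findings

def _log(sec, client, uri):  # constructed log line in the thread's format (test data only)
    return (f'Jun 9 10:07:{sec} pfsense.localdomain nginx: 2016/06/09 10:07:{sec} [error] 24307#0: *9{sec} '
            f'open() "/usr/local/www{uri.split("?")[0]}" failed (2: No such file or directory), '
            f'client: {client}, server: , request: "GET {uri} HTTP/1.1", host: "10.0.0.1"')

# Constructed sample modelled on the thread's excerpt; the last entry is an ordinary missing file.
SAMPLE = [
    _log('50', '10.0.14.208', '/cgi-bin/passremind'),
    _log('51', '10.0.14.208', '/cgi-bin/rshop.pl'),
    _log('53', '10.0.14.208', '/cgi-bin/sse.dll'),
    _log('55', '10.0.14.208', '/cgi-bin/tjcgi1'),
    _log('58', '10.0.14.208', '/cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page='),
    _log('12', '10.0.14.50', '/favicon.ico'),
]
```

    Running analyse(SAMPLE) reports 10.0.14.208 as a scanner with one traversal URI and leaves 10.0.14.50 unflagged; pointing it at the real nginx entries from the system log gives the per-client summary the thread is asking for.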



  • Strange.
    So not all of the squid directories have been created, right?
    If so,

    try clearing the caches, bearing in mind that doing this will delete the web reports, in case you need them:

    /usr/local/etc/rc.d/squid.sh stop

    rm -rf /var/squid/cache/

    mkdir -p /var/squid/cache/

    chown proxy:proxy /var/squid/cache/

    chmod 750 /var/squid/cache/

    squid -z

    /usr/local/etc/rc.d/squid.sh start



  • To clear the cache there is a native option in the WebGUI.



  • Ok, as soon as I run it I'll post the result.



  • Hi folks!

    After stopping the squid service, clearing the cache and restarting pfSense, all the folders were created correctly.

    I'll keep monitoring to see whether the log entries occur again or not.

    Thanks!

