Dúvida system logs

RCCruz

Boa tarde!

Tentei encontrar nos fóruns algo semelhante ao que estou procurando, mas não encontrei, caso já tenha algo semelhante peço desculpas.

Estou usando o pfsense 2.3.1 para uma rede wireless.

Recentemente o wireless começou à ficar instável, e ao analisar a rede e os logs do pfsense, identifiquei alguns logs de sistema que não consegui interpretar direito, um amigo que tem mais conhecimento me informou que era um ataque que estava sendo feito através de um host infectado.

Com essa informação em mãos, eu localizei o cliente e bloqueei o acesso. Depois disso, fui aconselhado à instalar o squid e ativar o clamav e icap. Feito isso, a rede normalizou por uns dias, porém outros logs semelhantes continuaram à ocorrer. Para evitar novas quedas e resolver a situação, gostaria de saber se alguém pode me ajudar à identificar à que se referem os logs abaixo:

Jun 9 10:08:03 pfsense.localdomain nginx: 2016/06/09 10:08:03 [error] 24307#0: 931 open() "/usr/local/www/cgi-bin/webproc" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page= HTTP/1.1", host: "10.0.0.1"
Jun 9 10:08:02 pfsense.localdomain nginx: 2016/06/09 10:08:02 [error] 24307#0: *928 open() "/usr/local/www/redir/cgi-bin/ajaxmail" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /redir/cgi-bin/ajaxmail HTTP/1.1", host: "10.0.0.1"
Jun 9 10:08:01 pfsense.localdomain nginx: 2016/06/09 10:08:01 [error] 24307#0: *927 open() "/usr/local/www/fcgi-bin/performance.fcgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /fcgi-bin/performance.fcgi HTTP/1.1", host: "10.0.0.1"
Jun 9 10:08:01 pfsense.localdomain nginx: 2016/06/09 10:08:01 [error] 24307#0: *926 open() "/usr/local/www/fcgi-bin/dispatch.fcgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /fcgi-bin/dispatch.fcgi HTTP/1.1", host: "10.0.0.1"
Jun 9 10:08:00 pfsense.localdomain nginx: 2016/06/09 10:08:00 [error] 24307#0: *925 open() "/usr/local/www/das/cgi-bin/session.cgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /das/cgi-bin/session.cgi HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:59 pfsense.localdomain nginx: 2016/06/09 10:07:59 [error] 24307#0: *924 open() "/usr/local/www/cgi-bin/wingame.pl" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/wingame.pl HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:59 pfsense.localdomain nginx: 2016/06/09 10:07:59 [error] 24307#0: *923 open() "/usr/local/www/cgi-bin/webscr" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/webscr HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:58 pfsense.localdomain nginx: 2016/06/09 10:07:58 [error] 24207#0: *922 open() "/usr/local/www/cgi-bin/webproc" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/webproc HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:57 pfsense.localdomain nginx: 2016/06/09 10:07:57 [error] 24207#0: *921 open() "/usr/local/www/cgi-bin/verify.cgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/verify.cgi HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:57 pfsense.localdomain nginx: 2016/06/09 10:07:57 [error] 24207#0: *920 open() "/usr/local/www/cgi-bin/traffic/process.fcgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/traffic/process.fcgi HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:56 pfsense.localdomain nginx: 2016/06/09 10:07:56 [error] 24307#0: *919 open() "/usr/local/www/cgi-bin/top/out" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/top/out HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:55 pfsense.localdomain nginx: 2016/06/09 10:07:55 [error] 24307#0: *918 open() "/usr/local/www/cgi-bin/tjcgi1" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/tjcgi1 HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:55 pfsense.localdomain nginx: 2016/06/09 10:07:55 [error] 24307#0: *917 open() "/usr/local/www/cgi-bin/te/o.cgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/te/o.cgi HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:54 pfsense.localdomain nginx: 2016/06/09 10:07:54 [error] 24307#0: *916 open() "/usr/local/www/cgi-bin/start" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/start HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:53 pfsense.localdomain nginx: 2016/06/09 10:07:53 [error] 24307#0: *915 open() "/usr/local/www/cgi-bin/sse.dll" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/sse.dll HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:53 pfsense.localdomain nginx: 2016/06/09 10:07:53 [error] 24307#0: *914 open() "/usr/local/www/cgi-bin/spcnweb" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/spcnweb HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:52 pfsense.localdomain nginx: 2016/06/09 10:07:52 [error] 24207#0: *913 open() "/usr/local/www/cgi-bin/search.cgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/search.cgi HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:51 pfsense.localdomain nginx: 2016/06/09 10:07:51 [error] 24207#0: *912 open() "/usr/local/www/cgi-bin/rshop.pl" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/rshop.pl HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:51 pfsense.localdomain nginx: 2016/06/09 10:07:51 [error] 24207#0: *911 open() "/usr/local/www/cgi-bin/readmsg" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/readmsg HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:50 pfsense.localdomain nginx: 2016/06/09 10:07:50 [error] 24207#0: *910 open() "/usr/local/www/cgi-bin/rbaccess/rbunxcgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/rbaccess/rbunxcgi HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:49 pfsense.localdomain nginx: 2016/06/09 10:07:49 [error] 24207#0: *909 open() "/usr/local/www/cgi-bin/rbaccess/rbcgi3m01" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/rbaccess/rbcgi3m01 HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:49 pfsense.localdomain nginx: 2016/06/09 10:07:49 [error] 24207#0: *908 open() "/usr/local/www/cgi-bin/passremind" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/passremind HTTP/1.1", host: "10.0.0.1"

No log do squidlight temos:

/cgi-bin/logout 2 7 664 1.8 M 0.3%
7 / 2 7 608 1.8 M 0.3%
8 msc.wlxrs.com 3 7 299 1.9 M 0.3%
9 z0285146.ivps9x.u.avast.com 2 6 363 1.9 M 0.2%
10 5.45.63.11 1 6 255 1.9 M 0.2%
11 crl.microsoft.com 18 5 776 1.9 M 0.2%
12 /cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page=* 1 3 962 1.9 M 0.1%
13 /cgi-bin/openwebmail/openwebmail-main.pl 1 3 882 1.9 M 0.1%
14 /cgi-bin/findweather/getForecast 1 3 866 1.9 M 0.1%
15 /cgi-bin/findweather/hdfForecast 1 3 866 1.9 M 0.1%
16 /cgi-bin/traffic/process.fcgi 1 3 860 1.9 M 0.1%
17 /cgi-bin/rbaccess/rbcgi3m01 1 3 856 1.9 M 0.1%
18 /fcgi-bin/performance.fcgi 1 3 854 1.9 M 0.1%
19 /cgi-bin/rbaccess/rbunxcgi 1 3 854 1.9 M 0.1%
20 /cgi-bin/hotspotlogin.cgi 1 3 852 1.9 M 0.1%
21 /cgi-bin/arr/index.shtml 1 3 850 1.9 M 0.1%
22 /cgi-bin/bbs/postlist.pl 1 3 850 1.9 M 0.1%
23 /cgi-bin/bp_revision.cgi 1 3 850 1.9 M 0.1%
24 /cgi-bin/ib/301_start.pl 1 3 850 1.9 M 0.1%
25 /das/cgi-bin/session.cgi 1 3 850 1.9 M 0.1%
26 /cgi-bin/bbs/postshow.pl 1 3 850 1.9 M 0.1%
27 /fcgi-bin/dispatch.fcgi 1 3 848 1.9 M 0.1%
28 /redir/cgi-bin/ajaxmail 1 3 848 1.9 M 0.1%
29 /cgi-bin/mainmenu.cgi 1 3 844 1.9 M 0.1%
30 /cgi-bin/crtr/out.cgi 1 3 844 1.9 M 0.1%
31 /cgi-bin/atx/out.cgi 1 3 842 1.9 M 0.1%
32 /cgi-bin/at3/out.cgi 1 3 842 1.9 M 0.1%
33 /cgi-bin/atc/out.cgi 1 3 842 2.0 M 0.1%
34 /cgi-bin/hslogin.cgi 1 3 842 2.0 M 0.1%
35 /cgi-bin/search.cgi 1 3 840 2.0 M 0.1%
36 /cgi-bin/a2/out.cgi 1 3 840 2.0 M 0.1%
37 /cgi-bin/frame_html 1 3 840 2.0 M 0.1%
38 /cgi-bin/clicks.cgi 1 3 840 2.0 M 0.1%
39 /cgi-bin/krcgistart 1 3 840 2.0 M 0.1%
40 /cgi-bin/verify.cgi 1 3 840 2.0 M 0.1%
41 /cgi-bin/passremind 1 3 840 2.0 M 0.1%
42 /cgi-bin/wingame.pl 1 3 840 2.0 M 0.1%
43 /cgi-bin/getattach 1 3 838 2.0 M 0.1%
44 /cgi-bin/click.cgi 1 3 838 2.0 M 0.1%
45 /cgi-bin/index.cgi 1 3 838 2.0 M 0.1%
46 /cgi-bin/login.cgi 1 3 838 2.0 M 0.1%
47 /cgi-bin/rshop.pl 1 3 836 2.0 M 0.1%
48 /cgi-bin/te/o.cgi 1 3 836 2.0 M 0.1%
49 /cgi-bin/mainsrch 1 3 836 2.0 M 0.1%
50 /cgi-bin/ajaxmail 1 3 836 2.0 M 0.1%
51 /cgi-bin/out.cgi 1 3 834 2.0 M 0.1%
52 /cgi-bin/sse.dll 1 3 834 2.0 M 0.1%
53 /cgi-bin/top/out 1 3 834 2.0 M 0.1%
54 /cgi-bin/webproc 1 3 834 2.0 M 0.1%
55 /cgi-bin/spcnweb 1 3 834 2.0 M 0.1%
56 /cgi-bin/br5.cgi 1 3 834 2.0 M 0.1%
57 /cgi-bin/readmsg 1 3 834 2.0 M 0.1%
58 /cgi-bin/msglist 1 3 834 2.0 M 0.1%
59 /cgi-bin/fg.cgi 1 3 832 2.0 M 0.1%
60 /cgi-bin/navega 1 3 832 2.1 M 0.1%
61 /cgi-bin/tjcgi1 1 3 832 2.1 M 0.1%
62 /cgi-bin/webscr 1 3 832 2.1 M 0.1%
63 /cgi-bin/login 1 3 830 2.1 M 0.1%
64 /cgi-bin/krcgi 1 3 830 2.1 M 0.1%
65 /cgi-bin/index 1 3 830 2.1 M 0.1%
66 /cgi-bin/start 1 3 830 2.1 M 0.1%
67 /cgi-bin/link 1 3 828 2.1 M 0.1%
68 /cgi-bin/auth 1 3 828 2.1 M 0.1%
69 /HNAP1/ 1 3 816 2.1 M 0.1%
70 /rom-0 1 3 814 2.1 M 0.1%
71 w1773713.iavs9x.u.avast.com 2 3 763 2.1 M 0.1%
72 g.bing.com 10 3 660 2.1 M 0.1%
73 k1853134.iavs9x.u.avast.com 1 2 996 2.1 M 0.1%
74 d0782528.ivps9x.u.avast.com 1 2 811 2.1 M 0.1%
75 vl.ff.avast.com 9 2 772 2.1 M 0.1%
76 g.live.com

Alguém pode me ajudar?

Douglas Araujo

estranho
para que não está criado todos os diretorios do squid certo
se sim

tente limpar os caches lembrando que quando fizer isso ira apagar os relatórios web caso precisa

/usr/local/etc/rc.d/squid.sh stop

rm -rf /var/squid/cache/

mkdir -p /var/squid/cache/

chown proxy:proxy /var/squid/cache/

chmod 750 /var/squid/cache/

squid -z

/usr/local/etc/rc.d/squid.sh start

tomaswaldow

Para limpar cache tem uma opção nativa na WebGUI.

RCCruz

Ok, assim que eu executar posto o resultado.

RCCruz

Ola galera!

Após parar o serviço do squid, limpar o cache e reiniciar o pfsense, todas as pastas foram criadas da forma correta.

Vou continuar monitorando para identificar se os logs ocorrem novamente ou não.

Obrigado!