Netgate Discussion Forum
Question about system logs


RCCruz

Good afternoon!

I tried to find something similar to what I am looking for in the forums, but I didn't find anything; if something similar already exists, I apologize.

I am using pfSense 2.3.1 for a wireless network.

Recently the wireless started to become unstable, and when analyzing the network and the pfSense logs, I identified some system logs that I could not interpret properly. A friend who has more knowledge told me it was an attack being carried out through an infected host.

With that information in hand, I located the client and blocked its access. After that, I was advised to install squid and enable clamav and icap. Once that was done, the network returned to normal for a few days, but other similar logs kept occurring. To avoid new outages and resolve the situation, I would like to know if anyone can help me identify what the logs below refer to:

      Jun 9 10:08:03 pfsense.localdomain nginx: 2016/06/09 10:08:03 [error] 24307#0: 931 open() "/usr/local/www/cgi-bin/webproc" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page= HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:08:02 pfsense.localdomain nginx: 2016/06/09 10:08:02 [error] 24307#0: *928 open() "/usr/local/www/redir/cgi-bin/ajaxmail" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /redir/cgi-bin/ajaxmail HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:08:01 pfsense.localdomain nginx: 2016/06/09 10:08:01 [error] 24307#0: *927 open() "/usr/local/www/fcgi-bin/performance.fcgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /fcgi-bin/performance.fcgi HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:08:01 pfsense.localdomain nginx: 2016/06/09 10:08:01 [error] 24307#0: *926 open() "/usr/local/www/fcgi-bin/dispatch.fcgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /fcgi-bin/dispatch.fcgi HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:08:00 pfsense.localdomain nginx: 2016/06/09 10:08:00 [error] 24307#0: *925 open() "/usr/local/www/das/cgi-bin/session.cgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /das/cgi-bin/session.cgi HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:07:59 pfsense.localdomain nginx: 2016/06/09 10:07:59 [error] 24307#0: *924 open() "/usr/local/www/cgi-bin/wingame.pl" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/wingame.pl HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:07:59 pfsense.localdomain nginx: 2016/06/09 10:07:59 [error] 24307#0: *923 open() "/usr/local/www/cgi-bin/webscr" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/webscr HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:07:58 pfsense.localdomain nginx: 2016/06/09 10:07:58 [error] 24207#0: *922 open() "/usr/local/www/cgi-bin/webproc" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/webproc HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:07:57 pfsense.localdomain nginx: 2016/06/09 10:07:57 [error] 24207#0: *921 open() "/usr/local/www/cgi-bin/verify.cgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/verify.cgi HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:07:57 pfsense.localdomain nginx: 2016/06/09 10:07:57 [error] 24207#0: *920 open() "/usr/local/www/cgi-bin/traffic/process.fcgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/traffic/process.fcgi HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:07:56 pfsense.localdomain nginx: 2016/06/09 10:07:56 [error] 24307#0: *919 open() "/usr/local/www/cgi-bin/top/out" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/top/out HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:07:55 pfsense.localdomain nginx: 2016/06/09 10:07:55 [error] 24307#0: *918 open() "/usr/local/www/cgi-bin/tjcgi1" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/tjcgi1 HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:07:55 pfsense.localdomain nginx: 2016/06/09 10:07:55 [error] 24307#0: *917 open() "/usr/local/www/cgi-bin/te/o.cgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/te/o.cgi HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:07:54 pfsense.localdomain nginx: 2016/06/09 10:07:54 [error] 24307#0: *916 open() "/usr/local/www/cgi-bin/start" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/start HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:07:53 pfsense.localdomain nginx: 2016/06/09 10:07:53 [error] 24307#0: *915 open() "/usr/local/www/cgi-bin/sse.dll" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/sse.dll HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:07:53 pfsense.localdomain nginx: 2016/06/09 10:07:53 [error] 24307#0: *914 open() "/usr/local/www/cgi-bin/spcnweb" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/spcnweb HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:07:52 pfsense.localdomain nginx: 2016/06/09 10:07:52 [error] 24207#0: *913 open() "/usr/local/www/cgi-bin/search.cgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/search.cgi HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:07:51 pfsense.localdomain nginx: 2016/06/09 10:07:51 [error] 24207#0: *912 open() "/usr/local/www/cgi-bin/rshop.pl" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/rshop.pl HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:07:51 pfsense.localdomain nginx: 2016/06/09 10:07:51 [error] 24207#0: *911 open() "/usr/local/www/cgi-bin/readmsg" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/readmsg HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:07:50 pfsense.localdomain nginx: 2016/06/09 10:07:50 [error] 24207#0: *910 open() "/usr/local/www/cgi-bin/rbaccess/rbunxcgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/rbaccess/rbunxcgi HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:07:49 pfsense.localdomain nginx: 2016/06/09 10:07:49 [error] 24207#0: *909 open() "/usr/local/www/cgi-bin/rbaccess/rbcgi3m01" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/rbaccess/rbcgi3m01 HTTP/1.1", host: "10.0.0.1"
      Jun 9 10:07:49 pfsense.localdomain nginx: 2016/06/09 10:07:49 [error] 24207#0: *908 open() "/usr/local/www/cgi-bin/passremind" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/passremind HTTP/1.1", host: "10.0.0.1"

In the squidlight log we have:

      /cgi-bin/logout 2 7 664 1.8 M 0.3%
      7 / 2 7 608 1.8 M 0.3%
      8 msc.wlxrs.com 3 7 299 1.9 M 0.3%
      9 z0285146.ivps9x.u.avast.com 2 6 363 1.9 M 0.2%
      10 5.45.63.11 1 6 255 1.9 M 0.2%
      11 crl.microsoft.com 18 5 776 1.9 M 0.2%
      12 /cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page=* 1 3 962 1.9 M 0.1%
      13 /cgi-bin/openwebmail/openwebmail-main.pl 1 3 882 1.9 M 0.1%
      14 /cgi-bin/findweather/getForecast 1 3 866 1.9 M 0.1%
      15 /cgi-bin/findweather/hdfForecast 1 3 866 1.9 M 0.1%
      16 /cgi-bin/traffic/process.fcgi 1 3 860 1.9 M 0.1%
      17 /cgi-bin/rbaccess/rbcgi3m01 1 3 856 1.9 M 0.1%
      18 /fcgi-bin/performance.fcgi 1 3 854 1.9 M 0.1%
      19 /cgi-bin/rbaccess/rbunxcgi 1 3 854 1.9 M 0.1%
      20 /cgi-bin/hotspotlogin.cgi 1 3 852 1.9 M 0.1%
      21 /cgi-bin/arr/index.shtml 1 3 850 1.9 M 0.1%
      22 /cgi-bin/bbs/postlist.pl 1 3 850 1.9 M 0.1%
      23 /cgi-bin/bp_revision.cgi 1 3 850 1.9 M 0.1%
      24 /cgi-bin/ib/301_start.pl 1 3 850 1.9 M 0.1%
      25 /das/cgi-bin/session.cgi 1 3 850 1.9 M 0.1%
      26 /cgi-bin/bbs/postshow.pl 1 3 850 1.9 M 0.1%
      27 /fcgi-bin/dispatch.fcgi 1 3 848 1.9 M 0.1%
      28 /redir/cgi-bin/ajaxmail 1 3 848 1.9 M 0.1%
      29 /cgi-bin/mainmenu.cgi 1 3 844 1.9 M 0.1%
      30 /cgi-bin/crtr/out.cgi 1 3 844 1.9 M 0.1%
      31 /cgi-bin/atx/out.cgi 1 3 842 1.9 M 0.1%
      32 /cgi-bin/at3/out.cgi 1 3 842 1.9 M 0.1%
      33 /cgi-bin/atc/out.cgi 1 3 842 2.0 M 0.1%
      34 /cgi-bin/hslogin.cgi 1 3 842 2.0 M 0.1%
      35 /cgi-bin/search.cgi 1 3 840 2.0 M 0.1%
      36 /cgi-bin/a2/out.cgi 1 3 840 2.0 M 0.1%
      37 /cgi-bin/frame_html 1 3 840 2.0 M 0.1%
      38 /cgi-bin/clicks.cgi 1 3 840 2.0 M 0.1%
      39 /cgi-bin/krcgistart 1 3 840 2.0 M 0.1%
      40 /cgi-bin/verify.cgi 1 3 840 2.0 M 0.1%
      41 /cgi-bin/passremind 1 3 840 2.0 M 0.1%
      42 /cgi-bin/wingame.pl 1 3 840 2.0 M 0.1%
      43 /cgi-bin/getattach 1 3 838 2.0 M 0.1%
      44 /cgi-bin/click.cgi 1 3 838 2.0 M 0.1%
      45 /cgi-bin/index.cgi 1 3 838 2.0 M 0.1%
      46 /cgi-bin/login.cgi 1 3 838 2.0 M 0.1%
      47 /cgi-bin/rshop.pl 1 3 836 2.0 M 0.1%
      48 /cgi-bin/te/o.cgi 1 3 836 2.0 M 0.1%
      49 /cgi-bin/mainsrch 1 3 836 2.0 M 0.1%
      50 /cgi-bin/ajaxmail 1 3 836 2.0 M 0.1%
      51 /cgi-bin/out.cgi 1 3 834 2.0 M 0.1%
      52 /cgi-bin/sse.dll 1 3 834 2.0 M 0.1%
      53 /cgi-bin/top/out 1 3 834 2.0 M 0.1%
      54 /cgi-bin/webproc 1 3 834 2.0 M 0.1%
      55 /cgi-bin/spcnweb 1 3 834 2.0 M 0.1%
      56 /cgi-bin/br5.cgi 1 3 834 2.0 M 0.1%
      57 /cgi-bin/readmsg 1 3 834 2.0 M 0.1%
      58 /cgi-bin/msglist 1 3 834 2.0 M 0.1%
      59 /cgi-bin/fg.cgi 1 3 832 2.0 M 0.1%
      60 /cgi-bin/navega 1 3 832 2.1 M 0.1%
      61 /cgi-bin/tjcgi1 1 3 832 2.1 M 0.1%
      62 /cgi-bin/webscr 1 3 832 2.1 M 0.1%
      63 /cgi-bin/login 1 3 830 2.1 M 0.1%
      64 /cgi-bin/krcgi 1 3 830 2.1 M 0.1%
      65 /cgi-bin/index 1 3 830 2.1 M 0.1%
      66 /cgi-bin/start 1 3 830 2.1 M 0.1%
      67 /cgi-bin/link 1 3 828 2.1 M 0.1%
      68 /cgi-bin/auth 1 3 828 2.1 M 0.1%
      69 /HNAP1/ 1 3 816 2.1 M 0.1%
      70 /rom-0 1 3 814 2.1 M 0.1%
      71 w1773713.iavs9x.u.avast.com 2 3 763 2.1 M 0.1%
      72 g.bing.com 10 3 660 2.1 M 0.1%
      73 k1853134.iavs9x.u.avast.com 1 2 996 2.1 M 0.1%
      74 d0782528.ivps9x.u.avast.com 1 2 811 2.1 M 0.1%
      75 vl.ff.avast.com 9 2 772 2.1 M 0.1%
      76 g.live.com

Can anyone help me?

Douglas Araujo
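The nginx lines above all come from one client requesting, within a few seconds, dozens of CGI paths that do not exist on pfSense, plus one request carrying `../../etc/passwd`, which is the signature of an automated web-vulnerability scan rather than legitimate use. As an added example (not code from the thread or from pfSense), the following Python parses the nginx "open() ... failed" format shown in the post and flags a client that hits many distinct missing CGI paths in a short window, or sends a traversal indicator. The sample log is constructed from a handful of the thread's own lines plus one invented benign request from another address; the window size, threshold and probe-path patterns are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the body of an nginx error-log "open() ... failed" line as pfSense
# writes it to the system log. The syslog prefix before the date is skipped
# because .search() is used. The connection counter is usually "*NNN"; one
# line in the thread shows it without the "*", so the "*" is optional.
NGINX_OPEN_FAILED = re.compile(
    r'(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*?\d+ '
    r'open\(\) "(?P<path>[^"]*)" failed \((?P<reason>[^)]*)\), '
    r'client: (?P<client>[0-9a-fA-F.:]+), server: (?P<server>[^,]*), '
    r'request: "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[0-9.]+", host: "(?P<host>[^"]*)"'
)

# Path shapes typical of generic CGI / router-probe scans (assumed list; all of
# these appear in the thread's nginx and squid output).
PROBE_PATTERN = re.compile(r"/f?cgi-bin/|^/HNAP1/|^/rom-0")


def is_traversal(uri: str) -> bool:
    """Directory-traversal or sensitive-file indicator in the raw URI."""
    u = uri.lower()
    return "../" in u or "%2e%2e" in u or "/etc/passwd" in u


def parse_line(line: str):
    """Return a dict of fields for an nginx open() failure line, else None."""
    m = NGINX_OPEN_FAILED.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    return rec


def analyze(lines, window_seconds=60, threshold=5):
    """Group missing-file errors per client and flag scanner-like behaviour.

    A client gets the finding 'cgi-scan' when it requests at least `threshold`
    distinct non-existent probe paths inside any `window_seconds` window, and
    'traversal' when any of its requests carries a traversal indicator.
    """
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["reason"].startswith("2:"):  # errno 2 = file not found
            per_client[rec["client"]].append(rec)

    report = {}
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        probes = [r for r in recs if PROBE_PATTERN.search(r["uri"])]
        traversal = sorted({r["uri"] for r in recs if is_traversal(r["uri"])})

        # Sliding window over probe timestamps: most distinct URIs in any window.
        best = 0
        for i, start in enumerate(probes):
            seen = set()
            for r in probes[i:]:
                if (r["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                seen.add(r["uri"])
            best = max(best, len(seen))

        findings = []
        if best >= threshold:
            findings.append("cgi-scan")
        if traversal:
            findings.append("traversal")
        report[client] = {
            "missing_files": len(recs),
            "max_probes_in_window": best,
            "traversal_uris": traversal,
            "findings": findings,
        }
    return report


# Constructed sample: six lines taken from the thread (client 10.0.14.208) and
# one invented benign 404 from a different client, 10.0.14.50.
SAMPLE_LOG = """
Jun 9 10:08:03 pfsense.localdomain nginx: 2016/06/09 10:08:03 [error] 24307#0: 931 open() "/usr/local/www/cgi-bin/webproc" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page= HTTP/1.1", host: "10.0.0.1"
Jun 9 10:08:02 pfsense.localdomain nginx: 2016/06/09 10:08:02 [error] 24307#0: *928 open() "/usr/local/www/redir/cgi-bin/ajaxmail" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /redir/cgi-bin/ajaxmail HTTP/1.1", host: "10.0.0.1"
Jun 9 10:08:01 pfsense.localdomain nginx: 2016/06/09 10:08:01 [error] 24307#0: *927 open() "/usr/local/www/fcgi-bin/performance.fcgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /fcgi-bin/performance.fcgi HTTP/1.1", host: "10.0.0.1"
Jun 9 10:08:00 pfsense.localdomain nginx: 2016/06/09 10:08:00 [error] 24307#0: *925 open() "/usr/local/www/das/cgi-bin/session.cgi" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /das/cgi-bin/session.cgi HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:58 pfsense.localdomain nginx: 2016/06/09 10:07:58 [error] 24207#0: *922 open() "/usr/local/www/cgi-bin/webproc" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/webproc HTTP/1.1", host: "10.0.0.1"
Jun 9 10:07:49 pfsense.localdomain nginx: 2016/06/09 10:07:49 [error] 24207#0: *908 open() "/usr/local/www/cgi-bin/passremind" failed (2: No such file or directory), client: 10.0.14.208, server: , request: "GET /cgi-bin/passremind HTTP/1.1", host: "10.0.0.1"
Jun 9 10:09:10 pfsense.localdomain nginx: 2016/06/09 10:09:10 [error] 24307#0: *940 open() "/usr/local/www/favicon.ico" failed (2: No such file or directory), client: 10.0.14.50, server: , request: "GET /favicon.ico HTTP/1.1", host: "10.0.0.1"
""".strip()

if __name__ == "__main__":
    for client, info in analyze(SAMPLE_LOG.splitlines()).items():
        print(client, info)
```

On the sample the scanning client is reported with both findings and the benign client with none; in practice the same logic can be run over `/var/log/nginx/error.log` (or the system log on pfSense) to turn the noise into a short per-client list, and a client that trips it is a candidate for isolation and cleanup on the LAN side, which is what the original poster ended up doing by hand.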

Strange.
It looks like not all of the squid directories have been created, right?
If so,

try clearing the caches, bearing in mind that doing this will delete the web reports, in case you need them:

        /usr/local/etc/rc.d/squid.sh stop

        rm -rf /var/squid/cache/

        mkdir -p /var/squid/cache/

        chown proxy:proxy /var/squid/cache/

        chmod 750 /var/squid/cache/

        squid -z

        /usr/local/etc/rc.d/squid.sh start

        Network Administrator Linux and Windows


tomaswaldow

There is a native option in the WebGUI for clearing the cache.

          Tomas @ 2W Consultoria


RCCruz

OK, as soon as I run it I will post the result.


RCCruz

Hi everyone!

After stopping the squid service, clearing the cache and restarting pfSense, all the folders were created correctly.

I will keep monitoring to see whether the logs occur again or not.

Thank you!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.