I have the following overview:
14-3-2012 11:18:20 - disp=Allow, src_ip=x.x.x.135, dst_ip=66.199.232.98, dst_port=80, rcvd_bytes=246, sent_bytes=634, op=GET, dstname=mops63jger . info, arg=/i.php
14-3-2012 11:18:21 - disp=Allow, src_ip=x.x.x.135, dst_ip=66.199.232.98, dst_port=80, rcvd_bytes=23648, sent_bytes=633, op=GET, dstname=mops63jger . info, arg=/1O9K
14-3-2012 11:18:27 - disp=Deny, src_ip=x.x.x.135, dst_ip=66.199.232.98, dst_port=80, rcvd_bytes=0, sent_bytes=269, op=GET, dstname=mops63jger . info, arg=/01O9Kss (denied because of content type application/java-archive)
14-3-2012 11:18:28 - disp=Deny, src_ip=x.x.x.135, dst_ip=66.199.232.98, dst_port=80, rcvd_bytes=0, sent_bytes=195, op=GET, dstname=mops63jger . info, arg=/Applet.class (denied because of *.class)
14-3-2012 11:18:28 - disp=Deny, src_ip=x.x.x.135, dst_ip=66.199.232.98, dst_port=80, rcvd_bytes=0, sent_bytes=195, op=GET, dstname=mops63jger . info, arg=/Applet/class.class (denied because of *.class)
14-3-2012 11:20:05 - disp=Allow, src_ip=x.x.x.98, dst_ip=66.199.232.98, dst_port=80, rcvd_bytes=246, sent_bytes=634, op=GET, dstname=mops63jger . info, arg=/i.php
14-3-2012 11:20:06 - disp=Allow, src_ip=x.x.x.98, dst_ip=66.199.232.98, dst_port=80, rcvd_bytes=242, sent_bytes=633, op=GET, dstname=mops63jger . info, arg=/1O9K
- No more link on nu.nl to the exploit site. Many nu.nl visits, but no links to evil websites.
14-3-2012 11:36:31 - disp=Allow, src_ip=x.x.x.147, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=13324, sent_bytes=667, op=GET, dstname=accent6 . in, arg=/index.php?0acb5dbb36f93141b027d416261af42e (Sophos on the client detected Mal/ExpJS-N)
14-3-2012 11:40:04 - disp=Allow, src_ip=x.x.x.100, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=13424, sent_bytes=640, op=GET, dstname=accent6 . in, arg=/index.php?0acb5dbb36f93141b027d416261af42e (Sophos on the client detected Mal/ExpJS-N)
14-3-2012 11:47:15 - disp=Allow, src_ip=x.x.x.94, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=13257, sent_bytes=667, op=GET, dstname=accent6 . in, arg=/index.php?0acb5dbb36f93141b027d416261af42e (Sophos on the client detected Mal/ExpJS-N)
- The attackers continuously change the code that detects which plug-in to attack, because Sophos no longer finds anything but the attack continues.
14-3-2012 11:49:42 - disp=Allow, src_ip=x.x.x.65, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=13385, sent_bytes=667, op=GET, dstname=accent6 . in, arg=/index.php?0acb5dbb36f93141b027d416261af42e
14-3-2012 11:49:56 - disp=Deny, src_ip=x.x.x.65, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=0, sent_bytes=303, op=GET, dstname=accent6 . in, arg=//images/r/f3d091bce8d6b08df676c3bd7801e936.jar (denied because of *.jar)
14-3-2012 11:49:56 - disp=Deny, src_ip=x.x.x.65, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=0, sent_bytes=266, op=GET, dstname=accent6 . in, arg=//images/r/f3d091bce8d6b08df676c3bd7801e936.jar (denied because of *.jar)
14-3-2012 11:49:56 - disp=Deny, src_ip=x.x.x.65, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=0, sent_bytes=303, op=GET, dstname=accent6 . in, arg=//images/r/f3d091bce8d6b08df676c3bd7801e936.jar (denied because of *.jar)
14-3-2012 11:49:56 - disp=Deny, src_ip=x.x.x.65, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=0, sent_bytes=266, op=GET, dstname=accent6 . in, arg=//images/r/f3d091bce8d6b08df676c3bd7801e936.jar (denied because of *.jar)
14-3-2012 11:49:56 - disp=Deny, src_ip=x.x.x.65, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=0, sent_bytes=196, op=GET, dstname=accent6 . in, arg=/Tli/NRJKSumt.class (denied because of *.class)
14-3-2012 11:49:56 - disp=Deny, src_ip=x.x.x.65, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=0, sent_bytes=202, op=GET, dstname=accent6 . in, arg=/Tli/NRJKSumt/class.class (denied because of *.class)
14-3-2012 11:49:59 - disp=Allow, src_ip=x.x.x.55, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=13310, sent_bytes=666, op=GET, dstname=accent6 . in, arg=/index.php?0acb5dbb36f93141b027d416261af42e (only the plug-in detection script was requested, no exploit served)
14-3-2012 11:52:08 - disp=Allow, src_ip=x.x.x.25, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=13317, sent_bytes=640, op=GET, dstname=accent6 . in, arg=/index.php?0acb5dbb36f93141b027d416261af42e (only the plug-in detection script was requested, no exploit served)
14-3-2012 12:00:23 - disp=Allow, src_ip=x.x.x.66, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=13314, sent_bytes=667, op=GET, dstname=accent6 . in, arg=/index.php?0acb5dbb36f93141b027d416261af42e
14-3-2012 12:00:27 - disp=Deny, src_ip=x.x.x.66, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=0, sent_bytes=303, op=GET, dstname=accent6 . in, arg=//images/r/f3d091bce8d6b08df676c3bd7801e936.jar (denied because of *.jar)
14-3-2012 12:00:27 - disp=Deny, src_ip=x.x.x.66, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=0, sent_bytes=266, op=GET, dstname=accent6 . in, arg=//images/r/f3d091bce8d6b08df676c3bd7801e936.jar (denied because of *.jar)
14-3-2012 12:00:27 - disp=Deny, src_ip=x.x.x.66, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=0, sent_bytes=303, op=GET, dstname=accent6 . in, arg=//images/r/f3d091bce8d6b08df676c3bd7801e936.jar (denied because of *.jar)
14-3-2012 12:00:28 - disp=Deny, src_ip=x.x.x.66, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=0, sent_bytes=266, op=GET, dstname=accent6 . in, arg=//images/r/f3d091bce8d6b08df676c3bd7801e936.jar (denied because of *.jar)
14-3-2012 12:00:28 - disp=Deny, src_ip=x.x.x.66, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=0, sent_bytes=196, op=GET, dstname=accent6 . in, arg=/Tli/NRJKSumt.class (denied because of *.class)
14-3-2012 12:00:28 - disp=Deny, src_ip=x.x.x.66, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=0, sent_bytes=202, op=GET, dstname=accent6 . in, arg=/Tli/NRJKSumt/class.class (denied because of *.class)
My detection stops here, because nu.nl was added to the firewall blacklist.
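As an added example (not part of the post above), a small Python parser for this proxy-log format that flags the drive-by pattern visible in the overview: an allowed landing-page request followed, from the same client to the same host, by .jar/.class fetches. The sample lines are constructed from the post's entries, and the 60-second window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the post's proxy-log format (values mirror the post; client IPs are masked as there).
SAMPLE_LOG = """\
14-3-2012 11:18:20 - disp=Allow, src_ip=x.x.x.135, dst_ip=66.199.232.98, dst_port=80, rcvd_bytes=246, sent_bytes=634, op=GET, dstname=mops63jger . info, arg=/i.php
14-3-2012 11:18:21 - disp=Allow, src_ip=x.x.x.135, dst_ip=66.199.232.98, dst_port=80, rcvd_bytes=23648, sent_bytes=633, op=GET, dstname=mops63jger . info, arg=/1O9K
14-3-2012 11:18:28 - disp=Deny, src_ip=x.x.x.135, dst_ip=66.199.232.98, dst_port=80, rcvd_bytes=0, sent_bytes=195, op=GET, dstname=mops63jger . info, arg=/Applet.class (denied because of *.class)
14-3-2012 11:49:42 - disp=Allow, src_ip=x.x.x.65, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=13385, sent_bytes=667, op=GET, dstname=accent6 . in, arg=/index.php?0acb5dbb36f93141b027d416261af42e
14-3-2012 11:49:56 - disp=Deny, src_ip=x.x.x.65, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=0, sent_bytes=303, op=GET, dstname=accent6 . in, arg=//images/r/f3d091bce8d6b08df676c3bd7801e936.jar (denied because of *.jar)
14-3-2012 11:49:56 - disp=Deny, src_ip=x.x.x.65, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=0, sent_bytes=196, op=GET, dstname=accent6 . in, arg=/Tli/NRJKSumt.class (denied because of *.class)
14-3-2012 11:49:59 - disp=Allow, src_ip=x.x.x.55, dst_ip=188.95.50.57, dst_port=80, rcvd_bytes=13310, sent_bytes=666, op=GET, dstname=accent6 . in, arg=/index.php?0acb5dbb36f93141b027d416261af42e (only the plug-in detection script was requested)
""".splitlines()

# "<d-m-Y H:M:S> - key=value, key=value, ... [(analyst note)]"; the trailing note is not a log field.
LINE_RE = re.compile(r"^(?P<ts>\d{1,2}-\d{1,2}-\d{4} \d{2}:\d{2}:\d{2}) - (?P<kv>.*?)(?: \(.*\))?$")
PAYLOAD_RE = re.compile(r"\.(jar|class)(\?|$)", re.IGNORECASE)  # applet fetches, with or without a query string

def parse_line(line):
    """Return the fields of one log line as a dict (ts as datetime), or None for non-log text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%d-%m-%Y %H:%M:%S")}
    for field in m.group("kv").split(", "):
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def find_exploit_chains(lines, window=timedelta(seconds=60)):
    """Per (client, host): an allowed landing-page request followed within `window` by applet fetches."""
    by_client = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_client[(rec["src_ip"], rec["dstname"])].append(rec)
    findings = []
    for (src, host), recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, landing in enumerate(recs):
            if landing["disp"] != "Allow" or PAYLOAD_RE.search(landing["arg"]):
                continue  # only an allowed, non-payload request can be the landing page
            payloads = [r for r in recs[i + 1:]
                        if r["ts"] - landing["ts"] <= window and PAYLOAD_RE.search(r["arg"])]
            if payloads:
                findings.append({"src_ip": src, "dstname": host, "landing": landing["arg"],
                                 "payloads": [r["arg"] for r in payloads],
                                 "all_blocked": all(r["disp"] == "Deny" for r in payloads)})
                break  # one finding per client/host pair is enough for triage
    return findings
```

The allowed /1O9K fetch (23648 bytes, no extension) is invisible to an extension rule like this one, which is why the content-type deny on application/java-archive mentioned in the post matters as a second layer.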