Is this an attempt to get a shell? And from a Baidu IP, no less

2017-07-26 15:11:29 +08:00
 Hardrain

I was checking my server logs today and found the following:

180.76.138.179 - - [23/Jul/2017:05:15:06 +0000] "GET / HTTP/1.1" 301 481 "http://hardrain980.com/" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:07 +0000] "GET / HTTP/1.1" 200 46301 "http://hardrain980.com/" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:09 +0000] "POST //plus/spider.php HTTP/1.1" 301 510 "http://hardrain980.com//plus/spider.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:09 +0000] "GET /plus/spider.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/spider.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:10 +0000] "POST //plus/e7xue.php HTTP/1.1" 301 508 "http://hardrain980.com//plus/e7xue.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:10 +0000] "GET /plus/e7xue.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/e7xue.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:11 +0000] "POST //plus/mycak.php HTTP/1.1" 301 508 "http://hardrain980.com//plus/mycak.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:11 +0000] "GET /plus/mycak.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mycak.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:12 +0000] "POST //sitemap/templates/met/SqlIn.asp HTTP/1.1" 301 542 "http://hardrain980.com//sitemap/templates/met/SqlIn.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:13 +0000] "GET /sitemap/templates/met/SqlIn.asp HTTP/1.1" 404 28028 "http://hardrain980.com//sitemap/templates/met/SqlIn.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:14 +0000] "POST //plus/mybak.php HTTP/1.1" 301 508 "http://hardrain980.com//plus/mybak.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:14 +0000] "GET /plus/mybak.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mybak.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:15 +0000] "POST //plus/x.php HTTP/1.1" 301 500 "http://hardrain980.com//plus/x.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:15 +0000] "GET /plus/x.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/x.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:16 +0000] "POST //plus/service.php HTTP/1.1" 301 512 "http://hardrain980.com//plus/service.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:17 +0000] "GET /plus/service.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/service.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:18 +0000] "POST //plus/av.php HTTP/1.1" 301 502 "http://hardrain980.com//plus/av.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:18 +0000] "GET /plus/av.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/av.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:19 +0000] "POST //plus/mytag_js.php?aid=511348 HTTP/1.1" 301 536 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:19 +0000] "GET /plus/mytag_js.php?aid=511348 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:20 +0000] "POST //plus/mytag_js.php?aid=511348 HTTP/1.1" 301 536 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:21 +0000] "GET /plus/mytag_js.php?aid=511348 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:22 +0000] "POST //plus/mytag_js.php?aid=511348 HTTP/1.1" 301 536 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:22 +0000] "GET /plus/mytag_js.php?aid=511348 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:23 +0000] "POST //lang/cn/system.php HTTP/1.1" 301 516 "http://hardrain980.com//lang/cn/system.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:23 +0000] "GET /lang/cn/system.php HTTP/1.1" 404 28028 "http://hardrain980.com//lang/cn/system.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:24 +0000] "POST //config/AspCms_Config.asp HTTP/1.1" 301 528 "http://hardrain980.com//config/AspCms_Config.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:25 +0000] "GET /config/AspCms_Config.asp HTTP/1.1" 404 28028 "http://hardrain980.com//config/AspCms_Config.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:26 +0000] "POST //admin_login.php HTTP/1.1" 301 510 "http://hardrain980.com//admin_login.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:26 +0000] "GET /admin_login.php HTTP/1.1" 404 28028 "http://hardrain980.com//admin_login.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:27 +0000] "POST //Templates/red.asp HTTP/1.1" 301 514 "http://hardrain980.com//Templates/red.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:27 +0000] "GET /Templates/red.asp HTTP/1.1" 404 28028 "http://hardrain980.com//Templates/red.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:28 +0000] "POST //plus/mytag_js.php?aid=8080 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:29 +0000] "GET /plus/mytag_js.php?aid=8080 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
207.46.13.102 - - [23/Jul/2017:05:15:30 +0000] "GET /sitemap.xml HTTP/1.1" 200 4187 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
180.76.138.179 - - [23/Jul/2017:05:15:31 +0000] "POST //plus/mytag_js.php?aid=8080 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:31 +0000] "GET /plus/mytag_js.php?aid=8080 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:32 +0000] "POST //plus/mytag_js.php?aid=8080 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:33 +0000] "GET /plus/mytag_js.php?aid=8080 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:35 +0000] "POST //images/swfupload/images/uploadye.php HTTP/1.1" 301 552 "http://hardrain980.com//images/swfupload/images/uploadye.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:35 +0000] "GET /images/swfupload/images/uploadye.php HTTP/1.1" 404 28028 "http://hardrain980.com//images/swfupload/images/uploadye.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:38 +0000] "POST //utility/convert/data/config.inc.php HTTP/1.1" 301 550 "http://hardrain980.com//utility/convert/data/config.inc.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:38 +0000] "GET /utility/convert/data/config.inc.php HTTP/1.1" 404 28028 "http://hardrain980.com//utility/convert/data/config.inc.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:39 +0000] "POST //config/AspCms_Config.asp HTTP/1.1" 301 528 "http://hardrain980.com//config/AspCms_Config.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:39 +0000] "GET /config/AspCms_Config.asp HTTP/1.1" 404 28028 "http://hardrain980.com//config/AspCms_Config.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:40 +0000] "POST //plus/mytag_js.php?aid=9090 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:41 +0000] "GET /plus/mytag_js.php?aid=9090 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:42 +0000] "POST //plus/mytag_js.php?aid=9090 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:42 +0000] "GET /plus/mytag_js.php?aid=9090 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:43 +0000] "POST //plus/mytag_js.php?aid=9090 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:44 +0000] "GET /plus/mytag_js.php?aid=9090 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:45 +0000] "POST //plus/bakup.hp HTTP/1.1" 301 506 "http://hardrain980.com//plus/bakup.hp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:45 +0000] "GET /plus/bakup.hp HTTP/1.1" 404 28028 "http://hardrain980.com//plus/bakup.hp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:48 +0000] "POST //include/code/mp.php HTTP/1.1" 301 518 "http://hardrain980.com//include/code/mp.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:48 +0000] "GET /include/code/mp.php HTTP/1.1" 404 28028 "http://hardrain980.com//include/code/mp.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:49 +0000] "POST //plus/laobiao.php HTTP/1.1" 301 512 "http://hardrain980.com//plus/laobiao.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:49 +0000] "GET /plus/laobiao.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/laobiao.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:50 +0000] "POST //plus/mytag_js.php?aid=6022 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=6022" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:51 +0000] "GET /plus/mytag_js.php?aid=6022 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=6022" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:55 +0000] "POST //book/story_dod_hjkdsafon.php HTTP/1.1" 301 536 "http://hardrain980.com//book/story_dod_hjkdsafon.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:56 +0000] "GET /book/story_dod_hjkdsafon.php HTTP/1.1" 404 28028 "http://hardrain980.com//book/story_dod_hjkdsafon.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:57 +0000] "POST //data/s.asp HTTP/1.1" 301 500 "http://hardrain980.com//data/s.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:57 +0000] "GET /data/s.asp HTTP/1.1" 404 28028 "http://hardrain980.com//data/s.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:58 +0000] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:59 +0000] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"

This 180.76 IP POSTed to a lot of non-existent paths, and after each POST it usually GETs the same path. I Googled a few of the PHP paths and found they are basically DedeCMS (织梦) vulnerabilities that can be used to get a shell. On top of that there is a pile of .asp / .aspx paths.

Most importantly, a lookup on ipip.net shows this is a Baidu IP. Is someone using Baidu Cloud (the cloud-computing service, not the network drive) to scan for shells?

5133 views
Node: Q&A
10 replies
Hardrain
2017-07-26 15:18:54 +08:00
Addendum: log format
IP address, login name ×2 (the two "-"), time, HTTP request, HTTP status code, bytes sent, HTTP referer, UA
wql
2017-07-26 15:23:22 +08:00
It's Baidu Cloud, not Baidu itself. Look up the rDNS records for the IPs in the same /24 (C-class) range, for example http://bgp.he.net/net/180.76.128.0/18#_dns, and you'll see what's going on.
I've added that IP range to my deny list...
millken
2017-07-26 15:27:24 +08:00
Probably 百度云观测 (Baidu Cloud Observation).
Hardrain
2017-07-26 15:32:46 +08:00
@wql I blocked this IP, but I didn't block the whole /24 range.
Also, I think I should have the WAF block every request ending in asp / aspx, since no part of my site is written in ASP.
wql
2017-07-26 15:37:26 +08:00
@Hardrain If you add powered-by: ASP to your headers, that would actually confuse the attackers...
Hardrain
2017-07-26 15:45:40 +08:00
@wql A WordPress with X-Powered-By: ASP.Net/*
Unbelievable.
ArcticL
2017-07-26 17:06:05 +08:00
Obvious vulnerability-scanner behaviour. On the WAF you can set a policy based on response codes: a client that makes lots of requests returning 404 just gets banned~ PS: to be safe, observe first..
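The following is an added example, not code from the thread or from any of its posters. It implements the two things discussed above in Python: a parser for the combined log format Hardrain describes (ip, two "-", time, request, status, bytes, referer, UA) and the detection ArcticL suggests, flagging a client that produces a burst of 404 responses and, as a secondary signal, the POST-then-GET-same-path pattern the original post noticed. The sample log lines, the documentation-range IP addresses, the thresholds and the helper names are all my own constructions; tune the thresholds against your own traffic before turning the output into deny rules.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field layout as described in the thread (nginx/Apache "combined" format):
# ip - - [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def max_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside any single window."""
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def find_scanners(lines, window=timedelta(seconds=60), min_404=5, min_ratio=0.5):
    """Return {ip: summary} for clients whose 404 burst and 404 ratio exceed the thresholds.

    min_ratio defaults to 0.5 because the double-slash probes in the thread produce a
    301 for every 404, so even a pure scanner only reaches about half 404s (assumption).
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        misses = [r for r in recs if r["status"] == 404]
        if not misses:
            continue
        burst = max_in_window([r["time"] for r in misses], window)
        ratio = len(misses) / len(recs)
        # Secondary signal: a POST immediately followed by a GET of the same path
        # (leading slashes normalised, since the POST used "//" and the GET "/").
        paired = sum(
            1 for a, b in zip(recs, recs[1:])
            if a["method"] == "POST" and b["method"] == "GET"
            and a["path"].lstrip("/") == b["path"].lstrip("/")
        )
        if burst >= min_404 and ratio >= min_ratio:
            flagged[ip] = {
                "misses": len(misses), "total": len(recs), "burst": burst,
                "ratio": round(ratio, 2), "post_get_pairs": paired,
                "paths": sorted({r["path"] for r in misses}),
            }
    return flagged


def nginx_deny_rules(flagged):
    """Render flagged IPs as nginx 'deny' directives for an include file."""
    return [f"deny {ip};" for ip in sorted(flagged)]


# --- Constructed sample log (not from the thread); 203.0.113.0/24 and
# --- 198.51.100.0/24 are documentation ranges, the paths are made up.
SCANNER_UA = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
CRAWLER_UA = "Mozilla/5.0 (compatible; examplebot/1.0)"


def _line(ip, sec, method, path, status, size, ua):
    return (f'{ip} - - [23/Jul/2017:05:15:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} {size} "-" "{ua}"')


SAMPLE_LOG = []
for i, p in enumerate(["/plus/a.php", "/plus/b.php", "/config/c.asp",
                       "/admin_login.php", "/plus/d.php", "/data/e.asp"]):
    SAMPLE_LOG.append(_line("203.0.113.5", 10 + 2 * i, "POST", "/" + p, 301, 510, SCANNER_UA))
    SAMPLE_LOG.append(_line("203.0.113.5", 11 + 2 * i, "GET", p, 404, 28028, SCANNER_UA))
SAMPLE_LOG.append(_line("198.51.100.7", 30, "GET", "/sitemap.xml", 200, 4187, CRAWLER_UA))
SAMPLE_LOG.append(_line("198.51.100.9", 40, "GET", "/", 200, 46301, "Mozilla/5.0"))
SAMPLE_LOG.append(_line("198.51.100.9", 41, "GET", "/favicon.ico", 404, 28028, "Mozilla/5.0"))
SAMPLE_LOG.append(_line("198.51.100.9", 42, "GET", "/about/", 200, 12000, "Mozilla/5.0"))

if __name__ == "__main__":
    hits = find_scanners(SAMPLE_LOG)
    for ip, summary in hits.items():
        print(ip, summary)
    print("\n".join(nginx_deny_rules(hits)))
```

On the sample data only 203.0.113.5 is flagged: six 404s inside one minute, a 50% 404 ratio and six POST/GET pairs, while the crawler and the ordinary visitor with a single missing favicon stay below the thresholds. Feeding the output into an nginx include that is reloaded periodically gives the "observe first, then ban" workflow ArcticL recommends.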
msg7086
2017-07-27 08:25:18 +08:00
@wql My nginx servers all identify themselves as IIS anyway...
Hardrain
2017-07-27 11:36:20 +08:00
@ArcticL Actually, the vulnerabilities it is scanning for don't seem like much of a threat (apart from eating server resources),

because I don't use any of the CMSes those "scanned vulnerabilities" belong to at all.
googlefans
2023-05-26 17:48:56 +08:00
How was this resolved in the end?

https://www.v2ex.com/t/378103