在公司服务上发现木马，服务器开启了日志，记录到了入侵者的 IP，怎么请他喝茶？

V2EX = way to explore

V2EX 是一个关于分享和探索的地方

现在注册

已注册用户请登录

这是一个创建于 3954 天前的主题，其中的信息可能已经有所发展或是发生改变。

详细访问日志：

12-31 11:01:45 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 64 82586
12-31 11:01:45 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 64 51870
12-31 11:01:45 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 0 9781

12-31 12:03:29 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 0 62
12-31 12:03:30 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 0 62
12-31 12:03:32 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 0 62

12-31 14:07:05 POST /.m/static/img/static.aspx - 80 - 219.135.67.177 Baiduspider 200 0 0 78
12-31 14:07:08 POST /.m/static/img/static.aspx - 80 - 219.135.67.177 Baiduspider 200 0 0 46

12-31 23:02:36 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 1918
12-31 23:03:01 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 93
12-31 23:03:05 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 62
12-31 23:03:07 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 78
12-31 23:03:10 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 109

12-31 23:08:06 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 109
12-31 23:08:08 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 62
12-31 23:08:11 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 78
12-31 23:08:13 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 78
12-31 23:08:15 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 93

12-31 23:25:14 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 78
12-31 23:25:17 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 78
12-31 23:25:19 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 468

01-02 00:47:59 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 64 58858
01-02 00:48:00 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 18002

01-02 01:05:11 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62
01-02 01:05:14 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62
01-02 01:05:17 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62
01-02 01:05:24 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 5101
01-02 01:05:27 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62
01-02 01:05:29 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62
01-02 01:05:34 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 78
01-02 01:05:44 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62

01-02 03:12:41 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 3213
01-02 03:12:32 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 218

01-02 23:57:35 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0 717
01-02 23:56:16 POST /.m/static/img/static.aspx - 80 - 14.123.240.85 Baiduspider 404 0 64 23446

01-03 00:03:01 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0 6427
01-03 00:03:26 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0 2854
01-03 00:38:42 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0 1294
01-03 00:38:44 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0 202
01-03 00:38:46 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0

第 1 条附言 · 2015-01-03 20:14:28 +08:00

这些文件之前服务器上是没有的，
我已经确认是入侵者上传的木马

post

Baiduspider

日志

20 条回复 • 2015-01-04 21:46:16 +08:00