Checked the server logs today and found the following:
180.76.138.179 - - [23/Jul/2017:05:15:06 +0000] "GET / HTTP/1.1" 301 481 "http://hardrain980.com/" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:07 +0000] "GET / HTTP/1.1" 200 46301 "http://hardrain980.com/" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:09 +0000] "POST //plus/spider.php HTTP/1.1" 301 510 "http://hardrain980.com//plus/spider.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:09 +0000] "GET /plus/spider.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/spider.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:10 +0000] "POST //plus/e7xue.php HTTP/1.1" 301 508 "http://hardrain980.com//plus/e7xue.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:10 +0000] "GET /plus/e7xue.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/e7xue.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:11 +0000] "POST //plus/mycak.php HTTP/1.1" 301 508 "http://hardrain980.com//plus/mycak.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:11 +0000] "GET /plus/mycak.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mycak.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:12 +0000] "POST //sitemap/templates/met/SqlIn.asp HTTP/1.1" 301 542 "http://hardrain980.com//sitemap/templates/met/SqlIn.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:13 +0000] "GET /sitemap/templates/met/SqlIn.asp HTTP/1.1" 404 28028 "http://hardrain980.com//sitemap/templates/met/SqlIn.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:14 +0000] "POST //plus/mybak.php HTTP/1.1" 301 508 "http://hardrain980.com//plus/mybak.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:14 +0000] "GET /plus/mybak.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mybak.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:15 +0000] "POST //plus/x.php HTTP/1.1" 301 500 "http://hardrain980.com//plus/x.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:15 +0000] "GET /plus/x.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/x.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:16 +0000] "POST //plus/service.php HTTP/1.1" 301 512 "http://hardrain980.com//plus/service.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:17 +0000] "GET /plus/service.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/service.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:18 +0000] "POST //plus/av.php HTTP/1.1" 301 502 "http://hardrain980.com//plus/av.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:18 +0000] "GET /plus/av.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/av.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:19 +0000] "POST //plus/mytag_js.php?aid=511348 HTTP/1.1" 301 536 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:19 +0000] "GET /plus/mytag_js.php?aid=511348 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:20 +0000] "POST //plus/mytag_js.php?aid=511348 HTTP/1.1" 301 536 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:21 +0000] "GET /plus/mytag_js.php?aid=511348 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:22 +0000] "POST //plus/mytag_js.php?aid=511348 HTTP/1.1" 301 536 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:22 +0000] "GET /plus/mytag_js.php?aid=511348 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:23 +0000] "POST //lang/cn/system.php HTTP/1.1" 301 516 "http://hardrain980.com//lang/cn/system.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:23 +0000] "GET /lang/cn/system.php HTTP/1.1" 404 28028 "http://hardrain980.com//lang/cn/system.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:24 +0000] "POST //config/AspCms_Config.asp HTTP/1.1" 301 528 "http://hardrain980.com//config/AspCms_Config.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:25 +0000] "GET /config/AspCms_Config.asp HTTP/1.1" 404 28028 "http://hardrain980.com//config/AspCms_Config.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:26 +0000] "POST //admin_login.php HTTP/1.1" 301 510 "http://hardrain980.com//admin_login.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:26 +0000] "GET /admin_login.php HTTP/1.1" 404 28028 "http://hardrain980.com//admin_login.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:27 +0000] "POST //Templates/red.asp HTTP/1.1" 301 514 "http://hardrain980.com//Templates/red.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:27 +0000] "GET /Templates/red.asp HTTP/1.1" 404 28028 "http://hardrain980.com//Templates/red.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:28 +0000] "POST //plus/mytag_js.php?aid=8080 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:29 +0000] "GET /plus/mytag_js.php?aid=8080 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
207.46.13.102 - - [23/Jul/2017:05:15:30 +0000] "GET /sitemap.xml HTTP/1.1" 200 4187 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
180.76.138.179 - - [23/Jul/2017:05:15:31 +0000] "POST //plus/mytag_js.php?aid=8080 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:31 +0000] "GET /plus/mytag_js.php?aid=8080 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:32 +0000] "POST //plus/mytag_js.php?aid=8080 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:33 +0000] "GET /plus/mytag_js.php?aid=8080 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:35 +0000] "POST //images/swfupload/images/uploadye.php HTTP/1.1" 301 552 "http://hardrain980.com//images/swfupload/images/uploadye.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:35 +0000] "GET /images/swfupload/images/uploadye.php HTTP/1.1" 404 28028 "http://hardrain980.com//images/swfupload/images/uploadye.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:38 +0000] "POST //utility/convert/data/config.inc.php HTTP/1.1" 301 550 "http://hardrain980.com//utility/convert/data/config.inc.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:38 +0000] "GET /utility/convert/data/config.inc.php HTTP/1.1" 404 28028 "http://hardrain980.com//utility/convert/data/config.inc.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:39 +0000] "POST //config/AspCms_Config.asp HTTP/1.1" 301 528 "http://hardrain980.com//config/AspCms_Config.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:39 +0000] "GET /config/AspCms_Config.asp HTTP/1.1" 404 28028 "http://hardrain980.com//config/AspCms_Config.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:40 +0000] "POST //plus/mytag_js.php?aid=9090 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:41 +0000] "GET /plus/mytag_js.php?aid=9090 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:42 +0000] "POST //plus/mytag_js.php?aid=9090 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:42 +0000] "GET /plus/mytag_js.php?aid=9090 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:43 +0000] "POST //plus/mytag_js.php?aid=9090 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:44 +0000] "GET /plus/mytag_js.php?aid=9090 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:45 +0000] "POST //plus/bakup.hp HTTP/1.1" 301 506 "http://hardrain980.com//plus/bakup.hp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:45 +0000] "GET /plus/bakup.hp HTTP/1.1" 404 28028 "http://hardrain980.com//plus/bakup.hp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:48 +0000] "POST //include/code/mp.php HTTP/1.1" 301 518 "http://hardrain980.com//include/code/mp.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:48 +0000] "GET /include/code/mp.php HTTP/1.1" 404 28028 "http://hardrain980.com//include/code/mp.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:49 +0000] "POST //plus/laobiao.php HTTP/1.1" 301 512 "http://hardrain980.com//plus/laobiao.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:49 +0000] "GET /plus/laobiao.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/laobiao.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:50 +0000] "POST //plus/mytag_js.php?aid=6022 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=6022" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:51 +0000] "GET /plus/mytag_js.php?aid=6022 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=6022" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:55 +0000] "POST //book/story_dod_hjkdsafon.php HTTP/1.1" 301 536 "http://hardrain980.com//book/story_dod_hjkdsafon.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:56 +0000] "GET /book/story_dod_hjkdsafon.php HTTP/1.1" 404 28028 "http://hardrain980.com//book/story_dod_hjkdsafon.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:57 +0000] "POST //data/s.asp HTTP/1.1" 301 500 "http://hardrain980.com//data/s.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:57 +0000] "GET /data/s.asp HTTP/1.1" 404 28028 "http://hardrain980.com//data/s.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:58 +0000] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
180.76.138.179 - - [23/Jul/2017:05:15:59 +0000] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
This 180.76 IP POSTed to a lot of non-existent paths, and after each POST it usually did a GET on the same path.
I Googled a few of the PHP paths and found that they are basically DedeCMS (织梦) vulns that can be used to GetShell.
There are also a bunch of .asp / .aspx paths.
Most importantly, an ipip.net lookup shows it is a Baidu IP. Is someone using Baidu Cloud (the cloud computing service, not the network drive) to scan for shells?
This time I banned a few IPs that were trying to exploit vulnerabilities to get a shell.
uploadify
Also, using SSL has another benefit: the people running these exploit tools still have something to learn. Their POSTs with an http scheme get a 301 and then nothing follows...
1
Hardrain OP supplement: log format
IP address, login name ×2 (the two "-"), time, HTTP request, HTTP status code, bytes sent, HTTP_referer, UA
2
wql 2017-07-26 15:23:22 +08:00 via Android
It's Baidu Cloud, not Baidu itself. Check the rDNS records for the same C-class range, e.g. http://bgp.he.net/net/180.76.128.0/18#_dns, and you can see where the problem is.
I've added this IP range to my deny list……
3
millken 2017-07-26 15:27:24 +08:00 via Android
Probably 百度云观测 (Baidu Cloud Observation).
4
Hardrain OP @wql I blocked this IP, but not the whole C-class range.
Also, I think I need a WAF to block every request ending in asp or aspx, since no part of my site is written in ASP.
7
ArcticL 2017-07-26 17:06:05 +08:00
Clearly vulnerability-scanner behaviour. On the WAF you can set a policy based on the response code: sources with a large number of requests returning 404, just block them~ PS: to be safe, observe first..
9
Hardrain OP
10
googlefans 2023-05-26 17:48:56 +08:00
How was this resolved in the end?