V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
hhhhhh123
V2EX  ›  程序员

我的服务器是不是被人盯上了?

  •  
  •   hhhhhh123 · 2022-08-11 15:13:42 +08:00 · 4091 次点击
    这是一个创建于 836 天前的主题,其中的信息可能已经有所发展或是发生改变。

    我刚刚发现 nginx 日志里面 有个 ip 疯狂在访问,这是为啥, 其实平常也是有很多不同的 ip 会访问,但是没在意。 虽然不知为啥,,然后我的网站还没弄好 域名都还没申请。很好奇他们是在干嘛?都是国外的 ip 因为我的服务器是亚马逊的。 这是一部分 IP

    18.139.219.224 - - [11/Aug/2022:03:33:09 +0000] "GET //info3.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:10 +0000] "GET //info4.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:12 +0000] "GET //phpinfo1.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:13 +0000] "GET //phpinfo2.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:14 +0000] "GET //phpinfo3.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:16 +0000] "GET //phpinfo4.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:17 +0000] "GET //o.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:19 +0000] "GET //dashboard/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:20 +0000] "GET //dashboard/test.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:21 +0000] "GET //dashboard/i.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:22 +0000] "GET //dashboard/infophp.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:23 +0000] "GET //dashboard/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:25 +0000] "GET //dashboard/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:26 +0000] "GET //p.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:28 +0000] "GET //ocp.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:29 +0000] "GET //phpsysinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:31 +0000] "GET //phpsysinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:32 +0000] "GET //phpsysinfo/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:34 +0000] "GET //phpsysinfo/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:35 +0000] "GET //phpsysinfo/phpsysinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:36 +0000] "GET //deploy.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:38 +0000] "GET //dep.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:39 +0000] "GET //dev.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:41 +0000] "GET //tz.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:42 +0000] "GET //admin/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:44 +0000] "GET //admin/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:45 +0000] "GET //admin/infophp.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:46 +0000] "GET //admin/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:48 +0000] "GET //root/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:49 +0000] "GET //root/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:51 +0000] "GET //root/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:52 +0000] "GET //root/infophp HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:53 +0000] "GET //console/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:54 +0000] "GET //console/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:56 +0000] "GET //console/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:57 +0000] "GET //console/infophp HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:58 +0000] "GET //phpinfo.html HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:34:00 +0000] "GET //root/phpinfo.html HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    
    
    第 1 条附言  ·  2022-08-11 16:49:33 +08:00
    ```
    2022/08/11 03:34:30 [error] 3341766#3341766: *1627 open() "/usr/share/nginx/html/phpconfigure/phpinfo" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/phpinfo HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:31 [error] 3341766#3341766: *1628 open() "/usr/share/nginx/html/phpconfigure/phpinfo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/phpinfo.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:32 [error] 3341766#3341766: *1629 open() "/usr/share/nginx/html/phpconfigure/index.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/index.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:33 [error] 3341766#3341766: *1630 open() "/usr/share/nginx/html/scripts/info.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/info.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:34 [error] 3341766#3341766: *1631 open() "/usr/share/nginx/html/scripts/phpinfo" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/phpinfo HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:36 [error] 3341766#3341766: *1632 open() "/usr/share/nginx/html/scripts/phpinfo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/phpinfo.php HTTP/1.1", host: "54.248.101.249"


    ```
    29 条回复    2022-08-12 17:05:55 +08:00
    lichao
        1
    lichao  
       2022-08-11 15:16:15 +08:00
    正常现象,99.99% 的服务器都会被扫描
    misaka19000
        2
    misaka19000  
       2022-08-11 15:21:50 +08:00
    月经贴。。。公网别人会扫你的,可以换 ssh 端口不要用 22 ,或者只允许密钥访问,启动 fail2ban
    ViriF
        3
    ViriF  
       2022-08-11 15:24:10 +08:00
    很正常+1 ,天天都被扫几千 /万次,整个读日志自动 ban ip 的服务呗
    zzzmh
        4
    zzzmh  
       2022-08-11 15:26:51 +08:00
    是第一次当站长吗?这是最初级的扫描,基本对服务器没啥影响,可以忽略不计,我是干脆一上来就匹配.php .asp .jsp 结尾的请求全部干掉,节约资源。等站长做久了还会遇到各种各样搞事的,已经麻了。
    fanchenio
        5
    fanchenio  
       2022-08-11 15:46:34 +08:00
    我的网站一天要被扫 N 次,各种奇怪的请求。
    nothingistrue
        6
    nothingistrue  
       2022-08-11 16:09:18 +08:00
    广撒网方式低级漏洞扫描,扫到就顺着漏洞控制服务器。只要你服务器能被公网访问,就会被这样扫。这个不是 DDOS 攻击,只要你没有低级安全问题——比如说 root 密码简单、redis/mysql 开放公网访问还不设密码,就不用管。
    libook
        7
    libook  
       2022-08-11 16:17:11 +08:00
    自动化的漏洞扫描机器人,扫到漏洞之后会自动入侵进行勒索、挖矿、劫持为肉鸡,你需要一个 Web 应用防火墙。

    云厂商的 IP 段是比较固定的,攻击机器人会不定期地把这些段的 IP 扫一遍。
    LnTrx
        8
    LnTrx  
       2022-08-11 16:19:11 +08:00
    公网 IPv4 就是会这样
    yulgang
        9
    yulgang  
       2022-08-11 16:28:49 +08:00
    批量扫 正常
    hhhhhh123
        10
    hhhhhh123  
    OP
       2022-08-11 16:36:20 +08:00
    soga , 确实是第一次做站长。。嘿嘿
    hhhhhh123
        11
    hhhhhh123  
    OP
       2022-08-11 16:49:08 +08:00
    ```
    2022/08/11 03:34:30 [error] 3341766#3341766: *1627 open() "/usr/share/nginx/html/phpconfigure/phpinfo" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/phpinfo HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:31 [error] 3341766#3341766: *1628 open() "/usr/share/nginx/html/phpconfigure/phpinfo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/phpinfo.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:32 [error] 3341766#3341766: *1629 open() "/usr/share/nginx/html/phpconfigure/index.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/index.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:33 [error] 3341766#3341766: *1630 open() "/usr/share/nginx/html/scripts/info.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/info.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:34 [error] 3341766#3341766: *1631 open() "/usr/share/nginx/html/scripts/phpinfo" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/phpinfo HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:36 [error] 3341766#3341766: *1632 open() "/usr/share/nginx/html/scripts/phpinfo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/phpinfo.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:37 [error] 3341766#3341766: *1633 open() "/usr/share/nginx/html/scripts/index.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/index.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:38 [error] 3341766#3341766: *1634 open() "/usr/share/nginx/html/forum/info.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //forum/info.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:39 [error] 3341766#3341766: *1635 open() "/usr/share/nginx/html/forum/phpinfo" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //forum/phpinfo HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:40 [error] 3341766#3341766: *1636 open() "/usr/share/nginx/html/forum/phpinfo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //forum/phpinfo.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:41 [error] 3341766#3341766: *1637 open() "/usr/share/nginx/html/forum/index.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //forum/index.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:42 [error] 3341766#3341766: *1638 open() "/usr/share/nginx/html/foo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //foo.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:41:21 [error] 3341766#3341766: *1639 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 93.182.108.25, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:58:26 [error] 3341766#3341766: *1645 open() "/usr/share/nginx/html/update2/version.manifest" failed (2: No such file or directory), client: 183.157.11.162, server: 54.248.101.249, request: "GET /update2/version.manifest HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:58:26 [error] 3341766#3341766: *1646 open() "/usr/share/nginx/html/update2/project.manifest" failed (2: No such file or directory), client: 183.157.11.162, server: 54.248.101.249, request: "GET /update2/project.manifest HTTP/1.1", host: "54.248.101.249"
    2022/08/11 04:23:57 [error] 3341766#3341766: *1647 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 185.254.196.115, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249"
    2022/08/11 05:22:27 [error] 3341766#3341766: *1650 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 109.237.103.123, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249"
    2022/08/11 05:48:43 [error] 3341766#3341766: *1652 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 184.105.247.243, server: 54.248.101.249, request: "GET /favicon.ico HTTP/1.1", host: "54.248.101.249"
    2022/08/11 05:52:14 [error] 3341766#3341766: *1653 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 185.254.196.115, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249"

    ```
    LinsVert
        12
    LinsVert  
       2022-08-11 16:51:11 +08:00
    习惯就好
    hhhhhh123
        13
    hhhhhh123  
    OP
       2022-08-11 16:51:20 +08:00
    @lichao @misaka19000 @ViriF @zzzmh @fanchenio @nothingistrue @all 各位这是我 nginx error.log 里面的。。我想知道, 为什么会执行这个 open file 打开文件的指令?
    hhhhhh123
        14
    hhhhhh123  
    OP
       2022-08-11 16:52:45 +08:00
    假设我 存在这个文件 会怎么样?
    misaka19000
        15
    misaka19000  
       2022-08-11 17:04:06 +08:00
    @hhhhhh123 #13 因为有的 PHP 站点可能会存在这个漏洞,所以它会根据常见漏洞来进行扫描,不代表你的服务就一定存在这个漏洞
    hhhhhh123
        16
    hhhhhh123  
    OP
       2022-08-11 17:06:39 +08:00
    @misaka19000 那假设我有这个文件的话, 它是不是就是可以破解我的服务器了?
    onice
        17
    onice  
       2022-08-11 17:10:53 +08:00
    从扫描的路径来看,应该是后门(webshell)扫描。目测是云厂商的安全组件在扫描,如果扫描到漏洞存在,会给你报警。
    hhhhhh123
        18
    hhhhhh123  
    OP
       2022-08-11 17:12:01 +08:00
    @onice 请问一下, 这个怎么去区分,是服务商 还是 恶意扫描
    misaka19000
        19
    misaka19000  
       2022-08-11 17:12:06 +08:00
    @hhhhhh123 #16 不一定,要看是不是有这个漏洞
    eason1874
        20
    eason1874  
       2022-08-11 17:18:16 +08:00
    不用区分扫描是恶意还是善意,直接匹配这些用不到的路径返回 404 就行了
    onice
        21
    onice  
       2022-08-11 17:18:31 +08:00
    @hhhhhh123 你仔细看路径,都是扫描的 php 文件,发 get ,判断文件是否存在。phpinfo.php 是攻击者经常使用的探针,攻击者利用网站漏洞,写入 phpinfo 文件,通过访问这个文件可以看到服务器的 php 配置信息。

    你要自己测试的话,可以搭建一个 php 环境,写一个 phpinfo.php ,内容为<?php phpinfo(); ?>,访问该文件,就能看到服务器的详细配置了。

    攻击者通过访问该探针,获取服务器的更多信息,找到有漏洞的组件进行进一步的攻击。

    当然,对于网站后门,攻击者也喜欢写成 phpinfo.php 。

    日志中,只是单纯的判断这些后门文件是否存在,所以可以初步断定为是云运营商安全组件的扫描。

    如果是攻击者的扫描行为,路径中会包含攻击代码。比如 SQL 注入会有 and 1=1 或者是 and 1=2 之类的关键字,XSS 攻击会有<script>或者是</script>关键字。
    hhhhhh123
        22
    hhhhhh123  
    OP
       2022-08-11 17:20:42 +08:00
    @onice Soga
    @eason1874 已经在学习 nginx 语法了, 准备屏蔽了
    hhhhhh123
        23
    hhhhhh123  
    OP
       2022-08-11 17:31:28 +08:00
    @onice 很好奇,都说要防止 sql 注入, 我在想 这种 sql 入侵都是什么情况下会发生? 想不到场景
    onice
        24
    onice  
       2022-08-11 17:44:33 +08:00
    @hhhhhh123 SQL 注入发生在用户的输入和数据库有交互的地方。比如查询商品信息。url 可能如下: https://xx.com/goods?id=1 ,id 参数是商品编号。用户传入不同的编号,页面上可以显示不同的商品信息。

    对于不怀好意的用户(攻击者),他们不会老老实实的只传编号,而是尝试传入攻击语句。由于编号会作为查询条件带入 sql 交予数据库去执行,所以把编号换成攻击语句,数据库也会执行攻击语句。这样就达到攻击的效果了。

    只要是用户输入的东西,和数据库有交互的功能,而开发者也没有对用户传入的参数进行过滤和处理,都可能存在 SQL 注入漏洞。

    SQL 注入漏洞的核心是通过用户的输入,控制原有的 sql 语句,达到攻击的效果。所以 sql 能做的事情,sql 注入都能做。这就是 SQL 注入的危害。

    轻则泄露管理员用户和密码,直接进后台。重则通过 sql 直接写入后门文件直接控制网站。
    hhhhhh123
        25
    hhhhhh123  
    OP
       2022-08-11 17:48:23 +08:00
    @onice soga
    vhus
        26
    vhus  
       2022-08-11 18:27:02 +08:00
    设置禁止 ip 直接访问。
    chainsR
        27
    chainsR  
       2022-08-12 09:06:06 +08:00 via iPhone
    nginx 装个 waf ,过几天你去看防护日志,会发现更多牛鬼蛇神
    AS4694lAS4808
        28
    AS4694lAS4808  
       2022-08-12 10:16:46 +08:00
    复杂服务在端口前加个 aws waf 。简单服务的话直接 fail2ban 读日志,禁用高频访问
    xiaopigfly
        29
    xiaopigfly  
       2022-08-12 17:05:55 +08:00
    冷知识,放到公网上总会被人扫描。不管就是了
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2992 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 83ms · UTC 14:09 · PVG 22:09 · LAX 06:09 · JFK 09:09
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.