我刚刚发现 nginx 日志里面 有个 ip 疯狂在访问,这是为啥, 其实平常也是有很多不同的 ip 会访问,但是没在意。 虽然不知为啥,,然后我的网站还没弄好 域名都还没申请。很好奇他们是在干嘛?都是国外的 ip 因为我的服务器是亚马逊的。 这是一部分 IP
18.139.219.224 - - [11/Aug/2022:03:33:09 +0000] "GET //info3.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:10 +0000] "GET //info4.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:12 +0000] "GET //phpinfo1.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:13 +0000] "GET //phpinfo2.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:14 +0000] "GET //phpinfo3.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:16 +0000] "GET //phpinfo4.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:17 +0000] "GET //o.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:19 +0000] "GET //dashboard/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:20 +0000] "GET //dashboard/test.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:21 +0000] "GET //dashboard/i.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:22 +0000] "GET //dashboard/infophp.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:23 +0000] "GET //dashboard/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:25 +0000] "GET //dashboard/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:26 +0000] "GET //p.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:28 +0000] "GET //ocp.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:29 +0000] "GET //phpsysinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:31 +0000] "GET //phpsysinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:32 +0000] "GET //phpsysinfo/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:34 +0000] "GET //phpsysinfo/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:35 +0000] "GET //phpsysinfo/phpsysinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:36 +0000] "GET //deploy.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:38 +0000] "GET //dep.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:39 +0000] "GET //dev.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:41 +0000] "GET //tz.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:42 +0000] "GET //admin/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:44 +0000] "GET //admin/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:45 +0000] "GET //admin/infophp.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:46 +0000] "GET //admin/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:48 +0000] "GET //root/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:49 +0000] "GET //root/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:51 +0000] "GET //root/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:52 +0000] "GET //root/infophp HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:53 +0000] "GET //console/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:54 +0000] "GET //console/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:56 +0000] "GET //console/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:57 +0000] "GET //console/infophp HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:58 +0000] "GET //phpinfo.html HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:34:00 +0000] "GET //root/phpinfo.html HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
1
lichao 2022-08-11 15:16:15 +08:00
正常现象,99.99% 的服务器都会被扫描
|
2
misaka19000 2022-08-11 15:21:50 +08:00
月经贴。。。公网别人会扫你的,可以换 ssh 端口不要用 22 ,或者只允许密钥访问,启动 fail2ban
|
3
ViriF 2022-08-11 15:24:10 +08:00
很正常+1 ,天天都被扫几千 /万次,整个读日志自动 ban ip 的服务呗
|
4
zzzmh 2022-08-11 15:26:51 +08:00
是第一次当站长吗?这是最初级的扫描,基本对服务器没啥影响,可以忽略不计,我是干脆一上来就匹配.php .asp .jsp 结尾的请求全部干掉,节约资源。等站长做久了还会遇到各种各样搞事的,已经麻了。
|
5
fanchenio 2022-08-11 15:46:34 +08:00
我的网站一天要被扫 N 次,各种奇怪的请求。
|
6
nothingistrue 2022-08-11 16:09:18 +08:00
广撒网方式低级漏洞扫描,扫到就顺着漏洞控制服务器。只要你服务器能被公网访问,就会被这样扫。这个不是 DDOS 攻击,只要你没有低级安全问题——比如说 root 密码简单、redis/mysql 开放公网访问还不设密码,就不用管。
|
7
libook 2022-08-11 16:17:11 +08:00
自动化的漏洞扫描机器人,扫到漏洞之后会自动入侵进行勒索、挖矿、劫持为肉鸡,你需要一个 Web 应用防火墙。
云厂商的 IP 段是比较固定的,攻击机器人会不定期地把这些段的 IP 扫一遍。 |
8
LnTrx 2022-08-11 16:19:11 +08:00
公网 IPv4 就是会这样
|
9
yulgang 2022-08-11 16:28:49 +08:00
批量扫 正常
|
10
hhhhhh123 OP soga , 确实是第一次做站长。。嘿嘿
|
11
hhhhhh123 OP ```
2022/08/11 03:34:30 [error] 3341766#3341766: *1627 open() "/usr/share/nginx/html/phpconfigure/phpinfo" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/phpinfo HTTP/1.1", host: "54.248.101.249" 2022/08/11 03:34:31 [error] 3341766#3341766: *1628 open() "/usr/share/nginx/html/phpconfigure/phpinfo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/phpinfo.php HTTP/1.1", host: "54.248.101.249" 2022/08/11 03:34:32 [error] 3341766#3341766: *1629 open() "/usr/share/nginx/html/phpconfigure/index.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/index.php HTTP/1.1", host: "54.248.101.249" 2022/08/11 03:34:33 [error] 3341766#3341766: *1630 open() "/usr/share/nginx/html/scripts/info.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/info.php HTTP/1.1", host: "54.248.101.249" 2022/08/11 03:34:34 [error] 3341766#3341766: *1631 open() "/usr/share/nginx/html/scripts/phpinfo" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/phpinfo HTTP/1.1", host: "54.248.101.249" 2022/08/11 03:34:36 [error] 3341766#3341766: *1632 open() "/usr/share/nginx/html/scripts/phpinfo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/phpinfo.php HTTP/1.1", host: "54.248.101.249" 2022/08/11 03:34:37 [error] 3341766#3341766: *1633 open() "/usr/share/nginx/html/scripts/index.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/index.php HTTP/1.1", host: "54.248.101.249" 2022/08/11 03:34:38 [error] 3341766#3341766: *1634 open() "/usr/share/nginx/html/forum/info.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //forum/info.php HTTP/1.1", host: "54.248.101.249" 2022/08/11 03:34:39 [error] 3341766#3341766: *1635 open() "/usr/share/nginx/html/forum/phpinfo" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //forum/phpinfo HTTP/1.1", host: "54.248.101.249" 2022/08/11 03:34:40 [error] 3341766#3341766: *1636 open() "/usr/share/nginx/html/forum/phpinfo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //forum/phpinfo.php HTTP/1.1", host: "54.248.101.249" 2022/08/11 03:34:41 [error] 3341766#3341766: *1637 open() "/usr/share/nginx/html/forum/index.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //forum/index.php HTTP/1.1", host: "54.248.101.249" 2022/08/11 03:34:42 [error] 3341766#3341766: *1638 open() "/usr/share/nginx/html/foo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //foo.php HTTP/1.1", host: "54.248.101.249" 2022/08/11 03:41:21 [error] 3341766#3341766: *1639 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 93.182.108.25, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249" 2022/08/11 03:58:26 [error] 3341766#3341766: *1645 open() "/usr/share/nginx/html/update2/version.manifest" failed (2: No such file or directory), client: 183.157.11.162, server: 54.248.101.249, request: "GET /update2/version.manifest HTTP/1.1", host: "54.248.101.249" 2022/08/11 03:58:26 [error] 3341766#3341766: *1646 open() "/usr/share/nginx/html/update2/project.manifest" failed (2: No such file or directory), client: 183.157.11.162, server: 54.248.101.249, request: "GET /update2/project.manifest HTTP/1.1", host: "54.248.101.249" 2022/08/11 04:23:57 [error] 3341766#3341766: *1647 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 185.254.196.115, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249" 2022/08/11 05:22:27 [error] 3341766#3341766: *1650 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 109.237.103.123, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249" 2022/08/11 05:48:43 [error] 3341766#3341766: *1652 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 184.105.247.243, server: 54.248.101.249, request: "GET /favicon.ico HTTP/1.1", host: "54.248.101.249" 2022/08/11 05:52:14 [error] 3341766#3341766: *1653 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 185.254.196.115, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249" ``` |
12
LinsVert 2022-08-11 16:51:11 +08:00
习惯就好
|
13
hhhhhh123 OP @lichao @misaka19000 @ViriF @zzzmh @fanchenio @nothingistrue @all 各位这是我 nginx error.log 里面的。。我想知道, 为什么会执行这个 open file 打开文件的指令?
|
14
hhhhhh123 OP 假设我 存在这个文件 会怎么样?
|
15
misaka19000 2022-08-11 17:04:06 +08:00
@hhhhhh123 #13 因为有的 PHP 站点可能会存在这个漏洞,所以它会根据常见漏洞来进行扫描,不代表你的服务就一定存在这个漏洞
|
16
hhhhhh123 OP @misaka19000 那假设我有这个文件的话, 它是不是就是可以破解我的服务器了?
|
17
onice 2022-08-11 17:10:53 +08:00
从扫描的路径来看,应该是后门(webshell)扫描。目测是云厂商的安全组件在扫描,如果扫描到漏洞存在,会给你报警。
|
19
misaka19000 2022-08-11 17:12:06 +08:00
@hhhhhh123 #16 不一定,要看是不是有这个漏洞
|
20
eason1874 2022-08-11 17:18:16 +08:00
不用区分扫描是恶意还是善意,直接匹配这些用不到的路径返回 404 就行了
|
21
onice 2022-08-11 17:18:31 +08:00
@hhhhhh123 你仔细看路径,都是扫描的 php 文件,发 get ,判断文件是否存在。phpinfo.php 是攻击者经常使用的探针,攻击者利用网站漏洞,写入 phpinfo 文件,通过访问这个文件可以看到服务器的 php 配置信息。
你要自己测试的话,可以搭建一个 php 环境,写一个 phpinfo.php ,内容为<?php phpinfo(); ?>,访问该文件,就能看到服务器的详细配置了。 攻击者通过访问该探针,获取服务器的更多信息,找到有漏洞的组件进行进一步的攻击。 当然,对于网站后门,攻击者也喜欢写成 phpinfo.php 。 日志中,只是单纯的判断这些后门文件是否存在,所以可以初步断定为是云运营商安全组件的扫描。 如果是攻击者的扫描行为,路径中会包含攻击代码。比如 SQL 注入会有 and 1=1 或者是 and 1=2 之类的关键字,XSS 攻击会有<script>或者是</script>关键字。 |
24
onice 2022-08-11 17:44:33 +08:00
@hhhhhh123 SQL 注入发生在用户的输入和数据库有交互的地方。比如查询商品信息。url 可能如下: https://xx.com/goods?id=1 ,id 参数是商品编号。用户传入不同的编号,页面上可以显示不同的商品信息。
对于不怀好意的用户(攻击者),他们不会老老实实的只传编号,而是尝试传入攻击语句。由于编号会作为查询条件带入 sql 交予数据库去执行,所以把编号换成攻击语句,数据库也会执行攻击语句。这样就达到攻击的效果了。 只要是用户输入的东西,和数据库有交互的功能,而开发者也没有对用户传入的参数进行过滤和处理,都可能存在 SQL 注入漏洞。 SQL 注入漏洞的核心是通过用户的输入,控制原有的 sql 语句,达到攻击的效果。所以 sql 能做的事情,sql 注入都能做。这就是 SQL 注入的危害。 轻则泄露管理员用户和密码,直接进后台。重则通过 sql 直接写入后门文件直接控制网站。 |
26
vhus 2022-08-11 18:27:02 +08:00
设置禁止 ip 直接访问。
|
27
chainsR 2022-08-12 09:06:06 +08:00 via iPhone
nginx 装个 waf ,过几天你去看防护日志,会发现更多牛鬼蛇神
|
28
AS4694lAS4808 2022-08-12 10:16:46 +08:00
复杂服务在端口前加个 aws waf 。简单服务的话直接 fail2ban 读日志,禁用高频访问
|
29
xiaopigfly 2022-08-12 17:05:55 +08:00
冷知识,放到公网上总会被人扫描。不管就是了
|