Found a trojan on a company server; the server had logging enabled and recorded the intruder's IP. How do I get him "invited for tea" by the police?

2015-01-03 18:59:23 +08:00
dbfox
Detailed access log:

12-31 11:01:45 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 64 82586
12-31 11:01:45 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 64 51870
12-31 11:01:45 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 0 9781

12-31 12:03:29 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 0 62
12-31 12:03:30 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 0 62
12-31 12:03:32 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 0 62

12-31 14:07:05 POST /.m/static/img/static.aspx - 80 - 219.135.67.177 Baiduspider 200 0 0 78
12-31 14:07:08 POST /.m/static/img/static.aspx - 80 - 219.135.67.177 Baiduspider 200 0 0 46

12-31 23:02:36 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 1918
12-31 23:03:01 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 93
12-31 23:03:05 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 62
12-31 23:03:07 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 78
12-31 23:03:10 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 109

12-31 23:08:06 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 109
12-31 23:08:08 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 62
12-31 23:08:11 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 78
12-31 23:08:13 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 78
12-31 23:08:15 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 93

12-31 23:25:14 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 78
12-31 23:25:17 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 78
12-31 23:25:19 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 468

01-02 00:47:59 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 64 58858
01-02 00:48:00 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 18002

01-02 01:05:11 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62
01-02 01:05:14 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62
01-02 01:05:17 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62
01-02 01:05:24 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 5101
01-02 01:05:27 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62
01-02 01:05:29 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62
01-02 01:05:34 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 78
01-02 01:05:44 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62

01-02 03:12:41 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 3213
01-02 03:12:32 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 218

01-02 23:57:35 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0 717
01-02 23:56:16 POST /.m/static/img/static.aspx - 80 - 14.123.240.85 Baiduspider 404 0 64 23446

01-03 00:03:01 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0 6427
01-03 00:03:26 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0 2854
01-03 00:38:42 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0 1294
01-03 00:38:44 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0 202
01-03 00:38:46 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0
4462 views
Node: Q&A
20 replies
pfitseng
2015-01-03 19:45:27 +08:00
Assess the losses and report it to the local public security bureau.
mahone3297
2015-01-03 19:48:50 +08:00
I don't get it, please enlighten me...
They're all Baiduspider. Is that the intruder?
tabris17
2015-01-03 20:01:08 +08:00
Right, let's go arrest Li Yanhong.
Doubear
2015-01-03 20:01:08 +08:00
@mahone3297 A spider wouldn't make POST requests, would it? Otherwise where would the POST data come from? Generated automatically?
halczy
2015-01-03 20:04:05 +08:00
Looks very familiar...

At a glance, both of those IPs are dynamic IPs handed out by Guangzhou Telecom residential dial-up. Go to the police and have them ask the telecom.
sanddudu
2015-01-03 20:07:07 +08:00
@mahone3297 The UA can be forged; an ordinary crawler making these requests would be very suspicious.
wzzyj8
2015-01-03 20:10:46 +08:00
@mahone3297
@tabris17

Probably disguised as a spider to get past the WAF.
dbfox
2015-01-03 20:13:46 +08:00
@mahone3297
@tabris17

The user-agent can be forged.
flynaj
2015-01-03 20:16:43 +08:00
Baiduspider means the other side is disguised, and the IP is quite likely a proxy IP as well.
dbfox
2015-01-03 20:25:42 +08:00
@flynaj Hmm, possibly.
9hills
2015-01-03 20:28:51 +08:00
Suggest you focus on your own security measures; reporting it to the police is useless. Unless you're 12306.
sneezry
2015-01-03 20:32:37 +08:00
@mahone3297
@tabris17
How would a spider send POST requests?
chone
2015-01-03 20:32:55 +08:00
The recorded IP is probably a jump host; fix the vulnerability first.
longear
2015-01-03 23:00:05 +08:00
These black-market dealers aren't dumb enough to use their own IP and wait for a knock on the door; they all go through zombie machines, and who knows how many hops.
If you report it, you'll most likely just cause trouble for an innocent victim.
fising
2015-01-03 23:08:01 +08:00
As if the police are going to bother with this stuff of yours.
mahone3297
2015-01-03 23:32:27 +08:00
@sanddudu
@dbfox
I know the UA can be forged...
What I meant was, how do you tell this is an intruder...
The OP, as the server admin, can probably tell that these files didn't exist before, that someone uploaded them later, and that they're trojans.
But how can we, the people reading this thread today, tell that this is an intrusion? From the POST requests?
lvye
2015-01-04 00:57:45 +08:00
@mahone3297 An executable script placed under the img directory, and given a name meant to blend in, too.
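To make the tells that mahone3297 asks about and that several replies name concrete (a self-declared spider sending POST, a server-side script sitting under an image directory, a page under /aspnet_client/), here is an added example; it is not code from the thread or from any poster. It assumes the field layout of the OP's excerpt (date, time, method, uri-stem, uri-query, port, username, client-ip, user-agent, status, substatus, win32-status, and an optional time-taken), runs over constructed sample lines with documentation-range IPs rather than the addresses in the thread, and the lists of crawler UA tokens, script extensions and static-only directories are assumptions to tune per site.

```python
"""Added example: flag webshell-like requests in IIS-style access-log lines.

Assumed field layout (taken from the shape of the OP's excerpt):
  date time method uri-stem uri-query port username client-ip user-agent
  status substatus win32-status [time-taken]
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed lists; tune them to the site. /aspnet_client/ normally holds only
# framework client-side files, so a server page under it is worth a look.
CRAWLER_UA_TOKENS = ("Baiduspider", "Googlebot", "bingbot", "Sogou", "YandexBot")
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")
STATIC_ONLY_DIRS = {"img", "images", "static", "css", "js", "fonts",
                    "upload", "uploads", "aspnet_client"}

# Constructed sample lines shaped like the thread's log; the IPs are from the
# RFC 5737 documentation ranges, not the addresses posted in the thread.
SAMPLE_LOG = """\
12-31 11:01:44 GET /.m/static/img/logo.png - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 12
12-31 11:01:45 POST /.m/static/img/static.aspx - 80 - 203.0.113.74 Baiduspider 200 0 64 82586
12-31 11:01:46 POST /.m/static/img/static.aspx - 80 - 203.0.113.74 Baiduspider 200 0 0 62
12-31 12:00:01 GET /index.aspx - 80 - 203.0.113.9 Baiduspider 200 0 0 40
12-31 12:30:10 POST /account/login.aspx - 80 - 198.51.100.7 Mozilla/5.0 302 0 0 88
01-02 23:57:35 POST /aspnet_client/system_web/client/env.aspx - 80 - 192.0.2.85 Baiduspider 200 0 0 717
01-02 23:58:00 GET /aspnet_client/system_web/client/env.aspx - 80 - 192.0.2.85 Baiduspider 404 0 2
"""


@dataclass
class Entry:
    stamp: str        # "MM-DD HH:MM:SS" as logged (this format carries no year)
    method: str
    path: str
    client_ip: str
    user_agent: str
    status: int
    time_taken: int   # -1 when the field is missing (the OP's last line lacks it)


def parse_line(line: str) -> Optional[Entry]:
    """Split one whitespace-delimited log line; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 12:
        return None
    date, time, method, path, _query, _port, _user, ip, ua, status = parts[:10]
    if not status.isdigit():
        return None
    taken = int(parts[12]) if len(parts) > 12 and parts[12].isdigit() else -1
    return Entry(f"{date} {time}", method, path, ip, ua, int(status), taken)


def suspicious_reasons(e: Entry) -> List[str]:
    """Return the heuristics this request trips (empty list means nothing odd)."""
    reasons = []
    claims_crawler = any(tok in e.user_agent for tok in CRAWLER_UA_TOKENS)
    is_script = e.path.lower().endswith(SCRIPT_EXTS)
    parent_dirs = {seg.lower() for seg in e.path.split("/")[:-1] if seg}

    # Crawlers fetch pages; they do not submit forms. A self-declared spider
    # sending POST is the pattern several replies in the thread point at.
    if claims_crawler and e.method != "GET":
        reasons.append("crawler UA with non-GET method")
    # A server-side script living where only static assets belong (lvye's point).
    if is_script and parent_dirs & STATIC_ONLY_DIRS:
        reasons.append("script extension under a static-only directory")
    return reasons


def scan(log_text: str) -> List[Tuple[Entry, List[str]]]:
    """Parse every line and keep the ones that trip at least one heuristic."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


def summarize_by_ip(flagged: List[Tuple[Entry, List[str]]]) -> Dict[str, dict]:
    """Group flagged requests per client IP: hit count, paths touched, first/last seen in log order."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"hits": 0, "paths": set(), "first": None, "last": None})
    for entry, _ in flagged:
        s = summary[entry.client_ip]
        s["hits"] += 1
        s["paths"].add(entry.path)
        s["first"] = s["first"] or entry.stamp
        s["last"] = entry.stamp
    return dict(summary)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for entry, reasons in hits:
        print(f"{entry.stamp} {entry.client_ip:>15} {entry.method:4} {entry.path}  <- {'; '.join(reasons)}")
    for ip, s in summarize_by_ip(hits).items():
        print(f"{ip}: {s['hits']} flagged request(s) over {len(s['paths'])} path(s), {s['first']} .. {s['last']}")
```

On the sample this flags the three POSTs and the one GET to env.aspx, grouped under two IPs, and leaves the browser login POST and the spider's GET of /index.aspx alone. The heuristics are only a triage filter for a log like the OP's; what confirms the webshell is the file itself on disk (creation time, contents, who could write to that directory). A reverse-DNS check on any address claiming to be Baiduspider is the other obvious step, but it needs network access and so stays out of this offline block.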
ksupertu
2015-01-04 07:08:05 +08:00
1. The online 110 police reporting platform;
2. Install 安全狗 (SafeDog) and scan for web trojans.
wisdom
2015-01-04 14:22:18 +08:00
Reporting it is useless. Unless you're 12306.
abanx
2015-01-04 21:46:16 +08:00
Why didn't this hacker clean up the logs at all?

https://www.v2ex.com/t/158872

© 2021 V2EX