Is someone targeting my server?

2022-08-11 15:13:42 +08:00
 hhhhhh123

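I just noticed in my nginx logs that one IP is hitting the server like crazy. Why is that? Actually, lots of different IPs access it normally too, but I never paid attention. I don't know why, though; my website isn't even finished yet and I haven't even registered a domain. I'm curious what they are doing. They are all foreign IPs, since my server is on Amazon. Here are some of the IPs: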

18.139.219.224 - - [11/Aug/2022:03:33:09 +0000] "GET //info3.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:10 +0000] "GET //info4.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:12 +0000] "GET //phpinfo1.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:13 +0000] "GET //phpinfo2.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:14 +0000] "GET //phpinfo3.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:16 +0000] "GET //phpinfo4.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:17 +0000] "GET //o.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:19 +0000] "GET //dashboard/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:20 +0000] "GET //dashboard/test.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:21 +0000] "GET //dashboard/i.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:22 +0000] "GET //dashboard/infophp.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:23 +0000] "GET //dashboard/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:25 +0000] "GET //dashboard/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:26 +0000] "GET //p.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:28 +0000] "GET //ocp.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:29 +0000] "GET //phpsysinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:31 +0000] "GET //phpsysinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:32 +0000] "GET //phpsysinfo/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:34 +0000] "GET //phpsysinfo/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:35 +0000] "GET //phpsysinfo/phpsysinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:36 +0000] "GET //deploy.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:38 +0000] "GET //dep.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:39 +0000] "GET //dev.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:41 +0000] "GET //tz.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:42 +0000] "GET //admin/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:44 +0000] "GET //admin/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:45 +0000] "GET //admin/infophp.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:46 +0000] "GET //admin/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:48 +0000] "GET //root/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:49 +0000] "GET //root/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:51 +0000] "GET //root/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:52 +0000] "GET //root/infophp HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:53 +0000] "GET //console/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:54 +0000] "GET //console/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:56 +0000] "GET //console/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:57 +0000] "GET //console/infophp HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:58 +0000] "GET //phpinfo.html HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:34:00 +0000] "GET //root/phpinfo.html HTTP/1.1" 404 134 "-" "python-requests/2.28.1"

3860 views
Node: Programmers
29 replies
lichao
2022-08-11 15:16:15 +08:00
This is normal; 99.99% of servers get scanned.
misaka19000
2022-08-11 15:21:50 +08:00
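This topic comes up every month... On the public internet people will scan you. You can change the SSH port so it isn't 22, or allow key-based access only, and enable fail2ban.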
ViriF
2022-08-11 15:24:10 +08:00
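Totally normal +1. I get scanned thousands or tens of thousands of times every day. Just set up a service that reads the logs and automatically bans IPs.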
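The "read the logs and ban" idea from the reply above, sketched as an added example (not code from any poster in this thread): it parses nginx access-log lines in the format posted at the top and flags clients that make a burst of 404s on probe-style paths. The probe pattern, the threshold and the 60-second window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" access-log line, the format of the lines posted in this thread.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumed probe signature for a site that serves no PHP/ASP/JSP: script
# extensions, /.env, and phpinfo-style names. Tune it to what the site really serves.
PROBE_RE = re.compile(r'\.(php|asp|aspx|jsp)$|/\.env$|phpinfo|phpsysinfo', re.I)

def find_scanners(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: n} for clients with at least `threshold` probe 404s in one window."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue
        path = m["path"].split("?", 1)[0]          # ignore the query string
        if PROBE_RE.search(path):
            hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):            # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample (documentation IP ranges), modelled on the posted log lines.
_probes = ["//info3.php", "//phpinfo1.php", "//dashboard/info.php",
           "//admin/phpinfo", "//phpsysinfo", "//.env"]
SAMPLE = [f'203.0.113.7 - - [11/Aug/2022:03:33:{9 + i:02d} +0000] "GET {p} HTTP/1.1" '
          '404 134 "-" "python-requests/2.28.1"' for i, p in enumerate(_probes)]
SAMPLE += [
    '198.51.100.20 - - [11/Aug/2022:03:40:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [11/Aug/2022:03:40:02 +0000] "GET /favicon.ico HTTP/1.1" 404 134 "-" "Mozilla/5.0"',
    '198.51.100.99 - - [11/Aug/2022:05:22:27 +0000] "GET /.env HTTP/1.1" 404 134 "-" "curl/7.81.0"',
]

if __name__ == "__main__":
    for ip, n in find_scanners(SAMPLE).items():
        print(f"{ip}: {n} probe 404s within 60s -> candidate for a ban list")
```

A browser's missing favicon.ico and a single stray /.env request stay below the threshold, so only the burst is flagged.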
zzzmh
2022-08-11 15:26:51 +08:00
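Is this your first time running a site? This is the most basic kind of scan; it has basically no impact on the server and can be ignored. I simply drop every request ending in .php, .asp or .jsp right from the start to save resources. Once you've run a site for longer you'll run into all sorts of troublemakers; I'm already numb to it.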
fanchenio
2022-08-11 15:46:34 +08:00
My site gets scanned N times a day, with all sorts of strange requests.
nothingistrue
2022-08-11 16:09:18 +08:00
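It's wide-net scanning for low-level vulnerabilities; if it finds one, it follows the vulnerability to take control of the server. As long as your server is reachable from the public internet, it will be scanned like this. This is not a DDoS attack. As long as you don't have basic security problems, such as a simple root password or redis/mysql open to the public internet with no password set, you don't need to worry about it.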
libook
2022-08-11 16:17:11 +08:00
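Automated vulnerability-scanning bots. After finding a vulnerability they automatically break in for ransom, mining, or to hijack the machine as a zombie; you need a web application firewall.

Cloud vendors' IP ranges are fairly fixed, and attack bots sweep the IPs in those ranges from time to time.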
LnTrx
2022-08-11 16:19:11 +08:00
That's just how it is with a public IPv4 address.
yulgang
2022-08-11 16:28:49 +08:00
Bulk scanning, normal.
hhhhhh123
2022-08-11 16:36:20 +08:00
soga, it really is my first time running a site.. hehe
hhhhhh123
2022-08-11 16:49:08 +08:00
```
2022/08/11 03:34:30 [error] 3341766#3341766: *1627 open() "/usr/share/nginx/html/phpconfigure/phpinfo" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/phpinfo HTTP/1.1", host: "54.248.101.249"
2022/08/11 03:34:31 [error] 3341766#3341766: *1628 open() "/usr/share/nginx/html/phpconfigure/phpinfo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/phpinfo.php HTTP/1.1", host: "54.248.101.249"
2022/08/11 03:34:32 [error] 3341766#3341766: *1629 open() "/usr/share/nginx/html/phpconfigure/index.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/index.php HTTP/1.1", host: "54.248.101.249"
2022/08/11 03:34:33 [error] 3341766#3341766: *1630 open() "/usr/share/nginx/html/scripts/info.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/info.php HTTP/1.1", host: "54.248.101.249"
2022/08/11 03:34:34 [error] 3341766#3341766: *1631 open() "/usr/share/nginx/html/scripts/phpinfo" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/phpinfo HTTP/1.1", host: "54.248.101.249"
2022/08/11 03:34:36 [error] 3341766#3341766: *1632 open() "/usr/share/nginx/html/scripts/phpinfo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/phpinfo.php HTTP/1.1", host: "54.248.101.249"
2022/08/11 03:34:37 [error] 3341766#3341766: *1633 open() "/usr/share/nginx/html/scripts/index.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/index.php HTTP/1.1", host: "54.248.101.249"
2022/08/11 03:34:38 [error] 3341766#3341766: *1634 open() "/usr/share/nginx/html/forum/info.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //forum/info.php HTTP/1.1", host: "54.248.101.249"
2022/08/11 03:34:39 [error] 3341766#3341766: *1635 open() "/usr/share/nginx/html/forum/phpinfo" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //forum/phpinfo HTTP/1.1", host: "54.248.101.249"
2022/08/11 03:34:40 [error] 3341766#3341766: *1636 open() "/usr/share/nginx/html/forum/phpinfo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //forum/phpinfo.php HTTP/1.1", host: "54.248.101.249"
2022/08/11 03:34:41 [error] 3341766#3341766: *1637 open() "/usr/share/nginx/html/forum/index.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //forum/index.php HTTP/1.1", host: "54.248.101.249"
2022/08/11 03:34:42 [error] 3341766#3341766: *1638 open() "/usr/share/nginx/html/foo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //foo.php HTTP/1.1", host: "54.248.101.249"
2022/08/11 03:41:21 [error] 3341766#3341766: *1639 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 93.182.108.25, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249"
2022/08/11 03:58:26 [error] 3341766#3341766: *1645 open() "/usr/share/nginx/html/update2/version.manifest" failed (2: No such file or directory), client: 183.157.11.162, server: 54.248.101.249, request: "GET /update2/version.manifest HTTP/1.1", host: "54.248.101.249"
2022/08/11 03:58:26 [error] 3341766#3341766: *1646 open() "/usr/share/nginx/html/update2/project.manifest" failed (2: No such file or directory), client: 183.157.11.162, server: 54.248.101.249, request: "GET /update2/project.manifest HTTP/1.1", host: "54.248.101.249"
2022/08/11 04:23:57 [error] 3341766#3341766: *1647 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 185.254.196.115, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249"
2022/08/11 05:22:27 [error] 3341766#3341766: *1650 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 109.237.103.123, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249"
2022/08/11 05:48:43 [error] 3341766#3341766: *1652 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 184.105.247.243, server: 54.248.101.249, request: "GET /favicon.ico HTTP/1.1", host: "54.248.101.249"
2022/08/11 05:52:14 [error] 3341766#3341766: *1653 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 185.254.196.115, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249"

```
LinsVert
2022-08-11 16:51:11 +08:00
You'll get used to it.
hhhhhh123
2022-08-11 16:51:20 +08:00
@lichao @misaka19000 @ViriF @zzzmh @fanchenio @nothingistrue @all Everyone, this is from my nginx error.log. I'd like to know, why does it execute this open file instruction?
hhhhhh123
2022-08-11 16:52:45 +08:00
Suppose that file did exist on my server, what would happen?
misaka19000
2022-08-11 17:04:06 +08:00
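@hhhhhh123 #13 Because some PHP sites may have this vulnerability, it scans according to common vulnerabilities; it doesn't mean your service necessarily has this vulnerability.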
hhhhhh123
2022-08-11 17:06:39 +08:00
@misaka19000 So suppose I did have this file, would it then be able to crack my server?
onice
2022-08-11 17:10:53 +08:00
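Judging from the scanned paths, it's probably a backdoor (webshell) scan. My guess is that it's the cloud vendor's security component doing the scanning; if the scan finds a vulnerability, it will send you an alert.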
hhhhhh123
2022-08-11 17:12:01 +08:00
@onice May I ask, how do you tell whether it's the service provider or a malicious scan?
misaka19000
2022-08-11 17:12:06 +08:00
@hhhhhh123 #16 Not necessarily; it depends on whether the vulnerability exists.
eason1874
2022-08-11 17:18:16 +08:00
There's no need to distinguish whether a scan is malicious or benign; just match these unused paths and return 404.
