我的服务器是不是被人盯上了?

2022-08-11 15:13:42 +08:00
 hhhhhh123

我刚刚发现 nginx 日志里面 有个 ip 疯狂在访问,这是为啥, 其实平常也是有很多不同的 ip 会访问,但是没在意。 虽然不知为啥,,然后我的网站还没弄好 域名都还没申请。很好奇他们是在干嘛?都是国外的 ip 因为我的服务器是亚马逊的。 这是一部分 IP 

18.139.219.224 - - [11/Aug/2022:03:33:09 +0000] "GET //info3.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:10 +0000] "GET //info4.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:12 +0000] "GET //phpinfo1.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:13 +0000] "GET //phpinfo2.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:14 +0000] "GET //phpinfo3.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:16 +0000] "GET //phpinfo4.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:17 +0000] "GET //o.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:19 +0000] "GET //dashboard/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:20 +0000] "GET //dashboard/test.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:21 +0000] "GET //dashboard/i.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:22 +0000] "GET //dashboard/infophp.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:23 +0000] "GET //dashboard/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:25 +0000] "GET //dashboard/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:26 +0000] "GET //p.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:28 +0000] "GET //ocp.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:29 +0000] "GET //phpsysinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:31 +0000] "GET //phpsysinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:32 +0000] "GET //phpsysinfo/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:34 +0000] "GET //phpsysinfo/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:35 +0000] "GET //phpsysinfo/phpsysinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:36 +0000] "GET //deploy.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:38 +0000] "GET //dep.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:39 +0000] "GET //dev.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:41 +0000] "GET //tz.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:42 +0000] "GET //admin/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:44 +0000] "GET //admin/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:45 +0000] "GET //admin/infophp.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:46 +0000] "GET //admin/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:48 +0000] "GET //root/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:49 +0000] "GET //root/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:51 +0000] "GET //root/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:52 +0000] "GET //root/infophp HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:53 +0000] "GET //console/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:54 +0000] "GET //console/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:56 +0000] "GET //console/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:57 +0000] "GET //console/infophp HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:58 +0000] "GET //phpinfo.html HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:34:00 +0000] "GET //root/phpinfo.html HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
3887 次点击
所在节点    程序员
29 条回复
onice
2022-08-11 17:18:31 +08:00
@hhhhhh123 你仔细看路径,都是扫描的 php 文件,发 get ,判断文件是否存在。phpinfo.php 是攻击者经常使用的探针,攻击者利用网站漏洞,写入 phpinfo 文件,通过访问这个文件可以看到服务器的 php 配置信息。

你要自己测试的话,可以搭建一个 php 环境,写一个 phpinfo.php ,内容为<?php phpinfo(); ?>,访问该文件,就能看到服务器的详细配置了。

攻击者通过访问该探针,获取服务器的更多信息,找到有漏洞的组件进行进一步的攻击。

当然,对于网站后门,攻击者也喜欢写成 phpinfo.php 。

日志中,只是单纯的判断这些后门文件是否存在,所以可以初步断定为是云运营商安全组件的扫描。

如果是攻击者的扫描行为,路径中会包含攻击代码。比如 SQL 注入会有 and 1=1 或者是 and 1=2 之类的关键字,XSS 攻击会有<script>或者是</script>关键字。
hhhhhh123
2022-08-11 17:20:42 +08:00
@onice Soga
@eason1874 已经在学习 nginx 语法了, 准备屏蔽了
hhhhhh123
2022-08-11 17:31:28 +08:00
@onice 很好奇,都说要防止 sql 注入, 我在想 这种 sql 入侵都是什么情况下会发生? 想不到场景
onice
2022-08-11 17:44:33 +08:00
@hhhhhh123 SQL 注入发生在用户的输入和数据库有交互的地方。比如查询商品信息。url 可能如下: https://xx.com/goods?id=1 ,id 参数是商品编号。用户传入不同的编号,页面上可以显示不同的商品信息。

对于不怀好意的用户(攻击者),他们不会老老实实的只传编号,而是尝试传入攻击语句。由于编号会作为查询条件带入 sql 交予数据库去执行,所以把编号换成攻击语句,数据库也会执行攻击语句。这样就达到攻击的效果了。

只要是用户输入的东西,和数据库有交互的功能,而开发者也没有对用户传入的参数进行过滤和处理,都可能存在 SQL 注入漏洞。

SQL 注入漏洞的核心是通过用户的输入,控制原有的 sql 语句,达到攻击的效果。所以 sql 能做的事情,sql 注入都能做。这就是 SQL 注入的危害。

轻则泄露管理员用户和密码,直接进后台。重则通过 sql 直接写入后门文件直接控制网站。
hhhhhh123
2022-08-11 17:48:23 +08:00
@onice soga
vhus
2022-08-11 18:27:02 +08:00
设置禁止 ip 直接访问。
chainsR
2022-08-12 09:06:06 +08:00
nginx 装个 waf ,过几天你去看防护日志,会发现更多牛鬼蛇神
AS4694lAS4808
2022-08-12 10:16:46 +08:00
复杂服务在端口前加个 aws waf 。简单服务的话直接 fail2ban 读日志,禁用高频访问
xiaopigfly
2022-08-12 17:05:55 +08:00
冷知识,放到公网上总会被人扫描。不管就是了

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/872175

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX