
我的服务器是不是被人盯上了?

hhhhhh123 · 112 days ago · 3289 views
This topic was created 112 days ago; the information in it may have since developed or changed.

I just noticed that one IP in my nginx log is hammering the server. Why is that? To be honest, lots of different IPs normally hit it too, but I never paid attention. Anyway, my site isn't even finished yet; I haven't even applied for a domain. I'm very curious what they are up to. They are all foreign IPs, since my server is on Amazon. Here is part of the log:

    18.139.219.224 - - [11/Aug/2022:03:33:09 +0000] "GET //info3.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:10 +0000] "GET //info4.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:12 +0000] "GET //phpinfo1.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:13 +0000] "GET //phpinfo2.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:14 +0000] "GET //phpinfo3.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:16 +0000] "GET //phpinfo4.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:17 +0000] "GET //o.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:19 +0000] "GET //dashboard/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:20 +0000] "GET //dashboard/test.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:21 +0000] "GET //dashboard/i.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:22 +0000] "GET //dashboard/infophp.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:23 +0000] "GET //dashboard/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:25 +0000] "GET //dashboard/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:26 +0000] "GET //p.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:28 +0000] "GET //ocp.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:29 +0000] "GET //phpsysinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:31 +0000] "GET //phpsysinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:32 +0000] "GET //phpsysinfo/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:34 +0000] "GET //phpsysinfo/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:35 +0000] "GET //phpsysinfo/phpsysinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:36 +0000] "GET //deploy.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:38 +0000] "GET //dep.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:39 +0000] "GET //dev.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:41 +0000] "GET //tz.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:42 +0000] "GET //admin/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:44 +0000] "GET //admin/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:45 +0000] "GET //admin/infophp.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:46 +0000] "GET //admin/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:48 +0000] "GET //root/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:49 +0000] "GET //root/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:51 +0000] "GET //root/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:52 +0000] "GET //root/infophp HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:53 +0000] "GET //console/phpinfo HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:54 +0000] "GET //console/info.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:56 +0000] "GET //console/phpinfo.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:57 +0000] "GET //console/infophp HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:33:58 +0000] "GET //phpinfo.html HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    18.139.219.224 - - [11/Aug/2022:03:34:00 +0000] "GET //root/phpinfo.html HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
    
    
Addendum 1 · 112 days ago
    ```
    2022/08/11 03:34:30 [error] 3341766#3341766: *1627 open() "/usr/share/nginx/html/phpconfigure/phpinfo" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/phpinfo HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:31 [error] 3341766#3341766: *1628 open() "/usr/share/nginx/html/phpconfigure/phpinfo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/phpinfo.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:32 [error] 3341766#3341766: *1629 open() "/usr/share/nginx/html/phpconfigure/index.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/index.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:33 [error] 3341766#3341766: *1630 open() "/usr/share/nginx/html/scripts/info.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/info.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:34 [error] 3341766#3341766: *1631 open() "/usr/share/nginx/html/scripts/phpinfo" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/phpinfo HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:36 [error] 3341766#3341766: *1632 open() "/usr/share/nginx/html/scripts/phpinfo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/phpinfo.php HTTP/1.1", host: "54.248.101.249"


    ```
29 replies · 2022-08-12 17:05:55 +08:00
#1 lichao · 112 days ago
Perfectly normal; 99.99% of servers get scanned.
#2 misaka19000 · 112 days ago
This thread comes up every month... On the public internet, people will scan you. You can move SSH off port 22, or allow key-based login only, and start fail2ban.
#3 ViriF · 112 days ago
Totally normal, +1. I get scanned thousands or tens of thousands of times every day. Just set up a service that reads the logs and bans IPs automatically.
#4 zzzmh · 112 days ago
Is this your first time running a site? This is the most basic kind of scanning; it has essentially no impact on the server and can be ignored. I simply match every request ending in .php, .asp or .jsp and drop them all right away, to save resources. Once you have run a site for a while you will meet all sorts of troublemakers; I have gone numb to it.
#5 fanchenio · 112 days ago
My site gets scanned N times a day, with all kinds of strange requests.
#6 nothingistrue · 112 days ago
This is wide-net, low-level vulnerability scanning; when they find a hole they follow it to take over the server. As long as your server is reachable from the public internet, it will be scanned like this. It is not a DDoS attack. As long as you have no basic security problems, such as a simple root password or Redis/MySQL exposed to the public internet without a password, you don't need to do anything about it.
#7 libook · 112 days ago
Automated vulnerability-scanning bots. Once they find a vulnerability they break in automatically to run ransomware, mine cryptocurrency, or hijack the machine as a zombie. You need a web application firewall.

Cloud providers' IP ranges are fairly fixed, and the attack bots sweep through those ranges from time to time.
#8 LnTrx · 112 days ago
That is just how public IPv4 is.
#9 yulgang · 112 days ago
Bulk scanning. Normal.
#10 hhhhhh123 (OP) · 112 days ago
I see. It really is my first time running a site. Hehe.
#11 hhhhhh123 (OP) · 112 days ago
    ```
    2022/08/11 03:34:30 [error] 3341766#3341766: *1627 open() "/usr/share/nginx/html/phpconfigure/phpinfo" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/phpinfo HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:31 [error] 3341766#3341766: *1628 open() "/usr/share/nginx/html/phpconfigure/phpinfo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/phpinfo.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:32 [error] 3341766#3341766: *1629 open() "/usr/share/nginx/html/phpconfigure/index.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/index.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:33 [error] 3341766#3341766: *1630 open() "/usr/share/nginx/html/scripts/info.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/info.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:34 [error] 3341766#3341766: *1631 open() "/usr/share/nginx/html/scripts/phpinfo" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/phpinfo HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:36 [error] 3341766#3341766: *1632 open() "/usr/share/nginx/html/scripts/phpinfo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/phpinfo.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:37 [error] 3341766#3341766: *1633 open() "/usr/share/nginx/html/scripts/index.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //scripts/index.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:38 [error] 3341766#3341766: *1634 open() "/usr/share/nginx/html/forum/info.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //forum/info.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:39 [error] 3341766#3341766: *1635 open() "/usr/share/nginx/html/forum/phpinfo" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //forum/phpinfo HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:40 [error] 3341766#3341766: *1636 open() "/usr/share/nginx/html/forum/phpinfo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //forum/phpinfo.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:41 [error] 3341766#3341766: *1637 open() "/usr/share/nginx/html/forum/index.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //forum/index.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:34:42 [error] 3341766#3341766: *1638 open() "/usr/share/nginx/html/foo.php" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //foo.php HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:41:21 [error] 3341766#3341766: *1639 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 93.182.108.25, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:58:26 [error] 3341766#3341766: *1645 open() "/usr/share/nginx/html/update2/version.manifest" failed (2: No such file or directory), client: 183.157.11.162, server: 54.248.101.249, request: "GET /update2/version.manifest HTTP/1.1", host: "54.248.101.249"
    2022/08/11 03:58:26 [error] 3341766#3341766: *1646 open() "/usr/share/nginx/html/update2/project.manifest" failed (2: No such file or directory), client: 183.157.11.162, server: 54.248.101.249, request: "GET /update2/project.manifest HTTP/1.1", host: "54.248.101.249"
    2022/08/11 04:23:57 [error] 3341766#3341766: *1647 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 185.254.196.115, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249"
    2022/08/11 05:22:27 [error] 3341766#3341766: *1650 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 109.237.103.123, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249"
    2022/08/11 05:48:43 [error] 3341766#3341766: *1652 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 184.105.247.243, server: 54.248.101.249, request: "GET /favicon.ico HTTP/1.1", host: "54.248.101.249"
    2022/08/11 05:52:14 [error] 3341766#3341766: *1653 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 185.254.196.115, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249"

    ```
#12 LinsVert · 112 days ago
You get used to it.
#13 hhhhhh123 (OP) · 112 days ago
@lichao @misaka19000 @ViriF @zzzmh @fanchenio @nothingistrue @all Everyone, this is from my nginx error.log. I want to know: why does it execute this open file command to open the file?
#14 hhhhhh123 (OP) · 112 days ago
Suppose I did have this file. What would happen?
#15 misaka19000 · 112 days ago
@hhhhhh123 #13 Because some PHP sites may have this vulnerability, so it scans based on common vulnerabilities. It does not mean your service necessarily has it.
#16 hhhhhh123 (OP) · 112 days ago
@misaka19000 So if I did have this file, could they crack my server?
#17 onice · 112 days ago
Judging by the scanned paths, this looks like a backdoor (webshell) scan. My guess is that it is the cloud provider's security component scanning; if it finds a vulnerability, it will alert you.
#18 hhhhhh123 (OP) · 112 days ago
@onice May I ask how to tell whether this is the service provider or a malicious scan?
#19 misaka19000 · 112 days ago
@hhhhhh123 #16 Not necessarily; it depends on whether the vulnerability exists.
#20 eason1874 · 112 days ago
No need to distinguish whether the scan is malicious or benign; just match these unused paths and return 404.
#21 onice · 112 days ago
@hhhhhh123 Look closely at the paths: they are all scanning for PHP files, sending a GET to check whether the file exists. phpinfo.php is a probe that attackers use all the time: an attacker exploits a website vulnerability to write a phpinfo file, and by visiting that file can see the server's PHP configuration.

If you want to test it yourself, you can set up a PHP environment, write a phpinfo.php containing <?php phpinfo(); ?>, and visit that file; you will see the server's detailed configuration.

By visiting such a probe, an attacker gets more information about the server and finds vulnerable components for further attacks.

Of course, attackers also like to name website backdoors phpinfo.php.

The log shows nothing more than checks for whether these backdoor files exist, so it can tentatively be judged a scan by the cloud operator's security component.

If it were an attacker's scan, the paths would contain attack code. For example, SQL injection carries keywords like and 1=1 or and 1=2, and XSS attacks carry <script> or </script>.
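The three pieces of advice above, ViriF's log-reading auto-ban (#3), eason1874's "just match the unused paths" (#20) and onice's rule that an attacker's requests carry payload markers while a scanner's only test for file existence (#21), can be combined into one log triage pass. The script below is an added example and is not code from the thread or from any of the tools mentioned in it. It parses both nginx log formats the OP posted (the combined access log and the `open() ... failed` error log), classifies each request path as a pure existence probe, a request carrying an attack string, or benign, and flags IPs that produce a burst of 404s the way a fail2ban jail would. The first nine sample lines are copied from the OP's excerpts; the two `203.0.113.7` lines, the threshold of five 404s per minute, and the probe keyword list are constructed assumptions.

```python
import re
import urllib.parse
from collections import Counter, defaultdict
from datetime import datetime

# nginx "combined" access-log line, the format of the OP's first excerpt.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)
# nginx error-log "open() ... failed (2: No such file or directory)" line, the format
# of the OP's error.log excerpt; nginx answered every such request with a 404.
ERROR_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?open\(\) "[^"]*" failed '
    r'\(2: No such file or directory\), client: (?P<ip>\S+), .*?'
    r'request: "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

# Markers onice (#21) names: SQL-injection attempts carry "and 1=1" / "and 1=2",
# XSS attempts carry <script> tags. Pure existence probes carry neither.
PAYLOAD_MARKERS = [re.compile(r"\band\s+1\s*=\s*[12]\b"), re.compile(r"<\s*/?script\b")]
# Extensions zzzmh (#4) drops outright, plus the file names seen in the OP's logs
# (assumed list; extend it for your own site).
PROBE_SUFFIXES = (".php", ".asp", ".jsp", ".env")
PROBE_KEYWORDS = ("phpinfo", "phpsysinfo")


def parse_line(line):
    """Return {ip, ts, path, status, ua} for either log format, or None."""
    m = ACCESS_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        return {"ip": m["ip"], "ts": ts, "path": m["path"],
                "status": int(m["status"]), "ua": m["ua"]}
    m = ERROR_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": 404, "ua": ""}
    return None


def classify_path(path):
    """'payload' if the (URL-decoded) path carries an attack string, 'probe' if it
    only tests for a file that does not belong on this site, else 'benign'."""
    low = urllib.parse.unquote(path).lower()
    if any(p.search(low) for p in PAYLOAD_MARKERS):
        return "payload"
    bare = low.split("?", 1)[0]
    if bare.endswith(PROBE_SUFFIXES) or any(k in bare for k in PROBE_KEYWORDS):
        return "probe"
    return "benign"


def ban_candidates(records, max_404=5, window_seconds=60):
    """fail2ban-style rule (threshold and window are assumptions): an IP that
    produces max_404 responses of 404 inside window_seconds is a ban candidate.
    Returns {ip: total 404 count}."""
    by_ip = defaultdict(list)
    for r in records:
        if r["status"] == 404:
            by_ip[r["ip"]].append(r["ts"])
    banned = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - max_404 + 1):
            if (times[i + max_404 - 1] - times[i]).total_seconds() <= window_seconds:
                banned[ip] = len(times)
                break
    return banned


def summarize(log_text, **ban_kwargs):
    """Parse a mixed access/error log and report bans, class counts and payload hits."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    classes = Counter(classify_path(r["path"]) for r in records)
    payloads = [(r["ip"], r["path"]) for r in records if classify_path(r["path"]) == "payload"]
    return {"bans": ban_candidates(records, **ban_kwargs),
            "classes": dict(classes), "payloads": payloads}


# Sample input: lines 1-9 are copied from the OP's two excerpts; the last two
# lines (203.0.113.7, a documentation address) are constructed for this example.
SAMPLE_LOG = """\
18.139.219.224 - - [11/Aug/2022:03:33:09 +0000] "GET //info3.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:10 +0000] "GET //info4.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:12 +0000] "GET //phpinfo1.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:13 +0000] "GET //phpinfo2.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
18.139.219.224 - - [11/Aug/2022:03:33:14 +0000] "GET //phpinfo3.php HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
2022/08/11 03:34:30 [error] 3341766#3341766: *1627 open() "/usr/share/nginx/html/phpconfigure/phpinfo" failed (2: No such file or directory), client: 18.139.219.224, server: 54.248.101.249, request: "GET //phpconfigure/phpinfo HTTP/1.1", host: "54.248.101.249"
2022/08/11 03:41:21 [error] 3341766#3341766: *1639 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 93.182.108.25, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249"
2022/08/11 04:23:57 [error] 3341766#3341766: *1647 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 185.254.196.115, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249"
2022/08/11 05:52:14 [error] 3341766#3341766: *1653 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 185.254.196.115, server: 54.248.101.249, request: "GET /.env HTTP/1.1", host: "54.248.101.249"
203.0.113.7 - - [11/Aug/2022:06:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Aug/2022:06:00:05 +0000] "GET /goods?id=1%20and%201=1 HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the sample, only `18.139.219.224` trips the burst rule (six 404s, the first five within five seconds); the two `.env` requests from `185.254.196.115` stay below the threshold, which is the usual trade-off with a count-in-window rule: slow, distributed probing slips through, so the path classification is kept separate from the ban decision and can feed a deny list on its own.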
#22 hhhhhh123 (OP) · 112 days ago
@onice I see.
@eason1874 Already learning nginx syntax, getting ready to block them.
#23 hhhhhh123 (OP) · 112 days ago
@onice I'm curious: everyone says to prevent SQL injection. I'm wondering under what circumstances this kind of SQL intrusion actually happens? I can't think of a scenario.
#24 onice · 112 days ago
@hhhhhh123 SQL injection happens wherever user input interacts with the database. Take looking up product information: the URL might be https://xx.com/goods?id=1, where the id parameter is the product number. Users pass in different numbers and the page shows different product information.

Ill-intentioned users (attackers) won't obediently pass just a number; they try to pass an attack statement instead. Because the number is used as a query condition and put into the SQL that is handed to the database to execute, if the number is replaced with an attack statement, the database executes the attack statement as well. That is how the attack takes effect.

Any feature where user input interacts with the database, and where the developer has not filtered and handled the parameters the user passes in, may have a SQL injection vulnerability.

The core of a SQL injection vulnerability is using user input to control the original SQL statement to carry out an attack. So whatever SQL can do, SQL injection can do. That is the danger of SQL injection.

At best it leaks the admin username and password and gets straight into the backend; at worst it writes a backdoor file directly through SQL and takes control of the site.
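onice's `goods?id=1` scenario, carried through in code as an added example (not code from the thread): an in-memory SQLite table stands in for the product catalogue, and the same four inputs are run through a lookup that splices the id into the SQL text, a parameterised lookup, and a lookup that additionally validates the id as an integer before any query is made. The `and 1=1` / `and 1=2` pair and `or 1=1` are the markers onice names in #21; the table, its rows and the function names are constructed for this example.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory catalogue standing in for the goods table behind
    https://xx.com/goods?id=1 in onice's explanation."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE goods (id INTEGER PRIMARY KEY, name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO goods VALUES (?, ?, ?)",
                     [(1, "keyboard", 30), (2, "mouse", 15), (3, "monitor", 200)])
    return conn


def lookup_vulnerable(conn, raw_id):
    """The flaw onice describes: the id parameter is spliced into the SQL text,
    so whatever the user sends becomes part of the statement the database runs."""
    sql = f"SELECT id, name, price FROM goods WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, raw_id):
    """Parameterised query: the value is bound as data and never parsed as SQL,
    so 'and 1=2' is compared as a literal string, not evaluated as a condition."""
    return conn.execute(
        "SELECT id, name, price FROM goods WHERE id = ?", (raw_id,)
    ).fetchall()


def lookup_validated(conn, raw_id):
    """Defence in depth: a product number must be an integer before it reaches
    the database at all; anything else is rejected without issuing a query."""
    try:
        product_id = int(raw_id)
    except (TypeError, ValueError):
        return []
    return lookup_safe(conn, product_id)


def demo():
    """Run the same four inputs through each lookup and return the number of rows
    each one yields, so the difference is visible at a glance."""
    conn = make_demo_db()
    inputs = ["1", "1 and 1=1", "1 and 1=2", "1 or 1=1"]
    return {
        fn.__name__: {inp: len(fn(conn, inp)) for inp in inputs}
        for fn in (lookup_vulnerable, lookup_safe, lookup_validated)
    }


if __name__ == "__main__":
    for name, counts in demo().items():
        print(name, counts)
```

The row counts make onice's point concrete: the spliced query answers `1 and 1=1` with the product and `1 and 1=2` with nothing, which is exactly the yes/no oracle a scanner looks for, and `1 or 1=1` returns the whole table. The parameterised query returns one row for `1` and nothing for the other three, and the validated version never even reaches the database for them. Parameterisation is the fix; the integer check is the cheap extra layer that also keeps such requests out of the query log.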
#25 hhhhhh123 (OP) · 112 days ago
@onice I see.
#26 vhus · 111 days ago
Configure it to refuse direct access by IP address.
#27 chainsR · 111 days ago via iPhone
Put a WAF on nginx; look at the protection logs after a few days and you will find even more creepy-crawlies.
#28 AS4694lAS4808 · 111 days ago
For a complex service, put an AWS WAF in front of the port. For a simple service, just let fail2ban read the logs and block high-frequency access.
#29 xiaopigfly · 111 days ago
Fun fact: anything put on the public internet will always get scanned. Just ignore it.