阿里虚拟主机屡有非法访问攻击
- 从tomcat的访问记录查看非法攻击访问
这个是访问日志记录:
218.59.238.92 - - [08/Dec/2014:03:05:58 +0800] "GET /azenv2.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:03:08:55 +0800] "GET /azz.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:05:34:47 +0800] "GET /azenv.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:09:00:28 +0800] "GET /az.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:10:24:42 +0800] "GET /az.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:10:26:35 +0800] "GET /azenv.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:10:26:36 +0800] "GET /world.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:10:28:00 +0800] "GET /azenv.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:10:28:02 +0800] "GET /az.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:11:10:22 +0800] "GET /world.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:11:11:38 +0800] "GET /azenv2.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:11:12:15 +0800] "GET /azenv2.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:11:56:18 +0800] "GET /azenv2.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:12:41:11 +0800] "GET /az.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:12:44:01 +0800] "GET /azenv.php HTTP/1.0" 404 -
94.242.224.176 - - [08/Dec/2014:13:29:30 +0800] "GET /files/check.php?k=eKp9DbFH16TKhhY4/Chmfg== HTTP/1.1" 404 -
218.59.238.92 - - [08/Dec/2014:14:58:02 +0800] "GET /azenv.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:14:58:43 +0800] "GET /azenv.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:14:59:32 +0800] "GET /azz.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:15:50:20 +0800] "GET /azenv.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:15:50:25 +0800] "GET /world.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:15:50:34 +0800] "GET /azenv2.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:16:55:41 +0800] "GET /world.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:20:36:26 +0800] "GET /azenv2.php HTTP/1.0" 404 -
218.59.238.92 - - [08/Dec/2014:20:40:00 +0800] "GET /azenv2.php HTTP/1.0" 404 -
218.59.238.92 - - [09/Dec/2014:13:33:57 +0800] "GET /azz.php HTTP/1.0" 404 -
218.59.238.92 - - [09/Dec/2014:13:34:33 +0800] "GET /azenv2.php HTTP/1.0" 404 -
218.59.238.92 - - [09/Dec/2014:14:13:52 +0800] "GET /azenv.php HTTP/1.0" 404 -
218.59.238.92 - - [09/Dec/2014:16:42:43 +0800] "GET /azenv.php HTTP/1.0" 404 -
218.59.238.92 - - [09/Dec/2014:16:44:00 +0800] "GET /az.php HTTP/1.0" 404 -
218.59.238.92 - - [09/Dec/2014:17:52:52 +0800] "GET /world.php HTTP/1.0" 404 -
218.59.238.92 - - [09/Dec/2014:17:53:55 +0800] "GET /world.php HTTP/1.0" 404 -
112.124.36.187 - - [09/Dec/2014:17:54:35 +0800] "GET /news/js.php?f_id=1)%20UNION%20SELECT%201,md5(1016),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%23&type=hot HTTP/1.1" 404 1016
112.124.36.187 - - [10/Dec/2014:13:30:27 +0800] "GET /uploads/update.php HTTP/1.1" 404 1030
42.120.145.118 - - [10/Dec/2014:14:33:40 +0800] "GET /wp-login.php HTTP/1.1" 404 1018
42.120.145.249 - - [10/Dec/2014:15:41:38 +0800] "GET /wp-login.php HTTP/1.1" 404 1018
42.120.145.210 - - [10/Dec/2014:19:05:22 +0800] "GET /wp-login.php HTTP/1.1" 404 1018
——————————————————————————————————————
218.59.238.92 :山东枣庄:访问php页面,网上搜索这是一个蠕虫病毒,试探端口。
112.124.36.187:
-
浙江省杭州市 阿里云BGP数据中心:SQL注入
42.120.145.* 也是阿里云,存在故意试探访问。
____________________________________________________________________
112.124.36.187 - - [18/Dec/2014:21:34:58 +0800] "-" 400 -
222.186.21.206 - - [18/Dec/2014:21:42:50 +0800] "GET / HTTP/1.1" 200 4568
112.124.36.187 - - [18/Dec/2014:21:46:54 +0800] "POST /wp-admin/admin-ajax.php HTTP/1.1" 404 1040
112.124.36.187 - - [18/Dec/2014:21:46:54 +0800] "-" 400 -
210.35.251.202 - - [18/Dec/2014:22:08:40 +0800] "GET / HTTP/1.1" 200 4568
112.124.36.187 - - [18/Dec/2014:22:12:03 +0800] "POST /uploads/celive/live/header.php HTTP/1.1" 404 1054
112.124.36.187 - - [18/Dec/2014:22:12:03 +0800] "xajax=LiveMessage&xajaxargs[0]=<xjxobj><q><e><k>name</k><v>',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(concat(username,'|',password)) from cmseasy_user),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)--%20</v></e></q></xjxobj>" 505 -
117.141.119.220 - - [18/Dec/2014:22:48:48 +0800] "GET / HTTP/1.1" 200 4568
180.115.196.47 - - [18/Dec/2014:23:31:46 +0800] "GET /s.gif HTTP/1.1" 404 1004
180.115.196.47 - - [18/Dec/2014:23:31:46 +0800] "CONNECT api.weibo.com:443 HTTP/1.1" 400 -
——————————————————————————————————————
充分说明阿里云里面的机器,存在主动攻击别人的行为。另外就是,很多机器对阿里云主机进行攻击
- 设置ip禁用
禁用命令:最简单的是禁止该ip访问一切端口
- iptables -I INPUT -p TCP --dport 80 -j DROP -s 218.59.238.92
- iptables -I INPUT -p TCP --dport 80 -j DROP -s 121.231.143.129
查看禁用表:/etc/init.d/iptables status命令即可
[root@~]# /etc/init.d/iptables status
表格:filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP tcp -- 112.124.36.187 0.0.0.0/0 tcp dpt:80
2 DROP tcp -- 121.231.143.129 0.0.0.0/0 tcp dpt:80
3 DROP tcp -- 218.59.238.92 0.0.0.0/0 tcp dpt:80