欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

阿里虚拟主机屡有非法访问攻击

程序员文章站 2022-04-23 21:34:57
...
  1. 从tomcat的访问记录查看非法攻击访问

这个是访问日志记录:

218.59.238.92 - - [08/Dec/2014:03:05:58 +0800] "GET /azenv2.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:03:08:55 +0800] "GET /azz.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:05:34:47 +0800] "GET /azenv.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:09:00:28 +0800] "GET /az.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:10:24:42 +0800] "GET /az.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:10:26:35 +0800] "GET /azenv.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:10:26:36 +0800] "GET /world.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:10:28:00 +0800] "GET /azenv.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:10:28:02 +0800] "GET /az.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:11:10:22 +0800] "GET /world.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:11:11:38 +0800] "GET /azenv2.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:11:12:15 +0800] "GET /azenv2.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:11:56:18 +0800] "GET /azenv2.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:12:41:11 +0800] "GET /az.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:12:44:01 +0800] "GET /azenv.php HTTP/1.0" 404 -

94.242.224.176 - - [08/Dec/2014:13:29:30 +0800] "GET /files/check.php?k=eKp9DbFH16TKhhY4/Chmfg== HTTP/1.1" 404 -

218.59.238.92 - - [08/Dec/2014:14:58:02 +0800] "GET /azenv.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:14:58:43 +0800] "GET /azenv.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:14:59:32 +0800] "GET /azz.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:15:50:20 +0800] "GET /azenv.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:15:50:25 +0800] "GET /world.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:15:50:34 +0800] "GET /azenv2.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:16:55:41 +0800] "GET /world.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:20:36:26 +0800] "GET /azenv2.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:20:40:00 +0800] "GET /azenv2.php HTTP/1.0" 404 -

 

 

218.59.238.92 - - [09/Dec/2014:13:33:57 +0800] "GET /azz.php HTTP/1.0" 404 -

218.59.238.92 - - [09/Dec/2014:13:34:33 +0800] "GET /azenv2.php HTTP/1.0" 404 -

218.59.238.92 - - [09/Dec/2014:14:13:52 +0800] "GET /azenv.php HTTP/1.0" 404 -

218.59.238.92 - - [09/Dec/2014:16:42:43 +0800] "GET /azenv.php HTTP/1.0" 404 -

218.59.238.92 - - [09/Dec/2014:16:44:00 +0800] "GET /az.php HTTP/1.0" 404 -

218.59.238.92 - - [09/Dec/2014:17:52:52 +0800] "GET /world.php HTTP/1.0" 404 -

218.59.238.92 - - [09/Dec/2014:17:53:55 +0800] "GET /world.php HTTP/1.0" 404 -

 

112.124.36.187 - - [09/Dec/2014:17:54:35 +0800] "GET /news/js.php?f_id=1)%20UNION%20SELECT%201,md5(1016),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%23&type=hot HTTP/1.1" 404 1016

112.124.36.187 - - [10/Dec/2014:13:30:27 +0800] "GET /uploads/update.php HTTP/1.1" 404 1030

 

42.120.145.118 - - [10/Dec/2014:14:33:40 +0800] "GET /wp-login.php HTTP/1.1" 404 1018

42.120.145.249 - - [10/Dec/2014:15:41:38 +0800] "GET /wp-login.php HTTP/1.1" 404 1018

42.120.145.210 - - [10/Dec/2014:19:05:22 +0800] "GET /wp-login.php HTTP/1.1" 404 1018

 

——————————————————————————————————————

218.59.238.92 :山东枣庄:访问php页面,网上搜索这是一个蠕虫病毒,试探端口。

 

 

112.124.36.187:

  • 浙江省杭州市 阿里云BGP数据中心:SQL注入

42.120.145.* 也是阿里云,存在故意试探访问。

 

____________________________________________________________________

112.124.36.187 - - [18/Dec/2014:21:34:58 +0800] "-" 400 -
222.186.21.206 - - [18/Dec/2014:21:42:50 +0800] "GET / HTTP/1.1" 200 4568
112.124.36.187 - - [18/Dec/2014:21:46:54 +0800] "POST /wp-admin/admin-ajax.php HTTP/1.1" 404 1040
112.124.36.187 - - [18/Dec/2014:21:46:54 +0800] "-" 400 -
210.35.251.202 - - [18/Dec/2014:22:08:40 +0800] "GET / HTTP/1.1" 200 4568
112.124.36.187 - - [18/Dec/2014:22:12:03 +0800] "POST /uploads/celive/live/header.php HTTP/1.1" 404 1054
112.124.36.187 - - [18/Dec/2014:22:12:03 +0800] "xajax=LiveMessage&xajaxargs[0]=<xjxobj><q><e><k>name</k><v>',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(concat(username,'|',password)) from cmseasy_user),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)--%20</v></e></q></xjxobj>" 505 -
117.141.119.220 - - [18/Dec/2014:22:48:48 +0800] "GET / HTTP/1.1" 200 4568
180.115.196.47 - - [18/Dec/2014:23:31:46 +0800] "GET /s.gif HTTP/1.1" 404 1004
180.115.196.47 - - [18/Dec/2014:23:31:46 +0800] "CONNECT api.weibo.com:443 HTTP/1.1" 400 -

——————————————————————————————————————

 

充分说明阿里云里面的机器,存在主动攻击别人的行为。另外就是,很多机器对阿里云主机进行攻击

 

  1. 设置ip禁用 

禁用命令:最简单的是禁止该ip访问一切端口

  • iptables -I INPUT -p TCP --dport 80 -j DROP  -s 218.59.238.92
  • iptables -I INPUT -p TCP --dport 80 -j DROP  -s 121.231.143.129

查看禁用表:/etc/init.d/iptables  status命令即可

[root@~]# /etc/init.d/iptables  status
表格:filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    DROP       tcp  --  112.124.36.187       0.0.0.0/0           tcp dpt:80
2    DROP       tcp  --  121.231.143.129      0.0.0.0/0           tcp dpt:80
3    DROP       tcp  --  218.59.238.92        0.0.0.0/0           tcp dpt:80