阿里虚拟主机屡有非法访问攻击

lvdccyb

浏览: 407429 次

最近访客更多访客>>

WindyQin

bigstar119

jiazhigang

JoinerSep

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

博客分类：

阿里云

虚拟主机 iptables

从tomcat的访问记录查看非法攻击访问

这个是访问日志记录：

218.59.238.92 - - [08/Dec/2014:03:05:58 +0800] "GET /azenv2.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:03:08:55 +0800] "GET /azz.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:05:34:47 +0800] "GET /azenv.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:09:00:28 +0800] "GET /az.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:10:24:42 +0800] "GET /az.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:10:26:35 +0800] "GET /azenv.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:10:26:36 +0800] "GET /world.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:10:28:00 +0800] "GET /azenv.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:10:28:02 +0800] "GET /az.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:11:10:22 +0800] "GET /world.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:11:11:38 +0800] "GET /azenv2.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:11:12:15 +0800] "GET /azenv2.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:11:56:18 +0800] "GET /azenv2.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:12:41:11 +0800] "GET /az.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:12:44:01 +0800] "GET /azenv.php HTTP/1.0" 404 -

94.242.224.176 - - [08/Dec/2014:13:29:30 +0800] "GET /files/check.php?k=eKp9DbFH16TKhhY4/Chmfg== HTTP/1.1" 404 -

218.59.238.92 - - [08/Dec/2014:14:58:02 +0800] "GET /azenv.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:14:58:43 +0800] "GET /azenv.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:14:59:32 +0800] "GET /azz.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:15:50:20 +0800] "GET /azenv.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:15:50:25 +0800] "GET /world.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:15:50:34 +0800] "GET /azenv2.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:16:55:41 +0800] "GET /world.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:20:36:26 +0800] "GET /azenv2.php HTTP/1.0" 404 -

218.59.238.92 - - [08/Dec/2014:20:40:00 +0800] "GET /azenv2.php HTTP/1.0" 404 -

218.59.238.92 - - [09/Dec/2014:13:33:57 +0800] "GET /azz.php HTTP/1.0" 404 -

218.59.238.92 - - [09/Dec/2014:13:34:33 +0800] "GET /azenv2.php HTTP/1.0" 404 -

218.59.238.92 - - [09/Dec/2014:14:13:52 +0800] "GET /azenv.php HTTP/1.0" 404 -

218.59.238.92 - - [09/Dec/2014:16:42:43 +0800] "GET /azenv.php HTTP/1.0" 404 -

218.59.238.92 - - [09/Dec/2014:16:44:00 +0800] "GET /az.php HTTP/1.0" 404 -

218.59.238.92 - - [09/Dec/2014:17:52:52 +0800] "GET /world.php HTTP/1.0" 404 -

218.59.238.92 - - [09/Dec/2014:17:53:55 +0800] "GET /world.php HTTP/1.0" 404 -

112.124.36.187 - - [09/Dec/2014:17:54:35 +0800] "GET /news/js.php?f_id=1)%20UNION%20SELECT%201,md5(1016),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%23&type=hot HTTP/1.1" 404 1016

112.124.36.187 - - [10/Dec/2014:13:30:27 +0800] "GET /uploads/update.php HTTP/1.1" 404 1030

42.120.145.118 - - [10/Dec/2014:14:33:40 +0800] "GET /wp-login.php HTTP/1.1" 404 1018

42.120.145.249 - - [10/Dec/2014:15:41:38 +0800] "GET /wp-login.php HTTP/1.1" 404 1018

42.120.145.210 - - [10/Dec/2014:19:05:22 +0800] "GET /wp-login.php HTTP/1.1" 404 1018

——————————————————————————————————————

218.59.238.92 ：山东枣庄：访问php页面，网上搜索这是一个蠕虫病毒，试探端口。

112.124.36.187：

浙江省杭州市阿里云BGP数据中心：SQL注入

42.120.145.* 也是阿里云，存在故意试探访问。

____________________________________________________________________

112.124.36.187 - - [18/Dec/2014:21:34:58 +0800] "-" 400 -
222.186.21.206 - - [18/Dec/2014:21:42:50 +0800] "GET / HTTP/1.1" 200 4568
112.124.36.187 - - [18/Dec/2014:21:46:54 +0800] "POST /wp-admin/admin-ajax.php HTTP/1.1" 404 1040
112.124.36.187 - - [18/Dec/2014:21:46:54 +0800] "-" 400 -
210.35.251.202 - - [18/Dec/2014:22:08:40 +0800] "GET / HTTP/1.1" 200 4568
112.124.36.187 - - [18/Dec/2014:22:12:03 +0800] "POST /uploads/celive/live/header.php HTTP/1.1" 404 1054
112.124.36.187 - - [18/Dec/2014:22:12:03 +0800] "xajax=LiveMessage&xajaxargs[0]=<xjxobj><q><e><k>name</k><v>',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(concat(username,'|',password)) from cmseasy_user),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)--%20</v></e></q></xjxobj>" 505 -
117.141.119.220 - - [18/Dec/2014:22:48:48 +0800] "GET / HTTP/1.1" 200 4568
180.115.196.47 - - [18/Dec/2014:23:31:46 +0800] "GET /s.gif HTTP/1.1" 404 1004
180.115.196.47 - - [18/Dec/2014:23:31:46 +0800] "CONNECT api.weibo.com:443 HTTP/1.1" 400 -

——————————————————————————————————————

充分说明阿里云里面的机器，存在主动攻击别人的行为。另外就是，很多机器对阿里云主机进行攻击

设置ip禁用

禁用命令：最简单的是禁止该ip访问一切端口

iptables -I INPUT -p TCP --dport 80 -j DROP -s 218.59.238.92
iptables -I INPUT -p TCP --dport 80 -j DROP -s 121.231.143.129

查看禁用表：/etc/init.d/iptables status命令即可

[root@~]# /etc/init.d/iptables status
表格：filter
Chain INPUT (policy ACCEPT)
num target     prot opt source               destination
1    DROP       tcp -- 112.124.36.187       0.0.0.0/0           tcp dpt:80
2    DROP       tcp -- 121.231.143.129      0.0.0.0/0           tcp dpt:80
3    DROP       tcp -- 218.59.238.92        0.0.0.0/0           tcp dpt:80

分享到：