Is this a getshell attempt? And from a Baidu IP, too

    Hardrain · 2017-07-26 15:11:29 +08:00 · 5141 views
    This topic was created 2680 days ago; the information in it may have developed or changed since then.

    Checking my server logs today, I found the following:

    180.76.138.179 - - [23/Jul/2017:05:15:06 +0000] "GET / HTTP/1.1" 301 481 "http://hardrain980.com/" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:07 +0000] "GET / HTTP/1.1" 200 46301 "http://hardrain980.com/" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:09 +0000] "POST //plus/spider.php HTTP/1.1" 301 510 "http://hardrain980.com//plus/spider.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:09 +0000] "GET /plus/spider.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/spider.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:10 +0000] "POST //plus/e7xue.php HTTP/1.1" 301 508 "http://hardrain980.com//plus/e7xue.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:10 +0000] "GET /plus/e7xue.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/e7xue.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:11 +0000] "POST //plus/mycak.php HTTP/1.1" 301 508 "http://hardrain980.com//plus/mycak.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:11 +0000] "GET /plus/mycak.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mycak.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:12 +0000] "POST //sitemap/templates/met/SqlIn.asp HTTP/1.1" 301 542 "http://hardrain980.com//sitemap/templates/met/SqlIn.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:13 +0000] "GET /sitemap/templates/met/SqlIn.asp HTTP/1.1" 404 28028 "http://hardrain980.com//sitemap/templates/met/SqlIn.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:14 +0000] "POST //plus/mybak.php HTTP/1.1" 301 508 "http://hardrain980.com//plus/mybak.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:14 +0000] "GET /plus/mybak.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mybak.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:15 +0000] "POST //plus/x.php HTTP/1.1" 301 500 "http://hardrain980.com//plus/x.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:15 +0000] "GET /plus/x.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/x.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:16 +0000] "POST //plus/service.php HTTP/1.1" 301 512 "http://hardrain980.com//plus/service.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:17 +0000] "GET /plus/service.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/service.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:18 +0000] "POST //plus/av.php HTTP/1.1" 301 502 "http://hardrain980.com//plus/av.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:18 +0000] "GET /plus/av.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/av.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:19 +0000] "POST //plus/mytag_js.php?aid=511348 HTTP/1.1" 301 536 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:19 +0000] "GET /plus/mytag_js.php?aid=511348 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:20 +0000] "POST //plus/mytag_js.php?aid=511348 HTTP/1.1" 301 536 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:21 +0000] "GET /plus/mytag_js.php?aid=511348 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:22 +0000] "POST //plus/mytag_js.php?aid=511348 HTTP/1.1" 301 536 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:22 +0000] "GET /plus/mytag_js.php?aid=511348 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=511348" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:23 +0000] "POST //lang/cn/system.php HTTP/1.1" 301 516 "http://hardrain980.com//lang/cn/system.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:23 +0000] "GET /lang/cn/system.php HTTP/1.1" 404 28028 "http://hardrain980.com//lang/cn/system.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:24 +0000] "POST //config/AspCms_Config.asp HTTP/1.1" 301 528 "http://hardrain980.com//config/AspCms_Config.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:25 +0000] "GET /config/AspCms_Config.asp HTTP/1.1" 404 28028 "http://hardrain980.com//config/AspCms_Config.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:26 +0000] "POST //admin_login.php HTTP/1.1" 301 510 "http://hardrain980.com//admin_login.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:26 +0000] "GET /admin_login.php HTTP/1.1" 404 28028 "http://hardrain980.com//admin_login.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:27 +0000] "POST //Templates/red.asp HTTP/1.1" 301 514 "http://hardrain980.com//Templates/red.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:27 +0000] "GET /Templates/red.asp HTTP/1.1" 404 28028 "http://hardrain980.com//Templates/red.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:28 +0000] "POST //plus/mytag_js.php?aid=8080 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:29 +0000] "GET /plus/mytag_js.php?aid=8080 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    207.46.13.102 - - [23/Jul/2017:05:15:30 +0000] "GET /sitemap.xml HTTP/1.1" 200 4187 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
    180.76.138.179 - - [23/Jul/2017:05:15:31 +0000] "POST //plus/mytag_js.php?aid=8080 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:31 +0000] "GET /plus/mytag_js.php?aid=8080 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:32 +0000] "POST //plus/mytag_js.php?aid=8080 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:33 +0000] "GET /plus/mytag_js.php?aid=8080 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=8080" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:35 +0000] "POST //images/swfupload/images/uploadye.php HTTP/1.1" 301 552 "http://hardrain980.com//images/swfupload/images/uploadye.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:35 +0000] "GET /images/swfupload/images/uploadye.php HTTP/1.1" 404 28028 "http://hardrain980.com//images/swfupload/images/uploadye.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:38 +0000] "POST //utility/convert/data/config.inc.php HTTP/1.1" 301 550 "http://hardrain980.com//utility/convert/data/config.inc.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:38 +0000] "GET /utility/convert/data/config.inc.php HTTP/1.1" 404 28028 "http://hardrain980.com//utility/convert/data/config.inc.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:39 +0000] "POST //config/AspCms_Config.asp HTTP/1.1" 301 528 "http://hardrain980.com//config/AspCms_Config.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:39 +0000] "GET /config/AspCms_Config.asp HTTP/1.1" 404 28028 "http://hardrain980.com//config/AspCms_Config.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:40 +0000] "POST //plus/mytag_js.php?aid=9090 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:41 +0000] "GET /plus/mytag_js.php?aid=9090 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:42 +0000] "POST //plus/mytag_js.php?aid=9090 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:42 +0000] "GET /plus/mytag_js.php?aid=9090 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:43 +0000] "POST //plus/mytag_js.php?aid=9090 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:44 +0000] "GET /plus/mytag_js.php?aid=9090 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=9090" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:45 +0000] "POST //plus/bakup.hp HTTP/1.1" 301 506 "http://hardrain980.com//plus/bakup.hp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:45 +0000] "GET /plus/bakup.hp HTTP/1.1" 404 28028 "http://hardrain980.com//plus/bakup.hp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:48 +0000] "POST //include/code/mp.php HTTP/1.1" 301 518 "http://hardrain980.com//include/code/mp.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:48 +0000] "GET /include/code/mp.php HTTP/1.1" 404 28028 "http://hardrain980.com//include/code/mp.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:49 +0000] "POST //plus/laobiao.php HTTP/1.1" 301 512 "http://hardrain980.com//plus/laobiao.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:49 +0000] "GET /plus/laobiao.php HTTP/1.1" 404 28028 "http://hardrain980.com//plus/laobiao.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:50 +0000] "POST //plus/mytag_js.php?aid=6022 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=6022" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:51 +0000] "GET /plus/mytag_js.php?aid=6022 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=6022" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:55 +0000] "POST //book/story_dod_hjkdsafon.php HTTP/1.1" 301 536 "http://hardrain980.com//book/story_dod_hjkdsafon.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:56 +0000] "GET /book/story_dod_hjkdsafon.php HTTP/1.1" 404 28028 "http://hardrain980.com//book/story_dod_hjkdsafon.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:57 +0000] "POST //data/s.asp HTTP/1.1" 301 500 "http://hardrain980.com//data/s.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:57 +0000] "GET /data/s.asp HTTP/1.1" 404 28028 "http://hardrain980.com//data/s.asp" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:58 +0000] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 532 "http://hardrain980.com//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    180.76.138.179 - - [23/Jul/2017:05:15:59 +0000] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 28028 "http://hardrain980.com//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    

    This 180.76 IP POSTed to a lot of non-existent paths, and after each POST it usually GETs the same path. I googled a few of the PHP paths and they are basically dedeCMS (织梦) vulns that allow GetShell. On top of that there are a bunch of .asp/.aspx paths.

    The key thing is that an ipip.net lookup shows this is a Baidu IP. Is someone using Baidu Cloud (the cloud-computing service, not the network drive) to scan for shells?

    Addendum 1  ·  2017-07-27 11:39:55 +08:00

    This time I banned several IPs that were trying to exploit vulnerabilities to get a shell:

    • Domestic (Chinese) ones mainly scan for dedeCMS vulnerabilities, then for Discuz (plugin) vulnerabilities
    • Foreign ones mainly scan for vulnerabilities in various WordPress plugins; TinyMCE is the most common, and judging by the names the others all have upload functionality, e.g. uploadify

    Another upside of using SSL: the people running these exploit tools still have some learning to do. Their POST requests, sent with an http scheme, get a 301 and then nothing further happens...

    10 replies  ·  last reply 2023-05-26 17:48:56 +08:00
    1  Hardrain (OP)  ·  2017-07-26 15:18:54 +08:00
    Addendum: log format
    IP address, login name ×2 (the two "-"), time, HTTP request, HTTP status code, bytes sent, HTTP_referer, UA
    2  wql  ·  2017-07-26 15:23:22 +08:00 via Android
    It's Baidu Cloud, not Baidu itself. Check the rDNS records for the IPs in the same /24 (C-class block), e.g. http://bgp.he.net/net/180.76.128.0/18#_dns, and you'll see what's going on.
    I've added that IP range to my deny list...
    3  millken  ·  2017-07-26 15:27:24 +08:00 via Android
    Probably 百度云观测 (Baidu's cloud site-monitoring service).
    4  Hardrain (OP)  ·  2017-07-26 15:32:46 +08:00
    @wql I blocked this IP, but not the whole /24.
    Also, I think I should use the WAF to block every request ending in .asp or .aspx, since no part of my site is written in ASP.
    5  wql  ·  2017-07-26 15:37:26 +08:00 via Android
    @Hardrain If you add powered-by: ASP to your headers, it will confuse the attackers even more...
    6  Hardrain (OP)  ·  2017-07-26 15:45:40 +08:00
    @wql A WordPress site with X-Powered-By: ASP.Net/*
    Brilliant.
    7  ArcticL  ·  2017-07-26 17:06:05 +08:00
    Obvious vulnerability-scanning behaviour. On the WAF you can build a policy on the response code: anything making lots of requests that come back 404, just ban it. PS: to be safe, observe first...
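    Reply 1 spells out the combined log format, reply 7 proposes a WAF policy keyed on the response code, and the OP's addendum notes that the scanner's http POSTs go nowhere after the 301. The script below is an added example, not code from the thread or from any of the posters: it parses that format and scores each IP on the two behaviours visible in the excerpt, a high share of 404s among final (non-redirect) responses and repeated POST-then-GET of the same path, which is the trace left by an exploit tool that follows a redirect with a GET. The log lines are constructed to mirror the excerpt (documentation-range IPs, a hypothetical example.com host), and the thresholds in flag_scanners are assumptions to tune against your own traffic.

```python
"""Flag vulnerability scanners in Apache/nginx combined-format access logs.

Added example; sample lines, host names and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Combined log format as described in reply 1:
# ip, two "-" fields, [time], "METHOD path PROTO", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SCANNER_UA = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
BING_UA = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/54.0"


def _line(ip, method, path, status, size, ua):
    """Build one constructed combined-format line (fixed timestamp, hypothetical host)."""
    return (f'{ip} - - [23/Jul/2017:05:15:09 +0000] "{method} {path} HTTP/1.1" '
            f'{status} {size} "http://example.com{path}" "{ua}"')


# Constructed sample modelled on the excerpt: the scanner POSTs a doubled-slash
# path over plain http, gets the https redirect (301), then re-requests the same
# path with GET and receives the 404 page. IPs are from documentation ranges.
PROBES = ["/plus/spider.php", "/plus/e7xue.php", "/plus/mytag_js.php?aid=8080",
          "/config/AspCms_Config.asp", "/admin_login.php"]
SAMPLE_LOG = []
for _p in PROBES:
    SAMPLE_LOG.append(_line("198.51.100.7", "POST", "/" + _p, 301, 510, SCANNER_UA))
    SAMPLE_LOG.append(_line("198.51.100.7", "GET", _p, 404, 28028, SCANNER_UA))
SAMPLE_LOG += [
    # A crawler and an ordinary visitor: one missing favicon, and one legitimate
    # POST whose redirect lands on a *different* path than the one POSTed.
    _line("207.46.13.102", "GET", "/sitemap.xml", 200, 4187, BING_UA),
    _line("203.0.113.5", "GET", "/", 200, 46301, BROWSER_UA),
    _line("203.0.113.5", "GET", "/style.css", 200, 8120, BROWSER_UA),
    _line("203.0.113.5", "GET", "/favicon.ico", 404, 28028, BROWSER_UA),
    _line("203.0.113.5", "POST", "/wp-comments-post.php", 302, 0, BROWSER_UA),
    _line("203.0.113.5", "GET", "/2017/07/hello/", 200, 30210, BROWSER_UA),
    _line("203.0.113.5", "GET", "/feed/", 200, 5120, BROWSER_UA),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Collapse repeated slashes so "//plus/x.php" (the POST) and "/plus/x.php"
    # (the GET issued after the redirect) compare as the same target.
    rec["norm_path"] = re.sub(r"/{2,}", "/", rec["path"])
    return rec


def analyze(lines):
    """Per-IP counters: total requests, 3xx redirects, 404s, POST-then-GET pairs, paths."""
    stats = defaultdict(lambda: {"total": 0, "redirects": 0, "not_found": 0,
                                 "post_then_get": 0, "paths": set()})
    last_post = {}  # ip -> normalised path of that IP's most recent POST
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        s["paths"].add(rec["norm_path"])
        if 300 <= rec["status"] < 400:
            s["redirects"] += 1
        elif rec["status"] == 404:
            s["not_found"] += 1
        if rec["method"] == "POST":
            last_post[rec["ip"]] = rec["norm_path"]
        elif rec["method"] == "GET" and last_post.pop(rec["ip"], None) == rec["norm_path"]:
            s["post_then_get"] += 1  # GET of the very path just POSTed: redirect follow-up
    return stats


def flag_scanners(lines, min_requests=5, min_404_ratio=0.8, min_probe_pairs=3):
    """Return {ip: evidence} for IPs whose traffic looks like a vulnerability scan.

    Redirects are left out of the 404 ratio so the server's own http->https 301s
    neither inflate nor mask a client's score; min_requests keeps a visitor with a
    single missing favicon from being flagged. Thresholds are assumptions.
    """
    flagged = {}
    for ip, s in analyze(lines).items():
        if s["total"] < min_requests:
            continue
        final = s["total"] - s["redirects"]
        ratio = s["not_found"] / final if final else 0.0
        if ratio >= min_404_ratio or s["post_then_get"] >= min_probe_pairs:
            flagged[ip] = {"ratio_404": round(ratio, 2),
                           "probe_pairs": s["post_then_get"],
                           "distinct_paths": len(s["paths"])}
    return flagged


if __name__ == "__main__":
    for ip, evidence in flag_scanners(SAMPLE_LOG).items():
        print(ip, evidence)
```

    Run against the constructed sample, only the probing IP is reported (every one of its final responses is a 404 and it produced five POST-then-GET pairs); the crawler falls under the request minimum and the visitor's one 404 out of five final responses stays well below the ratio. Feed the output to a WAF or firewall deny list only after the observation period reply 7 recommends.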
    8  msg7086  ·  2017-07-27 08:25:18 +08:00
    @wql My nginx servers all identify themselves as IIS anyway...
    9  Hardrain (OP)  ·  2017-07-27 11:36:20 +08:00
    @ArcticL Actually, the vulnerabilities it's scanning for don't seem to pose much of a threat (apart from using up server resources),

    because I don't use any of the CMSes affected by the vulnerabilities being scanned for.
    10  googlefans  ·  2023-05-26 17:48:56 +08:00
    How was this resolved in the end?