小贝子编程

Tomcat服务器受到攻击



更新:谢谢杰瑞。其中一名黑客实际上成功上传了一个可执行文件,该文件获得了对服务器的root访问权限。黑客指示服务器加入比特币挖矿活动。IT部门不想阻止来自某个国家的ip,因为我们实际上在那里有办公室。所以我在谷歌上搜索了如何让TOMCAT更安全。1.删除了webapps文件夹中默认安装的所有应用程序。2.不要使用Tomcat网络管理器,删除了与之相关的所有内容。黑客试图猜测管理员用户名和密码。打开Tomcat管理应用程序就像把血滴进满是鲨鱼的海洋。黑客会被你的服务器吸引。删除网络应用程序的内容后,我的服务器现在返回404代码。我仍然不时看到一些黑客活动,但在404次回复后,他们就停止了。

#我查看了Tomcat的访问日志,看到了以下条目。看起来有人想破解我的服务器。这是我们的测试服务器,没有域名,只能通过IP地址访问。我启用了Tomcat Admin网页以进行调试。

黑客试图通过这些获取和发布电话来实现什么?Tomcat服务器当前是否受到攻击或已被黑客入侵?我能做些什么来阻止黑客?

198.108.66.176 - - [04/Dec/2018:00:06:28 -0600] "GET / HTTP/1.1" 302 -
198.108.66.176 - - [04/Dec/2018:00:06:28 -0600] "GET / HTTP/1.1" 302 -
196.52.43.116 - - [04/Dec/2018:01:07:31 -0600] "GET / HTTP/1.0" 302 -
92.52.204.77 - - [04/Dec/2018:01:29:58 -0600] "GET / HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:00 -0600] "PROPFIND / HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:00 -0600] "GET /webdav/ HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:04 -0600] "GET /help.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:04 -0600] "GET /java.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:04 -0600] "GET /_query.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:04 -0600] "GET /test.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:05 -0600] "GET /db_cts.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:05 -0600] "GET /db_pma.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:05 -0600] "GET /logon.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:06 -0600] "GET /help-e.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:06 -0600] "GET /license.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:07 -0600] "GET /log.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:07 -0600] "GET /hell.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:07 -0600] "GET /pmd_online.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:08 -0600] "GET /x.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:08 -0600] "GET /shell.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:08 -0600] "GET /htdocs.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:08 -0600] "GET /desktop.ini.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:08 -0600] "GET /z.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:09 -0600] "GET /lala.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:09 -0600] "GET /lala-dpr.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:09 -0600] "GET /wpc.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:09 -0600] "GET /wpo.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:09 -0600] "GET /text.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:10 -0600] "GET /wp-config.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:10 -0600] "GET /muhstik.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:11 -0600] "GET /muhstik2.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:11 -0600] "GET /muhstiks.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:11 -0600] "GET /muhstik-dpr.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:12 -0600] "GET /lol.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:12 -0600] "GET /uploader.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:12 -0600] "GET /cmd.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:16 -0600] "POST /wuwu11.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:16 -0600] "POST /xw.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:16 -0600] "POST /xw1.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:16 -0600] "POST /9678.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:17 -0600] "POST /wc.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:17 -0600] "POST /xx.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:17 -0600] "POST /s.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:18 -0600] "POST /w.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:19 -0600] "POST /sheep.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:19 -0600] "POST /qaq.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:20 -0600] "POST /db.init.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:20 -0600] "POST /db_session.init.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:20 -0600] "POST /db__.init.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:20 -0600] "POST /wp-admins.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:20 -0600] "POST /m.php?pbid=open HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:21 -0600] "POST /db_dataml.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:21 -0600] "POST /db_desql.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:21 -0600] "POST /mx.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:22 -0600] "POST /wshell.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:23 -0600] "POST /xshell.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:23 -0600] "POST /qq.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:23 -0600] "POST /conflg.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:24 -0600] "POST /lindex.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:24 -0600] "POST /phpstudy.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:24 -0600] "POST /phpStudy.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:24 -0600] "POST /weixiao.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:24 -0600] "POST /feixiang.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:25 -0600] "POST /ak47.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:25 -0600] "POST /ak48.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:25 -0600] "POST /xiao.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:26 -0600] "POST /yao.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:27 -0600] "POST /defect.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:27 -0600] "POST /webslee.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:28 -0600] "POST /q.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:28 -0600] "POST /pe.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:28 -0600] "POST /hm.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:28 -0600] "POST /cainiao.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:28 -0600] "POST /zuoshou.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:29 -0600] "POST /zuo.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:29 -0600] "POST /aotu.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:29 -0600] "POST /cmd.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:29 -0600] "POST /bak.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:30 -0600] "POST /system.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:30 -0600] "POST /l6.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:30 -0600] "POST /l7.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:31 -0600] "POST /l8.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:31 -0600] "POST /q.php HTTP/1.1" 302 -

黑客试图通过所有这些获取和发布调用来实现什么?

要找到他们可能利用的漏洞;可以是具有已知错误/漏洞的软件的已知文件名;到目前为止,可能有人怀疑来自不同地址的类似请求。

Tomcat服务器当前是否受到攻击或已被黑客入侵?

攻击——如果日志中有状态200,那么可能会进行黑客攻击。以上日志显示302/redirect;因此,人们可以认为这次黑客攻击没有收获。

我能做些什么来阻止黑客?

在ip地址上做whois;封锁报告的范围——很可能来自你不想或想与之做生意的国家。(最好是流量可以在互联网demarc(网关/路由器(处被丢弃(或阻止(。Apache也可以进行配置——请参阅以下内容:

在htaccess 中使用mod访问阻止多个ip范围

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium