[Security Notes] A Summary and Analysis of the Attack Types This Site Received Last Year
Ever since this site went online, this humble little site has been under constant attack of every kind. Now I am pulling out last year's logs to analyze them and study the attackers' methods: know your enemy and know yourself.
Back when the site had comments enabled, I frequently received malicious comments containing front-end injection attempts. For safety, I eventually decided to close the comment section (since I had no way of knowing whether the blog platform would one day turn out to have a critical vulnerability).
The attacks did not stop there, however; they quickly shifted to the server level: SSH account brute-forcing, scans for common vulnerabilities, and all sorts of automated probes. Below are typical attack records filtered from the logs; they occur almost every day.
Compiling this material is both a review of my own security defenses and a way to keep consolidating my security knowledge and improving my ability to defend.
Server account brute-forcing
An endless stream of username guesses, attempting to brute-force passwords (failed-login records from the server):
root ssh:notty 2.57.122.169 Sat Jan 10 02:02 - 02:02 (00:00)
ahmad ssh:notty 2.57.122.169 Sat Jan 10 01:35 - 01:35 (00:00)
ubuntu ssh:notty 2.57.122.169 Sat Jan 10 01:08 - 01:08 (00:00)
fish ssh:notty 2.57.122.169 Sat Jan 10 00:42 - 00:42 (00:00)
fish ssh:notty 2.57.122.169 Sat Jan 10 00:42 - 00:42 (00:00)
supervis ssh:notty 2.57.122.169 Sat Jan 10 00:15 - 00:15 (00:00)
WordPress probe
Probing whether the site runs WordPress, with the aim of using the xmlrpc.php interface to publish posts:
"GET //xmlrpc.php?rsd HTTP/1.1" 404 27 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" "-"
Scanning for the WordPress wlwmanifest.xml configuration file under a range of common install directories:
"GET //blog/wp-includes/wlwmanifest.xml HTTP/1.1" 404 7497 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" "-"
GET //web/wp-includes/wlwmanifest.xml HTTP/1.1" 404
GET //wordpress/wp-includes/wlwmanifest.xml HTTP/1.1"
GET //website/wp-includes/wlwmanifest.xml HTTP/1.1"
GET //wp/wp-includes/wlwmanifest.xml HTTP/1.1" 404
GET //news/wp-includes/wlwmanifest.xml HTTP/1.1" 404
GET //2018/wp-includes/wlwmanifest.xml HTTP/1.1" 404
GET //2019/wp-includes/wlwmanifest.xml HTTP/1.1" 404
GET //shop/wp-includes/wlwmanifest.xml HTTP/1.1" 404
GET //wp1/wp-includes/wlwmanifest.xml HTTP/1.1" 404
GET //test/wp-includes/wlwmanifest.xml HTTP/1.1" 404
GET //media/wp-includes/wlwmanifest.xml HTTP/1.1" 404
GET //wp2/wp-includes/wlwmanifest.xml HTTP/1.1" 404
GET //site/wp-includes/wlwmanifest.xml HTTP/1.1" 404
GET //blog/wp-includes/wlwmanifest.xml HTTP/1.1" 404
GET //cms/wp-includes/wlwmanifest.xml HTTP/1.1" 404
GET //sito/wp-includes/wlwmanifest.xml HTTP/1.1" 404
GeoServer probe
Probing whether the service is GeoServer; if it is, the follow-up would exploit a critical vulnerability such as CVE-2024-36401:
"GET /geoserver/wfs?request=ListStoredQueries&service=wfs&version=2.0.0 HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" "-"
Outlook probe
"POST /Autodiscover/Autodiscover.xml HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" "-"
Apache path traversal probe
Exploiting the Apache CVE-2021-41773 vulnerability, with the path constructed using double encoding; if the probe gets through, arbitrary system commands can be executed:
POST /cgi-bin/.%2e/.../bin/sh
POST /cgi-bin/%%32%65%%32%65/.../bin/sh
PHP configuration injection
A combined RCE probe targeting Apache CGI and PHP-CGI vulnerabilities:
POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input
FCKeditor probe
Probing whether FCKeditor is present; FCKeditor has had an arbitrary file upload vulnerability in the past:
"GET /admin/FCKeditor/fckconfig.js HTTP/1.1" 301 169 "http://sumver.cn/admin/FCKeditor/fckconfig.js" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)" "-"
TLS/SSL protocol probe
Probing TLS, but I don't know what result this probe could possibly get.
"\x16\x03\x01\x01\x01\x01\x00\x00\xFD\x03\x03\x08X\xBA^\x1F\xB4\xD7\xA2\x91<W9\x8Ayn\xE7K\xF3\xDB\xE0\x06\x06\xB0\xB4\xC1`\xF0zC>\xB8\x04 \x14yA\xBB\x19\x14Z\xD9\x01\xED,\xC5\xB5\xB2*g" 400 157 "-" "-" "-"
Web environment sensitive-file probe
A "friendly" scan from OnlyScans, checking whether the site leaks configuration files:
"GET /.env HTTP/1.1" 444 0 "-" "Mozilla/5.0; Keydrop.io/1.0(onlyscans.com/about);" "-"
"GET /.git/config HTTP/1.1" 444 0 "-" "Mozilla/5.0; Keydrop.io/1.0(onlyscans.com/about);" "-"
Admin path probe
There is not much to say about this kind of enumeration of the admin path; it is by far the most common type of attack:
"GET /admin/config.php HTTP/1.0" 444 0 "-" "xfa1,nvdorz,nvd0rz" "-"
"GET /wp-admin/style.php HTTP/1.1" 301 169 "-" "Go-http-client/1.1" "-"
"GET /wp-admin/style.php HTTP/1.1" 404 27 "http://sumver.top/wp-admin/style.php" "Go-http-client/1.1" "-"
Firewall probe
Probing whether the device is a Cisco ASA; if it is, CVE-2020-3452 can be exploited:
"GET /+CSCOL+/Java.jar HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
"GET /+CSCOE+/logon_forms.js HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
"GET /+CSCOL+/a1.jar HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
I won't list the other, unrelated probe types; there are simply too many.
Blind vulnerability probing
The principle is similar to password brute-forcing: requests are fired off in bulk from a wordlist to see whether any PHP file returns an unusual response:
"GET //doc.php HTTP/1.1" 404 27 "-" "-" "-"
"GET /ha.php HTTP/1.1" 301 169 "-" "-" "-"
"GET /ha.php HTTP/1.1" 404 27 "-" "-" "-"
Proxy configuration probe
Testing whether the HTTP service has proxying enabled; if it is enabled and misconfigured, the server can be used as a relay node to send traffic outward:
"CONNECT www.google.com:443 HTTP/1.1" 400 157 "-" "-" "-"
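As an added example (not code from this post), the following Python script classifies access-log lines of the shape quoted above into the probe categories this post describes, percent-decoding the path repeatedly so that both the single- and double-encoded traversal forms surface. The sample lines are constructed, and the category names and the MARKERS table are my own choices.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Substring markers for the product-fingerprinting probes the post lists.
MARKERS = [("wlwmanifest.xml", "wordpress_probe"), ("xmlrpc.php", "wordpress_probe"),
           ("/wp-", "wordpress_probe"), ("/geoserver/", "geoserver_probe"),
           ("/+CSCO", "cisco_asa_probe"), ("/.env", "secret_file_probe"),
           ("/.git/", "secret_file_probe"), ("FCKeditor", "fckeditor_probe"),
           ("/Autodiscover/", "autodiscover_probe")]
# Constructed sample lines modelled on the post's categories (not real log data).
SAMPLE_LINES = [
    '"GET //xmlrpc.php?rsd HTTP/1.1" 404 27 "-" "Mozilla/5.0" "-"',
    '"GET //blog/wp-includes/wlwmanifest.xml HTTP/1.1" 404 7497 "-" "Mozilla/5.0" "-"',
    '"POST /cgi-bin/%%32%65%%32%65/.../bin/sh HTTP/1.1" 404 0 "-" "-" "-"',
    '"POST /hello.world?%ADd+allow_url_include%3d1 HTTP/1.1" 404 0 "-" "-" "-"',
    '"GET /.git/config HTTP/1.1" 444 0 "-" "Keydrop.io/1.0" "-"',
    '"CONNECT www.google.com:443 HTTP/1.1" 400 157 "-" "-" "-"',
]

def deep_decode(s: str) -> str:
    """Percent-decode until stable, so double-encoded %%32%65 collapses to '.'."""
    while (decoded := unquote_plus(s)) != s:
        s = decoded
    return s

def classify(line: str) -> str:
    """Map one access-log line to one of the probe categories discussed in the post."""
    m = REQ_RE.search(line)
    if not m:
        return "unparsed"  # e.g. raw TLS ClientHello bytes sent to the HTTP port
    method, target = m.group("method"), m.group("target")
    path, _, query = target.partition("?")
    dpath, dquery = deep_decode(path), deep_decode(query)
    if method == "CONNECT":
        return "open_proxy_probe"  # does the server forward requests for others?
    if "/../" in dpath or dpath.endswith("/.."):
        return "path_traversal"  # CVE-2021-41773 style, single or double encoded
    if "allow_url_include" in dquery or "auto_prepend_file" in dquery:
        return "php_cgi_arg_injection"  # php.ini directives smuggled via -d
    for marker, category in MARKERS:
        if marker in path:
            return category
    return "other"

def summarize(lines) -> Counter:
    """Tally lines per category, the summary the post builds by hand."""
    return Counter(classify(line) for line in lines if line.strip())
```

Feeding a real access log through summarize() gives the per-category counts in one pass, and any line landing in "other" or "unparsed" is a candidate for a new marker.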
Since I started paying attention to security, I have realized that attacks are everywhere. The attack traffic may look blind, but it only takes one vulnerability being caught or one password being guessed for the server to become a bot. Awareness in this area still needs improving.
This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.