Web server security analysis
access_log analysis
Large numbers of entries like the following show up in access_log:
222.186.58.112 - - [05/Apr/2015:05:06:29 +0800] "GET http://www.baidu.com/ HTTP/1.1" 200 2093 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
115.230.125.147 - - [05/Apr/2015:05:19:37 +0800] "GET http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.6093436214741765 HTTP/1.1" 404 291 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; 360SE)"
111.123.180.44 - - [05/Apr/2015:05:36:22 +0800] "GET http://115.230.125.165:61254/8080 HTTP/1.1" 404 285 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
115.236.20.36 - - [05/Apr/2015:15:24:56 +0800] "GET http://www.qq.com/404/search_children.js HTTP/1.1" 404 295 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36"
This is someone else's proxy scanner checking whether your server will act as an open HTTP proxy, so that it can be used as a relay to reach other sites; what it would then be used for, I need not spell out.
Note that the 200 on the www.baidu.com request does not by itself prove the relay worked. With forward proxying disabled in Apache (ProxyRequests Off, which is the default), an absolute-URI request is answered with the local resource for the path part, so the 2093 bytes here are almost certainly your own front page rather than Baidu's; the scanner tells the two apart by comparing the response body. To be sure, grep your httpd configuration for ProxyRequests and confirm it is Off (or absent), and check that mod_proxy is not loaded unless you need it.
An HTTP proxy request differs slightly from the ordinary requests you usually see. If your server is an HTTP proxy, the request line the client sends looks like
GET http://www.baidu.com/
that is, the token after GET is a complete URL, instead of the familiar
GET /
Keep this in mind when reading logs: a request-target beginning with a scheme and host (or a CONNECT method) only makes sense when the client believes it is talking to a proxy.
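The detection the paragraphs above describe, as an added example (not code from the original post): parse Apache combined-format lines and flag request lines whose target is an absolute URI or a CONNECT tunnel, then count them per source IP and per target host. The log lines embedded here are constructed samples modelled on the ones above; the private 10.0.0.x addresses and the CONNECT line are assumptions added to show the non-proxy and tunnel cases.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" LogFormat (not copied from a real server).
SAMPLE_ACCESS_LOG = """\
222.186.58.112 - - [05/Apr/2015:05:06:29 +0800] "GET http://www.baidu.com/ HTTP/1.1" 200 2093 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.5 - - [05/Apr/2015:05:07:00 +0800] "GET /index.html HTTP/1.1" 200 2093 "-" "curl/7.38.0"
115.230.125.147 - - [05/Apr/2015:05:19:37 +0800] "GET http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.6 HTTP/1.1" 404 291 "-" "Mozilla/5.0 (compatible; MSIE 9.0)"
111.123.180.44 - - [05/Apr/2015:05:36:22 +0800] "GET http://115.230.125.165:61254/8080 HTTP/1.1" 404 285 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
10.0.0.6 - - [05/Apr/2015:05:40:00 +0800] "CONNECT www.example.com:443 HTTP/1.1" 405 0 "-" "-"
"""

# One combined-format line: ip ident user [time] "method target proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one access_log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_style(rec):
    """True when the request-target is an absolute URI (GET http://host/...) or the
    method is CONNECT: both only make sense when the client thinks we are a proxy."""
    if rec["method"] == "CONNECT":
        return True
    parts = urlsplit(rec["target"])
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def target_host(rec):
    """The host the client was trying to reach through us."""
    if rec["method"] == "CONNECT":
        return rec["target"]          # CONNECT carries "host:port" directly
    return urlsplit(rec["target"]).netloc


def find_proxy_probes(log_text):
    """Return (matching records, hits per source IP, hits per requested upstream host)."""
    hits, by_ip, by_host = [], Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_proxy_style(rec):
            continue
        hits.append(rec)
        by_ip[rec["ip"]] += 1
        by_host[target_host(rec)] += 1
    return hits, by_ip, by_host


def needs_body_check(hits):
    """Proxy-style requests that got a 200: these deserve a manual look, because Apache
    with ProxyRequests Off serves the local page for the path part and still logs 200."""
    return [r for r in hits if r["status"] == "200"]


if __name__ == "__main__":
    hits, by_ip, by_host = find_proxy_probes(SAMPLE_ACCESS_LOG)
    for r in hits:
        print(r["ip"], r["method"], r["target"], r["status"])
    print("per source IP:", dict(by_ip))
    print("per upstream host:", dict(by_host))
    print("200s to verify:", [r["target"] for r in needs_body_check(hits)])
```

Run it against a real file with `find_proxy_probes(open("/var/log/httpd/access_log").read())`; sources with many hits across many upstream hosts are scanners or, if ProxyRequests was ever On, abusers already relaying through you.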
error_log analysis
Large numbers of messages like the following appear in error_log:
[Mon Apr 06 04:45:39 2015] [error] [client 46.28.206.148] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Apr 06 04:56:57 2015] [error] [client 70.46.57.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Mon Apr 06 04:57:01 2015] [error] [client 70.46.57.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Tue Apr 07 01:18:45 2015] [error] [client 97.91.223.228] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Tue Apr 07 01:18:49 2015] [error] [client 97.91.223.228] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
These are requests that claim to be HTTP/1.1 but carry no Host header, which RFC 2616 section 14.23 makes mandatory; Apache rejects them with a 400 and logs this line. Every real browser sends Host, so these come from hand-written scanner code. The /tmUnblock.cgi path is a CGI endpoint on Linksys home routers, not anything a web server would have: whoever sent it is sweeping IP ranges for vulnerable routers and your server just happened to be in the range.
Mixed in with them are entries like these:
[Mon Apr 06 04:12:24 2015] [error] [client 46.28.206.148] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Apr 06 04:34:07 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
[Mon Apr 06 05:03:57 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/muieblackcat
[Mon Apr 06 05:03:57 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/phpMyAdmin
[Mon Apr 06 05:03:58 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/phpmyadmin
[Mon Apr 06 05:03:59 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/pma
[Mon Apr 06 05:04:03 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/myadmin
[Mon Apr 06 05:04:04 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/MyAdmin
[Mon Apr 06 05:04:04 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/scripts
[Mon Apr 06 05:44:34 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
[Mon Apr 06 06:55:02 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
[Mon Apr 06 08:05:36 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
The burst from 93.158.200.34, seven different paths in seven seconds, all of them common phpMyAdmin install locations (phpMyAdmin, phpmyadmin, pma, myadmin, MyAdmin, scripts), is an automated scan for an exposed phpMyAdmin; "muieblackcat" is the signature first request of a well-known scanner of that kind. The 404s themselves are harmless, but they are a reminder to check that no admin interface is reachable under any of those names. The repeated /ic.asp requests from 222.186.56.44, one roughly every seventy minutes with a fixed Referer of http://ip138.com/, are a script polling a path that does not exist here; a fixed interval and a hard-coded Referer are the marks of a bot, not a person, though this one is only noise.