Apache-2.2

對我在 apache 訪問日誌中看到的內容感到困惑(認為我可能已被黑客入侵)?

  • December 24, 2014

我有一個執行 CentOS 的 VPS。我安裝了apache並配置了訪問日誌。剛查了一下,發現了一些有趣的流量:

VPS-Hostname MYIP MYIP - - [23/Dec/2014:16:47:20 -0500] "GET / HTTP/1.1" 200 13
VPS-Hostname MYIP MYIP - - [23/Dec/2014:16:47:20 -0500] "GET /favicon.ico HTTP/1.1" 404 209
VPS-Hostname MYIP MYIP - - [23/Dec/2014:16:47:20 -0500] "GET /favicon.ico HTTP/1.1" 404 209
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:19:05:53 -0500] "GET /xvidtox-china-company HTTP/1.1" 404 219
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:19:15:18 -0500] "GET /xdmx-rental-cars-insurance HTTP/1.1" 404 224
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:19:16:47 -0500] "GET /nv-life-insurance-dies-when-premium/?si=2aa54ab4c0b33 HTTP/1.1" 404 234
VPS-Hostname 119.63.196.62 119.63.196.62 - - [23/Dec/2014:19:53:55 -0500] "GET /images/misc/legend.png HTTP/1.1" 404 220
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:20:45:21 -0500] "GET /xdmx-rental-cars-insurance/?si=2467513 HTTP/1.1" 404 225
VPS-Hostname 115.159.66.44 115.159.66.44 - - [23/Dec/2014:21:49:18 -0500] "GET http://www.ly.com/ HTTP/1.1" 200 13
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:22:24:00 -0500] "GET /xpwx-china-exporters HTTP/1.1" 404 218
VPS-Hostname 46.246.113.109 46.246.113.109 - - [24/Dec/2014:00:28:24 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235
...
270.vps.ovh.ca 46.246.113.109 46.246.113.109 - - [24/Dec/2014:01:47:28 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235
VPS-Hostname 119.63.196.32 119.63.196.32 - - [24/Dec/2014:01:53:20 -0500] "GET /images/forumicons/sony2.jpg HTTP/1.1" 404 225
VPS-Hostname 46.246.113.109 46.246.113.109 - - [24/Dec/2014:02:05:02 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235
...
VPS-Hostname 218.59.238.93 218.59.238.93 - - [24/Dec/2014:04:01:23 -0500] "GET http://proxyjudge.us/ HTTP/1.0" 200 13
VPS-Hostname 93.174.93.218 93.174.93.218 - - [24/Dec/2014:04:38:50 -0500] "GET http://httpheader.net HTTP/1.1" 200 13
VPS-Hostname 93.174.93.218 93.174.93.218 - - [24/Dec/2014:04:39:10 -0500] "-" 408 -
VPS-Hostname 93.174.93.218 93.174.93.218 - - [24/Dec/2014:04:39:32 -0500] "-" 408 -
VPS-Hostname 5.231.208.205 5.231.208.205 - - [24/Dec/2014:06:21:00 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226
VPS-Hostname 46.246.113.109 46.246.113.109 - - [24/Dec/2014:06:55:21 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235
VPS-Hostname 119.63.196.28 119.63.196.28 - - [24/Dec/2014:07:52:49 -0500] "GET /images/forumicons/latestmovies.jpg HTTP/1.1" 404 232

前三個條目是我瀏覽到我設置的預設站點,其餘的我不知道。我是 apache 的新手,所以我不確定這裡到底發生了什麼。有人在伺服器上使用 apache 連接到其他站點嗎?這怎麼可能?

我將 httpd.conf 保留為預設設置,僅在底部添加一個虛擬主機配置到我的“預設站點”:

<VirtualHost *:80>
   # This first-listed virtual host is also the default for *:80
   ServerAdmin derp@derpaderpderp.net
   ServerName my.vps.hostname
   DocumentRoot /var/www/defaultsite
   LogFormat "%v %h %a %l %u %t \"%r\" %>s %b" vhostLogFormat
   CustomLog /var/log/httpd/defaultsite-access.log vhostLogFormat
   ErrorLog /var/log/httpd/defaultsite-error.log
</VirtualHost>

這是Apache 詳細說明的 RFC 內容。預設情況下,即使請求包含無效的 URI,Apache 也會接受,但使用者將被重定向到伺服器的首頁。被拒絕的CONNECT請求是正確的行為。

如上面連結中所述,您可以手動阻止這些請求,但沒有立即需要。

看起來好像伺服器被用作 Web 代理。嘗試禁用從該 IP(內部到外部)出站的埠 80,並查看日誌是否繼續顯示。如果不是這樣,可能是時候考慮加強您的安全性了……

引用自:https://serverfault.com/questions/654622