Apache-2.2
Confused by what I'm seeing in my apache access log (think I may have been hacked)?
I have a VPS running CentOS. I installed apache and configured the access log. I just checked it and found some interesting traffic:
```
VPS-Hostname MYIP MYIP - - [23/Dec/2014:16:47:20 -0500] "GET / HTTP/1.1" 200 13
VPS-Hostname MYIP MYIP - - [23/Dec/2014:16:47:20 -0500] "GET /favicon.ico HTTP/1.1" 404 209
VPS-Hostname MYIP MYIP - - [23/Dec/2014:16:47:20 -0500] "GET /favicon.ico HTTP/1.1" 404 209
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:19:05:53 -0500] "GET /xvidtox-china-company HTTP/1.1" 404 219
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:19:15:18 -0500] "GET /xdmx-rental-cars-insurance HTTP/1.1" 404 224
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:19:16:47 -0500] "GET /nv-life-insurance-dies-when-premium/?si=2aa54ab4c0b33 HTTP/1.1" 404 234
VPS-Hostname 119.63.196.62 119.63.196.62 - - [23/Dec/2014:19:53:55 -0500] "GET /images/misc/legend.png HTTP/1.1" 404 220
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:20:45:21 -0500] "GET /xdmx-rental-cars-insurance/?si=2467513 HTTP/1.1" 404 225
VPS-Hostname 115.159.66.44 115.159.66.44 - - [23/Dec/2014:21:49:18 -0500] "GET http://www.ly.com/ HTTP/1.1" 200 13
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:22:24:00 -0500] "GET /xpwx-china-exporters HTTP/1.1" 404 218
VPS-Hostname 46.246.113.109 46.246.113.109 - - [24/Dec/2014:00:28:24 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235
...
270.vps.ovh.ca 46.246.113.109 46.246.113.109 - - [24/Dec/2014:01:47:28 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235
VPS-Hostname 119.63.196.32 119.63.196.32 - - [24/Dec/2014:01:53:20 -0500] "GET /images/forumicons/sony2.jpg HTTP/1.1" 404 225
VPS-Hostname 46.246.113.109 46.246.113.109 - - [24/Dec/2014:02:05:02 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235
...
VPS-Hostname 218.59.238.93 218.59.238.93 - - [24/Dec/2014:04:01:23 -0500] "GET http://proxyjudge.us/ HTTP/1.0" 200 13
VPS-Hostname 93.174.93.218 93.174.93.218 - - [24/Dec/2014:04:38:50 -0500] "GET http://httpheader.net HTTP/1.1" 200 13
VPS-Hostname 93.174.93.218 93.174.93.218 - - [24/Dec/2014:04:39:10 -0500] "-" 408 -
VPS-Hostname 93.174.93.218 93.174.93.218 - - [24/Dec/2014:04:39:32 -0500] "-" 408 -
VPS-Hostname 5.231.208.205 5.231.208.205 - - [24/Dec/2014:06:21:00 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226
VPS-Hostname 46.246.113.109 46.246.113.109 - - [24/Dec/2014:06:55:21 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235
VPS-Hostname 119.63.196.28 119.63.196.28 - - [24/Dec/2014:07:52:49 -0500] "GET /images/forumicons/latestmovies.jpg HTTP/1.1" 404 232
```
The first three entries are me browsing to the default site I set up; the rest I don't know. I'm new to apache, so I'm not sure what is actually going on here. Is someone using apache on my server to connect to other sites? How is that possible?
I left httpd.conf at the default settings, only adding one virtual host configuration at the bottom for my "default site":
```apache
<VirtualHost *:80>
    # This first-listed virtual host is also the default for *:80
    ServerAdmin derp@derpaderpderp.net
    ServerName my.vps.hostname
    DocumentRoot /var/www/defaultsite
    LogFormat "%v %h %a %l %u %t \"%r\" %>s %b" vhostLogFormat
    CustomLog /var/log/httpd/defaultsite-access.log vhostLogFormat
    ErrorLog /var/log/httpd/defaultsite-error.log
</VirtualHost>
```
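A small triage script for logs written in the vhostLogFormat above (an added example, not code from the question or from Apache): it parses entries in that exact field order, labels each request as a normal local hit, a CONNECT tunnel attempt, an absolute-URI forward-proxy request, an empty request or a scanner probe, and lists any absolute-URI request that got a 200 whose body size differs from the server's own `GET /` response, since a matching size means Apache just served its default page rather than fetching anything. The sample entries are a subset taken from the log in the question.

```python
import re
from collections import Counter
# Field order follows the question's LogFormat: %v %h %a %l %u %t "%r" %>s %b
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<host>\S+) (?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$')

# Entries copied from the question's log (constructed subset, one entry per line).
SAMPLE_LOG = """\
VPS-Hostname MYIP MYIP - - [23/Dec/2014:16:47:20 -0500] "GET / HTTP/1.1" 200 13
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:19:05:53 -0500] "GET /xvidtox-china-company HTTP/1.1" 404 219
VPS-Hostname 115.159.66.44 115.159.66.44 - - [23/Dec/2014:21:49:18 -0500] "GET http://www.ly.com/ HTTP/1.1" 200 13
VPS-Hostname 46.246.113.109 46.246.113.109 - - [24/Dec/2014:00:28:24 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235
VPS-Hostname 93.174.93.218 93.174.93.218 - - [24/Dec/2014:04:39:10 -0500] "-" 408 -
VPS-Hostname 5.231.208.205 5.231.208.205 - - [24/Dec/2014:06:21:00 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226
""".splitlines()

def parse_line(line):
    """Parse one vhostLogFormat entry into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b logs "-" for no body
    return rec

def classify(rec):
    """Label a record by what the request line is trying to do to this server."""
    req = rec["request"]
    if req == "-":
        return "empty-request"        # client connected and sent nothing (the 408 timeouts)
    parts = req.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    if parts[0] == "CONNECT":
        return "proxy-connect"        # tunnel attempt; 405 shows Apache refused it
    if target.startswith(("http://", "https://")):
        return "proxy-absolute-uri"   # absolute URI: the client is treating us as a forward proxy
    if "w00tw00t" in target:
        return "scanner-probe"        # the DFind scanner's well-known signature
    return "normal"

def summarize(lines):
    """Count categories per client IP; list absolute-URI 200s not answered with our default page."""
    records = [r for r in map(parse_line, lines) if r]
    root = [r["bytes"] for r in records if r["request"].startswith("GET / ") and r["status"] == 200]
    default_size = root[0] if root else None   # size of the local default page, if we saw it
    per_ip, proxied = {}, []
    for r in records:
        label = classify(r)
        per_ip.setdefault(r["ip"], Counter())[label] += 1
        if label == "proxy-absolute-uri" and r["status"] == 200 and r["bytes"] != default_size:
            proxied.append(r["request"])
    return per_ip, proxied
```

`summarize(SAMPLE_LOG)` returns an empty `proxied` list for the question's data, because every absolute-URI request was answered with the same 13 bytes as `GET /`.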
This is the RFC behaviour that Apache details. By default, Apache accepts a request even if it contains an invalid URI, but the user is redirected to the server's home page. Rejecting the CONNECT requests is the correct behaviour. As described in the link above, you can block these requests manually, but there is no immediate need to.
It looks as though the server is being used as a web proxy. Try blocking outbound port 80 from that IP (internal to external) and see whether the log entries continue. If they don't, it may be time to consider hardening your security...