Nginx

Unknown and unrecognized POST requests on a newly created VPS

  • August 5, 2019

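I created a VPS for a personal project. I have set up an NGINX proxy for incoming traffic. I opened the server up to test SSL and the domain name, temporarily putting it behind basic authentication.

I just noticed a lot of POST requests from http://117.48.205.227 trying to access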

nginx_1    | 117.48.205.227 - - [05/Aug/2019:07:45:27 +0000] "GET /phpdm.php HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
nginx_1    | 117.48.205.227 - - [05/Aug/2019:07:45:28 +0000] "GET /root.php HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
nginx_1    | 117.48.205.227 - - [05/Aug/2019:07:45:28 +0000] "GET /5678.php HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
nginx_1    | 117.48.205.227 - - [05/Aug/2019:07:45:28 +0000] "GET /root11.php HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
nginx_1    | 117.48.205.227 - - [05/Aug/2019:07:45:28 +0000] "GET /xiu.php HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0"
nginx_1    | 117.48.205.227 - - [05/Aug/2019:07:45:28 +0000] "POST /wuwu11.php HTTP/1.1" 301 169 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
nginx_1    | 117.48.205.227 - - [05/Aug/2019:07:45:29 +0000] "POST /xw.php HTTP/1.1" 301 169 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
nginx_1    | 117.48.205.227 - - [05/Aug/2019:07:45:29 +0000] "POST /xw1.php HTTP/1.1" 301 169 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
nginx_1    | 117.48.205.227 - - [05/Aug/2019:07:45:29 +0000] "POST /9678.php HTTP/1.1" 301 169 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
nginx_1    | 117.48.205.227 - - [05/Aug/2019:07:45:30 +0000] "POST /wc.php HTTP/1.1" 301 169 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
nginx_1    | 117.48.205.227 - - [05/Aug/2019:07:45:30 +0000] "POST /xx.php HTTP/1.1" 301 169 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
nginx_1    | 117.48.205.227 - - [05/Aug/2019:07:45:30 +0000] "POST /xx.php HTTP/1.1" 301 169 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
nginx_1    | 117.48.205.227 - - [05/Aug/2019:07:45:30 +0000] "POST /s.php HTTP/1.1" 301 169 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
nginx_1    | 117.48.205.227 - - [05/Aug/2019:07:45:31 +0000] "POST /w.php HTTP/1.1" 301 169 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
nginx_1    | 117.48.205.227 - - [05/Aug/2019:07:45:31 +0000] "POST /sheep.php HTTP/1.1" 301 169 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
nginx_1    | 117.48.205.227 - - [05/Aug/2019:07:45:31 +0000] "POST /qaq.php HTTP/1.1" 301 169 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"

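This is just a small portion of all the requests. Is someone trying to find unprotected routes or something, or is this some weird web crawler or something?

Anyway, how should I handle this? My web server is currently closed to the Internet.

Regards!

These are standard hacking attempts from (most likely) compromised VPS farms. You can ignore these attacks, provided that you harden your web application and web server before opening them to the Internet. The same goes for your SSH server, FTP server, and all other entry points to your VPS. If you look at your SSH logs (or any other logs, such as FTP), you will see the same kind of hacking attempts from the same kind of IP addresses. Please look up "VPS hardening" and follow the instructions.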
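The pattern in the log excerpt above (one client requesting many distinct `.php` names in a few seconds, none of them served) can be summarised straight from the access log. The following is an added example, not part of the original question or answer; the function names, the `min_paths` threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# nginx "combined" format, with an optional docker-compose "service | " prefix
LINE_RE = re.compile(
    r'^(?:\S+\s+\|\s+)?(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"')

def parse(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_scanners(lines, min_paths=5):
    """Summarise clients that requested at least min_paths distinct .php paths."""
    seen = defaultdict(lambda: {"n": 0, "paths": set(), "served": set(), "uas": set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        s = seen[rec["ip"]]
        s["n"] += 1
        s["uas"].add(rec["ua"])
        path = rec["path"].split("?", 1)[0]      # ignore the query string
        if path.lower().endswith(".php"):
            s["paths"].add(path)
            if rec["status"].startswith("2"):    # the probe got a real answer
                s["served"].add(path)
    return {ip: {"requests": s["n"],
                 "distinct_php_paths": sorted(s["paths"]),
                 "served_2xx": sorted(s["served"]),   # non-empty: investigate
                 "user_agents": len(s["uas"])}
            for ip, s in seen.items() if len(s["paths"]) >= min_paths}

def sample_line(ip, request, status, ua):
    """Build one constructed log line in the format shown on the page."""
    return (f'nginx_1    | {ip} - - [05/Aug/2019:07:45:27 +0000] '
            f'"{request} HTTP/1.1" {status} 169 "-" "{ua}"')

# Constructed sample input (documentation IP ranges, placeholder user agents).
PROBES = ["GET /phpdm.php", "GET /root.php", "POST /xw.php",
          "POST /wc.php", "POST /xx.php", "POST /xx.php"]
SAMPLE = [sample_line("203.0.113.7", p, 301,
                      "UA-linux" if p.startswith("POST") else "UA-windows")
          for p in PROBES]
SAMPLE += [sample_line("198.51.100.20", "GET /index.php?id=1", 200, "UA-mac"),
           "garbage line"]

if __name__ == "__main__":
    for ip, summary in find_scanners(SAMPLE).items():
        print(ip, summary)
```

An empty `served_2xx` list means every probe was redirected or rejected, as in the excerpt above; any path that does appear there is a file on the server that answered and should be checked.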

Quoted from: https://serverfault.com/questions/977968