Found a trojan on a company server; logging was on and recorded the intruder's IP. How do I get him "invited for tea" by the police? - V2EX

Found a trojan on a company server; logging was on and recorded the intruder's IP. How do I get him "invited for tea" by the police?

    dbfox    2015-01-03 18:59:23 +08:00    5075 views
    This topic was created 3938 days ago; the information in it may have since developed or changed.
    Detailed access log:

    12-31 11:01:45 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 64 82586
    12-31 11:01:45 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 64 51870
    12-31 11:01:45 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 0 9781

    12-31 12:03:29 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 0 62
    12-31 12:03:30 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 0 62
    12-31 12:03:32 POST /.m/static/img/static.aspx - 80 - 113.76.193.74 Baiduspider 200 0 0 62

    12-31 14:07:05 POST /.m/static/img/static.aspx - 80 - 219.135.67.177 Baiduspider 200 0 0 78
    12-31 14:07:08 POST /.m/static/img/static.aspx - 80 - 219.135.67.177 Baiduspider 200 0 0 46

    12-31 23:02:36 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 1918
    12-31 23:03:01 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 93
    12-31 23:03:05 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 62
    12-31 23:03:07 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 78
    12-31 23:03:10 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 109

    12-31 23:08:06 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 109
    12-31 23:08:08 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 62
    12-31 23:08:11 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 78
    12-31 23:08:13 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 78
    12-31 23:08:15 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 93

    12-31 23:25:14 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 78
    12-31 23:25:17 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 78
    12-31 23:25:19 POST /.m/static/img/static.aspx - 80 - 14.125.36.190 Baiduspider 200 0 0 468

    01-02 00:47:59 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 64 58858
    01-02 00:48:00 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 18002

    01-02 01:05:11 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62
    01-02 01:05:14 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62
    01-02 01:05:17 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62
    01-02 01:05:24 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 5101
    01-02 01:05:27 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62
    01-02 01:05:29 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62
    01-02 01:05:34 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 78
    01-02 01:05:44 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 62

    01-02 03:12:41 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 3213
    01-02 03:12:32 POST /.m/static/img/static.aspx - 80 - 113.76.129.248 Baiduspider 200 0 0 218

    01-02 23:57:35 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0 717
    01-02 23:56:16 POST /.m/static/img/static.aspx - 80 - 14.123.240.85 Baiduspider 404 0 64 23446

    01-03 00:03:01 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0 6427
    01-03 00:03:26 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0 2854
    01-03 00:38:42 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0 1294
    01-03 00:38:44 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0 202
    01-03 00:38:46 POST /aspnet_client/system_web/client/env.aspx - 80 - 14.123.240.85 Baiduspider 200 0 0
    Addendum 1    2015-01-03 20:14:28 +08:00
    These files were not on the server before;
    I have confirmed they are a trojan uploaded by the intruder.
    20 replies    2015-01-04 21:46:16 +08:00
    pfitseng    1    2015-01-03 19:45:27 +08:00
    Assess the losses and file a report with the local public security bureau.
    mahone3297    2    2015-01-03 19:48:50 +08:00
    I don't get it, please enlighten me...
    They're all Baiduspider; is that the intruder?
    tabris17    3    2015-01-03 20:01:08 +08:00
    Fine, go arrest Robin Li (Li Yanhong).
    halczy    5    2015-01-03 20:04:05 +08:00
    Looks very familiar...

    At a glance, both of those IPs are dynamic IPs handed out to Guangzhou Telecom home dial-up lines. Go to the police and have them ask the telecom.
    sanddudu    6    2015-01-03 20:07:07 +08:00
    @mahone3297 The UA can be forged; an ordinary crawler making these requests is very suspicious.
    wzzyj8    7    2015-01-03 20:10:46 +08:00
    @mahone3297
    @tabris17

    Probably disguised as a spider to get past the WAF.
    dbfox (OP)    8    2015-01-03 20:13:46 +08:00
    @mahone3297
    @tabris17

    The user-agent can be forged.
    flynaj    9    2015-01-03 20:16:43 +08:00 via Android
    Baiduspider shows the other side is disguised; the IP is very likely a proxy IP as well.
    dbfox (OP)    10    2015-01-03 20:25:42 +08:00
    @flynaj Hmm, possibly.
    9hills    11    2015-01-03 20:28:51 +08:00 via iPhone
    I'd suggest tightening your own security; reporting to the police is useless. Unless you're 12306.
    sneezry    12    2015-01-03 20:32:37 +08:00
    @mahone3297
    @tabris17
    How would a spider be sending POST requests?
    chone    13    2015-01-03 20:32:55 +08:00 via iPhone
    The IP in the log is probably a jump box; fix the vulnerability first.
    longear    14    2015-01-03 23:00:05 +08:00
    These black-market operators aren't dumb enough to use their own IP and wait for a knock on the door; they all break in indirectly through zombie machines, and who knows how many hops. If you report it, you'll most likely just be causing trouble for an innocent victim.
    fising    15    2015-01-03 23:08:01 +08:00 via iPad
    As if the police are going to bother with this trivial stuff of yours.
    mahone3297    16    2015-01-03 23:32:27 +08:00
    @sanddudu
    @dbfox
    I know the UA can be forged...
    What I'm asking is how you can tell this is an intruder...
    The OP, as the server admin, can probably see that these files didn't exist before, that someone uploaded them later, and that they're a trojan.
    But for us reading the thread today, how can we tell it's an intrusion? From the POST requests?
    lvye    17    2015-01-04 00:57:45 +08:00 via iPhone
    @mahone3297 An executable script placed under the img directory, and given an innocuous-looking name on top of that.
    ksupertu    18    2015-01-04 07:08:05 +08:00
    1. The online 110 police reporting platform;
    2. Install Safedog (安全狗) and scan for web trojans.
    gpg    19    2015-01-04 14:22:18 +08:00
    Reporting to the police is useless. Unless you're 12306.
    abanx    20    2015-01-04 21:46:16 +08:00
    Why didn't this hacker clean up the logs?