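I'm seeing some log entries that look suspicious. The individual requests listed below don't actually apply to the application. Can someone tell me what I should do? This is the first application I've deployed on a server.
Entries in catalina.out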
Mar 16, 2013 7:46:11 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "admin"
Entries in localhost_access_log
210.44.159.49 - - [16/Mar/2013:00:24:04 +0530] "GET HTTP/1.1 HTTP/1.1" 400 -
210.44.159.49 - - [16/Mar/2013:00:24:04 +0530] "GET /index.php HTTP/1.1" 404 969
210.44.159.49 - - [16/Mar/2013:00:24:05 +0530] "GET /admin/index.php HTTP/1.1" 404 981
210.44.159.49 - - [16/Mar/2013:00:24:06 +0530] "GET /admin/pma/index.php HTTP/1.1" 404 989
210.44.159.49 - - [16/Mar/2013:00:24:06 +0530] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 1003
210.44.159.49 - - [16/Mar/2013:00:24:07 +0530] "GET /db/index.php HTTP/1.1" 404 975
210.44.159.49 - - [16/Mar/2013:00:24:08 +0530] "GET /dbadmin/index.php HTTP/1.1" 404 985
210.44.159.49 - - [16/Mar/2013:00:24:08 +0530] "GET /myadmin/index.php HTTP/1.1" 404 985
210.44.159.49 - - [16/Mar/2013:00:24:10 +0530] "GET /mysql/index.php HTTP/1.1" 404 981
210.44.159.49 - - [16/Mar/2013:00:24:12 +0530] "GET /mysqladmin/index.php HTTP/1.1" 404 991
210.44.159.49 - - [16/Mar/2013:00:24:13 +0530] "GET /typo3/phpmyadmin/index.php HTTP/1.1" 404 1003
210.44.159.49 - - [16/Mar/2013:00:24:14 +0530] "GET /phpadmin/index.php HTTP/1.1" 404 987
210.44.159.49 - - [16/Mar/2013:00:24:15 +0530] "GET /phpMyAdmin/index.php HTTP/1.1" 404 991
210.44.159.49 - - [16/Mar/2013:00:24:15 +0530] "GET /phpmyadmin/index.php HTTP/1.1" 404 991
210.44.159.49 - - [16/Mar/2013:00:24:16 +0530] "GET /phpmyadmin1/index.php HTTP/1.1" 404 993
210.44.159.49 - - [16/Mar/2013:00:24:17 +0530] "GET /phpmyadmin2/index.php HTTP/1.1" 404 993
210.44.159.49 - - [16/Mar/2013:00:24:17 +0530] "GET /pma/index.php HTTP/1.1" 404 977
210.44.159.49 - - [16/Mar/2013:00:24:18 +0530] "GET /web/phpMyAdmin/index.php HTTP/1.1" 404 999
210.44.159.49 - - [16/Mar/2013:00:24:19 +0530] "GET /xampp/phpmyadmin/index.php HTTP/1.1" 404 1003
210.44.159.49 - - [16/Mar/2013:00:24:19 +0530] "GET /web/index.php HTTP/1.1" 404 977
210.44.159.49 - - [16/Mar/2013:00:24:20 +0530] "GET /php-my-admin/index.php HTTP/1.1" 404 995
210.44.159.49 - - [16/Mar/2013:00:24:20 +0530] "GET /websql/index.php HTTP/1.1" 404 983
210.44.159.49 - - [16/Mar/2013:00:24:21 +0530] "GET /phpmyadmin/index.php HTTP/1.1" 404 991
210.44.159.49 - - [16/Mar/2013:00:24:22 +0530] "GET /phpMyAdmin/index.php HTTP/1.1" 404 991
210.44.159.49 - - [16/Mar/2013:00:24:22 +0530] "GET /phpMyAdmin-2/index.php HTTP/1.1" 404 995
210.44.159.49 - - [16/Mar/2013:00:24:23 +0530] "GET /php-my-admin/index.php HTTP/1.1" 404 995
210.44.159.49 - - [16/Mar/2013:00:24:23 +0530] "GET /phpMyAdmin-2.2.3/index.php HTTP/1.1" 404 1003
210.44.159.49 - - [16/Mar/2013:00:24:24 +0530] "GET /phpMyAdmin-2.2.6/index.php HTTP/1.1" 404 1003
210.44.159.49 - - [16/Mar/2013:00:24:24 +0530] "GET /phpMyAdmin-2.5.1/index.php HTTP/1.1" 404 1003
210.44.159.49 - - [16/Mar/2013:00:24:25 +0530] "GET /phpMyAdmin-2.5.4/index.php HTTP/1.1" 404 1003
210.44.159.49 - - [16/Mar/2013:00:24:26 +0530] "GET /phpMyAdmin-2.5.5-rc1/index.php HTTP/1.1" 404 1011
210.44.159.49 - - [16/Mar/2013:00:24:26 +0530] "GET /phpMyAdmin-2.5.5-rc2/index.php HTTP/1.1" 404 1011
210.44.159.49 - - [16/Mar/2013:00:24:27 +0530] "GET /phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 1003
210.44.159.49 - - [16/Mar/2013:00:24:27 +0530] "GET /phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 404 1011
210.44.159.49 - - [16/Mar/2013:00:24:28 +0530] "GET /phpMyAdmin-2.5.6-rc1/index.php HTTP/1.1" 404 1011
210.44.159.49 - - [16/Mar/2013:00:24:28 +0530] "GET /phpMyAdmin-2.5.6-rc2/index.php HTTP/1.1" 404 1011
210.44.159.49 - - [16/Mar/2013:00:24:29 +0530] "GET /phpMyAdmin-2.5.6/index.php HTTP/1.1" 404 1003
210.44.159.49 - - [16/Mar/2013:00:24:29 +0530] "GET /phpMyAdmin-2.5.7/index.php HTTP/1.1" 404 1003
210.44.159.49 - - [16/Mar/2013:00:24:30 +0530] "GET /phpMyAdmin-2.5.7-pl1/index.php HTTP/1.1" 404 1011
210.44.159.49 - - [16/Mar/2013:00:24:31 +0530] "GET HTTP/1.1 " 400 -
69.175.54.106 - - [16/Mar/2013:00:44:54 +0530] "GET / HTTP/1.0" 200 7959
66.249.75.14 - - [16/Mar/2013:04:27:44 +0530] "GET /robots.txt HTTP/1.1" 404 971
2.122.109.242 - - [16/Mar/2013:16:50:17 +0530] "GET / HTTP/1.1" 200 7959
2.122.109.242 - - [16/Mar/2013:16:50:17 +0530] "GET /css/style_new.css HTTP/1.1" 304 -
2.122.109.242 - - [16/Mar/2013:16:50:17 +0530] "GET /favicon.ico HTTP/1.1" 404 973
2.122.109.242 - - [16/Mar/2013:16:50:26 +0530] "GET /OfferedOnRent.html HTTP/1.1" 200 17666
2.122.109.242 - - [16/Mar/2013:16:50:26 +0530] "GET /images/20130313094059_0_thumb.jpg HTTP/1.1" 200 4020
2.122.109.242 - - [16/Mar/2013:16:50:26 +0530] "GET /images/20130312105214_0_thumb.jpg HTTP/1.1" 200 2961
2.122.109.242 - - [16/Mar/2013:16:50:26 +0530] "GET /images/20130312051229_0_thumb.jpg HTTP/1.1" 200 3714
180.166.74.227 - - [16/Mar/2013:19:40:30 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:40:31 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:40:31 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:40:31 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:40:32 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:40:32 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:40:32 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:40:32 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:46:09 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:46:09 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:46:10 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:46:10 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:46:10 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:46:10 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:46:11 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:46:11 +0530] "HEAD /manager/status HTTP/1.1" 401 -
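Answer 0 (score: 1)
This happens all the time, and it is probably (definitely) not even a physical person. People write scripts that try to get a successful result from any version of PHPMyAdmin, attempt SSH logins with every possible account name and password, or just look for anything that might have a potential vulnerability. When you have a server on a public, open IP address, these things are bound to happen.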
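When someone tries to access a website, a GET request is performed against the HTTP server. This is obviously a script (look at the timestamps) that is trying to GET common names, and for each GET request a log entry is created in Apache (or in your case Tomcat Apache) with the GET and what the result was. Most of these entries are HTTP 404 errors, which most people know means the resource was not found.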
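There are several resources that can help server administrators track or block this kind of activity:
The best advice is to patch often, especially if you see something listed as a security patch, and two, use a firewall and open only the absolutely most needed ports from the server to the open world.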
Answer 1 (score: 1)
Have you secured the installation?
It looks to me like the manager app is accessible from outside:
180.166.74.227 - - [16/Mar/2013:19:46:09 +0530] "HEAD /manager/status HTTP/1.1" 401 -
You should take steps to secure the manager. https://www.owasp.org/index.php/Securing_tomcat#Securing_Manager_WebApp
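An added example, not part of either answer above: a small Python detector for the two patterns those answers point out, a timestamp burst of 4xx responses across many paths and repeated 401s on /manager/status. The thresholds (`min_hits`, `window_s`) and the labels are assumptions; the sample lines are excerpted from the log in the question.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common log format, as written by Tomcat's access log in the question.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, req, status = m.groups()
    parts = req.split()
    # Malformed request lines ("GET HTTP/1.1 HTTP/1.1") carry no real path.
    path = parts[1] if len(parts) == 3 and parts[1].startswith("/") else None
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def classify(lines, min_hits=4, window_s=60):
    """Map each client with >= min_hits 4xx responses inside window_s to a label."""
    errors = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if 400 <= rec[3] < 500:
            errors[rec[0]].append(rec)
    flagged = {}
    for ip, recs in errors.items():
        recs.sort(key=lambda r: r[1])
        burst = any((recs[i + min_hits - 1][1] - recs[i][1]).total_seconds() <= window_s
                    for i in range(len(recs) - min_hits + 1))
        if burst:
            auth = sum(r[3] == 401 for r in recs)
            paths = {r[2] for r in recs if r[2]}
            flagged[ip] = "auth-probe" if auth >= min_hits else f"path-scan ({len(paths)} paths)"
    return flagged

# Lines excerpted from the access log in the question.
SAMPLE = """\
210.44.159.49 - - [16/Mar/2013:00:24:04 +0530] "GET HTTP/1.1 HTTP/1.1" 400 -
210.44.159.49 - - [16/Mar/2013:00:24:04 +0530] "GET /index.php HTTP/1.1" 404 969
210.44.159.49 - - [16/Mar/2013:00:24:05 +0530] "GET /admin/index.php HTTP/1.1" 404 981
210.44.159.49 - - [16/Mar/2013:00:24:06 +0530] "GET /admin/pma/index.php HTTP/1.1" 404 989
66.249.75.14 - - [16/Mar/2013:04:27:44 +0530] "GET /robots.txt HTTP/1.1" 404 971
2.122.109.242 - - [16/Mar/2013:16:50:17 +0530] "GET /favicon.ico HTTP/1.1" 404 973
180.166.74.227 - - [16/Mar/2013:19:40:30 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:40:31 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:40:31 +0530] "HEAD /manager/status HTTP/1.1" 401 -
180.166.74.227 - - [16/Mar/2013:19:40:32 +0530] "HEAD /manager/status HTTP/1.1" 401 -
""".splitlines()

print(classify(SAMPLE))
```

Clients with a single stray 404 (a crawler asking for robots.txt, a browser asking for favicon.ico) stay below the threshold and are not flagged.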
Answer 2 (score: 0)
It looks to me like someone is trying to hack your server.