Question

更新：谢谢杰里。一名黑客实际上设法上载了一个可执行文件，该文件获得了对服务器的根访问权限。黑客指示服务器加入一些硬币挖矿。 IT部门不想阻止来自某些国家/地区的ip，因为我们实际上在那设有办事处。因此，我搜索了如何使TOMCAT更安全。 1.删除了webapps文件夹中默认安装附带的所有应用程序。 2.不要使用Tomcat Web管理器，请删除与其关联的所有内容。黑客正试图猜测管理员用户名和密码。启用Tomcat管理员应用程序就像在向充满鲨鱼的海洋滴血。黑客将被您的服务器吸引。删除webapp的内容后，我的服务器现在返回404代码。我仍然不时看到一些黑客活动，但是经过404次回复后，他们才停止。

＃

我查看了Tomcat的访问日志，并看到以下条目。似乎有人试图入侵我的服务器。这是我们的测试服务器，没有域名，只能通过IP地址访问。我已启用Tomcat Admin网页以进行调试。

利用所有这些get和post调用，黑客试图实现什么？ Tomcat服务器当前受到攻击还是已经被黑客入侵？我该怎么做才能阻止黑客？

198.108.66.176 - - [04/Dec/2018:00:06:28 -0600] "GET / HTTP/1.1" 302 -
198.108.66.176 - - [04/Dec/2018:00:06:28 -0600] "GET / HTTP/1.1" 302 -
196.52.43.116 - - [04/Dec/2018:01:07:31 -0600] "GET / HTTP/1.0" 302 -
92.52.204.77 - - [04/Dec/2018:01:29:58 -0600] "GET / HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:00 -0600] "PROPFIND / HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:00 -0600] "GET /webdav/ HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:04 -0600] "GET /help.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:04 -0600] "GET /java.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:04 -0600] "GET /_query.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:04 -0600] "GET /test.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:05 -0600] "GET /db_cts.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:05 -0600] "GET /db_pma.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:05 -0600] "GET /logon.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:06 -0600] "GET /help-e.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:06 -0600] "GET /license.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:07 -0600] "GET /log.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:07 -0600] "GET /hell.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:07 -0600] "GET /pmd_online.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:08 -0600] "GET /x.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:08 -0600] "GET /shell.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:08 -0600] "GET /htdocs.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:08 -0600] "GET /desktop.ini.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:08 -0600] "GET /z.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:09 -0600] "GET /lala.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:09 -0600] "GET /lala-dpr.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:09 -0600] "GET /wpc.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:09 -0600] "GET /wpo.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:09 -0600] "GET /text.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:10 -0600] "GET /wp-config.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:10 -0600] "GET /muhstik.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:11 -0600] "GET /muhstik2.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:11 -0600] "GET /muhstiks.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:11 -0600] "GET /muhstik-dpr.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:12 -0600] "GET /lol.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:12 -0600] "GET /uploader.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:12 -0600] "GET /cmd.php HTTP/1.1" 302 -

41.223.49.173 - - [04/Dec/2018:02:07:16 -0600] "POST /wuwu11.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:16 -0600] "POST /xw.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:16 -0600] "POST /xw1.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:16 -0600] "POST /9678.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:17 -0600] "POST /wc.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:17 -0600] "POST /xx.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:17 -0600] "POST /s.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:18 -0600] "POST /w.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:19 -0600] "POST /sheep.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:19 -0600] "POST /qaq.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:20 -0600] "POST /db.init.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:20 -0600] "POST /db_session.init.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:20 -0600] "POST /db__.init.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:20 -0600] "POST /wp-admins.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:20 -0600] "POST /m.php?pbid=open HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:21 -0600] "POST /db_dataml.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:21 -0600] "POST /db_desql.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:21 -0600] "POST /mx.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:22 -0600] "POST /wshell.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:23 -0600] "POST /xshell.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:23 -0600] "POST /qq.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:23 -0600] "POST /conflg.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:24 -0600] "POST /lindex.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:24 -0600] "POST /phpstudy.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:24 -0600] "POST /phpStudy.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:24 -0600] "POST /weixiao.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:24 -0600] "POST /feixiang.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:25 -0600] "POST /ak47.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:25 -0600] "POST /ak48.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:25 -0600] "POST /xiao.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:26 -0600] "POST /yao.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:27 -0600] "POST /defect.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:27 -0600] "POST /webslee.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:28 -0600] "POST /q.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:28 -0600] "POST /pe.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:28 -0600] "POST /hm.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:28 -0600] "POST /cainiao.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:28 -0600] "POST /zuoshou.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:29 -0600] "POST /zuo.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:29 -0600] "POST /aotu.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:29 -0600] "POST /cmd.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:29 -0600] "POST /bak.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:30 -0600] "POST /system.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:30 -0600] "POST /l6.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:30 -0600] "POST /l7.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:31 -0600] "POST /l8.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:31 -0600] "POST /q.php HTTP/1.1" 302 -

Answer 1

利用所有这些get和post调用，黑客试图实现什么？

寻找他们可能利用的漏洞；可能是带有已知错误/漏洞的软件的已知文件名；可能到现在为止，可能有人怀疑来自不同地址的类似请求。

Tomcat服务器是否正在受到攻击或已经被黑客入侵？

攻击-如果日志中的状态为200，则可能被黑客入侵。以上所有日志显示302 /重定向；因此可以认为这次黑客攻击没有取得成果。

我该怎么做才能阻止黑客？

在IP地址上输入whois；阻止报告的范围-很有可能来自您不曾或不想与之开展业务的国家/地区。 ;）最好是可以在Internet边界（网关/路由器）处丢弃（或阻止）流量。还可以配置Apache-见下文：

Blocking multiple ip ranges using mod access in htaccess

Tomcat服务器受到攻击

1 个答案: