Network Security Analysis

Published: 2023/12/15, General Tutorials, 25, by 生活家

Web server security analysis

access_log analysis

Large numbers of log entries like the following appear in access_log:
222.186.58.112 - - [05/Apr/2015:05:06:29 +0800] "GET http://www.baidu.com/ HTTP/1.1" 200 2093 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
115.230.125.147 - - [05/Apr/2015:05:19:37 +0800] "GET http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.6093436214741765 HTTP/1.1" 404 291 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; 360SE)"
111.123.180.44 - - [05/Apr/2015:05:36:22 +0800] "GET http://115.230.125.165:61254/8080 HTTP/1.1" 404 285 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
115.236.20.36 - - [05/Apr/2015:15:24:56 +0800] "GET http://www.qq.com/404/search_children.js HTTP/1.1" 404 295 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36"

This is someone else's proxy scanner checking whether your server will act as a proxy, so that your server can be used as a relay to reach other sites; what that gets used for needs no explanation from me.
An HTTP proxy request differs slightly from the ordinary requests you normally see. If your server is an HTTP proxy, the request line the client sends is
GET http://www.baidu.com/
Here GET is followed by a complete absolute URL, rather than the usual
GET /
Please keep this in mind.

error_log analysis

[Mon Apr 06 04:45:39 2015] [error] [client 46.28.206.148] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Apr 06 04:56:57 2015] [error] [client 70.46.57.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Mon Apr 06 04:57:01 2015] [error] [client 70.46.57.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Tue Apr 07 01:18:45 2015] [error] [client 97.91.223.228] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Tue Apr 07 01:18:49 2015] [error] [client 97.91.223.228] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
Large numbers of messages like the following appear in error_log:
[Mon Apr 06 04:12:24 2015] [error] [client 46.28.206.148] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Apr 06 04:34:07 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
[Mon Apr 06 05:03:57 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/muieblackcat
[Mon Apr 06 05:03:57 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/phpMyAdmin
[Mon Apr 06 05:03:58 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/phpmyadmin
[Mon Apr 06 05:03:59 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/pma
[Mon Apr 06 05:04:03 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/myadmin
[Mon Apr 06 05:04:04 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/MyAdmin
[Mon Apr 06 05:04:04 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/scripts
[Mon Apr 06 05:44:34 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
[Mon Apr 06 06:55:02 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
[Mon Apr 06 08:05:36 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
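The two patterns described above (absolute-URI request lines in access_log, which mark proxy probing, and bursts of "File does not exist" entries in error_log, which mark admin-panel path scanning) can be pulled out of the logs automatically. The following is an added example, not code from the original article; its sample log lines are constructed to mirror the page's excerpts, with user-agent strings shortened.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the page's access_log and error_log excerpts
# (user-agent strings shortened; the last access_log line is a normal origin-form request).
ACCESS_LOG = """\
222.186.58.112 - - [05/Apr/2015:05:06:29 +0800] "GET http://www.baidu.com/ HTTP/1.1" 200 2093 "-" "Mozilla/4.0"
115.230.125.147 - - [05/Apr/2015:05:19:37 +0800] "GET http://zc.qq.com/cgi-bin/common/attr?id=260714 HTTP/1.1" 404 291 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Apr/2015:05:20:00 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
ERROR_LOG = """\
[Mon Apr 06 04:45:39 2015] [error] [client 46.28.206.148] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Apr 06 04:34:07 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
[Mon Apr 06 05:03:57 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/phpMyAdmin
[Mon Apr 06 05:03:59 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/pma
[Mon Apr 06 05:04:04 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/scripts
"""

# Apache combined format: client ident user [time] "method target proto" status bytes ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) ([^"]+)" (\d{3}) (\S+)')
ERROR_RE = re.compile(r'^\[([^\]]+)\] \[error\] \[client ([\d.]+)\] (.*)$')

def is_proxy_request(target):
    """A forward-proxy request puts an absolute URI in the request line
    (GET http://host/path) instead of the usual origin-form path (GET /path)."""
    return re.match(r'^[A-Za-z][A-Za-z0-9+.-]*://', target) is not None

def proxy_probes(log_text):
    """Map client IP -> number of requests asking this server to act as a proxy."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and is_proxy_request(m.group(4)):
            hits[m.group(1)] += 1
    return dict(hits)

def missing_file_scanners(log_text, threshold=3):
    """Clients that requested at least `threshold` distinct non-existent paths,
    the signature of admin-panel path scanning seen in error_log."""
    paths = defaultdict(set)
    prefix = "File does not exist: "
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if m and m.group(3).startswith(prefix):
            # strip the optional ", referer: ..." suffix Apache appends
            path = m.group(3)[len(prefix):].split(",")[0]
            paths[m.group(2)].add(path)
    return {ip: sorted(p) for ip, p in paths.items() if len(p) >= threshold}
```

Run the two functions over real logs (for example via `open("/var/log/httpd/access_log").read()`) and feed the resulting client IPs to a firewall block list or an alert.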

Getting the egress IP on Linux
curl http://members.3322.org/dyndns/getip
curl ifconfig.me (this one is too slow)
curl cip.cc
curl ip.cip.cc
telnet cip.cc
ftp cip.cc

=======================================
Procedure

=======================================
I. On the af1000 (software version af8.0.6), find the specific source port and IP in the session ranking
1. Starting from the internal machines in the session ranking, query and analyse, first picking out the host IP of interest.

192.168.7.102 113.200.98.69 56756 199.182.204.197 199.182.204.197 123 UDP 建立 NTP trust untrust

2. Look up the service on internal host 7.102 that corresponds to this session. Sure enough, the service was found: the IP 199.182.204.197 is one of the NTP sources.

[root@cu-app-102 ~]# systemctl status chronyd
● chronyd.service - NTP client/server
Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2019-07-08 09:16:32 CST; 4 days ago
Docs: man:chronyd(8)
man:chrony.conf(5)
Process: 756 ExecStartPost=/usr/libexec/chrony-helper update-daemon (code=exited, status=0/SUCCESS)
Process: 732 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 746 (chronyd)
Tasks: 1
Memory: 1.1M
CGroup: /system.slice/chronyd.service
└─746 /usr/sbin/chronyd

Jul 08 09:16:32 cu-app-102 systemd[1]: Starting NTP client/server...
Jul 08 09:16:32 cu-app-102 chronyd[746]: chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 +DEBUG)
Jul 08 09:16:32 cu-app-102 chronyd[746]: Frequency -4.405 +/- 0.034 ppm read from /var/lib/chrony/drift
Jul 08 09:16:32 cu-app-102 systemd[1]: Started NTP client/server.
Jul 08 09:17:13 cu-app-102 chronyd[746]: Selected source 144.76.76.107
Jul 08 09:18:18 cu-app-102 chronyd[746]: Selected source 199.182.204.197
Jul 10 07:35:17 cu-app-102 chronyd[746]: Selected source 45.43.30.59

========================================

II. Then filter the connection list on the clavister by source port and destination IP
1. Enter the destination IP and destination port; the source port is the source port from the af. If the source port on the af is 46982, enter 46982, yet the entry found was 34688. Be aware of this.
TCP_OPEN TCP ge3:192.168.3.185:34687 ge5:113.200.98.66:5908 261662
TCP_OPEN TCP ge3:192.168.3.185:34688 ge5:113.200.98.66:5908 262136
TCP_OPEN TCP ge3:192.168.3.169:55148 ge5:113.200.98.66:5908 260719
2. Then, on a Windows machine in the internal network, run nbtstat -A 192.168.3.185 to find the specific host name.

========================================
This gives the communication path between the two machines.
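The correlation in steps I and II, matching an af session-ranking row against the clavister connection table, can be scripted once both outputs are exported as text. The following is an added example, not code from the article or from either vendor; the af field order (src_ip nat_ip src_port dst_ip dst_ip dst_port proto state app src_zone dst_zone) is an assumption read off the page's row, and the sample values are constructed to reproduce the source-port mismatch step II.1 warns about.

```python
import re

# Constructed af session-ranking row (assumed field order:
# src_ip nat_ip src_port dst_ip dst_ip dst_port proto state app src_zone dst_zone).
# The af reports source port 46982 while the clavister table holds 34687/34688.
AF_SESSION = "192.168.3.185 113.200.98.69 46982 113.200.98.66 113.200.98.66 5908 TCP 建立 unknown trust untrust"

# Constructed clavister rows: STATE PROTO iface:src_ip:src_port iface:dst_ip:dst_port conn_id
CLAVISTER_CONNS = """\
TCP_OPEN TCP ge3:192.168.3.185:34687 ge5:113.200.98.66:5908 261662
TCP_OPEN TCP ge3:192.168.3.185:34688 ge5:113.200.98.66:5908 262136
TCP_OPEN TCP ge3:192.168.3.169:55148 ge5:113.200.98.66:5908 260719
"""

CONN_RE = re.compile(r'^(\S+) (TCP|UDP) (\w+):([\d.]+):(\d+) (\w+):([\d.]+):(\d+) (\d+)$')

def parse_af_session(row):
    f = row.split()
    return {"src_ip": f[0], "nat_ip": f[1], "src_port": int(f[2]),
            "dst_ip": f[3], "dst_port": int(f[5]), "proto": f[6]}

def parse_connections(text):
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append({"state": m.group(1), "proto": m.group(2),
                          "src_ip": m.group(4), "src_port": int(m.group(5)),
                          "dst_ip": m.group(7), "dst_port": int(m.group(8)),
                          "conn_id": int(m.group(9))})
    return conns

def correlate(af_row, conn_text):
    """Match an af session to clavister connections on proto + destination ip:port.
    Returns (rows whose source port equals the af source port,
             rows from the same source host to that destination).
    When the first list is empty, the second is the fallback to inspect."""
    s = parse_af_session(af_row)
    same_dst = [c for c in parse_connections(conn_text)
                if (c["proto"], c["dst_ip"], c["dst_port"])
                == (s["proto"], s["dst_ip"], s["dst_port"])]
    exact = [c for c in same_dst if c["src_port"] == s["src_port"]]
    same_host = [c for c in same_dst if c["src_ip"] == s["src_ip"]]
    return exact, same_host
```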
