Am I being hacked?


Question

Here are just a few lines from my Apache 2.0 error_log:

[Sun Nov 25 08:22:04 2012] [error] [client 64.34.195.190] File does not exist: /var/www/vhosts/default/htdocs/admin
[Sun Nov 25 14:14:32 2012] [error] [client 96.254.171.2] File does not exist: /var/www/vhosts/default/htdocs/azenv.php
[Wed Nov 28 03:02:01 2012] [error] [client 91.205.189.15] File does not exist: /var/www/vhosts/default/htdocs/user
[Wed Nov 28 03:44:35 2012] [error] [client 66.193.171.223] File does not exist: /var/www/vhosts/default/htdocs/vtigercrm
[Mon Dec 03 00:09:16 2012] [error] [client 82.223.239.68] File does not exist: /var/www/vhosts/default/htdocs/jmx-console
[Mon Dec 03 20:48:44 2012] [error] [client 221.2.209.46] File does not exist: /var/www/vhosts/default/htdocs/manager
[Thu Dec 06 07:37:04 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/w00tw00t.at.blackhats.romanian.anti-sec:)
[Thu Dec 06 07:37:05 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin
[Thu Dec 06 07:37:05 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/phpmyadmin
[Thu Dec 06 07:37:06 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/pma
[Thu Dec 06 07:37:06 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/myadmin
[Thu Dec 06 07:37:07 2012] [error] [client 116.254.203.24] File does not exist: /var/www/vhosts/default/htdocs/MyAdmin
[Thu Dec 13 02:19:53 2012] [error] [client 96.254.171.2] File does not exist: /var/www/vhosts/default/htdocs/judge.php

The most common errors are requests for the "phpMyAdmin" file, and "w00tw00t.at.blackhats.romanian.anti-sec:)".

I can see the IP address that the requests are coming from. But who is "client"?

Thanks, Shane.

Recommended answer

This is just an automatic script deployed by many Script Kiddies looking for a security breach in your Apache version/configuration. The signature w00tw00t is usually left by DFind.

Just use a program like fail2ban configured such as this example explains to avoid being flooded by these requests:

http://www.userdel.com/post/18618537324/block-w00tw00t-scans-with-fail2ban

This does not necessarily mean you've been hacked, but the server has been scanned for vulnerabilities. However, if you use any of the software that you saw in those logs and it is an older version having known vulnerabilities, you should check your server for unusual files and login activities.
