I have a server (VPS) that I use as a repository and testing server (GitLab and Redmine). But Apache crashed, and in /var/log/apache2/error.log I see
many errors like these:
[Fri Jan 31 16:07:31.056851 2014] [:error] [pid 1538] [client 63.141.239.204:4740] script '/var/www/ads.php' not found or unable to stat, referer: http://www.wealthsuperman.com/index.php/component/k2/item/1017-3-industry-impacting-innovations-on-the-horizon
[Fri Jan 31 16:07:31.377531 2014] [:error] [pid 1549] [client 216.244.79.163:2282] script '/var/www/ads.php' not found or unable to stat, referer: http://www.movieseeing.com/index.php?option=com_content&view=article&id=2244:bin-aflek-kevin-names-directory&catid=45:superman-movie&Itemid=418
[Fri Jan 31 16:07:31.538993 2014] [:error] [pid 1436] [client 23.88.201.68:4073] script '/var/www/banner_728x90.php' not found or unable to stat, referer: ://www.worldfinancialtoday.com/index.php?option=com_content&view=article&id=481:2011-07-01-23-20-39&catid=41:debt-management&Itemid=224
[Fri Jan 31 16:07:32.267787 2014] [:error] [pid 1573] [client 216.244.87.196:4726] script '/var/www/banner_160x600.php' not found or unable to stat, referer: http://www.sexwomanbaby.com/index.php?option=com_content&view=category&layout=blog&id=37&Itemid=71&limitstart=351
[Fri Jan 31 16:07:32.576526 2014] [:error] [pid 1383] [client 198.50.177.34:3046] script '/var/www/ads.php' not found or unable to stat, referer: http://www.healthlifeways.com/healthy-eating-2/2000-i-want-to-eat-healthy-i-want-to-lose-weight-and-eat-healthy-vegetarian.html
[Fri Jan 31 16:07:34.948099 2014] [:error] [pid 1525] [client 208.115.124.196:4361] script '/var/www/banner_300x250.php' not found or unable to stat, referer: http://www.gamebabygirls.com/index.php?option=com_content&view=article&id=1991:how-to-download-games-onto-your-psp-for-free-free-games-to-download&catid=58:free-game-downloads&Itemid=182
[Fri Jan 31 16:07:35.492746 2014] [:error] [pid 1429] [client 192.187.124.67:3583] script '/var/www/ads.php' not found or unable to stat, referer: http://www.entainmentworld.com/index.php/chicago-entertainment-2/262-ipelinecom-seattle-entertainment
[Fri Jan 31 16:07:35.938016 2014] [:error] [pid 1524] [client 172.246.42.245:1589] script '/var/www/banner_160x600.php' not found or unable to stat, referer: ://www.galacticearthalliance.com/index.php?option=com_content&view=category&layout=blog&id=43&Itemid=226
/var/log/apache2/other_vhosts_access.log
127.0.0.1:80 64.120.60.118 - - [01/Feb/2014:00:49:40 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=728x90&section=4931465&pub_url=${PUB_URL} HTTP/1.0" 404 494 "http://happyhourstravel.com/index.php/international-travel/4088-china-eastern-airline" "Opera/10.60 (Windows NT 5.1; U; en-US) Presto/2.6.30 Version/10.60"
127.0.0.1:80 74.63.197.142 - - [01/Feb/2014:00:49:40 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250&section=3698931&pub_url=${PUB_URL} HTTP/1.0" 404 494 "http://www.mortcard.com/index.php?option=com_content&view=article&id=14:Amount-of-Pay-Earned-for-a-Kindergarten-Teacher--&catid=13" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6"
127.0.0.1:80 142.54.183.92 - - [01/Feb/2014:00:49:40 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=728x90&section=5245782&pub_url=${PUB_URL} HTTP/1.0" 404 494 "http://www.healthlifeways.com/healthy-eating-2/18-healthy-life/3339-what-is-a-healthy-balanced-diet-what-is-healthy-life.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.36 (KHTML, like Gecko) Chrome/13.0.766.0 Safari/534.36"
127.0.0.1:80 216.244.79.171 - - [01/Feb/2014:00:49:40 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=728x90&section=5280785&pub_url=themoviebus.com HTTP/1.0" 404 494 "http://www.themoviebus.com/index.php/37-news/slideshow/67-donec-nec-feugiat-felis" "Mozilla/4.08 [en] (WinNT; U)"
127.0.0.1:80 198.2.200.40 - - [01/Feb/2014:00:49:40 +0000] "GET http://ib.adnxs.com/ttj?id=2023417&position=above HTTP/1.0" 404 494 "http://www.gameuloved.com/?cat=3" "Opera/9.80 (Windows NT 5.1; U; it) Presto/2.7.62 Version/11.00"
127.0.0.1:80 107.148.8.58 - - [01/Feb/2014:00:49:40 +0000] "GET http://ib.adnxs.com/ttj?id=2142019 HTTP/1.0" 404 494 "http://www.new-energy-auto.com/?p=548" "Mozilla/5.0 (Windows; U; Windows NT 6.0; fr-FR) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5"
127.0.0.1:80 63.141.239.206 - - [01/Feb/2014:00:49:40 +0000] "GET http://ad.yieldmanager.com/st?ad_type=pop&ad_size=0x0&section=5073837&banned_pop_types=28&pop_times=1&pop_frequency=86400&pub_url=${PUB_URL} HTTP/1.0" 404 500 "http://www.healthlifeways.com/healthy-eating-2/4591-eat-drink-be-healthy-eat-healthy-magazine.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
127.0.0.1:80 23.228.234.115 - - [01/Feb/2014:00:49:40 +0000] "GET http://ib.adnxs.com/ttj?id=1165515 HTTP/1.0" 404 494 "http://www.liekkas.com/?tag=pc" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
127.0.0.1:80 199.231.212.25 - - [01/Feb/2014:00:49:41 +0000] "GET http://ib.adnxs.com/ttj?id=2169359&cb=[CACHEBUSTER]&referrer=[REFERRER_URL] HTTP/1.0" 404 494 "://www.twotags.com/o~c-Clothing~a-ap_gender_age_women-24330635_v_neck~b-31515.aspx" "Mozilla/4.75 [en] (Win98; U)"
127.0.0.1:80 137.175.9.44 - - [01/Feb/2014:00:49:42 +0000] "GET http://ads.deliads.com/ttj?id=2069500&referrer=financialgately.com HTTP/1.0" 404 497 "http://www.financialgately.com/?p=748" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre"
127.0.0.1:80 198.56.202.213 - - [01/Feb/2014:00:49:42 +0000] "GET http://ib.adnxs.com/ttj?id=2168277&position=above HTTP/1.0" 404 494 "http://www.fulleducate.com/?p=723" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; ru-ru) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16"
127.0.0.1:80 198.2.208.247 - - [01/Feb/2014:00:49:42 +0000] "GET http://ib.adnxs.com/ttj?id=2048452&position=above HTTP/1.0" 404 494 "http://www.everyloans.net/?p=562" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100726 CentOS/3.6-3.el5.centos Firefox/3.6.7"
127.0.0.1:80 63.141.244.45 - - [01/Feb/2014:00:49:42 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250&section=5233043&pub_url=probuinessp.com HTTP/1.0" 404 494 "http://probuinessp.com/index.php/small-business-marketing-ideas/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6pre) Gecko/20100903 Firefox/4.0b6pre"
127.0.0.1:80 174.34.159.13 - - [01/Feb/2014:00:49:42 +0000] "GET http://ib.adnxs.com/ttj?id=2168373&position=above HTTP/1.0" 404 494 "http://www.searchthenewsofmovie.com/?p=742" "Mozilla/5.0 ArchLinux (X11; U; Linux x86_64; en-US) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.100"
127.0.0.1:80 192.169.85.115 - - [01/Feb/2014:00:49:43 +0000] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=728x90&section=5151124&pub_url=${PUB_URL} HTTP/1.0" 404 494 "http://www.salebusinessidea.com/index.php?option=com_content&view=article&id=234:What-Is-a-SAP-Inventory-System?--&catid=119&Itemid=83" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 95; Alexa Toolbar)"
127.0.0.1:80 23.239.119.194 - - [01/Feb/2014:00:49:43 +0000] "GET http://ib.adnxs.com/ttj?id=2106211&referrer=%5BREFERRER_URL%5D HTTP/1.1" 404 438 "http://ask.com" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)"
127.0.0.1:80 198.56.202.212 - - [01/Feb/2014:00:49:43 +0000] "GET http://ib.adnxs.com/ttj?id=2168277&position=above HTTP/1.0" 404 494 "http://www.fulleducate.com/?p=633" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)"
127.0.0.1:80 198.56.202.213 - - [01/Feb/2014:00:49:43 +0000] "GET http://ib.adnxs.com/ttj?id=2168277&position=above HTTP/1.0" 404 494 "http://www.fulleducate.com/?p=209" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5"
127.0.0.1:80 198.98.104.241 - - [01/Feb/2014:00:49:44 +0000] "GET http://tags.h12-media.com/tags.js?site=216e49346226002857e6bcd64223e7fc&type=728x90 HTTP/1.0" 404 504 "://www.lookforwardhappiness.com/index.php?view=article&catid=35%3Ahealth-insurance&id=5102%3A2013-12-28-11-28-29&format=pdf&option=com_content&Itemid=54" "Mozilla/4.0 (compatible; MSIE 6.01; Windows 98; Alexa Toolbar)"
127.0.0.1:80 173.234.41.37 - - [01/Feb/2014:00:49:44 +0000] "GET http://ad.smxchange.com/st?ad_type=iframe&ad_size=160x600&section=4848284&pub_url=${PUB_URL} HTTP/1.0" 404 497 "http://hotbizs.com/index.php?option=com_content&view=section&id=19&layout=blog&Itemid=412&limitstart=261" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"
127.0.0.1:80 198.200.42.8 - - [01/Feb/2014:00:49:44 +0000] "GET http://ib.adnxs.com/ttj?id=2150922 HTTP/1.0" 404 494 "http://www.autosoldbest.com/?p=33" "Mozilla/5.0 (Windows NT 5.1; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 11.00"
127.0.0.1:80 192.169.85.227 - - [01/Feb/2014:00:49:44 +0000] "GET http://ads.yahoo.com/st?ad_type=pop&ad_size=0x0&section=3914696&banned_pop_types=28&pop_times=1&pop_frequency=0&pub_url=${PUB_URL} HTTP/1.0" 404 494 "http://www.eiaok.com/financial-affairs/reasons-why-you-want-to-start-a-business-financial-security.html" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.39 Version/11.00"
127.0.0.1:80 198.2.199.147 - - [01/Feb/2014:00:49:44 +0000] "GET http://ib.adnxs.com/ttj?id=2059583&position=above HTTP/1.0" 404 494 "http://www.bodybecare.com/future-lady-fashion-institute-kerala-zardosi-painting-courses-cochin-kerala/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; YPC 3.2.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)"
127.0.0.1:80 172.246.42.139 - - [01/Feb/2014:00:49:44 +0000] "GET http://ib.adnxs.com/ttj?id=2198716 HTTP/1.0" 404 494 "http://www.fulleducate.com/?p=612" "Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
I suspect this is some kind of attack (DDoS).
I have already reinstalled Apache and PHP, but the problem persists. So far I have blocked many of the IPs that appear in the logs, but that has not solved it.
Can someone tell me what I should do to fix this?
I am using:
Linux version 3.11.0-12-generic (buildd@allspice) (gcc version 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu7) ) #19-Ubuntu SMP Wed Oct 9 16:20:46 UTC 2013
Server version: Apache/2.4.6 (Ubuntu)
Server built: Dec 5 2013 18:32:22
My processes:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1384 www-data 20 0 181m 1652 1084 S 0.3 0.3 0:01.28 apache2
1405 www-data 20 0 181m 1652 1084 S 0.3 0.3 0:01.24 apache2
1544 www-data 20 0 181m 1688 1080 S 0.3 0.3 0:01.34 apache2
1575 www-data 20 0 181m 1696 1088 S 0.3 0.3 0:01.30 apache2
1783 root 20 0 17796 1556 1004 R 0.3 0.3 0:00.08 top
1 root 20 0 26920 1500 588 S 0.0 0.3 0:01.45 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0.0 0.0 0:02.56 ksoftirqd/0
5 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:0H
6 root 20 0 0 0 0 S 0.0 0.0 0:00.88 kworker/u2:0
7 root rt 0 0 0 0 S 0.0 0.0 0:00.00 migration/0
8 root 20 0 0 0 0 S 0.0 0.0 0:00.00 rcu_bh
9 root 20 0 0 0 0 S 0.0 0.0 0:00.00 rcuob/0
10 root 20 0 0 0 0 S 0.0 0.0 0:07.99 rcu_sched
11 root 20 0 0 0 0 R 0.0 0.0 0:17.54 rcuos/0
12 root rt 0 0 0 0 S 0.0 0.0 0:00.04 watchdog/0
13 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 khelper
14 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdevtmpfs
15 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 netns
16 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 writeback
17 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kintegrityd
18 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 bioset
19 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/u3:0
20 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kblockd
21 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 ata_sff
22 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khubd
23 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 md
24 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 devfreq_wq
25 root 20 0 0 0 0 S 0.0 0.0 0:01.06 kworker/0:1
26 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khungtaskd
27 root 20 0 0 0 0 S 0.0 0.0 0:01.10 kswapd0
28 root 25 5 0 0 0 S 0.0 0.0 0:00.00 ksmd
29 root 20 0 0 0 0 S 0.0 0.0 0:00.00 fsnotify_mark
30 root 20 0 0 0 0 S 0.0 0.0 0:00.00 ecryptfs-kthrea
31 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 crypto
43 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kthrotld
44 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kworker/u2:1
45 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_0
46 root 20 0 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_1
66 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 deferwq
67 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 charger_manager
119 root 20 0 0 0 0 S 0.0 0.0 0:00.28 jbd2/vda-8
120 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 ext4-rsv-conver
121 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 ext4-unrsv-conv
299 root 20 0 17452 136 136 S 0.0 0.0 0:00.12 upstart-udev-br
308 root 20 0 42624 508 508 S 0.0 0.1 0:00.03 systemd-udevd
310 messageb 20 0 30508 496 304 S 0.0 0.1 0:00.16 dbus-daemon
PS: I am new to the terminal.
Edit:
I noticed something. I deleted the logs, and they only reappear when I restart Apache.
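As an added triage example (not part of the original question or answer), the script below parses lines in the other_vhosts_access.log format shown above, flags proxy-style requests whose request line carries an absolute URI (like the "GET http://ads.yahoo.com/... HTTP/1.0" entries that return 404 here), and tallies them by client IP, requested host and referer host so the traffic can be characterised before any blocking decision. The sample log lines, IP addresses and hostnames in it are constructed, not taken from the server.

```python
import re
from collections import Counter
from urllib.parse import urlsplit
# Apache vhost_combined format (other_vhosts_access.log): vhost:port client ident user [time] "request" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    # Returns a dict for one access-log line, or None when the line does not match the format.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # "GET http://host/path HTTP/1.0" is an absolute-URI request: the client is treating this server as a forward proxy.
    rec["proxy_style"] = rec["target"].lower().startswith(("http://", "https://"))
    rec["target_host"] = urlsplit(rec["target"]).hostname if rec["proxy_style"] else None
    rec["referer_host"] = urlsplit(rec["referer"]).hostname or "-"
    return rec

def triage(lines):
    # Counts proxy-style requests and tallies them by client IP, requested host and referer host.
    stats = {"parsed": 0, "unparsed": 0, "proxy_style": 0, "proxy_404": 0,
             "clients": Counter(), "target_hosts": Counter(), "referer_hosts": Counter()}
    for line in filter(str.strip, lines):  # skip blank lines
        rec = parse_line(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        stats["parsed"] += 1
        if rec["proxy_style"]:
            stats["proxy_style"] += 1
            stats["proxy_404"] += int(rec["status"] == 404)
            stats["clients"][rec["client"]] += 1
            stats["target_hosts"][rec["target_host"]] += 1
            stats["referer_hosts"][rec["referer_host"]] += 1
    return stats

# Constructed sample in the same format (documentation IPs and .test domains, not real traffic).
SAMPLE_LOG = """\
127.0.0.1:80 198.51.100.10 - - [01/Feb/2014:00:49:40 +0000] "GET http://ads.example-adnet.test/st?ad_type=iframe&ad_size=728x90&section=4931465 HTTP/1.0" 404 494 "http://spam-a.test/index.php/x" "Opera/10.60"
127.0.0.1:80 198.51.100.11 - - [01/Feb/2014:00:49:40 +0000] "GET http://ib.example-adnet.test/ttj?id=2023417&position=above HTTP/1.0" 404 494 "http://spam-b.test/?cat=3" "Mozilla/4.0"
127.0.0.1:80 198.51.100.10 - - [01/Feb/2014:00:49:41 +0000] "GET http://ads.example-adnet.test/st?ad_type=pop&ad_size=0x0 HTTP/1.0" 404 500 "http://spam-a.test/health.html" "Mozilla/5.0"
127.0.0.1:80 203.0.113.5 - - [01/Feb/2014:00:50:02 +0000] "GET /gitlab/users/sign_in HTTP/1.1" 200 6120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
this line is deliberately malformed
"""
```

Feeding the real file's lines to triage() instead of SAMPLE_LOG shows whether the noise is a few clients or many, and whether any non-proxy requests for the GitLab and Redmine paths are mixed in with it.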
Answer 1
- Make sure all of the data on the server is backed up.
- Reinstall the instance from scratch.
- Make sure the instance is secured according to the Debian CIS benchmark.
- Make sure Apache is secured according to the Apache CIS benchmark.
- Make sure the VPS provider is using an IPS/IDS to monitor your instance; if not, look for another provider.
- Make sure all relevant logs are sent to a central syslog server separate from the web server instance. This improves the integrity of the logs.
- You may want to install the Snort IPS/IDS solution, just to see whether another attack is launched.
- Install a file integrity monitoring solution (e.g. AIDE) and monitor configuration files for changes.