我正在运行 Ubuntu 20.04.1 LTS,显然防火墙默认未启用。我不记得安装了 apache2 webserver,但我发现它在端口 80 上托管欢迎页面。
我不太了解网络,但不知何故这个页面被公开了。我现在禁用了它,但里面有一个详尽的连接列表/var/log/apache2/acces.log。
一些联系:
8.25 Safari/537.36"
157.33.87.249 - - [08/Jan/2021:12:25:08 +0100] "GET http://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css?ver=4.9.8 HTTP/1.1" 404 502 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
123.240.216.151 - - [08/Jan/2021:12:25:10 +0100] "CONNECT cn.aol.com:443 HTTP/1.1" 405 557 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
51.210.41.62 - - [08/Jan/2021:12:25:31 +0100] "GET http://azenv.net/ HTTP/1.1" 200 11173 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
51.210.41.62 - - [08/Jan/2021:12:25:31 +0100] "CONNECT www.google.com:443 HTTP/1.1" 405 505 "-" "-"
20.188.62.120 - - [08/Jan/2021:12:25:33 +0100] "-" 408 0 "-" "-"
5.188.211.15 - - [08/Jan/2021:12:26:20 +0100] "POST http://5.188.211.72/check.php HTTP/1.1" 404 454 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
142.54.173.35 - - [08/Jan/2021:12:26:59 +0100] "GET http://gamenewss.com/steyt1.php HTTP/1.1" 404 436 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.734 Safari/537.36"
142.54.173.35 - - [08/Jan/2021:12:27:00 +0100] "GET http://gamenewss.com/steyt1.php HTTP/1.1" 404 455 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36/M8ZW4tNE-18"
188.134.5.43 - - [08/Jan/2021:12:27:12 +0100] "GET /proxy.php HTTP/1.1" 404 444 "RefererString" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
142.54.173.35 - - [08/Jan/2021:12:27:19 +0100] "-" 408 0 "-" "-"
98.148.170.224 - - [08/Jan/2021:12:27:28 +0100] "CONNECT 142.250.72.228:443 HTTP/1.0" 405 524 "-" "-"
188.134.5.43 - - [08/Jan/2021:12:27:30 +0100] "CONNECT chekfast.zennolab.com:443 HTTP/1.1" 400 0 "-" "-"
98.148.170.224 - - [08/Jan/2021:12:27:33 +0100] "\x04\x01\x01\xbb\x8e\xfaH\xe4" 400 0 "-" "-"
98.148.170.224 - - [08/Jan/2021:12:27:39 +0100] "\x05\x01" 400 0 "-" "-"
98.148.170.224 - - [08/Jan/2021:12:27:39 +0100] "GET https://www.google.com/search?q=%search% HTTP/1.1" 404 438 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20060127 Netscape/8.1"
101.206.1.250 - - [08/Jan/2021:12:27:40 +0100] "CONNECT tz.gxout.com:443 HTTP/1.1" 405 503 "-"
这些连接是什么?问题有多严重?这些连接是否试图让我的计算机执行这些请求?我的文件可能被访问到什么程度?
答案1
它们是运行在远程计算机上的脚本和机器人,试图探测您的服务器,寻找漏洞。如果您的系统已过时,而它们恰好戳中了正确的漏洞,那么它们就可以进入。然后它们就可以将您的计算机用于邪恶目的。如果您的系统是最新的,并且您没有对文件权限进行愚蠢的更改,也没有安装旧的/不安全的 Web 应用程序副本(例如基于 php 的东西),那么您很可能是安全的。