Apache access.log: requests from localhost to localhost


My server is sending spam through postfix as the www-data user.

In the Apache access.log:

90.156.208.121 - - [20/Jan/2014:17:24:01 +0300] "GET /treningi.php HTTP/1.0" 200 21025 "-" "Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20100101 Firefox/14.0.1"
90.156.208.121 - - [20/Jan/2014:17:23:56 +0300] "POST /public/files/__DxS_NEWDIR__a3X/nd24f62.php HTTP/1.0" 200 - "-" "-"
90.156.208.121 - - [20/Jan/2014:17:24:31 +0300] "GET / HTTP/1.0" 200 9499 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot-Mobile/2.1; +http://  www.google.com/bot.html)"
90.156.208.121 - - [20/Jan/2014:17:25:08 +0300] "POST /public/files/__DxS_NEWDIR__a3X/nd24f62.php HTTP/1.0" 200 - "-" "-"
90.156.208.121 - - [20/Jan/2014:17:25:36 +0300] "GET / HTTP/1.0" 200 9499 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 YaBrowser/13.10.1500.9323 Safari/537.36"
90.156.208.121 - - [20/Jan/2014:17:25:46 +0300] "GET /novostibankov.php HTTP/1.0" 200 28410 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 YaBrowser/13.10.1500.9323 Safari/537.36"

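The server IP is 90.156.208.121. "POST /public/files/__DxS_NEWDIR__a3X/nd24f62.php" is the spambot's request, but it is shown as coming from the server IP.

But 20/Jan/2014:17:25:46 +0300 is my request from YaBrowser, not a request from the server!

Why is the server IP shown instead of mine?

Some of the requests shown do not come from the server: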

10.16.24.221 - - [20/Jan/2014:17:05:28 +0300] "GET /main.php HTTP/1.0" 200 9499 "http:// www.DOMAIN.ru/generatepasswordpage.php" "Opera/9.80 (Windows NT 6.1; Win64; x64) Presto/2.12.388 Version/12.16"
10.16.24.221 - - [20/Jan/2014:17:05:31 +0300] "GET /r_vse.php HTTP/1.0" 200 14623 "http:// www.DOMAIN.ru/main.php" "Opera/9.80 (Windows NT 6.1; Win64; x64) Presto/2.12.388 Version/12.16"
10.16.24.221 - - [20/Jan/2014:17:05:42 +0300] "GET /myrich.php HTTP/1.0" 200 11449 "http:// www.DOMAIN.ru/r_vse.php" "Opera/9.80 (Windows NT 6.1; Win64; x64) Presto/2.12.388 Version/12.16"
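
A triage pass over access-log lines like those in the question, as an added example that is not part of the original post: it flags POSTs to PHP scripts that carry neither Referer nor User-Agent, and lists logged addresses that present several unrelated User-Agents, which indicates the address belongs to an intermediate hop rather than to one client. The function names and the threshold of three are assumptions, and the sample lines are abridged from the excerpt above.

```python
import re
from collections import defaultdict

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Constructed sample: lines abridged from the question's excerpt, User-Agents shortened.
SAMPLE = '''
90.156.208.121 - - [20/Jan/2014:17:24:01 +0300] "GET /treningi.php HTTP/1.0" 200 21025 "-" "Firefox/14.0.1"
90.156.208.121 - - [20/Jan/2014:17:23:56 +0300] "POST /public/files/__DxS_NEWDIR__a3X/nd24f62.php HTTP/1.0" 200 - "-" "-"
90.156.208.121 - - [20/Jan/2014:17:24:31 +0300] "GET / HTTP/1.0" 200 9499 "-" "Googlebot-Mobile/2.1"
90.156.208.121 - - [20/Jan/2014:17:25:08 +0300] "POST /public/files/__DxS_NEWDIR__a3X/nd24f62.php HTTP/1.0" 200 - "-" "-"
90.156.208.121 - - [20/Jan/2014:17:25:46 +0300] "GET /novostibankov.php HTTP/1.0" 200 28410 "-" "YaBrowser/13.10.1500.9323"
10.16.24.221 - - [20/Jan/2014:17:05:28 +0300] "GET /main.php HTTP/1.0" 200 9499 "http://www.DOMAIN.ru/generatepasswordpage.php" "Opera/9.80"
'''

def parse(lines):
    """Yield one dict per line that matches Combined Log Format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def blind_php_posts(entries):
    """POSTs to a .php script that carry neither Referer nor User-Agent."""
    return [e for e in entries
            if e["method"] == "POST"
            and e["path"].split("?", 1)[0].lower().endswith(".php")
            and e["referer"] in ("", "-") and e["agent"] in ("", "-")]

def shared_hosts(entries, threshold=3):
    """Logged addresses presenting `threshold` or more distinct User-Agents."""
    seen = defaultdict(set)
    for e in entries:
        if e["agent"] not in ("", "-"):
            seen[e["host"]].add(e["agent"])
    return sorted(h for h, agents in seen.items() if len(agents) >= threshold)

if __name__ == "__main__":
    entries = list(parse(SAMPLE.splitlines()))
    for e in blind_php_posts(entries):
        print("suspicious POST:", e["time"], e["path"])
    print("addresses shared by many User-Agents:", shared_hosts(entries))
```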

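Answer 1

http://www.cvedetails.com/vulnerability-list/vendor_id-10048/product_id-17956/version_id-81261/Nginx-Nginx-0.6.32.html

The nginx version you are running may be vulnerable to remote code execution attacks, and someone may already have broken into your machine. I recommend backing up all important files and then doing a complete reinstall of the operating system on your VPS to remove any backdoors that may have been placed on your machine.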
