对我在 Apache 访问日志中看到的内容感到困惑(我想我可能被黑客入侵了)?

对我在 Apache 访问日志中看到的内容感到困惑(我想我可能被黑客入侵了)?

我有一个运行 CentOS 的 VPS。我安装了 apache 并配置了访问日志。刚刚检查了一下,发现了一些有趣的流量:

VPS-Hostname MYIP MYIP - - [23/Dec/2014:16:47:20 -0500] "GET / HTTP/1.1" 200 13
VPS-Hostname MYIP MYIP - - [23/Dec/2014:16:47:20 -0500] "GET /favicon.ico HTTP/1.1" 404 209
VPS-Hostname MYIP MYIP - - [23/Dec/2014:16:47:20 -0500] "GET /favicon.ico HTTP/1.1" 404 209
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:19:05:53 -0500] "GET /xvidtox-china-company HTTP/1.1" 404 219
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:19:15:18 -0500] "GET /xdmx-rental-cars-insurance HTTP/1.1" 404 224
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:19:16:47 -0500] "GET /nv-life-insurance-dies-when-premium/?si=2aa54ab4c0b33 HTTP/1.1" 404 234
VPS-Hostname 119.63.196.62 119.63.196.62 - - [23/Dec/2014:19:53:55 -0500] "GET /images/misc/legend.png HTTP/1.1" 404 220
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:20:45:21 -0500] "GET /xdmx-rental-cars-insurance/?si=2467513 HTTP/1.1" 404 225
VPS-Hostname 115.159.66.44 115.159.66.44 - - [23/Dec/2014:21:49:18 -0500] "GET http://www.ly.com/ HTTP/1.1" 200 13
VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:22:24:00 -0500] "GET /xpwx-china-exporters HTTP/1.1" 404 218
VPS-Hostname 46.246.113.109 46.246.113.109 - - [24/Dec/2014:00:28:24 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235
...
270.vps.ovh.ca 46.246.113.109 46.246.113.109 - - [24/Dec/2014:01:47:28 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235
VPS-Hostname 119.63.196.32 119.63.196.32 - - [24/Dec/2014:01:53:20 -0500] "GET /images/forumicons/sony2.jpg HTTP/1.1" 404 225
VPS-Hostname 46.246.113.109 46.246.113.109 - - [24/Dec/2014:02:05:02 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235
...
VPS-Hostname 218.59.238.93 218.59.238.93 - - [24/Dec/2014:04:01:23 -0500] "GET http://proxyjudge.us/ HTTP/1.0" 200 13
VPS-Hostname 93.174.93.218 93.174.93.218 - - [24/Dec/2014:04:38:50 -0500] "GET http://httpheader.net HTTP/1.1" 200 13
VPS-Hostname 93.174.93.218 93.174.93.218 - - [24/Dec/2014:04:39:10 -0500] "-" 408 -
VPS-Hostname 93.174.93.218 93.174.93.218 - - [24/Dec/2014:04:39:32 -0500] "-" 408 -
VPS-Hostname 5.231.208.205 5.231.208.205 - - [24/Dec/2014:06:21:00 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226
VPS-Hostname 46.246.113.109 46.246.113.109 - - [24/Dec/2014:06:55:21 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235
VPS-Hostname 119.63.196.28 119.63.196.28 - - [24/Dec/2014:07:52:49 -0500] "GET /images/forumicons/latestmovies.jpg HTTP/1.1" 404 232

前三项是我浏览我设置的默认网站,其余的我不清楚。我是 Apache 新手,所以我不确定这里到底发生了什么。有人在服务器上使用 Apache 连接到其他网站吗?这怎么可能?

我保留 httpd.conf 的默认设置,仅在我的“默认站点”底部添加了一个虚拟主机配置:

<VirtualHost *:80>
    # This first-listed virtual host is also the default for *:80
    ServerAdmin [email protected]
    ServerName my.vps.hostname
    DocumentRoot /var/www/defaultsite
    LogFormat "%v %h %a %l %u %t \"%r\" %>s %b" vhostLogFormat
    CustomLog /var/log/httpd/defaultsite-access.log vhostLogFormat
    ErrorLog /var/log/httpd/defaultsite-error.log
</VirtualHost>

答案1

这是 RFC 的事情Apache 详述。默认情况下,即使请求包含无效的 URI,Apache 也会接受请求,但用户将被重定向到您的服务器的主页。CONNECT拒绝请求是正常行为。

如上面的链接所述,您可以手动阻止这些请求,但目前没有必要这样做。

答案2

看起来好像服务器被用作 Web 代理。尝试禁用该 IP 的出站端口 80(内部到外部),看看日志是否继续显示。如果没有,可能是时候考虑加强安全性了……

答案3

对于大多数日志行,你可以在 apache wiki 中找到关于代理滥用。倒数第五和第四个,响应代码为 408,表示请求超时。无需过多担心,它们正在扫描。

相关内容