Has my new VM been hacked?

I just deployed a Digital Ocean droplet, and I think it was hacked within 20 minutes of deployment. Basically, I built Nginx from source, and the only additional add-on I installed (beyond the dependencies) was mod_pagespeed from GitHub (https://github.com/apache/incubator-pagespeed-ngx/archive/v${NPS_VERSION}.tar.gz).

I noticed this quickly because I couldn't start nginx since the port was already in use, and I noticed some very strange logs on the new droplet.

Visiting the websites listed in the logs below shows the default nginx page. I tried checking the domain's DNS records, but it is using Cloudflare. Now, since destroying and rebuilding the droplet, that website is down, so it looks like the site was definitely being loaded from my server. Does anyone know what might have happened? Was it hacked? Or is this something like a reused IP, and if it was hacked, how do I prevent it from happening again?

2021/05/05 08:54:50 [error] 49585#49585: *13 open() "/usr/local/nginx/html/breakingNews/newsDetails/12887/SEE-WHAT-FIRST-LADY-DID-TO-KUMUYI---PHOTOS" failed (2: No such file or directory), client: 162.158.159.133, server: localhost, request: "GET /breakingNews/newsDetails/12887/SEE-WHAT-FIRST-LADY-DID-TO-KUMUYI---PHOTOS HTTP/1.1", host: "ogbongefriends.com"
2021/05/05 08:59:10 [error] 49585#49585: *14 open() "/usr/local/nginx/html/userdata/news_media/SE0b5iQjWpCdz9y17IVs.jpg" failed (2: No such file or directory), client: 141.101.99.44, server: localhost, request: "GET /userdata/news_media/SE0b5iQjWpCdz9y17IVs.jpg HTTP/1.1", host: "www.ogbongefriends.com", referrer: "http://www.ogbongefriends.com/breakingNews/newsDetails/7648/NAKED-NIGERIAN-GIRLS-STORM-A-NIGHT-CLUB-IN-LAGOS-PHOTOS"
2021/05/05 09:14:25 [error] 49585#49585: *15 open() "/usr/local/nginx/html/breakingNews/newsDetails/13376/NINE-BLACK-AMERICANS-SHOT-BY-US-POLICE" failed (2: No such file or directory), client: 141.101.98.147, server: localhost, request: "GET /breakingNews/newsDetails/13376/NINE-BLACK-AMERICANS-SHOT-BY-US-POLICE HTTP/1.1", host: "ogbongefriends.com"
2021/05/05 09:27:15 [error] 49585#49585: *17 open() "/usr/local/nginx/html/userdata/news_media/gVCbr935Om2fnWo4zhLS.jpg" failed (2: No such file or directory), client: 141.101.99.238, server: localhost, request: "GET /userdata/news_media/gVCbr935Om2fnWo4zhLS.jpg HTTP/1.1", host: "www.ogbongefriends.com"
2021/05/05 09:29:25 [error] 49585#49585: *18 open() "/usr/local/nginx/html/config/getuser" failed (2: No such file or directory), client: 205.185.122.102, server: localhost, request: "GET /config/getuser?index=0 HTTP/1.1", host: "188.166.156.235:80"

Answer 1

These are just random GET requests to your server that NGINX dutifully tries to look up on disk, but naturally cannot find, so it cannot serve them and logs an error. Basically, either someone had that particular IP before you and hosted that content, or someone is sending random GET requests all over the world for reasons that are never clear.

TL;DR: These are just requests, so there is no indication that the server has been compromised, only Internet background noise. The Internet is a strange place.
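The two explanations in the answer (a previous tenant of the IP, and Internet-wide scanning) can be told apart from the log lines themselves. The following Python script is an added example, not code from the question or the answer: it parses the five error-log lines quoted in the question, strips the port from the Host header, and labels each request either as a probe against the bare droplet address or as a request for some other site's hostname that still resolves to this IP. Because the question says that domain sits behind Cloudflare, it also checks whether the client address falls inside Cloudflare's published IPv4 ranges (a copy is embedded here; verify against https://www.cloudflare.com/ips-v4), which is exactly what a previous tenant's stale DNS and proxy configuration looks like from the new server. Finally it confirms that every entry is an open() failure with errno 2, i.e. nothing was actually served from disk. The server's own address 188.166.156.235 is taken from the last log line; the category names and the OWN_HOSTS set are assumptions of this example.

```python
"""Classify nginx error-log entries by the Host header each request carried.

Added example for this thread (not the poster's or the answerer's code).
Sample input is the five lines quoted in the question, embedded inline.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: the five error-log lines quoted in the question.
SAMPLE_LOG = r'''
2021/05/05 08:54:50 [error] 49585#49585: *13 open() "/usr/local/nginx/html/breakingNews/newsDetails/12887/SEE-WHAT-FIRST-LADY-DID-TO-KUMUYI---PHOTOS" failed (2: No such file or directory), client: 162.158.159.133, server: localhost, request: "GET /breakingNews/newsDetails/12887/SEE-WHAT-FIRST-LADY-DID-TO-KUMUYI---PHOTOS HTTP/1.1", host: "ogbongefriends.com"
2021/05/05 08:59:10 [error] 49585#49585: *14 open() "/usr/local/nginx/html/userdata/news_media/SE0b5iQjWpCdz9y17IVs.jpg" failed (2: No such file or directory), client: 141.101.99.44, server: localhost, request: "GET /userdata/news_media/SE0b5iQjWpCdz9y17IVs.jpg HTTP/1.1", host: "www.ogbongefriends.com", referrer: "http://www.ogbongefriends.com/breakingNews/newsDetails/7648/NAKED-NIGERIAN-GIRLS-STORM-A-NIGHT-CLUB-IN-LAGOS-PHOTOS"
2021/05/05 09:14:25 [error] 49585#49585: *15 open() "/usr/local/nginx/html/breakingNews/newsDetails/13376/NINE-BLACK-AMERICANS-SHOT-BY-US-POLICE" failed (2: No such file or directory), client: 141.101.98.147, server: localhost, request: "GET /breakingNews/newsDetails/13376/NINE-BLACK-AMERICANS-SHOT-BY-US-POLICE HTTP/1.1", host: "ogbongefriends.com"
2021/05/05 09:27:15 [error] 49585#49585: *17 open() "/usr/local/nginx/html/userdata/news_media/gVCbr935Om2fnWo4zhLS.jpg" failed (2: No such file or directory), client: 141.101.99.238, server: localhost, request: "GET /userdata/news_media/gVCbr935Om2fnWo4zhLS.jpg HTTP/1.1", host: "www.ogbongefriends.com"
2021/05/05 09:29:25 [error] 49585#49585: *18 open() "/usr/local/nginx/html/config/getuser" failed (2: No such file or directory), client: 205.185.122.102, server: localhost, request: "GET /config/getuser?index=0 HTTP/1.1", host: "188.166.156.235:80"
'''

# Default nginx error-log layout: timestamp, level, pid#tid, *connection, message,
# then the comma-separated client/server/request/host[/referrer] fields.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] \S+: \*\d+ '
    r'(?P<msg>.*?), client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<method>\S+) (?P<path>\S+) [^"]*", host: "(?P<host>[^"]+)"'
    r'(?:, referrer: "(?P<referrer>[^"]+)")?\s*$'
)
OPEN_FAILED_RE = re.compile(r'open\(\) "(?P<file>[^"]+)" failed \((?P<errno>\d+): ')

# Cloudflare's published IPv4 ranges (copy as of writing; re-check the live list).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Assumption: the droplet answers to its bare IP (seen in the last log line) and localhost.
OWN_HOSTS = {"188.166.156.235", "localhost"}


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not a request error."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    return [e for e in map(parse_line, text.strip().splitlines()) if e]


def strip_port(host):
    """'example.com:80' -> 'example.com'; bracketed IPv6 literals keep their brackets."""
    return re.sub(r':\d+$', '', host)


def is_cloudflare(ip_str):
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in CLOUDFLARE_V4)


def classify(entry, own_hosts=OWN_HOSTS):
    """Label what the Host header says about where the request was aimed.

    direct_to_ip_probe          Host is our own address: untargeted scanning.
    foreign_host_via_cloudflare Host is someone else's site and the client is a
                                Cloudflare edge: that site's proxy still points here.
    foreign_host_direct         Host is someone else's site, reached without a CDN
                                (stale DNS, or a scanner spoofing a Host header).
    """
    host = strip_port(entry["host"])
    if host in own_hosts:
        return "direct_to_ip_probe"
    if is_cloudflare(entry["client"]):
        return "foreign_host_via_cloudflare"
    return "foreign_host_direct"


def summarize(entries):
    """Map category -> Counter of hostnames, so the foreign sites stand out."""
    summary = {}
    for e in entries:
        summary.setdefault(classify(e), Counter())[strip_port(e["host"])] += 1
    return summary


def all_missing_files(entries):
    """True when every entry is an open() that failed with ENOENT (2): nothing was served."""
    matches = [OPEN_FAILED_RE.search(e["msg"]) for e in entries]
    return bool(entries) and all(m and m.group("errno") == "2" for m in matches)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for category, hosts in summarize(entries).items():
        print(f"{category}: {dict(hosts)}")
    print("every entry is a failed open() for a missing file:", all_missing_files(entries))
```

Run against a real log with `parse_log(open("/usr/local/nginx/logs/error.log").read())`. A cluster of foreign hostnames arriving from Cloudflare edges with browser-style referrers is the signature of a previous tenant's site whose DNS still resolves to the reused IP; a handful of unrelated paths addressed straight to the bare IP is ordinary scanning. Neither shows up as anything other than an ENOENT in the error log, which is the answer's point: these lines record requests that were refused, not code that ran.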