Network security analysis

    Web server security analysis

    access_log analysis

    Large numbers of entries like the following appear in access_log:
    222.186.58.112 - - [05/Apr/2015:05:06:29 +0800] "GET http://www.baidu.com/ HTTP/1.1" 200 2093 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
    115.230.125.147 - - [05/Apr/2015:05:19:37 +0800] "GET http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.6093436214741765 HTTP/1.1" 404 291 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; 360SE)"
    111.123.180.44 - - [05/Apr/2015:05:36:22 +0800] "GET http://115.230.125.165:61254/8080 HTTP/1.1" 404 285 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
    115.236.20.36 - - [05/Apr/2015:15:24:56 +0800] "GET http://www.qq.com/404/search_children.js HTTP/1.1" 404 295 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36"

    This is someone else's proxy-scanning software checking whether your server supports proxying, so that your server can be used as a hop to reach other websites; what for, I need not spell out.
    The HTTP proxy protocol differs slightly from the ordinary requests you usually see. If your server is an HTTP proxy, the request line the client sends is
    GET http://www.baidu.com/
    Here GET is followed by a complete URL, rather than the usual
    GET /
    Be aware of this.
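Added example (not from the original post): a small parser for Apache combined-format access_log lines that flags the absolute-URI request targets described above, so proxy probes can be counted per client IP and per probed host. The sample lines are constructed in the same format as the entries above, using documentation-range IPs.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_proxy_probe(target):
    """An origin-form target starts with '/'. An absolute-form target
    ('http://host/path') is what a client sends to a forward proxy, so seeing
    it at an ordinary web server means someone is testing for an open proxy."""
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proxy_probe"] = is_proxy_probe(rec["target"])
    rec["probe_host"] = urlsplit(rec["target"]).netloc if rec["proxy_probe"] else ""
    return rec

def proxy_probe_report(lines):
    """Count proxy probes per client IP and per probed host. A 200 on such a
    line is not proof the proxy worked: an origin server may simply have served
    its own resource for the path part of the URL."""
    by_client, by_host = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proxy_probe"]:
            by_client[rec["client"]] += 1
            by_host[rec["probe_host"]] += 1
    return by_client, by_host

# Constructed sample lines in the same format as the entries above (documentation-range IPs).
SAMPLE = """\
198.51.100.7 - - [05/Apr/2015:05:06:29 +0800] "GET http://www.baidu.com/ HTTP/1.1" 200 2093 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [05/Apr/2015:05:06:31 +0800] "GET http://www.qq.com/404/search_children.js HTTP/1.1" 404 295 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Apr/2015:05:36:22 +0800] "GET http://203.0.113.200:61254/8080 HTTP/1.1" 404 285 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Apr/2015:06:00:00 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    clients, hosts = proxy_probe_report(SAMPLE)
    for ip, n in clients.most_common():
        print(f"{ip}: {n} proxy probe(s)")
```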

    error_log analysis

    [Mon Apr 06 04:45:39 2015] [error] [client 46.28.206.148] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Mon Apr 06 04:56:57 2015] [error] [client 70.46.57.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
    [Mon Apr 06 04:57:01 2015] [error] [client 70.46.57.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Tue Apr 07 01:18:45 2015] [error] [client 97.91.223.228] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
    [Tue Apr 07 01:18:49 2015] [error] [client 97.91.223.228] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    Large numbers of messages like the following appear in error_log:
    [Mon Apr 06 04:12:24 2015] [error] [client 46.28.206.148] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Mon Apr 06 04:34:07 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
    [Mon Apr 06 05:03:57 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/muieblackcat
    [Mon Apr 06 05:03:57 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/phpMyAdmin
    [Mon Apr 06 05:03:58 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/phpmyadmin
    [Mon Apr 06 05:03:59 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/pma
    [Mon Apr 06 05:04:03 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/myadmin
    [Mon Apr 06 05:04:04 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/MyAdmin
    [Mon Apr 06 05:04:04 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/scripts
    [Mon Apr 06 05:44:34 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
    [Mon Apr 06 06:55:02 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
    [Mon Apr 06 08:05:36 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
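Added example (not from the original post): a parser for the Apache error_log entries above that separates "request without hostname" entries from "File does not exist" entries and groups the latter by client, so a host walking a list of admin-panel paths stands out from a single stale link. The sample entries are constructed in the same format with documentation-range IPs.

```python
import re
from collections import defaultdict

# Apache 2.2-style error_log entry: [timestamp] [level] [client IP] message
ERR_RE = re.compile(r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[\d.]+)\] (?P<msg>.*)$')
MISSING_RE = re.compile(r'^File does not exist: (?P<path>\S+?)(?:, referer: (?P<referer>\S+))?$')
NOHOST_RE = re.compile(r'^client sent HTTP/1\.1 request without hostname .*: (?P<path>\S+)$')

def parse_error_line(line):
    m = ERR_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if (mm := MISSING_RE.match(rec["msg"])):
        rec.update(kind="missing_file", path=mm["path"], referer=mm["referer"])
    elif (mm := NOHOST_RE.match(rec["msg"])):
        rec.update(kind="no_host_header", path=mm["path"], referer=None)
    else:
        rec.update(kind="other", path=None, referer=None)
    return rec

def scanner_report(lines, min_distinct_paths=3):
    """Group 'File does not exist' entries by client. A client requesting
    several distinct non-existent paths (phpMyAdmin, pma, myadmin, ...) is
    walking a wordlist; one path hit repeatedly with a referer looks more like
    a stale link on another site. HTTP/1.1 requests sent without a Host header
    (which the RFC requires) are counted separately."""
    paths, nohost = defaultdict(set), defaultdict(int)
    for line in lines:
        rec = parse_error_line(line)
        if rec is None:
            continue
        if rec["kind"] == "missing_file":
            paths[rec["client"]].add(rec["path"])
        elif rec["kind"] == "no_host_header":
            nohost[rec["client"]] += 1
    scanners = {ip: sorted(p) for ip, p in paths.items() if len(p) >= min_distinct_paths}
    return scanners, dict(nohost)

# Constructed sample entries in the format shown above (documentation-range IPs).
SAMPLE = [
    "[Mon Apr 06 04:12:24 2015] [error] [client 198.51.100.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /",
    "[Mon Apr 06 04:34:07 2015] [error] [client 203.0.113.5] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/",
    "[Mon Apr 06 05:03:57 2015] [error] [client 192.0.2.8] File does not exist: /var/www/html/phpMyAdmin",
    "[Mon Apr 06 05:03:58 2015] [error] [client 192.0.2.8] File does not exist: /var/www/html/phpmyadmin",
    "[Mon Apr 06 05:03:59 2015] [error] [client 192.0.2.8] File does not exist: /var/www/html/pma",
    "[Mon Apr 06 05:44:34 2015] [error] [client 203.0.113.5] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/",
    "[Mon Apr 06 04:56:57 2015] [error] [client 198.51.100.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi",
]
```

Running `scanner_report(SAMPLE)` reports only the client that tried three distinct admin-panel paths; the client repeatedly hitting ic.asp with a referer is left out.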


    Getting the egress IP on Linux
    curl http://members.3322.org/dyndns/getip
    curl ifconfig.me (this one is too slow)
    curl cip.cc
    curl ip.cip.cc
    telnet cip.cc
    ftp cip.cc

    =======================================
    Procedure

    =======================================
    I. On the AF1000 (software version AF8.0.6), find the specific source port and IP from the session ranking
    1. Start from the intranet machines in the session ranking, query and analyze, and first pick out the host IP of interest.

    192.168.7.102 113.200.98.69 56756 199.182.204.197 199.182.204.197 123 UDP Established NTP trust untrust

    2. Look up the service on intranet host 7.102 that corresponds to it. Sure enough, the matching service was found: the IP 199.182.204.197 is one of the NTP sources.

    [root@cu-app-102 ~]# systemctl status chronyd
    ● chronyd.service - NTP client/server
    Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)
    Active: active (running) since Mon 2019-07-08 09:16:32 CST; 4 days ago
    Docs: man:chronyd(8)
    man:chrony.conf(5)
    Process: 756 ExecStartPost=/usr/libexec/chrony-helper update-daemon (code=exited, status=0/SUCCESS)
    Process: 732 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS)
    Main PID: 746 (chronyd)
    Tasks: 1
    Memory: 1.1M
    CGroup: /system.slice/chronyd.service
    └─746 /usr/sbin/chronyd

    Jul 08 09:16:32 cu-app-102 systemd[1]: Starting NTP client/server...
    Jul 08 09:16:32 cu-app-102 chronyd[746]: chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 +DEBUG)
    Jul 08 09:16:32 cu-app-102 chronyd[746]: Frequency -4.405 +/- 0.034 ppm read from /var/lib/chrony/drift
    Jul 08 09:16:32 cu-app-102 systemd[1]: Started NTP client/server.
    Jul 08 09:17:13 cu-app-102 chronyd[746]: Selected source 144.76.76.107
    Jul 08 09:18:18 cu-app-102 chronyd[746]: Selected source 199.182.204.197
    Jul 10 07:35:17 cu-app-102 chronyd[746]: Selected source 45.43.30.59

    ========================================


    II. Then, in the connection list on the Clavister, filter by source port and destination IP
    1. Enter the destination IP, destination port and source port; the source port is the one from the AF. If the source port shown on the AF is 46982, enter 46982, but what is found is 34688. Watch out for this.
    TCP_OPEN TCP ge3:192.168.3.185:34687 ge5:113.200.98.66:5908 261662

    TCP_OPEN TCP ge3:192.168.3.185:34688 ge5:113.200.98.66:5908 262136
    TCP_OPEN TCP ge3:192.168.3.169:55148 ge5:113.200.98.66:5908 260719
    2. Then, on a Windows machine on the intranet, run nbtstat -A 192.168.3.185 to find the specific host name.


    ========================================
    This gives the communication path between the two machines.
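Added example (not from the original post or from either vendor): a parser for the Clavister connection-list lines shown in step II, filtering on the destination IP and port that both devices agree on and reporting the AF's source port separately, since the post warns that the two devices do not show the same source port. The sample rows are constructed in the same format with RFC 1918 and documentation addresses.

```python
import re
from dataclasses import dataclass

# One Clavister connection-list line as shown above:
# STATE PROTO src_iface:src_ip:src_port dst_iface:dst_ip:dst_port <trailing number>
CONN_RE = re.compile(
    r'^(?P<state>\w+)\s+(?P<proto>\w+)\s+'
    r'(?P<src_if>\w+):(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+'
    r'(?P<dst_if>\w+):(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+\d+$'
)

@dataclass(frozen=True)
class Conn:
    state: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def parse_conn(line):
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    return Conn(m["state"], m["proto"], m["src_ip"], int(m["src_port"]),
                m["dst_ip"], int(m["dst_port"]))

def match_session(lines, dst_ip, dst_port, af_src_port=None):
    """Filter by destination IP and port, which both devices agree on.
    The AF-reported source port is checked separately: the post warns that the
    port it shows (46982) is not the one Clavister lists (34688), so keying the
    search on it alone would return nothing."""
    hits = [c for c in map(parse_conn, lines)
            if c and c.dst_ip == dst_ip and c.dst_port == dst_port]
    exact = [c for c in hits if c.src_port == af_src_port]
    return hits, exact

# Constructed sample in the format above (RFC 1918 / documentation addresses).
SAMPLE = """\
TCP_OPEN TCP ge3:192.168.3.185:34687 ge5:203.0.113.66:5908 261662
TCP_OPEN TCP ge3:192.168.3.185:34688 ge5:203.0.113.66:5908 262136
TCP_OPEN TCP ge3:192.168.3.169:55148 ge5:203.0.113.66:5908 260719
TCP_OPEN TCP ge3:192.168.3.20:41000 ge5:203.0.113.99:443 100
""".splitlines()

if __name__ == "__main__":
    hits, exact = match_session(SAMPLE, "203.0.113.66", 5908, af_src_port=46982)
    print("internal hosts talking to the destination:", sorted({c.src_ip for c in hits}))
    print("rows with the AF's source port:", exact or "none; use the destination-only candidates")
```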

Original article: https://www.cnblogs.com/createyuan/p/4402969.html