Web server security analysis

access_log analysis

A large number of entries like the following appear in access_log:
222.186.58.112 - - [05/Apr/2015:05:06:29 +0800] "GET http://www.baidu.com/ HTTP/1.1" 200 2093 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
115.230.125.147 - - [05/Apr/2015:05:19:37 +0800] "GET http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.6093436214741765 HTTP/1.1" 404 291 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; 360SE)"
111.123.180.44 - - [05/Apr/2015:05:36:22 +0800] "GET http://115.230.125.165:61254/8080 HTTP/1.1" 404 285 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
115.236.20.36 - - [05/Apr/2015:15:24:56 +0800] "GET http://www.qq.com/404/search_children.js HTTP/1.1" 404 295 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36"

These come from someone else's proxy scanner probing whether your server acts as an open HTTP proxy. If it does, the server can be used as a relay to reach other sites; what for, you can guess.
An HTTP proxy request looks slightly different from the ordinary requests you normally see. If your server is an HTTP forward proxy, the request line the client sends is
GET http://www.baidu.com/
i.e. the part after GET is a complete absolute URL, rather than the usual
GET /
Note this.
A 200 in these entries does not by itself mean the proxy attempt worked. Apache accepts the absolute form even when it is not configured as a proxy (ProxyRequests Off): it takes the host from the URL as the Host header and simply serves its own document root. The 200 with 2093 bytes for http://www.baidu.com/ is therefore most likely your own home page, and the 404s for the qq.com paths confirm that nothing was forwarded. To be sure, compare the response size with that of your own index page, and check that mod_proxy is not loaded with ProxyRequests On.
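Detecting these probes in bulk, as an added Python example (not code from the original note): it parses Apache combined-format lines, flags request targets in absolute form for hosts that are not our own, counts them per client IP, and separates out any 200 whose size does not match one of our own pages, since that is the only case that could indicate an actual relay. The log lines, the local host name www.example.com and the page size 2093 are constructed sample data for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "ua".
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def is_proxy_probe(entry, local_hosts=()):
    """True when the request-target is absolute-form (GET http://host/...) for a host
    that is not ours. Absolute-form for our own name is allowed by RFC 7230 and is
    not a proxy attempt."""
    target = entry["target"]
    if not target.lower().startswith(("http://", "https://")):
        return False
    host = (urlsplit(target).hostname or "").lower()
    return host not in {h.lower() for h in local_hosts}


def probe_not_relayed(entry, own_page_sizes):
    """A non-proxy Apache serves its own document root for absolute-form requests,
    so a 200 whose size equals one of our own pages means nothing was relayed.
    Returns True when the response is an error or looks like our own page."""
    if entry["status"] != "200":
        return True
    return entry["size"] in {str(s) for s in own_page_sizes}


def summarize(lines, local_hosts=(), own_page_sizes=()):
    """Count proxy probes per client IP and collect the hosts they tried to reach.
    'relayed' lists probes whose 200 response does not match one of our own pages
    and therefore deserves a manual look."""
    per_ip = Counter()
    hosts = defaultdict(set)
    relayed = []
    for line in lines:
        e = parse_line(line)
        if e is None or not is_proxy_probe(e, local_hosts):
            continue
        per_ip[e["ip"]] += 1
        hosts[e["ip"]].add(urlsplit(e["target"]).hostname)
        if not probe_not_relayed(e, own_page_sizes):
            relayed.append(e)
    return per_ip, hosts, relayed


# Constructed sample for this example (RFC 5737 documentation addresses, not real traffic).
SAMPLE = [
    '203.0.113.5 - - [05/Apr/2015:05:06:29 +0800] "GET http://www.baidu.com/ HTTP/1.1" 200 2093 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [05/Apr/2015:05:06:30 +0800] "GET http://zc.qq.com/cgi-bin/common/attr?id=1 HTTP/1.1" 404 291 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [05/Apr/2015:05:36:22 +0800] "GET http://198.51.100.7:61254/8080 HTTP/1.1" 404 285 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Apr/2015:05:37:01 +0800] "GET http://www.qq.com/404/x.js HTTP/1.1" 200 17731 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [05/Apr/2015:06:00:00 +0800] "GET / HTTP/1.1" 200 2093 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [05/Apr/2015:06:00:05 +0800] "GET http://www.example.com/ HTTP/1.1" 200 2093 "-" "curl/7.29"',
]

if __name__ == "__main__":
    per_ip, hosts, relayed = summarize(SAMPLE, local_hosts=["www.example.com"], own_page_sizes=[2093])
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} proxy probe(s) towards {sorted(hosts[ip])}")
    for e in relayed:
        print("check manually:", e["ip"], e["target"], e["status"], e["size"])
```

On a real server, feed it the output of `cat access_log` and pass the size of your own index page (as logged for a plain `GET /`) in own_page_sizes; only the "check manually" lines then need attention.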

error_log analysis

[Mon Apr 06 04:45:39 2015] [error] [client 46.28.206.148] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Apr 06 04:56:57 2015] [error] [client 70.46.57.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Mon Apr 06 04:57:01 2015] [error] [client 70.46.57.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Tue Apr 07 01:18:45 2015] [error] [client 97.91.223.228] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Tue Apr 07 01:18:49 2015] [error] [client 97.91.223.228] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
A large number of messages like the following appear in error_log:
[Mon Apr 06 04:12:24 2015] [error] [client 46.28.206.148] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Apr 06 04:34:07 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
[Mon Apr 06 05:03:57 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/muieblackcat
[Mon Apr 06 05:03:57 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/phpMyAdmin
[Mon Apr 06 05:03:58 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/phpmyadmin
[Mon Apr 06 05:03:59 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/pma
[Mon Apr 06 05:04:03 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/myadmin
[Mon Apr 06 05:04:04 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/MyAdmin
[Mon Apr 06 05:04:04 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/scripts
[Mon Apr 06 05:44:34 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
[Mon Apr 06 06:55:02 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
[Mon Apr 06 08:05:36 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
What these mean: "request without hostname" is an HTTP/1.1 request with no Host header, which Apache rejects with 400 (RFC 2616 section 14.23); browsers always send Host, so these are hand-built requests from scanning tools. /tmUnblock.cgi is a CGI path on Linksys router firmware that mass scanners probe for, regardless of what the target actually runs. The burst of "File does not exist" for phpMyAdmin, phpmyadmin, pma, myadmin, MyAdmin and scripts within a few seconds from 93.158.200.34 is a phpMyAdmin path-discovery scan (muieblackcat is a known scanner signature). None of these hit anything here, but a client that probes many non-existent paths in a short time is worth blocking.
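Grouping the error_log by client, as an added Python example (not code from the original note): it parses Apache 2.2-style error entries, copes with extracts where several entries have been run together on one line, classifies each entry as a missing-Host request or a missing-file hit, and reports clients that probed several distinct non-existent paths as scanners. The sample text is constructed from the entries quoted above; the document root /var/www/html and the threshold of 3 distinct paths are assumptions for the example.

```python
import re
from collections import defaultdict

# One Apache 2.2-style error_log entry: [time] [level] [client ip] message
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$'
)
# Log extracts are sometimes run together on one line; every entry starts with "[Day Mon".
ENTRY_START = re.compile(r'(?=\[(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) )')


def split_entries(text):
    """Split a block of text into individual entries, one per '[Day Mon ...' start."""
    return [e.strip() for e in ENTRY_START.split(text) if e.strip()]


def classify(msg):
    """Map a message to (kind, path); kind is 'no_host', 'missing_file' or 'other'."""
    if "request without hostname" in msg:
        return "no_host", msg.rsplit(": ", 1)[-1]
    if msg.startswith("File does not exist: "):
        path = msg[len("File does not exist: "):].split(", referer:", 1)[0]
        return "missing_file", path
    return "other", None


def summarize(text, docroot="/var/www/html", scan_threshold=3):
    """Per client IP: counts by kind and the distinct paths requested. A client that
    asked for scan_threshold or more distinct paths is reported as a scanner
    (e.g. phpMyAdmin path discovery). Paths under docroot are shown relative to it."""
    per_ip = defaultdict(lambda: {"no_host": 0, "missing_file": 0, "other": 0, "paths": set()})
    for raw in split_entries(text):
        m = ERROR_RE.match(raw)
        if not m:
            continue
        kind, path = classify(m["msg"])
        stats = per_ip[m["ip"]]
        stats[kind] += 1
        if path is not None:
            if path.startswith(docroot):
                path = path[len(docroot):] or "/"
            stats["paths"].add(path)
    scanners = sorted(ip for ip, s in per_ip.items() if len(s["paths"]) >= scan_threshold)
    return dict(per_ip), scanners


# Constructed sample built from the entries quoted above; the fourth physical line
# deliberately carries three entries run together, as extraction often leaves them.
SAMPLE = """\
[Mon Apr 06 04:45:39 2015] [error] [client 46.28.206.148] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Apr 06 04:56:57 2015] [error] [client 70.46.57.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
[Mon Apr 06 04:57:01 2015] [error] [client 70.46.57.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Apr 06 05:03:57 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/muieblackcat [Mon Apr 06 05:03:57 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/phpMyAdmin [Mon Apr 06 05:03:58 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/phpmyadmin
[Mon Apr 06 05:03:59 2015] [error] [client 93.158.200.34] File does not exist: /var/www/html/pma
[Mon Apr 06 05:44:34 2015] [error] [client 222.186.56.44] File does not exist: /var/www/html/ic.asp, referer: http://ip138.com/
"""

if __name__ == "__main__":
    per_ip, scanners = summarize(SAMPLE)
    for ip, s in per_ip.items():
        print(f"{ip}: no_host={s['no_host']} missing_file={s['missing_file']} paths={sorted(s['paths'])}")
    print("scanners:", scanners)
```

Run it against the real file with `summarize(open("/var/log/httpd/error_log").read())`; the scanner list is what you would feed into a firewall deny rule or fail2ban jail.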

Getting the egress IP on Linux
curl http://members.3322.org/dyndns/getip
curl ifconfig.me    (this one is too slow; give curl a timeout such as -m 5 when scripting it)
curl cip.cc
curl ip.cip.cc
telnet cip.cc
ftp cip.cc

=======================================
Procedure

=======================================
I. Find the specific source port and IP in the session ranking on the AF1000 (software version AF8.0.6)
1. Start from the internal hosts listed in the session ranking, query and analyse them, and first pick the host IPs of interest.

192.168.7.102 113.200.98.69 56756 199.182.204.197 199.182.204.197 123 UDP established NTP trust untrust
(columns, as read from the AF session view: source IP, source IP after NAT, source port, destination IP, destination IP after NAT, destination port, protocol, state, application, source zone, destination zone)

2. Look up which service on internal host 7.102 produced this session. As expected, there is one: chronyd is running, and 199.182.204.197 is one of its NTP sources (note the "Selected source 199.182.204.197" line in the journal output below).

[root@cu-app-102 ~]# systemctl status chronyd
● chronyd.service - NTP client/server
Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2019-07-08 09:16:32 CST; 4 days ago
Docs: man:chronyd(8)
man:chrony.conf(5)
Process: 756 ExecStartPost=/usr/libexec/chrony-helper update-daemon (code=exited, status=0/SUCCESS)
Process: 732 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 746 (chronyd)
Tasks: 1
Memory: 1.1M
CGroup: /system.slice/chronyd.service
└─746 /usr/sbin/chronyd

Jul 08 09:16:32 cu-app-102 systemd[1]: Starting NTP client/server...
Jul 08 09:16:32 cu-app-102 chronyd[746]: chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 +DEBUG)
Jul 08 09:16:32 cu-app-102 chronyd[746]: Frequency -4.405 +/- 0.034 ppm read from /var/lib/chrony/drift
Jul 08 09:16:32 cu-app-102 systemd[1]: Started NTP client/server.
Jul 08 09:17:13 cu-app-102 chronyd[746]: Selected source 144.76.76.107
Jul 08 09:18:18 cu-app-102 chronyd[746]: Selected source 199.182.204.197
Jul 10 07:35:17 cu-app-102 chronyd[746]: Selected source 45.43.30.59

========================================

II. Then filter the connections on the Clavister by source port and destination IP
1. Enter the destination IP, the destination port, and as source port the one shown on the AF. Be aware that the source port does not necessarily agree between the two devices: with 46982 as the source port on the AF, the connection actually found on the Clavister had source port 34688. Match on destination IP and port first and treat the source port as a hint only.
(columns: state, protocol, inbound interface:source IP:source port, outbound interface:destination IP:destination port, last column as shown by the device)
TCP_OPEN TCP ge3:192.168.3.185:34687 ge5:113.200.98.66:5908 261662
TCP_OPEN TCP ge3:192.168.3.185:34688 ge5:113.200.98.66:5908 262136
TCP_OPEN TCP ge3:192.168.3.169:55148 ge5:113.200.98.66:5908 260719
2. Then, from a Windows machine on the internal network, run nbtstat -A 192.168.3.185 to get the actual host name (this only works if the target answers NetBIOS name queries on UDP 137).

========================================
With this the communication path between the two machines is known: the AF session gives the external side of the flow, the Clavister connection gives the internal address behind it, and nbtstat gives the host name.
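The correlation in steps I and II, as an added Python example (not code from the original note or from either vendor): it parses an AF session-ranking line and Clavister connection lines, matches them on destination IP, destination port and protocol, and only then uses the source port, returning every candidate when the port does not agree, which is exactly the 46982-versus-34688 situation described above. It then lists the internal addresses to resolve next with nbtstat -A. The AF column order is the one interpreted above, the Clavister lines are the three quoted above, and the AF line and the application column value "unknown" are constructed for the example.

```python
import re

# Column meaning of the AF1000 session-ranking line, as assumed for this example:
# src  src-after-NAT  src-port  dst  dst-after-NAT  dst-port  proto  state  app  src-zone  dst-zone
AF_FIELDS = ["src", "src_nat", "src_port", "dst", "dst_nat", "dst_port",
             "proto", "state", "app", "src_zone", "dst_zone"]


def parse_af_session(line):
    """Split one AF session line into named fields; ports become ints."""
    parts = line.split()
    if len(parts) != len(AF_FIELDS):
        raise ValueError(f"expected {len(AF_FIELDS)} columns, got {len(parts)}: {line!r}")
    s = dict(zip(AF_FIELDS, parts))
    s["src_port"] = int(s["src_port"])
    s["dst_port"] = int(s["dst_port"])
    s["proto"] = s["proto"].upper()
    return s


# Clavister connection line: STATE PROTO iface:src:sport iface:dst:dport id
CLAVISTER_RE = re.compile(
    r'^(?P<state>\S+)\s+(?P<proto>\S+)\s+'
    r'(?P<sif>\w+):(?P<src>[\d.]+):(?P<sport>\d+)\s+'
    r'(?P<dif>\w+):(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<id>\d+)$'
)


def parse_clavister(lines):
    """Parse Clavister connection lines; lines that do not match are skipped."""
    conns = []
    for line in lines:
        m = CLAVISTER_RE.match(line.strip())
        if not m:
            continue
        c = m.groupdict()
        c["sport"], c["dport"], c["id"] = int(c["sport"]), int(c["dport"]), int(c["id"])
        c["proto"] = c["proto"].upper()
        conns.append(c)
    return conns


def correlate(af, conns):
    """Find the Clavister connection(s) behind an AF session.
    Destination ip:port plus protocol is the reliable key; the source port is only
    a hint, because the two devices may show different source ports for the same
    flow. Returns (matches, exact): exact is True when the source port agreed and
    matches then holds that single connection, otherwise every connection to the
    same destination is returned for manual inspection."""
    same_dst = [c for c in conns
                if c["dst"] == af["dst"] and c["dport"] == af["dst_port"] and c["proto"] == af["proto"]]
    exact = [c for c in same_dst if c["sport"] == af["src_port"]]
    if exact:
        return exact, True
    return same_dst, False


def internal_hosts(matches):
    """Distinct internal addresses to resolve next with: nbtstat -A <ip>"""
    return sorted({c["src"] for c in matches})


# Constructed AF line for the example; the device itself prints the state in Chinese.
AF_LINE = "192.168.3.185 113.200.98.69 46982 113.200.98.66 113.200.98.66 5908 TCP established unknown trust untrust"
# The three Clavister connection lines from the procedure above.
CLAVISTER_LINES = [
    "TCP_OPEN TCP ge3:192.168.3.185:34687 ge5:113.200.98.66:5908 261662",
    "TCP_OPEN TCP ge3:192.168.3.185:34688 ge5:113.200.98.66:5908 262136",
    "TCP_OPEN TCP ge3:192.168.3.169:55148 ge5:113.200.98.66:5908 260719",
]

if __name__ == "__main__":
    af = parse_af_session(AF_LINE)
    matches, exact = correlate(af, parse_clavister(CLAVISTER_LINES))
    print("source port agreed" if exact else "source port differs; candidates by destination only")
    for c in matches:
        print(f"  {c['sif']}:{c['src']}:{c['sport']} -> {c['dif']}:{c['dst']}:{c['dport']} ({c['state']})")
    for ip in internal_hosts(matches):
        print(f"next: nbtstat -A {ip}")
```

When the source port does not agree, the remaining candidates are narrowed by timing (the AF session and the Clavister connection should have started at about the same time) before resolving names.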