Попытка взлома брутфорсом
Время от времени производятся попытки взломать наши серверы или сервисы. Так, например, вчера и сегодня с одного и того же адреса происходит попытка взлома брутфорсом по 80-му порту.
Вот логи nginx:
72.55.148.21 - - [30/Aug/2011:08:44:26 +0300] "GET //admdb/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:26 +0300] "GET //!mysql/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:27 +0300] "GET //phpma1/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:27 +0300] "GET //adminsql/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:27 +0300] "GET //madm/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:28 +0300] "GET //ladminadminl/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:29 +0300] "GET //myad/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:32 +0300] "GET //PmA/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:33 +0300] "GET //phpMyAdmin-2.11.5.1-all-languages/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:33 +0300] "GET //phpmyadmin_2.10/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:33 +0300] "GET //phpmyadmin2011/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:33 +0300] "GET //phpmyadmin211/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:37 +0300] "GET //phpMyAdmin211/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:37 +0300] "GET //pma2011/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:37 +0300] "GET //pma211/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:38 +0300] "GET //db2011/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:38 +0300] "GET //db211/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:38 +0300] "GET //dbadmin2011/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:41 +0300] "GET //php2011/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:42 +0300] "GET //php211/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:42 +0300] "GET //_sql/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:42 +0300] "GET //sql2011/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:43 +0300] "GET //sql211/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:43 +0300] "GET //phpadmin2011/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:43 +0300] "GET //phpadmin211/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:43 +0300] "GET //mysql2011/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:44 +0300] "GET //mysql211/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:44 +0300] "GET //phpM/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:44 +0300] "GET //phpMyAdmin.life/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:45 +0300] "GET //pma_2/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:45 +0300] "GET //phpMyAdmini/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:45 +0300] "GET //phpmysql/sql/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:45 +0300] "GET //pma_ai/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:46 +0300] "GET //mygoodadmin/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:46 +0300] "GET //wp-pma-mod/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:46 +0300] "GET //phpMyAdmin-old/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:47 +0300] "GET //phpma/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:47 +0300] "GET //madm/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:47 +0300] "GET //php_jibin/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:47 +0300] "GET //db_my/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:48 +0300] "GET //data_admin/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:48 +0300] "GET //phpMyAdmin-2.11.1/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:48 +0300] "GET //rootsql/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:48 +0300] "GET //rcsu_mydb/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:49 +0300] "GET //phpMyAdmin-2.11.9.6/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
Как видно, злоумышленник перебирает типичные имена каталогов, пытаясь найти установочные скрипты phpMyAdmin (scripts/setup.php), для того чтобы через них произвести взлом системы. В приведённых логах все запросы получили ответ 403 с одинаковым размером тела (169 байт) и пришли без User-Agent ("-"), то есть, по-видимому, отклонялись на уровне веб-сервера, не доходя до PHP. Большим количеством обращений такой "взлом" способен "положить" веб-сервер и базу данных (конечно, если не предприняты соответствующие меры защиты).
Вот логи nginx:
72.55.148.21 - - [30/Aug/2011:08:44:26 +0300] "GET //admdb/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:26 +0300] "GET //!mysql/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:27 +0300] "GET //phpma1/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:27 +0300] "GET //adminsql/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:27 +0300] "GET //madm/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:28 +0300] "GET //ladminadminl/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:29 +0300] "GET //myad/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:32 +0300] "GET //PmA/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:33 +0300] "GET //phpMyAdmin-2.11.5.1-all-languages/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:33 +0300] "GET //phpmyadmin_2.10/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:33 +0300] "GET //phpmyadmin2011/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:33 +0300] "GET //phpmyadmin211/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:37 +0300] "GET //phpMyAdmin211/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:37 +0300] "GET //pma2011/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:37 +0300] "GET //pma211/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:38 +0300] "GET //db2011/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:38 +0300] "GET //db211/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:38 +0300] "GET //dbadmin2011/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:41 +0300] "GET //php2011/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:42 +0300] "GET //php211/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:42 +0300] "GET //_sql/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:42 +0300] "GET //sql2011/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:43 +0300] "GET //sql211/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:43 +0300] "GET //phpadmin2011/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:43 +0300] "GET //phpadmin211/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:43 +0300] "GET //mysql2011/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:44 +0300] "GET //mysql211/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:44 +0300] "GET //phpM/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:44 +0300] "GET //phpMyAdmin.life/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:45 +0300] "GET //pma_2/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:45 +0300] "GET //phpMyAdmini/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:45 +0300] "GET //phpmysql/sql/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:45 +0300] "GET //pma_ai/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:46 +0300] "GET //mygoodadmin/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:46 +0300] "GET //wp-pma-mod/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:46 +0300] "GET //phpMyAdmin-old/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:47 +0300] "GET //phpma/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:47 +0300] "GET //madm/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:47 +0300] "GET //php_jibin/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:47 +0300] "GET //db_my/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:48 +0300] "GET //data_admin/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:48 +0300] "GET //phpMyAdmin-2.11.1/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:48 +0300] "GET //rootsql/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:48 +0300] "GET //rcsu_mydb/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
72.55.148.21 - - [30/Aug/2011:08:44:49 +0300] "GET //phpMyAdmin-2.11.9.6/scripts/setup.php HTTP/1.1" 403 169 "-" "-"
Как видно, злоумышленник перебирает типичные имена каталогов, пытаясь найти установочные скрипты phpMyAdmin (scripts/setup.php), для того чтобы через них произвести взлом системы. В приведённых логах все запросы получили ответ 403 с одинаковым размером тела (169 байт) и пришли без User-Agent ("-"), то есть, по-видимому, отклонялись на уровне веб-сервера, не доходя до PHP. Большим количеством обращений такой "взлом" способен "положить" веб-сервер и базу данных (конечно, если не предприняты соответствующие меры защиты).