Tomcat 服务器受到攻击

Tomcat Server under attack

更新: 谢谢杰里。其中一名黑客实际上设法上传了一个可执行文件,该文件获得了对服务器的根访问权限。黑客指示服务器加入比特币挖掘活动。 IT 部门不想阻止来自特定国家/地区的 ips,因为我们实际上在那里设有办事处。所以我用谷歌搜索如何让 TOMCAT 更安全。 1.删​​除了webapps文件夹中默认安装的所有应用程序。 2. 不要使用Tomcat web manager,删除与之相关的所有内容。黑客试图猜测管理员用户名和密码。打开 Tomcat 管理应用程序就像将血液滴入充满鲨鱼的海洋中。黑客将被吸引到您的服务器。删除 webapps 的内容后,我的服务器现在 returns 出现 404 代码。我仍然不时看到一些黑客活动,但在几次 404 响应之后,他们就停止了。

#

我查看了 Tomcat 的访问日志并看到了以下条目。看起来有人试图破解我的服务器。这是我们的测试服务器,没有域名,只能通过IP地址访问。我为调试目的启用了 Tomcat 管理网页。

黑客试图通过所有这些 get 和 post 调用实现什么目标? Tomcat 服务器目前正在受到攻击还是已经被黑客入侵?我能做些什么来阻止黑客?

198.108.66.176 - - [04/Dec/2018:00:06:28 -0600] "GET / HTTP/1.1" 302 -
198.108.66.176 - - [04/Dec/2018:00:06:28 -0600] "GET / HTTP/1.1" 302 -
196.52.43.116 - - [04/Dec/2018:01:07:31 -0600] "GET / HTTP/1.0" 302 -
92.52.204.77 - - [04/Dec/2018:01:29:58 -0600] "GET / HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:00 -0600] "PROPFIND / HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:00 -0600] "GET /webdav/ HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:04 -0600] "GET /help.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:04 -0600] "GET /java.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:04 -0600] "GET /_query.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:04 -0600] "GET /test.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:05 -0600] "GET /db_cts.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:05 -0600] "GET /db_pma.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:05 -0600] "GET /logon.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:06 -0600] "GET /help-e.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:06 -0600] "GET /license.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:07 -0600] "GET /log.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:07 -0600] "GET /hell.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:07 -0600] "GET /pmd_online.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:08 -0600] "GET /x.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:08 -0600] "GET /shell.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:08 -0600] "GET /htdocs.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:08 -0600] "GET /desktop.ini.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:08 -0600] "GET /z.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:09 -0600] "GET /lala.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:09 -0600] "GET /lala-dpr.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:09 -0600] "GET /wpc.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:09 -0600] "GET /wpo.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:09 -0600] "GET /text.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:10 -0600] "GET /wp-config.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:10 -0600] "GET /muhstik.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:11 -0600] "GET /muhstik2.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:11 -0600] "GET /muhstiks.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:11 -0600] "GET /muhstik-dpr.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:12 -0600] "GET /lol.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:12 -0600] "GET /uploader.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:12 -0600] "GET /cmd.php HTTP/1.1" 302 -

41.223.49.173 - - [04/Dec/2018:02:07:16 -0600] "POST /wuwu11.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:16 -0600] "POST /xw.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:16 -0600] "POST /xw1.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:16 -0600] "POST /9678.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:17 -0600] "POST /wc.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:17 -0600] "POST /xx.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:17 -0600] "POST /s.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:18 -0600] "POST /w.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:19 -0600] "POST /sheep.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:19 -0600] "POST /qaq.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:20 -0600] "POST /db.init.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:20 -0600] "POST /db_session.init.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:20 -0600] "POST /db__.init.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:20 -0600] "POST /wp-admins.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:20 -0600] "POST /m.php?pbid=open HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:21 -0600] "POST /db_dataml.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:21 -0600] "POST /db_desql.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:21 -0600] "POST /mx.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:22 -0600] "POST /wshell.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:23 -0600] "POST /xshell.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:23 -0600] "POST /qq.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:23 -0600] "POST /conflg.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:24 -0600] "POST /lindex.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:24 -0600] "POST /phpstudy.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:24 -0600] "POST /phpStudy.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:24 -0600] "POST /weixiao.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:24 -0600] "POST /feixiang.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:25 -0600] "POST /ak47.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:25 -0600] "POST /ak48.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:25 -0600] "POST /xiao.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:26 -0600] "POST /yao.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:27 -0600] "POST /defect.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:27 -0600] "POST /webslee.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:28 -0600] "POST /q.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:28 -0600] "POST /pe.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:28 -0600] "POST /hm.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:28 -0600] "POST /cainiao.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:28 -0600] "POST /zuoshou.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:29 -0600] "POST /zuo.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:29 -0600] "POST /aotu.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:29 -0600] "POST /cmd.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:29 -0600] "POST /bak.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:30 -0600] "POST /system.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:30 -0600] "POST /l6.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:30 -0600] "POST /l7.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:31 -0600] "POST /l8.php HTTP/1.1" 302 -
41.223.49.173 - - [04/Dec/2018:02:07:31 -0600] "POST /q.php HTTP/1.1" 302 -

What is the hacker trying to achieve with all those get and post calls?

找到他们可能利用的漏洞;可以是已知 bugs/holes 的软件的已知文件名;可能到现在已经有人怀疑来自不同地址的类似请求。

Is the Tomcat server currently under attack or already been hacked?

攻击——如果日志中有状态 200,则可能是黑客攻击。上面的日志都显示 302/redirect;所以人们可以假设黑客没有成果。

What can I do to stop the hacker?

对ip地址做whois;阻止报告的范围——很可能它来自您不想或不想与之做生意的国家。 ;) 最好在互联网分界线 (gateway/router) 处丢弃(或阻止)流量。也可以配置 Apache——见下文:

Blocking multiple ip ranges using mod access in htaccess