I just set up my first Linode server last Wednesday, and today I tried to take a look at the nginx access logs
and found these suspicious entries:
47.96.15.13 - - [28/Jul/2018:14:54:05 +0800] "GET /webdav/ HTTP/1.1" 404 6303 "-" "-" "-"
47.96.15.13 - - [28/Jul/2018:14:54:06 +0800] "PROPFIND / HTTP/1.1" 404 6303 "-" "-" "-"
47.96.15.13 - - [28/Jul/2018:14:54:09 +0800] "POST /wuwu11.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:09 +0800] "POST /xw.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:10 +0800] "POST /xw1.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:10 +0800] "POST /9678.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:23 +0800] "POST /xx.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:25 +0800] "POST /wc.php HTTP/1.1" 499 0 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:27 +0800] "POST /w.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:30 +0800] "POST /sheep.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:30 +0800] "POST /db.init.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:31 +0800] "POST /db_session.init.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:32 +0800] "POST /db__.init.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:33 +0800] "POST /mx.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:33 +0800] "POST /wshell.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:39 +0800] "POST /xshell.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:40 +0800] "POST /qq.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:40 +0800] "POST /lindex.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:40 +0800] "POST /conflg.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:41 +0800] "POST /phpstudy.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:51 +0800] "POST /ak47.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:51 +0800] "POST /xiao.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:55 +0800] "POST /defect.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:55 +0800] "POST /webslee.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:02 +0800] "POST /hm.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:10 +0800] "POST /zuoshou.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:22 +0800] "POST /system.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:22 +0800] "POST /l7.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:27 +0800] "POST /q.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:27 +0800] "POST /qaq.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
I call them suspicious because the application hosted there isn't even written in PHP.
I was thinking of blocking the IP address, but I have doubts because it could be a dynamic IP that gets reassigned to a legitimate user, who would then be blocked.
Any advice on how to deal with this would be greatly appreciated.
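
An added example, not part of the original post: one way to act on the pattern in the log while respecting the dynamic-IP concern is to flag a client that requests several distinct nonexistent .php paths in a short window and give the block an expiry time instead of making it permanent. The function name, the threshold, the window and the 24-hour ban are assumptions; the first five sample lines are copied from the log above and the last two are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First five lines are from the post; the 198.51.100.20 lines are constructed
# to represent an ordinary visitor (documentation address range).
SAMPLE_LOG = """\
47.96.15.13 - - [28/Jul/2018:14:54:09 +0800] "POST /wuwu11.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:09 +0800] "POST /xw.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:10 +0800] "POST /xw1.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:10 +0800] "POST /9678.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:23 +0800] "POST /xx.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
198.51.100.20 - - [28/Jul/2018:14:54:30 +0800] "GET / HTTP/1.1" 200 6303 "-" "Mozilla/5.0" "-"
198.51.100.20 - - [28/Jul/2018:14:54:31 +0800] "GET /favicon.ico HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
"""

# Matches the leading fields of the nginx access-log format shown in the post.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_php_probers(log_text, threshold=5,
                     window=timedelta(minutes=2), ban_for=timedelta(hours=24)):
    """Return {ip: ban_expiry} for clients that hit at least `threshold`
    distinct missing .php paths (status 404) within `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue
        path = m["path"].split("?", 1)[0]          # ignore any query string
        if not path.lower().endswith(".php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]].append((ts, path))

    bans = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= threshold:
                bans[ip] = events[end][0] + ban_for   # the block expires
                break
    return bans

if __name__ == "__main__":
    for ip, expiry in find_php_probers(SAMPLE_LOG).items():
        print(f"block {ip} until {expiry.isoformat()}")
```

Because the application here serves no PHP at all, any 404 on a `.php` path is a strong signal, and the expiry means a reassigned address is not locked out indefinitely.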