root@k:/var/log/nginx# more error.log
2010/09/19 07:13:59 [error] 13192#0: *1680109 open() "/dat/phone/R.asp" failed (2: No such file or directory), client: 124.237.78.24, server: localhost, request: "GET http://g.ha99y.cn/R.asp?P=60.27.236.2:8080 HTTP/1.1", host: "g.ha99y.cn"
2010/09/19 09:48:21 [error] 13195#0: *1684270 open() "/dat/phone/R.asp" failed (2: No such file or directory), client: 124.237.78.24, server: localhost, request: "GET http://g.ha99y.cn/R.asp?P=60.27.236.2:8080 HTTP/1.1", host: "g.ha99y.cn"
2010/09/19 04:41:48 [error] 13195#0: *1677639 open() "/dat/phone/R.asp" failed (2: No such file or directory), client: 124.237.121.120, server: localhost, request: "GET http://g.ha99y.cn/R.asp?P=60.27.236.2:8080 HTTP/1.1", host: "g.ha99y.cn"
Only these two IP addresses issued the requests:
124.237.78.24: Qinhuangdao, Hebei, China Telecom (win2003, 3389 open)
124.237.121.120: Qinhuangdao, Hebei, China Telecom (win2003, 3389 open)
g.ha99y.cn >> 60.191.151.90 (this host runs the WinWebMail mail service)
nmap scan:
Interesting ports on 124.237.78.24:
Not shown: 1706 closed ports
PORT STATE SERVICE VERSION
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1433/tcp open ms-sql-s Microsoft SQL Server 2000 8.00.2039; SP4
3389/tcp open microsoft-rdp Microsoft Terminal Service
4444/tcp filtered krb524
No OS matches for host
Network Distance: 14 hops
Service Info: OS: Windows
Interesting ports on 124.237.121.120:
Not shown: 1704 closed ports
PORT STATE SERVICE VERSION
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1025/tcp open msrpc Microsoft Windows RPC
1433/tcp open ms-sql-s Microsoft SQL Server 2000 8.00.2039; SP4
3306/tcp open mysql MySQL (unauthorized)
3389/tcp open microsoft-rdp Microsoft Terminal Service
4444/tcp filtered krb524
Device type: general purpose
Running (JUST GUESSING) : Microsoft Windows XP (85%)
Aggressive OS guesses: Microsoft Windows XP SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 14 hops
Service Info: OS: Windows
Interesting ports on 60.191.151.90:
Not shown: 1712 filtered ports
PORT STATE SERVICE VERSION
25/tcp open smtp WinWebMail smtpd 3.7.1.1
80/tcp open http Microsoft IIS webserver 6.0
110/tcp open pop3 WinWebMail pop3d 3.7.1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|scanner|PBX
Running (JUST GUESSING) : Microsoft Windows 2003|XP (91%), HP embedded (90%), Vodavi embedded (88%)
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (91%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows XP SP2 (91%), HP 9100c Digital Sender scanner (90%), Vodavi XTS-IP PBX (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows
xscan scan:
Host analysis: 124.237.78.24
Host | Port/Service | Service vulnerability
124.237.78.24 | Windows Terminal Services (3389/tcp) | security note found
124.237.78.24 | ms-sql-s (1433/tcp) | security note found
124.237.78.24 | netbios-ns (137/udp) | security note found
124.237.78.24 | msrdp (3389/tcp) | security warning found
124.237.78.24 | mssql (1433/tcp) | security note found
Security vulnerabilities and fixes: 60.191.151.90
Type | Port/Service | Security vulnerability and fix
Note | smtp (25/tcp) | Open service: an "SMTP" service is running on this port. BANNER : 220 ESMTP on WinWebMail [3.7.1.1] ready. http://www.winwebmail.com NESSUS_ID : 10330
This is most likely web proxy scanning: the client sends an absolute URL as the request target, which only makes sense if it takes the server for a forward proxy. See http://www.freebsdchina.org/forum/viewtopic.php?p=249105&sid=d5f8d8498b5e688161f909a08734fe0d
I suspect my system has been compromised or is under attack. There are many entries like the following in the Apache log; could an expert please take a look, thanks.
124.237.121.106 - - [13/Jun/2010:00:43:26 +0800] "GET http://g.ha99y.com/R.asp?P=116.25.252.122:8080 HTTP/1.1" 200 21 "-" "-"
124.237.121.106 - - [13/Jun/2010:02:44:37 +0800] "GET http://g.ha99y.com/R.asp?P=119.122.73.142:8080 HTTP/1.1" 200 21 "-" "-"
124.237.121.106 - - [13/Jun/2010:02:44:45 +0800] "GET http://g.ha99y.com/R.asp?P=119.122.73.142:8080 HTTP/1.1" 200 21 "-" "-"
61.158.143.41 - - [13/Jun/2010:02:51:53 +0800] "GET http://www.baidu.com/ HTTP/1.1" 200 28 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
124.237.121.106 - - [13/Jun/2010:04:10:57 +0800] "GET http://g.ha99y.com/R.asp?P=116.25.252.122:8080 HTTP/1.1" 200 21 "-" "-"
124.237.78.167 - - [13/Jun/2010:06:10:41 +0800] "GET http://g.ha99y.com/R.asp?P=119.122.73.142:8080 HTTP/1.1" 200 21 "-" "-"
124.237.121.106 - - [13/Jun/2010:07:38:08 +0800] "GET http://g.ha99y.com/R.asp?P=116.25.252.122:8080 HTTP/1.1" 200 21 "-" "-"
218.92.26.178 - - [13/Jun/2010:08:23:45 +0800] "GET http://pay.qq.com/ HTTP/1.1" 200 28 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
And it also sends requests to Baidu and other sites.
Another thing that completely baffles me: http://g.happy.com/R.asp?P=119.122.73.142 submits my IP to another web page. I am wondering whether my system has picked up a trojan or something.
To explain: my system has MySQL, JSP and PHP installed, and the system version is:
localhost# uname -a
FreeBSD localhost 7.2-RELEASE-p7 FreeBSD 7.2-RELEASE-p7 #0: Fri Feb 26 19:51:57 UTC 2010 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/MYGENERIC i386
I think this is not sent by the server; it should be data coming from the "client" side, for example via telnet or similar.
What puzzles me now is:
That "client" keeps sending to my server, and it can even attach my IP address, even though this server has no fixed IP and uses a dynamic IP.
A search-engine worm?
That about settles it. From my recent observation, this ha99y.com should be a web proxy scanner, or you could say a proxy-scanning worm. I think that is what it is. Thanks to all the experts for their replies. Thank you.
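As an added example (not code from this post or from the quoted thread), the following Python applies the classification reached above to log lines: a request whose target is an absolute http:// URL for a foreign host is a client treating the server as a forward proxy, and for the ha99y probes it also extracts the P= value. The sample lines are copied from the nginx and Apache logs on this page; the 10.0.0.5 line is constructed to show an ordinary request.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: three lines copied from the nginx error log and the
# Apache access log quoted on this page (wrapped lines re-joined), plus one normal hit.
SAMPLE_LOG = """\
2010/09/19 07:13:59 [error] 13192#0: *1680109 open() "/dat/phone/R.asp" failed (2: No such file or directory), client: 124.237.78.24, server: localhost, request: "GET http://g.ha99y.cn/R.asp?P=60.27.236.2:8080 HTTP/1.1", host: "g.ha99y.cn"
124.237.121.106 - - [13/Jun/2010:00:43:26 +0800] "GET http://g.ha99y.com/R.asp?P=116.25.252.122:8080 HTTP/1.1" 200 21 "-" "-"
61.158.143.41 - - [13/Jun/2010:02:51:53 +0800] "GET http://www.baidu.com/ HTTP/1.1" 200 28 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
10.0.0.5 - - [13/Jun/2010:02:52:00 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.19"
"""

# Request line as it appears in both formats: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
NGINX_CLIENT_RE = re.compile(r'client: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})')
APACHE_CLIENT_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) ')

def classify_line(line, local_hosts=("localhost",)):
    """Return details of a proxy probe, or None for an ordinary origin-server request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = m.group("target")
    # Clients of an origin server send "/path"; only a client that believes it is
    # talking to a forward proxy sends a full "http://host/path" target.
    if not target.lower().startswith(("http://", "https://")):
        return None
    parts = urlsplit(target)
    if parts.hostname in local_hosts:
        return None
    cm = NGINX_CLIENT_RE.search(line) or APACHE_CLIENT_RE.match(line)
    # Per the quoted thread, P= carries the scanned server's own address:port, i.e.
    # the proxy the scanner would record as "open" if the request were relayed.
    reported = parse_qs(parts.query).get("P", [None])[0]
    return {"client": cm.group("ip") if cm else None,
            "proxied_host": parts.hostname,
            "path": parts.path,
            "reported_proxy": reported}

def summarize(log_text, local_hosts=("localhost",)):
    """Group proxy probes by client IP so repeat scanners stand out."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        hit = classify_line(line, local_hosts)
        if hit:
            by_client[hit["client"]].append(hit)
    return dict(by_client)
```

A 404 in the nginx log means the absolute URL was mapped to the local document root and nothing was relayed; the point to verify on a server that logs a 200 for such lines is whether the body served was a local file or the remote site's content.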