What is muieblackcat?

I recently installed ELMAH on a small .NET MVC site and keep getting error reports:

System.Web.HttpException: A public action method 'muieblackcat' was not found on controller... 

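This is obviously an attempt to access a page that doesn't exist. But why are there attempts to access this page?

Is this an attack, or just a bot scanning to see whether I am infected? What is "muieblackcat", and why are there attempts to access this URL?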

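It's just a prospecting script. The requests it makes are usually the ones below; if your server returns 404 for all of them, you have nothing to worry about.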

 111.221.1.140 - - [20/Nov/2013:10:15:56 +0000] "GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:55 +0000] "GET //websql/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:55 +0000] "GET //web/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:54 +0000] "GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:53 +0000] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:51 +0000] "GET //scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:50 +0000] "GET //pma/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:49 +0000] "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:48 +0000] "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:47 +0000] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:47 +0000] "GET //phpadmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:46 +0000] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:45 +0000] "GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:44 +0000] "GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:44 +0000] "GET //phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:43 +0000] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:42 +0000] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:41 +0000] "GET //mysql/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:41 +0000] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:40 +0000] "GET //dbadmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:39 +0000] "GET //db/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:38 +0000] "GET //admin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:37 +0000] "GET //admin/pma/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:36 +0000] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:35 +0000] "GET //MyAdmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
 111.221.1.140 - - [20/Nov/2013:10:15:34 +0000] "GET /muieblackcat HTTP/1.1" 404 1787 "-" "-"

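muieblackcat is a script/bot, reportedly of Ukrainian origin, that tries to exploit PHP vulnerabilities or misconfigurations. See "SUC027: Muieblackcat setup.php Web Scanner/Robot" for more details.

If you don't use PHP and have disabled mod_php, then you are safe. However, a request for /muieblackcat may mean that the bot has already, perhaps successfully, visited your site. I suggest you check your configuration and web content carefully (and, if possible, wipe everything and reinstall).

On the other hand, the originating IP address is probably useless. Most attacks come from uninfected Windows users.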

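According to the Daily Update Summary 6/24/2011 (Emerging Threat Pro blog), this is a scanner looking for some breach in your server; it is definitely an intruder you should block. Look in your access logs and you should find its IP address.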
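Added example, not part of any answer on this page: a log check along the lines the answers describe, listing each source IP that sent these probes and any probe that received something other than a 404. The probe patterns are derived from the log quoted above; the function name and the sample lines for 203.0.113.9 and 198.51.100.7 are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Probe paths taken from the log quoted on this page.
PROBE_RE = re.compile(
    r'/muieblackcat$|/scripts/setup\.php$|/phpMyAdmin-[^/]+/index\.php$',
    re.IGNORECASE,
)

# Constructed sample: three lines from the page's log plus two invented lines
# (a probe answered with 200 from a documentation IP, and a normal request).
SAMPLE_LOG = '''\
111.221.1.140 - - [20/Nov/2013:10:15:34 +0000] "GET /muieblackcat HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:35 +0000] "GET //MyAdmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:44 +0000] "GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 1787 "-" "-"
203.0.113.9 - - [20/Nov/2013:11:02:10 +0000] "GET //pma/scripts/setup.php HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [20/Nov/2013:11:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
'''

def summarize_probes(log_text):
    """Return {ip: {"probes": n, "answered": [(path, status), ...]}}.

    "answered" holds probe requests that did NOT get a 404, i.e. the ones
    that need a manual look at what the server actually returned.
    """
    report = defaultdict(lambda: {"probes": 0, "answered": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Ignore unparseable lines and requests that are not known probe paths.
        if not m or not PROBE_RE.search(m["path"].split("?", 1)[0]):
            continue
        entry = report[m["ip"]]
        entry["probes"] += 1
        if m["status"] != "404":
            entry["answered"].append((m["path"], int(m["status"])))
    return dict(report)

if __name__ == "__main__":
    for ip, info in summarize_probes(SAMPLE_LOG).items():
        verdict = "REVIEW" if info["answered"] else "all 404"
        print(f"{ip}: {info['probes']} probes, {verdict} {info['answered']}")
```
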

I do it another way: I redirect them to their own IP at the same URI.

Something like:

 redirect301 = http://hackerIP/muieblackcat 

I think it is easier for the server to send a 301 redirect than to generate a 404 page every time.