服务器 Gind.cn
  1. 服务器 Gind.cn
  3. 访问日志中的NGINx – 301 HTTP错误
Intereting Posts
DNS设置指向不带“www”的domain.com到ENOM上的另一个IP地址 Ubuntu 10.04服务器延迟POST到mySQL时 工头:如何testing部署是在裸马塔尔还是在Libvirt? 授予帐户对Active Directory用户对象上的特定属性的写入权限 使用mysqldump备份远程数据库 Nginx + apache2的ubuntu服务器与数百名访问者坠毁 如何使Cisco Pix转发到特定的端口? 无法通过命令行从本地主机loginmysql 如何在Debian / Ubuntu上设置可引导的RAID1的RAID1? PCI合规SSL证书不能被信任失败 Postfixdynamicsmtp_helo_name Bitbucket无法在Ubuntu 16.04 LTS上启动 SQL Server实例服务无法启动 CentOS yum缺less依赖关系kernel> =但内核已经> = 可以在postgres上检查运行时可用的内核吗?

访问日志中的NGINx – 301 HTTP错误

这个问题可能与此有关: https : //stackoverflow.com/questions/39097554/how-do-i-prevent-code-injection-attack-on-nginx – 虽然我的问题有点不同。

此外,这个问题似乎是相似的,虽然要求不同的事情: 在Ubuntu 14.04上通过Nginx的奇怪的URL请求,恶意用户试图做什么?

我在我的nginx access.log中出现了奇怪的日志行: 

xxx.xxx.xxx.xxx - - [24/Aug/2016:05:49:59 +0100] "POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 301 178 "-" "-"

所以如果我把整个这个URL和解码它,我得到这个: 

 //cgi-bin/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -d auto_prepend_file=php://input -n

所以有人显然是在尝试一些狡猾的东西,我不太明白,因为我正在运行python,而不是php应用程序。 我很想知道这里发生了什么。

如果我尝试在我的某个部署上进行testing,如下所示: 

 curl -X POST http://my.site.example.com//%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E

我得到: 

 The resource could not be found. /cgi-bin/php

虽然访问日志有点不同: 

 xxx.xxx.xxx.xxx - - [24/Aug/2016:15:05:11 +0100] "POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 404 164 "-" "curl/7.50.1"

错误代码是404 – 不是301。

我找不到如何攻击者得到301而不是404?

这只是一个猜测,因为你的nginxconfiguration没有任何信息。

您正在向http://my.site.example.com发出CURL请求。 但是,攻击者可能已经向http://ip.address发送了请求。

因此请求可能在nginxconfiguration中碰到不同的虚拟服务器,因此响应是不同的。

为了给出更准确的答案,我们需要看到完整的nginxconfiguration。