July 2017

What can be learned from access_log

Preface

In an earlier phone interview with 360 I was asked about log analysis for incident response. Analyzing access_log had always meant grep to me, so my answer was grep plus rules to filter things out. Of course that dumb answer of mine was wrong... The interviewer told me that an attack is always preceded by a scan, so you can use awk to group the entries, pick out the source IP by request frequency, and then follow that IP to do the analysis.

Body

How small sites get hacked

First off, awk is too hard to understand... I still haven't really got my head around it...

It is usually scanners, and a scanner generally only needs to send a HEAD request: it does not fetch the whole resource, the status code is enough. So when analyzing you can use a regex

re.findall(r'HEAD (.*?) HTTP', f.read())  # f.read(), not f.readlines(): findall needs a string, not a list of lines

to filter, and you really do find plenty of records. Below are the SQL web-admin panel paths that someone scanned for, as found in my log today. Also, if the scanner is a Python script that never set a User-Agent, you can start from the recorded User-Agent, which gives it away as a Python script.

mysql/admin/
mysql/sqlmanager/
mysql/mysqlmanager/
phpmyadmin/
phpMyadmin/
phpMyAdmin/
phpmyAdmin/
phpmyadmin2/
phpmyadmin3/
phpmyadmin4/
2phpmyadmin/
wp-content/plugins/portable-phpmyadmin/wp-pma-mod/
phpmy/
phppma/
myadmin/
shopdb/
MyAdmin/
program/
PMA/
dbadmin/
pma/
db/
admin/
mysql/
database/
db/phpmyadmin/
db/phpMyAdmin/
sqlmanager/
mysqlmanager/
php-myadmin/
phpmy-admin/
mysqladmin/
mysql-admin/
admin/phpmyadmin/
admin/phpMyAdmin/
admin/sysadmin/
admin/sqladmin/
admin/db/
admin/web/
admin/pMA/
mysql/pma/
mysql/db/
mysql/web/
mysql/pMA/
sql/phpmanager/
sql/php-myadmin/
sql/phpmy-admin/
sql/sql/
sql/myadmin/
sql/webadmin/
sql/sqlweb/
sql/websql/
sql/webdb/
sql/sqladmin/
sql/sql-admin/
sql/phpmyadmin2/
sql/phpMyAdmin2/
sql/phpMyAdmin/
db/myadmin/
db/webadmin/
db/dbweb/
db/websql/
db/webdb/
db/dbadmin/
db/db-admin/
db/phpmyadmin3/
db/phpMyAdmin3/
db/phpMyAdmin-3/
administrator/phpmyadmin/
administrator/phpMyAdmin/
administrator/db/
administrator/web/
administrator/pma/
administrator/PMA/
administrator/admin/
phpMyAdmin2/
phpMyAdmin3/
phpMyAdmin4/
phpMyAdmin-3/
php-my-admin/
PMA2011/
PMA2012/
PMA2013/
PMA2014/
PMA2015/
PMA2016/
PMA2017/
PMA2018/
pma2011/
pma2012/
pma2013/
pma2014/
pma2015/
pma2016/
pma2017/
pma2018/
phpmyadmin2011/
phpmyadmin2012/
phpmyadmin2013/
phpmyadmin2014/
phpmyadmin2015/
phpmyadmin2016/
phpmyadmin2017/
phpmyadmin2018/
phpmanager/
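
As an added example (not code from the original post), here is a Python script that implements both approaches described above on a few constructed combined-format log lines: the interviewer's group-by-IP frequency count, and the HEAD-request and User-Agent filtering from the body, attributed back to the IP that sent them. The sample lines, the IP addresses, the 50% thresholds and the `python-requests/2.18.1` User-Agent are all assumptions made for illustration, not data from the author's server.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache/nginx "combined" log format. They are NOT
# from the author's server: 198.51.100.7 plays a normal browser visitor,
# 10.0.0.9 plays a phpMyAdmin scanner written in Python that kept its default UA.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jul/2017:10:01:02 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/54.0"
198.51.100.7 - - [12/Jul/2017:10:01:03 +0800] "GET /style.css HTTP/1.1" 200 812 "http://example.org/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/54.0"
10.0.0.9 - - [12/Jul/2017:10:02:00 +0800] "HEAD /phpmyadmin/ HTTP/1.1" 404 0 "-" "python-requests/2.18.1"
10.0.0.9 - - [12/Jul/2017:10:02:00 +0800] "HEAD /phpMyAdmin/ HTTP/1.1" 404 0 "-" "python-requests/2.18.1"
10.0.0.9 - - [12/Jul/2017:10:02:01 +0800] "HEAD /pma/ HTTP/1.1" 404 0 "-" "python-requests/2.18.1"
10.0.0.9 - - [12/Jul/2017:10:02:01 +0800] "HEAD /db/phpmyadmin/ HTTP/1.1" 404 0 "-" "python-requests/2.18.1"
10.0.0.9 - - [12/Jul/2017:10:02:02 +0800] "GET /PMA2017/ HTTP/1.1" 404 0 "-" "python-requests/2.18.1"
"""

# One entry per line of the combined format: client IP, ident, user, time,
# request line, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d['status'] = int(d['status'])
            entries.append(d)
    return entries


def requests_per_ip(entries):
    """Request count per source IP, busiest first: the 'group by IP' step the
    interviewer described (awk '{print $1}' access_log | sort | uniq -c | sort -rn)."""
    return Counter(e['ip'] for e in entries).most_common()


def head_probes(entries):
    """Paths each IP requested with HEAD: the page's re.findall(r'HEAD (.*?) HTTP')
    idea, but keyed by the IP that sent the probes so it can be followed up."""
    probes = defaultdict(list)
    for e in entries:
        if e['method'] == 'HEAD':
            probes[e['ip']].append(e['path'])
    return dict(probes)


def scanner_indicators(entries, min_requests=3):
    """Per-IP scanner heuristics. The thresholds are illustrative assumptions,
    not values from the page: tune them against your own traffic baseline."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e['ip']].append(e)
    flagged = {}
    for ip, reqs in by_ip.items():
        if len(reqs) < min_requests:
            continue  # too little traffic to judge by ratios
        reasons = []
        heads = sum(1 for r in reqs if r['method'] == 'HEAD')
        not_found = sum(1 for r in reqs if r['status'] == 404)
        if heads / len(reqs) >= 0.5:
            reasons.append('mostly HEAD requests')
        if not_found / len(reqs) >= 0.5:
            reasons.append('mostly 404s (guessing paths)')
        # Python HTTP libraries announce themselves unless the UA is overridden.
        if any(r['ua'].lower().startswith('python') for r in reqs):
            reasons.append('default Python User-Agent')
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == '__main__':
    entries = parse_log(SAMPLE_LOG)
    for ip, n in requests_per_ip(entries):
        print(n, ip)
    for ip, paths in head_probes(entries).items():
        print(ip, 'probed via HEAD:', paths)
    for ip, reasons in scanner_indicators(entries).items():
        print(ip, '->', '; '.join(reasons))
```

To run it on a real log, replace `SAMPLE_LOG` with the contents of access_log read via `f.read()`; the regex assumes the default combined format, so adjust `LOG_RE` if the server uses a custom LogFormat.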

To be continued.