近段时间,我的独立服务器常被黑,求高手指点,服务器是2003的,iis,主要是php的站,mysql的服务器,被黑后,出现:
Hacked by PiRATEHUNTER // <a href="http://www.feyyazkurtulus.blogspot.com">feyyaz kurtulus</a><a href="http://www.feyyazkurtulus.blogspot.com">hacked by piratehunter</a>
然后生成好几个default.asp,default.cfm等文件,生成的index.php,index.html内容如下:
Hacked by PiRATEHUNTER // <a href="http://www.feyyazkurtulus.blogspot.com">feyyaz kurtulus</a><a href="http://www.feyyazkurtulus.blogspot.com">hacked by piratehunter</a>首页就是出现Hacked by PiRATEHUNTER ,我查询了我w3svc31,最后一次日志,
开始如下:
(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 0 0
2013-01-19 00:42:59 W3SVC31 服务器地址 GET /index.html - 80 - 123.151.148.198 Sosospider+(+http://help.soso.com/webspider.htm) 200 0 0
2013-01-19 00:48:42 W3SVC31 服务器地址 GET /xianxuexuanchua2n/index.html - 80 - 66.249.75.201 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 0 0
2013-01-19 00:56:47 W3SVC31 服务器地址 GET /index.html - 80 - 123.151.148.198 Sosospider+(+http://help.soso.com/webspider.htm) 200 0 0
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2013-01-19 01:41:14
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
一直持续到:
#Version: 1.0
#Date: 2013-01-19 03:35:24
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2013-01-19 03:35:24 W3SVC31 服务器地址 GET /xxfb/tongzhigonggao/2013-01-17/1074.html - 80 - 173.199.119.59 Mozilla/5.0+(compatible;+AhrefsBot/4.0;++http://ahrefs.com/robot/) 200 0 0
求指点,万分感谢,主要还是针对我服务器上的官方网站!
Hacked by PiRATEHUNTER // <a href="http://www.feyyazkurtulus.blogspot.com">feyyaz kurtulus</a><a href="http://www.feyyazkurtulus.blogspot.com">hacked by piratehunter</a>
然后生成好几个default.asp,default.cfm等文件,生成的index.php,index.html内容如下:
Hacked by PiRATEHUNTER // <a href="http://www.feyyazkurtulus.blogspot.com">feyyaz kurtulus</a><a href="http://www.feyyazkurtulus.blogspot.com">hacked by piratehunter</a>首页就是出现Hacked by PiRATEHUNTER ,我查询了我w3svc31,最后一次日志,
开始如下:
(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 0 0
2013-01-19 00:42:59 W3SVC31 服务器地址 GET /index.html - 80 - 123.151.148.198 Sosospider+(+http://help.soso.com/webspider.htm) 200 0 0
2013-01-19 00:48:42 W3SVC31 服务器地址 GET /xianxuexuanchua2n/index.html - 80 - 66.249.75.201 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) 200 0 0
2013-01-19 00:56:47 W3SVC31 服务器地址 GET /index.html - 80 - 123.151.148.198 Sosospider+(+http://help.soso.com/webspider.htm) 200 0 0
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2013-01-19 01:41:14
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
一直持续到:
#Version: 1.0
#Date: 2013-01-19 03:35:24
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2013-01-19 03:35:24 W3SVC31 服务器地址 GET /xxfb/tongzhigonggao/2013-01-17/1074.html - 80 - 173.199.119.59 Mozilla/5.0+(compatible;+AhrefsBot/4.0;++http://ahrefs.com/robot/) 200 0 0
求指点,万分感谢,主要还是针对我服务器上的官方网站!
http://bbs.csdn.net/forums/WinNT2000XP2003
http://bbs.csdn.net/forums/WindowsSecurity如果数据库没被黑,应该不是telnet的
上面日志显示的只是爬虫机器人,你最好检查系统日志,看哪个不应该连接的端口有连接
2013-09-25 03:30:57 W3SVC2191442 61.191.55.4 GET /index.html - 80 - 113.135.129.106 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.1+(KHTML,+like+Gecko)+Chrome/21.0.1180.89+Safari/537.1 200 0 22
2013-09-25 03:31:07 W3SVC2191442 61.191.55.4 GET /a/byrd/2011/1029/91.html - 80 - 61.135.249.220 Mozilla/5.0+(compatible;+YoudaoBot/1.0;+http://www.youdao.com/help/webmaster/spider/;+) 200 0 22
2013-09-25 03:32:49 W3SVC2191442 61.191.55.4 GET /a/nxby25/2013/0622/4922.html - 80 - 183.60.214.121 Mozilla/5.0+(compatible;+EasouSpider;++http://www.easou.com/search/spider.html) 200 0 22
2013-09-25 03:33:07 W3SVC2191442 61.191.55.4 GET /news/css/5700/index.asp - 80 - 5.10.83.90 Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/) 404 0 22
2013-09-25 03:33:07 W3SVC2191442 61.191.55.4 GET /include/css/1607/index.asp - 80 - 5.10.83.90 Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/) 404 0 22
2013-09-25 03:33:07 W3SVC2191442 61.191.55.4 GET /member/css/6508/index.asp - 80 - 5.10.83.19 Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/) 404 0 22
2013-09-25 03:33:12 W3SVC2191442 61.191.55.4 GET /news/css/2068/index.asp - 80 - 5.10.83.19 Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/) 404 0 22
2013-09-25 03:33:13 W3SVC2191442 61.191.55.4 GET /include/css/3489/index.asp - 80 - 5.10.83.90 Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/) 404 0 64
2013-09-25 03:33:13 W3SVC2191442 61.191.55.4 GET /data/css/9732/index.asp - 80 - 5.10.83.13 Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/) 404 0 22