Tracing an Intrusion Back Through Web Logs

A customer's website was found to contain a backdoor at /home/wwwroot/default/Public/Uploadify/demo.php. demo.php is a typical one-line PHP webshell. How did it get onto the site? There are many possibilities. It could have been planted after a system-level compromise and privilege escalation, but in that case the attacker would simply have installed a rootkit rather than leaving a one-line backdoor, so that idea can be ruled out first. Far more likely it came in through a web vulnerability such as a weak password or an upload flaw. Finding that flaw by penetration testing would take a great deal of time and effort; the alternative is to work backwards from the logs. In theory, working backwards can always find the cause, but in practice it often cannot, or becomes complicated and has to be done indirectly. This time I chose to trace the cause of the webshell write by working backwards through the logs.

Download the last 30 days of access.log. The webshell's file timestamp can only serve as a hint, since it can be modified, so never treat it as authoritative. I started with the most recent week of logs and found nothing; only after pulling the last month did a lead appear.

// Searching the log for demo.php turns up 35 entries containing demo.php

138.128.212.179 - - [16/Jul/2016:00:23:00 +0800] "GET /Public/js/demo.php HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

// This shows the real webshell path is not this one; keep looking at the next demo.php access entry.

138.128.212.179 - - [16/Jul/2016:00:21:06 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 404 1331 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"

// Found it. This entry is the attacker accessing the webshell, but it returned 404, meaning the file did not exist at that moment; the attacker was probably testing whether the webshell had been written successfully.

// Searching again for the string demo.php HTTP/1.1" 200 (the webshell before it was deleted) gives 21 access records. Following the attacker's IP (138.128.212.179) shows their trail:
138.128.212.179 - - [12/Jul/2016:19:02:18 +0800] "GET /Public/uploadify.php HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0" // /Public/uploadify.php does not exist: 404
138.128.212.179 - - [12/Jul/2016:19:02:22 +0800] "GET /Public/uploadf.php HTTP/1.1" 200 13 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0" // /Public/uploadf.php exists: 200
138.128.212.179 - - [12/Jul/2016:19:02:26 +0800] "GET /Public/ HTTP/1.1" 403 273 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [12/Jul/2016:19:02:31 +0800] "GET /Uploads/ HTTP/1.1" 403 274 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [12/Jul/2016:19:02:36 +0800] "GET /Uploads/Pic/ HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [12/Jul/2016:19:02:39 +0800] "GET /Uploads/ HTTP/1.1" 403 274 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [12/Jul/2016:19:02:41 +0800] "GET / HTTP/1.1" 302 3 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [12/Jul/2016:19:02:41 +0800] "GET /home/index/home.html HTTP/1.1" 302 3 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [12/Jul/2016:19:02:42 +0800] "GET /home/login/index.html HTTP/1.1" 200 1306 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

// It looks like the upload script /Public/uploadify.php has been found; the attacker is now looking for the upload directory.

138.128.212.179 - - [14/Jul/2016:18:41:14 +0800] "GET / HTTP/1.1" 302 3 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:16 +0800] "GET /home/index/home.html HTTP/1.1" 302 3 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:16 +0800] "GET /home/login/index.html HTTP/1.1" 200 1306 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:18 +0800] "GET / HTTP/1.1" 302 3 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:19 +0800] "GET /home/index/home.html HTTP/1.1" 302 3 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:21 +0800] "GET /home/login/index.html HTTP/1.1" 200 1306 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:21 +0800] "GET /1.log HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:23 +0800] "GET /public/upimg.htm?and+1=1+and+"=' HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:23 +0800] "GET /public/upimg.htm HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:24 +0800] "GET /Public/upimg.htm HTTP/1.1" 200 744 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:24 +0800] "GET /public/uploadify.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:25 +0800] "GET /thisistest.txt HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:28 +0800] "GET /Public/uploadify.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:28 +0800] "GET /thisistest.txt HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:31 +0800] "GET /ajax.php HTTP/1.1" 200 54 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:32 +0800] "GET /Home/Login/loginadmin HTTP/1.1" 200 948 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:32 +0800] "GET /phpMyAdmin/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:34 +0800] "GET /pm/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:35 +0800] "GET /phpinfo.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:35 +0800] "GET /Bak_data/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:36 +0800] "GET /thisistest.txt HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:36 +0800] "GET /Public/UEditor/ueditor.all.js HTTP/1.1" 404 162 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:36 +0800] "GET /Data/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:37 +0800] "GET /db/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:37 +0800] "GET /Db/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:38 +0800] "GET /iProber.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:38 +0800] "GET /Public/3mz.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:39 +0800] "GET /thisistest.txt HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:39 +0800] "GET /Public/main1.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:40 +0800] "GET /thisistest.txt HTTP/1.1" 404 791 "-" "python-requests/2.10.0"

// The lines above are the attacker scanning with a Python script; the scan turned up no sensitive information.

138.128.212.179 - - [14/Jul/2016:18:52:21 +0800] "GET /User/Runtime/Logs/Home/16_07_14.log HTTP/1.1" 200 535770 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

// This entry is useful. When ThinkPHP has debug mode enabled and logging turned on, it creates log files under this directory by default, named year_month_day, and they can be downloaded by anyone. Here the attacker has already downloaded them. Downloading one and looking at it showed an error log.

138.128.212.179 - - [14/Jul/2016:18:52:50 +0800] "GET /User/Runtime/Logs/Home/16_07_13.log HTTP/1.1" 200 429903 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:52:58 +0800] "GET /User/Runtime/Logs/Home/16_07_12.log HTTP/1.1" 200 27181 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:53:05 +0800] "GET /User/Runtime/Logs/Home/16_07_11.log HTTP/1.1" 200 452102 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:53:20 +0800] "GET /User/Runtime/Logs/Home/16_07_10.log HTTP/1.1" 200 431381 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:54:56 +0800] "GET /User/Runtime/Logs/Home/16_07_09.log HTTP/1.1" 200 433395 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:55:16 +0800] "GET /User/Runtime/Logs/Home/16_07_08.log HTTP/1.1" 200 462788 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:55:23 +0800] "GET /User/Runtime/Logs/Home/16_07_07.log HTTP/1.1" 200 433154 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:55:27 +0800] "GET /User/Runtime/Logs/Home/16_07_06.log HTTP/1.1" 200 441394 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:55:30 +0800] "GET /User/Runtime/Logs/Home/16_07_05.log HTTP/1.1" 200 459486 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:55:46 +0800] "GET /User/Runtime/Logs/Home/16_07_04.log HTTP/1.1" 200 664894 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:57:04 +0800] "GET /User/Runtime/Logs/Home/16_07_03.log HTTP/1.1" 200 1438415 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:58:04 +0800] "GET /User/Runtime/Logs/Home/16_07_02.log HTTP/1.1" 200 1966718 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:58:31 +0800] "GET /User/Runtime/Logs/Home/16_07_01.log HTTP/1.1" 200 428610 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:58:36 +0800] "GET /User/Runtime/Logs/Home/16_06_30.log HTTP/1.1" 200 522384 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:58:37 +0800] "GET /User/Runtime/Logs/Home/16_06_29.log HTTP/1.1" 200 77195 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:58:38 +0800] "GET /User/Runtime/Logs/Home/16_06_28.log HTTP/1.1" 404 1331 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:58:38 +0800] "GET /User/Runtime/Logs/Home/16_06_27.log HTTP/1.1" 404 1331 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:58:39 +0800] "GET /User/Runtime/Logs/Home/16_06_26.log HTTP/1.1" 404 1331 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:58:39 +0800] "GET /User/Runtime/Logs/Home/16_06_25.log HTTP/1.1" 404 1331 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [15/Jul/2016:01:02:53 +0800] "GET / HTTP/1.1" 302 3 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:54 +0800] "GET /home/index/home.html HTTP/1.1" 302 3 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:55 +0800] "GET /home/login/index.html HTTP/1.1" 200 1306 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:55 +0800] "GET / HTTP/1.1" 302 3 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:55 +0800] "GET /home/index/home.html HTTP/1.1" 302 3 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:56 +0800] "GET /home/login/index.html HTTP/1.1" 200 1306 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:56 +0800] "GET /1.log HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:57 +0800] "GET /public/upimg.htm?and+1=1+and+"=' HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:57 +0800] "GET /public/upimg.htm HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:58 +0800] "GET /Public/upimg.htm HTTP/1.1" 200 744 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:58 +0800] "GET /public/uploadify.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:58 +0800] "GET /thisistest.txt HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:59 +0800] "GET /Public/uploadify.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:59 +0800] "GET /thisistest.txt HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:03:00 +0800] "GET /ajax.php HTTP/1.1" 200 54 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:03:00 +0800] "GET /Home/Login/loginadmin HTTP/1.1" 200 948 "-" "python-requests/2.10.0"
223.104.91.228 - - [15/Jul/2016:01:03:00 +0800] "POST /Home/Index/tgbzcl HTTP/1.1" 200 86 "http://www.slbvip.com/Home/Index/home1" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_2 like Mac OS X; zh-CN) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/13F69 UCBrowser/10.9.15.793 Mobile"
138.128.212.179 - - [15/Jul/2016:01:03:01 +0800] "GET /phpMyAdmin/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:03:01 +0800] "GET /pm/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:03:02 +0800] "GET /phpinfo.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:03:02 +0800] "GET /Bak_data/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"

// Up to this point it is all the Python scanner at work; it only turned up the error logs, nothing else of use.

138.128.212.179 - - [15/Jul/2016:17:21:34 +0800] "GET /favicon.ico HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [15/Jul/2016:17:21:55 +0800] "POST /Home/Common/uploadFace HTTP/1.1" 200 59 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [15/Jul/2016:17:22:25 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 51 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:22:25 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 119 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:22:27 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 115 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:22:33 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 1526 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:22:36 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 112 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:22:45 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 1037 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:23:00 +0800] "GET /Public/uploadifiy.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [15/Jul/2016:17:23:21 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 748 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:23:25 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 420 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:23:26 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 250 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:23:34 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 7 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:23:35 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 290 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:23:41 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 7 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:23:48 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 7 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:23:49 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 785 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"

// From the above, the /Home/Common/uploadFace method has an arbitrary file upload vulnerability. This is where the attacker uploaded their files: every POST to the uploaded file returned 200, whereas a file that did not exist would return 404.

138.128.212.179 - - [15/Jul/2016:17:24:36 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 119 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:24:40 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 7 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:24:43 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 7 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:24:45 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 7 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:24:45 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 112 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:24:51 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 110 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:24:53 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 13 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:24:59 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 254 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"

// The attacker has now successfully uploaded the demo.php webshell. The earlier uploads did not specify a target directory; this one landed in a chosen directory, so the upload function's parameters evidently include the upload path and the file name.

138.128.212.179 - - [16/Jul/2016:00:14:31 +0800] "GET /Public/Uploadify/demo.php HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [16/Jul/2016:00:14:31 +0800] "GET /favicon.ico HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [16/Jul/2016:00:14:43 +0800] "GET /Public/Ueditor/php/upload.php HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [16/Jul/2016:00:14:44 +0800] "GET /Public/Ueditor/php/ HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [16/Jul/2016:00:14:46 +0800] "GET /Public/Ueditor/ HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [16/Jul/2016:00:14:47 +0800] "GET /Public/ HTTP/1.1" 403 273 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

// What the attacker did with the backdoor in between is unknown. They also requested /Public/Ueditor/php/upload.php, which returned 404; whether the customer had deleted it or a protection product stopped the attacker's upload from succeeding is unclear.

138.128.212.179 - - [16/Jul/2016:00:15:28 +0800] "GET /Home/Login/loginadmin/account/819432780@qq.com/password/e61d6ad4e829e87c9c3791d161f8522c HTTP/1.1" 302 3 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

// This record shows the attacker logged in with this account. The account should be deleted from the admin backend and the IP banned; you could also add the attacker's QQ and have a chat.

138.128.212.179 - - [16/Jul/2016:00:16:04 +0800] "POST /Home/Common/uploadFace HTTP/1.1" 200 59 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

// The attacker's webshell from above has been deleted, so they come back to upload again.

138.128.212.179 - - [16/Jul/2016:00:16:33 +0800] "POST /Uploads/Pic/2016-07-16/57890c445c548.php HTTP/1.1" 200 32 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"

// The webshell upload succeeded.

138.128.212.179 - - [16/Jul/2016:00:16:43 +0800] "GET /Uploads/Pic/2016-07-16/57890c445c548.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

// The attacker starts accessing it. It looks as if something went wrong: it cannot be accessed normally?

138.128.212.179 - - [16/Jul/2016:00:17:02 +0800] "POST /Home/Common/uploadFace HTTP/1.1" 200 60 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [16/Jul/2016:00:17:11 +0800] "POST /Uploads/Pic/2016-07-16/57890c7e951de.vbak HTTP/1.1" 405 166 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [16/Jul/2016:00:17:21 +0800] "GET /Uploads/Pic/2016-07-16/57890c7e951de.vbak HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

// Another upload, this time a .vbak file; the previous one was probably killed. The POST returns 405, so this is presumably an attempt to get around the protection.

138.128.212.179 - - [16/Jul/2016:00:17:46 +0800] "POST /Home/Common/uploadFace HTTP/1.1" 200 57 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [16/Jul/2016:00:17:52 +0800] "GET /Uploads/Pic/2016-07-16/57890caaf344c.1 HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

// Changed the extension yet again.

138.128.212.179 - - [16/Jul/2016:00:18:45 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 404 1331 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"

// Accessing demo.php: the page does not exist.

138.128.212.179 - - [16/Jul/2016:00:18:53 +0800] "POST /Uploads/Pic/2016-07-16/57890c7e951de.vbak HTTP/1.1" 405 166 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [16/Jul/2016:00:18:58 +0800] "POST /Uploads/Pic/2016-07-16/57890c7e951de.vbak HTTP/1.1" 405 166 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"

// Accessing the uploaded webshell returns 405.

138.128.212.179 - - [16/Jul/2016:00:23:29 +0800] "GET /Public/kindeditor/php/upload.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

// The attacker has found another upload point.

138.128.212.179 - - [16/Jul/2016:00:23:51 +0800] "POST /Public/kindeditor/php/upload.php HTTP/1.0" 200 144 "http://slbvip.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
138.128.212.179 - - [16/Jul/2016:00:23:52 +0800] "POST /Public/kindeditor/php/upload.php HTTP/1.0" 200 290 "http://slbvip.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
138.128.212.179 - - [16/Jul/2016:00:23:53 +0800] "POST /Public/kindeditor/php/upload.php HTTP/1.0" 200 1526 "http://slbvip.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
138.128.212.179 - - [16/Jul/2016:00:24:01 +0800] "POST /Public/kindeditor/php/upload.php HTTP/1.0" 200 6514 "http://slbvip.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

// Several upload attempts, and still no way past it.

138.128.212.179 - - [19/Jul/2016:16:21:46 +0800] "GET /Uploads/146891188257179.jpg HTTP/1.1" 200 150958 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:21:55 +0800] "GET /Uploads/146890768218257.png HTTP/1.1" 200 78289 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:01 +0800] "GET /Uploads/146890724044584.png HTTP/1.1" 200 87084 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:10 +0800] "GET /Uploads/146890703177801.jpg HTTP/1.1" 200 44256 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:16 +0800] "GET /Uploads/146890694154072.png HTTP/1.1" 200 81028 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:22 +0800] "GET /Uploads/146890667880773.png HTTP/1.1" 200 69520 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:30 +0800] "GET /Uploads/146890663744137.png HTTP/1.1" 200 100128 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:37 +0800] "GET /Uploads/146890655699351.png HTTP/1.1" 200 135056 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:44 +0800] "GET /Uploads/146890646027724.png HTTP/1.1" 200 103372 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:50 +0800] "GET /Uploads/146890637216135.png HTTP/1.1" 200 108561 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:55 +0800] "GET /Uploads/146890628924480.png HTTP/1.1" 200 104940 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:23:00 +0800] "GET /Uploads/146890463858741.png HTTP/1.1" 200 82636 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:23:06 +0800] "GET /Uploads/146890438128119.jpg HTTP/1.1" 200 182931 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:23:16 +0800] "GET /Uploads/146890436882884.jpg HTTP/1.1" 200 182931 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:23:32 +0800] "GET /Uploads/146890420781045.png HTTP/1.1" 200 126604 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:23:43 +0800] "GET /Uploads/146890419983679.jpg HTTP/1.1" 200 51284 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:23:53 +0800] "GET /Uploads/146890362678175.png HTTP/1.1" 200 85621 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:24:00 +0800] "GET /Uploads/146890345652557.png HTTP/1.1" 200 83409 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:24:35 +0800] "POST /Public/kindeditor/php/upload.php HTTP/1.0" 200 186 "http://slbvip.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

// The images above were uploaded by the attacker; even if they contain malicious code it cannot execute, unless a parsing vulnerability in the web server is used.
// Finally the attacker did one more scan, after which the log entries stop. That concludes this log analysis.
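To make the manual search above repeatable, here is an added Python example (not code from the original post) that parses combined-format access log lines, rebuilds one IP's timeline, and flags the two patterns this analysis turned on: a POST to an upload endpoint followed shortly by a 200 for a non-image file under /Uploads/, and downloads of ThinkPHP Runtime/Logs files. The sample lines are constructed after the entries above; the endpoint and directory names are this site's and would need adjusting for another application.

```python
import re
from datetime import datetime, timedelta

# Apache/Nginx "combined" log format. A line with a raw quote inside the request,
# like the upimg.htm?and+1=1 probe above, does not match and is skipped.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Site-specific knowledge from the analysis above; adjust for another application.
UPLOAD_ENDPOINTS = {"/Home/Common/uploadFace", "/Public/kindeditor/php/upload.php"}
UPLOAD_DIR = "/Uploads/"
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
RUNTIME_LOGS = "/User/Runtime/Logs/"

# Constructed sample modelled on the access.log entries in the write-up
# (user agents shortened); 203.0.113.9 is a benign visitor added for contrast.
SAMPLE = """\
138.128.212.179 - - [14/Jul/2016:18:52:21 +0800] "GET /User/Runtime/Logs/Home/16_07_14.log HTTP/1.1" 200 535770 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Jul/2016:17:21:50 +0800] "GET /home/login/index.html HTTP/1.1" 200 1306 "-" "Mozilla/5.0"
138.128.212.179 - - [15/Jul/2016:17:21:55 +0800] "POST /Home/Common/uploadFace HTTP/1.1" 200 59 "-" "Mozilla/5.0"
138.128.212.179 - - [15/Jul/2016:17:22:25 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 51 "http://www.slbvip.com" "Mozilla/5.0"
138.128.212.179 - - [16/Jul/2016:00:17:02 +0800] "POST /Home/Common/uploadFace HTTP/1.1" 200 60 "-" "Mozilla/5.0"
138.128.212.179 - - [16/Jul/2016:00:17:11 +0800] "POST /Uploads/Pic/2016-07-16/57890c7e951de.vbak HTTP/1.1" 405 166 "http://www.slbvip.com" "Mozilla/5.0"
138.128.212.179 - - [16/Jul/2016:00:17:46 +0800] "POST /Home/Common/uploadFace HTTP/1.1" 200 57 "-" "Mozilla/5.0"
138.128.212.179 - - [16/Jul/2016:00:17:52 +0800] "GET /Uploads/Pic/2016-07-16/57890caaf344c.1 HTTP/1.1" 200 32 "-" "Mozilla/5.0"
"""


def parse(text):
    """Return one dict per well-formed line, in file order; malformed lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def timeline(records, ip):
    """Everything one client did, in order: the 'follow the IP' step of the analysis."""
    return [(r["ts"], r["method"], r["path"], r["status"]) for r in records if r["ip"] == ip]


def find_upload_then_execute(records, window=timedelta(minutes=5)):
    """Flag an IP that POSTs to an upload endpoint and, within `window`, gets a 200
    for a non-image file under the upload directory. Renamed extensions (.vbak, .1)
    are caught because the test is 'not an image', not 'ends with .php'."""
    last_upload = {}
    hits = []
    for r in records:
        if r["method"] == "POST" and r["path"] in UPLOAD_ENDPOINTS and r["status"] == 200:
            last_upload[r["ip"]] = r["ts"]
            continue
        up = last_upload.get(r["ip"])
        if (up is not None and r["ts"] - up <= window
                and r["path"].startswith(UPLOAD_DIR)
                and not r["path"].lower().endswith(IMAGE_EXT)
                and r["status"] == 200):
            hits.append((r["ip"], r["ts"], r["path"]))
    return hits


def find_runtime_log_reads(records):
    """ThinkPHP debug logs served with 200: the information leak that preceded the upload."""
    return [(r["ip"], r["path"]) for r in records
            if r["path"].startswith(RUNTIME_LOGS) and r["status"] == 200]
```

Run the three functions over a real access.log (read the file into `parse`) and review each hit's timeline by hand; the upload-then-execute window is a tuning knob, not a proof.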