Using Web Logs to Reconstruct an Attack Path (Part 2)


We saw that IP 84.55.41.57 successfully accessed the WordPress admin interface.
Let's see what else the user at this IP address did; we use grep again to filter the log.
root@secureserver:~# cat /var/log/apache2/access.log | grep 84.55.41.57
We find the following interesting records:
84.55.41.57 - - [17/Apr/2019:06:57:24 +0100] "GET /wordpress/wp-login.php HTTP/1.1" 200 1568 "-"
84.55.41.57 - - [17/Apr/2019:06:57:31 +0100] "POST /wordpress/wp-login.php HTTP/1.1" 302 1150 "http://www.example.com/wordpress/wp-login.php"
84.55.41.57 - - [17/Apr/2019:06:57:31 +0100] "GET /wordpress/wp-admin/ HTTP/1.1" 200 12905 "http://www.example.com/wordpress/wp-login.php"
84.55.41.57 - - [17/Apr/2019:07:00:32 +0100] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 454 "http://www.example.com/wordpress/wp-admin/"
84.55.41.57 - - [17/Apr/2019:07:00:58 +0100] "GET /wordpress/wp-admin/theme-editor.php HTTP/1.1" 200 20795 "http://www.example.com/wordpress/wp-admin/"
84.55.41.57 - - [17/Apr/2019:07:03:17 +0100] "GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentysixteen HTTP/1.1" 200 8092 "http://www.example.com/wordpress/wp-admin/theme-editor.php"
84.55.41.57 - - [17/Apr/2019:07:11:48 +0100] "GET /wordpress/wp-admin/plugin-install.php HTTP/1.1" 200 12459 "http://www.example.com/wordpress/wp-admin/plugin-install.php?tab=upload"
84.55.41.57 - - [17/Apr/2019:07:16:06 +0100] "GET /wordpress/wp-admin/update.php?action=install-plugin&plugin=file-manager&_wpnonce=3c6c8a7fca HTTP/1.1" 200 5698 "http://www.example.com/wordpress/wp-admin/plugin-install.php?tab=search&s=file+permission"
84.55.41.57 - - [17/Apr/2019:07:18:19 +0100] "GET /wordpress/wp-admin/plugins.php?action=activate&plugin=file-manager%2Ffile-manager.php&_wpnonce=bf932ee530 HTTP/1.1" 302 451 "http://www.example.com/wordpress/wp-admin/update.php?action=install-plugin&plugin=file-manager&_wpnonce=3c6c8a7fca"
84.55.41.57 - - [17/Apr/2019:07:21:46 +0100] "GET /wordpress/wp-admin/admin-ajax.php?action=connector&cmd=upload&target=l1_d3AtY29udGVudA&name%5B%5D=r57.php&FILES=&_=1460873968131 HTTP/1.1" 200 731 "http://www.example.com/wordpress/wp-admin/admin.php?page=file-manager_settings"
84.55.41.57 - - [17/Apr/2019:07:22:53 +0100] "GET /wordpress/wp-content/r57.php HTTP/1.1" 200 9036 "-"
84.55.41.57 - - [17/Apr/2019:07:32:24 +0100] "POST /wordpress/wp-content/r57.php?14 HTTP/1.1" 200 8030 "http://www.example.com/wordpress/wp-content/r57.php?14"
84.55.41.57 - - [17/Apr/2019:07:29:21 +0100] "GET /wordpress/wp-content/r57.php?29 HTTP/1.1" 200 8391 "http://www.example.com/wordpress/wp-content/r57.php?28"
84.55.41.57 - - [17/Apr/2019:07:57:31 +0100] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 949 "http://www.mywebsite.com/wordpress/wp-admin/admin.php?page=file-manager_settings"
Let's analyze these records in more detail.
The attacker requested the WordPress site's login page:
84.55.41.57 - GET /wordpress/wp-login.php 200
The attacker submitted the login form (a POST request) and was redirected (HTTP status 302).
84.55.41.57 - POST /wordpress/wp-login.php 302
The attacker was redirected to wp-admin (the WordPress administration backend), which means the attacker had successfully authenticated.
84.55.41.57 - GET /wordpress/wp-admin/ 200
The attacker opened the site's theme editor:
84.55.41.57 - GET /wordpress/wp-admin/theme-editor.php 200
The attacker tried to edit the 404.php file. Attackers frequently use this route to write malicious code into a theme file, but here it did not succeed because the file was not writable.
84.55.41.57 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentysixteen 200
The attacker then went to the plugin installer.
84.55.41.57 - GET /wordpress/wp-admin/plugin-install.php 200
The attacker installed and activated the file-manager plugin.
84.55.41.57 - GET /wordpress/wp-admin/update.php?action=install-plugin&plugin=file-manager&_wpnonce=3c6c8a7fca 200
84.55.41.57 - GET /wordpress/wp-admin/plugins.php?action=activate&plugin=file-manager%2Ffile-manager.php&_wpnonce=bf932ee530 200
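As an added example (not part of the original post), the script below automates the manual grep-and-read walkthrough above: it parses Apache combined-format lines and tags each stage of the chain (successful login, theme-editor access, plugin install, a file-manager upload of a .php file, and a direct hit on PHP under wp-content), grouped per client IP. The sample log lines are constructed, modelled on the excerpt above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "referer" ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Constructed sample lines modelled on the post's excerpt (not copied from a real server).
SAMPLE_LOG = """\
84.55.41.57 - - [17/Apr/2019:06:57:31 +0100] "POST /wordpress/wp-login.php HTTP/1.1" 302 1150 "-"
84.55.41.57 - - [17/Apr/2019:06:57:31 +0100] "GET /wordpress/wp-admin/ HTTP/1.1" 200 12905 "-"
84.55.41.57 - - [17/Apr/2019:07:03:17 +0100] "GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentysixteen HTTP/1.1" 200 8092 "-"
84.55.41.57 - - [17/Apr/2019:07:16:06 +0100] "GET /wordpress/wp-admin/update.php?action=install-plugin&plugin=file-manager HTTP/1.1" 200 5698 "-"
84.55.41.57 - - [17/Apr/2019:07:21:46 +0100] "GET /wordpress/wp-admin/admin-ajax.php?action=connector&cmd=upload&name%5B%5D=r57.php HTTP/1.1" 200 731 "-"
84.55.41.57 - - [17/Apr/2019:07:22:53 +0100] "GET /wordpress/wp-content/r57.php HTTP/1.1" 200 9036 "-"
10.0.0.5 - - [17/Apr/2019:07:30:00 +0100] "GET /wordpress/ HTTP/1.1" 200 4000 "-"
"""

def classify(rec):
    """Map one parsed request to an attack-chain stage, or None if it looks benign."""
    url = urlsplit(rec["path"])
    q = parse_qs(url.query)          # decodes name%5B%5D -> "name[]"
    p, m, s = url.path, rec["method"], rec["status"]
    if p.endswith("/wp-login.php") and m == "POST" and s == "302":
        return "login-success"       # 302 after the form POST = credentials accepted
    if p.endswith("/wp-admin/theme-editor.php"):
        return "theme-editor"        # editing theme PHP from the dashboard
    if p.endswith("/wp-admin/update.php") and q.get("action") == ["install-plugin"]:
        return "plugin-install:" + q.get("plugin", ["?"])[0]
    if p.endswith("/admin-ajax.php") and q.get("cmd") == ["upload"]:
        return "ajax-upload:" + q.get("name[]", ["?"])[0]
    if "/wp-content/" in p and p.endswith(".php") and s == "200":
        return "direct-php-in-wp-content"  # PHP served from an upload dir: likely a webshell
    return None

def attack_timeline(log_text):
    """Return {ip: [(time, stage), ...]} for every IP that hit a suspicious stage."""
    timeline = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                 # skip lines that are not in combined format
        stage = classify(m.groupdict())
        if stage:
            timeline[m["ip"]].append((m["time"], stage))
    return dict(timeline)

for ip, events in attack_timeline(SAMPLE_LOG).items():
    print(ip, *[f"\n  {t}  {stage}" for t, stage in events])
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; the benign 10.0.0.5 line is dropped, which is the point of the filter.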