Found signs of an attack on the server: UDP port scan
Recently I noticed abnormal network traffic on the server, so I set up network monitoring, which produced the log below. My questions are:
1. I'm not familiar with network attacks: does this count as a UDP flood? To me it looks more like a UDP port scan.
2. The server has a firewall whose rules only allow a few specified TCP ports, and the INPUT chain's default policy is DROP. Why can't the firewall stop this kind of attack?
Thanks in advance, I hope someone can help answer this.
UDP/591: 1 packets, 1500 bytes total, 0.00 kbits/s; 1 packets, 1500 bytes incoming, 0.00 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/284: 2 packets, 3000 bytes total, 0.01 kbits/s; 2 packets, 3000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/389: 2 packets, 3000 bytes total, 0.01 kbits/s; 2 packets, 3000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/133: 4 packets, 6000 bytes total, 0.01 kbits/s; 4 packets, 6000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/56: 5 packets, 7500 bytes total, 0.02 kbits/s; 5 packets, 7500 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.0
UDP/515: 6 packets, 9000 bytes total, 0.02 kbits/s; 6 packets, 9000 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/171: 1 packets, 1500 bytes total, 0.00 kbits/s; 1 packets, 1500 bytes incoming, 0.00 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/423: 4 packets, 6000 bytes total, 0.01 kbits/s; 4 packets, 6000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/891: 5 packets, 7500 bytes total, 0.02 kbits/s; 5 packets, 7500 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/31: 6 packets, 9000 bytes total, 0.02 kbits/s; 6 packets, 9000 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.0
UDP/24: 6 packets, 9000 bytes total, 0.02 kbits/s; 6 packets, 9000 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.0
UDP/30: 4 packets, 6000 bytes total, 0.01 kbits/s; 4 packets, 6000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.0
UDP/570: 6 packets, 9000 bytes total, 0.02 kbits/s; 6 packets, 9000 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/842: 3 packets, 4500 bytes total, 0.01 kbits/s; 3 packets, 4500 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/527: 8 packets, 12000 bytes total, 0.03 kbits/s; 8 packets, 12000 bytes incoming, 0.03 kbits/s; 0 packets, 0 bytes outgoing,
UDP/538: 5 packets, 7500 bytes total, 0.02 kbits/s; 5 packets, 7500 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/689: 5 packets, 7500 bytes total, 0.02 kbits/s; 5 packets, 7500 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/221: 2 packets, 3000 bytes total, 0.01 kbits/s; 2 packets, 3000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/19: 2 packets, 3000 bytes total, 0.01 kbits/s; 2 packets, 3000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.0
UDP/321: 4 packets, 6000 bytes total, 0.01 kbits/s; 4 packets, 6000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/105: 5 packets, 7500 bytes total, 0.02 kbits/s; 5 packets, 7500 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/932: 5 packets, 7500 bytes total, 0.02 kbits/s; 5 packets, 7500 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/170: 2 packets, 3000 bytes total, 0.01 kbits/s; 2 packets, 3000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/296: 9 packets, 13500 bytes total, 0.03 kbits/s; 9 packets, 13500 bytes incoming, 0.03 kbits/s; 0 packets, 0 bytes outgoing,
UDP/10: 5 packets, 7500 bytes total, 0.02 kbits/s; 5 packets, 7500 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.0
UDP/571: 5 packets, 7500 bytes total, 0.02 kbits/s; 5 packets, 7500 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/818: 7 packets, 10500 bytes total, 0.02 kbits/s; 7 packets, 10500 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing,
UDP/927: 3 packets, 4500 bytes total, 0.01 kbits/s; 3 packets, 4500 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/723: 3 packets, 4500 bytes total, 0.01 kbits/s; 3 packets, 4500 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/305: 1 packets, 1500 bytes total, 0.00 kbits/s; 1 packets, 1500 bytes incoming, 0.00 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/422: 5 packets, 7500 bytes total, 0.02 kbits/s; 5 packets, 7500 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/433: 6 packets, 9000 bytes total, 0.02 kbits/s; 6 packets, 9000 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/537: 8 packets, 12000 bytes total, 0.03 kbits/s; 8 packets, 12000 bytes incoming, 0.03 kbits/s; 0 packets, 0 bytes outgoing,
UDP/883: 6 packets, 9000 bytes total, 0.02 kbits/s; 6 packets, 9000 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/693: 4 packets, 6000 bytes total, 0.01 kbits/s; 4 packets, 6000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/88: 4 packets, 6000 bytes total, 0.01 kbits/s; 4 packets, 6000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.0
UDP/163: 1 packets, 1500 bytes total, 0.00 kbits/s; 1 packets, 1500 bytes incoming, 0.00 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/839: 5 packets, 7500 bytes total, 0.02 kbits/s; 5 packets, 7500 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/208: 4 packets, 6000 bytes total, 0.01 kbits/s; 4 packets, 6000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/116: 4 packets, 6000 bytes total, 0.01 kbits/s; 4 packets, 6000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/658: 6 packets, 9000 bytes total, 0.02 kbits/s; 6 packets, 9000 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/115: 2 packets, 3000 bytes total, 0.01 kbits/s; 2 packets, 3000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/161: 4 packets, 6000 bytes total, 0.01 kbits/s; 4 packets, 6000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/450: 1 packets, 1500 bytes total, 0.00 kbits/s; 1 packets, 1500 bytes incoming, 0.00 kbits/s; 0 packets, 0 bytes outgoing, 0.
This post was last edited by blackjack550 on 2012-06-20 13:46
Firewall configuration:
(attachment hidden)

I don't really understand this. I use Rising firewall; it intercepts any attacks, so I've never really looked into it.

Try switching to Rising firewall and see if that helps.

Reply to #4 中不央

Does Rising firewall guarantee an instant resurrection...

I have to say it's already resolved. The problem came from the WordPress site template, which had a vulnerability in its cache handling that allowed malicious code to be written in; the attacker then executed a script to take control and launch attacks outward. After discovering this I deleted the script right away and changed the permissions on the cache directory, which has mitigated it for now.

How did you confirm it was an attack? Can you describe it in detail?

This post was last edited by blackjack550 on 2012-08-21 11:03
mengchang posted on 2012-08-17 11:08:
How did you confirm it was an attack? Can you describe it in detail?
My method is fairly clumsy. First, check whether the server has any unknown ports open; since the burst may only last a few minutes, sample periodically. Something like iptraf will do.
I found some inexplicable open UDP ports and suspected a UDP flood.
Then I used iptraf again to record the connection state while the UDP flood was happening.
Filtering and sifting the sampled results showed that all the connections were attacking a single IP in Indonesia.
Then I used that IP address to search the contents of the files on the website; I was lucky enough to find the malicious script directly. I also found several PHP file-browser scripts.
Actually, if your site uses a service like 日志宝 or 安全宝, it is quite easy to confirm whether the site contains malicious script links.
Hope this helps.

Thank you very much for the reply, I learned a lot. My QQ is 1091262364; I hope to have more chances to learn from you.
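As an added example (not code from the thread or from iptraf), the script below automates the first step of the sampling method described above: it parses per-port summary lines in the exact format quoted in the first post and reports the indicators that separate a sweep of closed UDP ports from a volumetric flood. The sample input is a constructed subset of the lines in the thread (including their cut-off trailing field) plus one TCP line added for contrast; the thresholds in classify() (10 unanswered ports, at most 20 packets per port, 1000 kbit/s) are assumptions to tune for your own link. Note for the second question in the thread: a sniffer such as iptraf counts frames as they arrive on the interface, before the INPUT chain decides to DROP them, so a DROP policy silences replies but does not make the incoming packets disappear from these counters.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of the per-port lines quoted in the thread
# (their trailing outgoing-rate field is truncated there too) plus one
# TCP line added here so the filter has something to ignore.
SAMPLE_LOG = """\
UDP/591: 1 packets, 1500 bytes total, 0.00 kbits/s; 1 packets, 1500 bytes incoming, 0.00 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/284: 2 packets, 3000 bytes total, 0.01 kbits/s; 2 packets, 3000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/389: 2 packets, 3000 bytes total, 0.01 kbits/s; 2 packets, 3000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/133: 4 packets, 6000 bytes total, 0.01 kbits/s; 4 packets, 6000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/56: 5 packets, 7500 bytes total, 0.02 kbits/s; 5 packets, 7500 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.0
UDP/515: 6 packets, 9000 bytes total, 0.02 kbits/s; 6 packets, 9000 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/171: 1 packets, 1500 bytes total, 0.00 kbits/s; 1 packets, 1500 bytes incoming, 0.00 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/423: 4 packets, 6000 bytes total, 0.01 kbits/s; 4 packets, 6000 bytes incoming, 0.01 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/891: 5 packets, 7500 bytes total, 0.02 kbits/s; 5 packets, 7500 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.
UDP/31: 6 packets, 9000 bytes total, 0.02 kbits/s; 6 packets, 9000 bytes incoming, 0.02 kbits/s; 0 packets, 0 bytes outgoing, 0.0
UDP/527: 8 packets, 12000 bytes total, 0.03 kbits/s; 8 packets, 12000 bytes incoming, 0.03 kbits/s; 0 packets, 0 bytes outgoing,
UDP/296: 9 packets, 13500 bytes total, 0.03 kbits/s; 9 packets, 13500 bytes incoming, 0.03 kbits/s; 0 packets, 0 bytes outgoing,
TCP/22: 120 packets, 18000 bytes total, 0.04 kbits/s; 60 packets, 9000 bytes incoming, 0.02 kbits/s; 60 packets, 9000 bytes outgoing, 0.02 kbits/s
"""

# Matches up to "bytes outgoing" so lines whose tail was cut off still parse.
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)/(?P<port>\d+): "
    r"(?P<tot_pkts>\d+) packets, (?P<tot_bytes>\d+) bytes total, (?P<tot_rate>[\d.]+) kbits/s; "
    r"(?P<in_pkts>\d+) packets, (?P<in_bytes>\d+) bytes incoming, (?P<in_rate>[\d.]+) kbits/s; "
    r"(?P<out_pkts>\d+) packets, (?P<out_bytes>\d+) bytes outgoing"
)


@dataclass
class PortStat:
    proto: str
    port: int
    in_pkts: int
    in_bytes: int
    in_rate_kbps: float
    out_pkts: int
    out_bytes: int


def parse_port_stats(text: str) -> List[PortStat]:
    """Parse per-port summary lines; unrecognised lines are skipped, not guessed at."""
    stats = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stats.append(PortStat(m["proto"], int(m["port"]), int(m["in_pkts"]), int(m["in_bytes"]),
                              float(m["in_rate"]), int(m["out_pkts"]), int(m["out_bytes"])))
    return stats


def udp_summary(stats: List[PortStat]) -> Dict[str, object]:
    """Indicators of a sweep: many distinct UDP ports, no reply on any of them,
    a handful of packets each, all of one constant (here MTU-sized) length."""
    udp = [s for s in stats if s.proto == "UDP"]
    return {
        "udp_ports": len(udp),
        "unanswered_ports": sum(1 for s in udp if s.out_pkts == 0),
        "max_pkts_per_port": max((s.in_pkts for s in udp), default=0),
        "incoming_pkts": sum(s.in_pkts for s in udp),
        "incoming_kbps": round(sum(s.in_rate_kbps for s in udp), 2),
        "packet_sizes": sorted({s.in_bytes // s.in_pkts for s in udp if s.in_pkts}),
    }


def classify(summary: Dict[str, object], min_ports: int = 10,
             max_pkts_per_port: int = 20, flood_kbps: float = 1000.0) -> str:
    """Thresholds are assumptions for illustration; tune them to the link size."""
    if summary["incoming_kbps"] >= flood_kbps:
        return "udp-flood"          # volume is the problem, regardless of port spread
    if summary["unanswered_ports"] >= min_ports and summary["max_pkts_per_port"] <= max_pkts_per_port:
        return "udp-port-sweep"     # many closed ports probed lightly, nothing answered
    return "no-pattern"


if __name__ == "__main__":
    s = udp_summary(parse_port_stats(SAMPLE_LOG))
    print(s)
    print(classify(s))
```

Feed it the output of a periodic iptraf sample (as the method above suggests) and keep the per-sample verdict alongside a timestamp; a sweep that repeats at fixed intervals, or one that turns into unanswered outbound traffic toward a single destination, is the point at which to look for a compromised script rather than at the firewall.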