
Site Logs and PHP protection

I was checking my logs and noticed the following:

[Tue Apr 02 16:12:02 2013] [error] [client 31.181.33.208] File does not exist:/xxx/join.php+++++++++++++++++++++++++++++++++++++++++++++++++++Result:+\xed\xe5+\xed\xe0\xf8\xeb\xee\xf1\xfc+\xf4\xee\xf0\xec\xfb+\xe4\xeb\xff+\xee\xf2\xef\xf0\xe0\xe2\xea\xe8;, referer: http://www.edrobe.com/join.php+++++++++++++++++++++++++++++++++++++++++++++++++++Result:+%ed%e5+%ed%e0%f8%eb%ee%f1%fc+%f4%ee%f0%ec%fb+%e4%eb%ff+%ee%f2%ef%f0%e0%e2%ea%e8%3b

I have never seen anything like this. Should I be worried? Is there anything I can do to prevent such code from being run on my site?

Thanks

The error indicates that someone was trying to hit /xxx/join.php and pass it some unusual data.

The good news is:

That file doesn't exist, so this action didn't really result in anything useful for them.

The bad news is:

They'll likely try other things (as will others).

Things to consider

  • Sanitizing user input is a good idea.
  • Protecting folders where you allow uploads is a good idea (both with permissions and via your web server config).
  • You can also use a firewall to block traffic from this IP and/or a range of IPs.

The comment by 'dirt' is very bad advice.

It's very difficult to validate input before it gets to your application logic - and by then the vulnerability which your example targets has already been exploited. You should NEVER sanitize input (for multiple reasons) - either accept it or reject it - but you must always sanitize output.

Mostly, stuff you see in your logs is failed attempts at compromising your system (a successful attack doesn't leave evidence behind). But detecting failed attacks is a very useful way of preventing successful attacks - if you're running on Unix/Linux, fail2ban can monitor your logs for abnormalities and inject firewall rules to block that client.

Don't waste your time on a knee-jerk response to a single incident. If you're serious about the security of your site, then the best advice is to plan how to protect your site, plan how you will detect if you have been compromised, and plan for how you get the service back online after it has been compromised.

There's a lot of useful stuff on setting up a secure server at SANS and OWASP. This should be essential reading for anyone plugging a server into the internet. Specifically for PHP, have a look at Suhosin.

If you're on a shared host and only have access to .htaccess, then you have no security - all you can do is pester your service provider to implement proper security measures and re-upload your site when it gets defaced.
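The log-watching approach this answer describes, as an added example (not from the answer, and not fail2ban's own filter code): parse Apache 2.2 error_log lines of the kind quoted in the question, flag "File does not exist" entries whose path or referer carries a payload rather than a plain missing file, and group them by client IP so a firewall rule can be derived. The sample log is constructed from the question's own line (with the runs of '+' shortened) plus a benign 404, and the Windows-1251 charset used to decode the referer is my assumption.

```python
import re
from urllib.parse import unquote_plus

# Apache 2.2 error_log layout, as in the line quoted in the question:
#   [date] [error] [client IP] File does not exist: PATH, referer: URL
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"File does not exist:\s*(?P<path>.+?)(?:, referer: (?P<ref>\S+))?$"
)

# Constructed sample: the question's line (runs of '+' shortened) and a benign 404.
SAMPLE_LOG = [
    r"[Tue Apr 02 16:12:02 2013] [error] [client 31.181.33.208] File does not exist:"
    r"/xxx/join.php++++++Result:+\xed\xe5+\xed\xe0\xf8\xeb\xee\xf1\xfc+\xf4\xee\xf0\xec\xfb+\xe4\xeb\xff"
    r"+\xee\xf2\xef\xf0\xe0\xe2\xea\xe8;, referer: http://www.edrobe.com/join.php++++++Result:+%ed%e5"
    r"+%ed%e0%f8%eb%ee%f1%fc+%f4%ee%f0%ec%fb+%e4%eb%ff+%ee%f2%ef%f0%e0%e2%ea%e8%3b",
    "[Tue Apr 02 16:13:10 2013] [error] [client 203.0.113.7] File does not exist: /var/www/favicon.ico",
]

def parse_line(line):
    """Return the fields of one 'File does not exist' line, or None for any other line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(rec):
    """A 404 for a missing file is routine; a 'file name' that carries a payload is not."""
    if "+++++" in rec["path"] or "+++++" in (rec["ref"] or ""):
        return True  # runs of '+' are URL-encoded spaces, which no real file name contains
    if re.search(r"\\x[0-9a-f]{2}", rec["path"], re.I):
        return True  # Apache writes non-printable bytes in the path as \xNN escapes
    return False

def decode_referer(ref, charset="cp1251"):
    """Undo the URL encoding; charset is an assumption (the %xx bytes fit Windows-1251)."""
    return unquote_plus(ref, encoding=charset, errors="replace")

def scan(lines):
    """Map each offending client IP to the paths it asked for (what a fail2ban jail would act on)."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.setdefault(rec["ip"], []).append(rec["path"])
    return hits

if __name__ == "__main__":
    for ip, paths in scan(SAMPLE_LOG).items():
        print(ip, paths)
    print(decode_referer(parse_line(SAMPLE_LOG[0])["ref"]))
```

Decoded, the referer tail reads "Result: не нашлось формы для отправки;" ("no form found for submission"), which reads like the status message of an automated form-submission tool rather than anything aimed at this site in particular.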

All you can do is protect your site as well as possible. Unless you specifically are being targeted, an attacker will just move on to a less protected site.

Some recommendations:

Use regular expressions. This limits the possible input a user can submit. In the new HTML5 you can add a pattern parameter to your input tags. For example:

<!-- maxlength caps the length; pattern is checked by the browser before the form is submitted -->
<input type="tel" name="phone" maxlength="20" pattern="\d{3}[\-]\d{3}[\-]\d{4}">

HTML5 also has new input types, but these are not supported by all browsers yet, so it is good to include patterns. HTML5Pattern.com has common patterns for various input types. As you might have noticed, you can also limit the length of the input. If you know the input cannot be longer than X characters, don't allow users to input more than X characters.

If your user input is being stored in a database, PHP database extensions have functions to escape strings. Thus any special alt code characters or functions will not be executed but entered as a literal string.

For PostgreSQL: pg_escape_string()
For MySQL: mysql_real_escape_string()

Other functions exist, such as stripslashes(), that remove the slashes from input, thus disabling special characters.

Follow the above and you've prevented:
- bad input from being submitted
- submitted bad input invalidated
- protected your database from SQL injections

You can also configure your server to block IP addresses that attacks are originating from. If your server is on Linux, this reference guide (pdf) has very useful information.
