
Hi, I got a message from my provider saying that my server is part of a DDoS botnet. So I looked into my Docker containers and found some compromised ones (jitsi-meet-web (https://github.com/jitsi/docker-jitsi-meet), nextcloud (https://hub.docker.com/_/nextcloud) and an nginx container (https://hub.docker.com/_/nginx)). Someone tried to inject insecure WordPress files via GET requests.

My question is: how is this possible, and what can I do to prevent it from happening again?

The containers for Jira, Confluence and Oracle DB & ORDS are clean/fine.

My server runs as a reverse proxy.

Logs:

Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:10:51 +0000] "GET /wp-content/config.bak.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:10:56 +0000] "GET /wp-includes/config.bak.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:01 +0000] "GET /wp-content/themes/config.bak.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:05 +0000] "GET /wp-content/plugins/config.bak.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:13 +0000] "GET /wp-includes/css/wp-config.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:17 +0000] "GET /wp-content/plugins/ubh/up.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.

198.98.55.220 - - [10/Oct/2021:09:13:11 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 404 154 "-" "python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.35.1.el6.x86_64" "-"
172.17.0.1 - - [10/Oct/2021:09:15:43 +0000] "GET /wp-admin/css/ HTTP/1.1" 404 556 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "23.146.241.19"
172.17.0.1 - - [10/Oct/2021:09:15:55 +0000] "GET /.well-known/ HTTP/1.1" 404 556 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "23.146.241.19"
172.17.0.1 - - [10/Oct/2021:09:16:09 +0000] "GET /sites/default/files/ HTTP/1.1" 404 556 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "23.146.241.19"
172.17.0.1 - - [10/Oct/2021:09:16:30 +0000] "GET /admin/controller/extension/extension/ HTTP/1.1" 404 556 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "23.146.241.19"
172.17.0.1 - - [10/Oct/2021:09:16:41 +0000] "GET /uploads/ HTTP/1.1" 404 556 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "23.146.241.19"
172.17.0.1 - - [10/Oct/2021:09:16:50 +0000] "GET /images/ HTTP/1.1" 404 556 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "23.146.241.19"
172.17.0.1 - - [10/Oct/2021:09:17:02 +0000] "GET /files/ HTTP/1.1" 404 556 "binance.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "23.146.241.19"
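A small added script (not from the question or the answer) that parses log lines in the format shown above. Its points: the leading 172.17.0.1 is the docker0 bridge address of the reverse proxy, so the real client is the trailing X-Forwarded-For field (falling back to the remote address when that field is "-"), and a client whose 404s cluster on CMS paths the host never served is an opportunistic scanner. Such bursts are worth flagging, but they do not by themselves show how the containers were compromised. The regex, the probe-path markers, the threshold and the abbreviated sample lines (user agents shortened, 203.0.113.5 is a documentation address) are constructed for this example.

```python
import re
from collections import defaultdict

# nginx "combined" format with "$http_x_forwarded_for" appended as the last
# quoted field, matching the shape of the question's log lines.
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<forwarded>[^"]*)"$'
)

# Path fragments that only exist on WordPress / Drupal / OpenCart installs;
# repeated 404s on them from one client are scanning, not legitimate traffic.
PROBE_MARKERS = ("/wp-", "config.bak", "/sites/default/", "/admin/controller/")

# Constructed sample modelled on the question's output (user agents shortened).
SAMPLE_LOG = """\
172.17.0.1 - - [16/Sep/2021:18:10:51 +0000] "GET /wp-content/config.bak.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:10:56 +0000] "GET /wp-includes/config.bak.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:11:17 +0000] "GET /wp-content/plugins/ubh/up.php HTTP/1.1" 404 556 "anonymousfox.co" "Mozilla/5.0" "184.164.70.7"
172.17.0.1 - - [16/Sep/2021:18:12:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "203.0.113.5"
198.98.55.220 - - [10/Oct/2021:09:13:11 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 404 154 "-" "python-requests/2.6.0" "-"
172.17.0.1 - - [10/Oct/2021:09:15:43 +0000] "GET /wp-admin/css/ HTTP/1.1" 404 556 "binance.com" "Mozilla/5.0" "23.146.241.19"
172.17.0.1 - - [10/Oct/2021:09:16:09 +0000] "GET /sites/default/files/ HTTP/1.1" 404 556 "binance.com" "Mozilla/5.0" "23.146.241.19"
172.17.0.1 - - [10/Oct/2021:09:16:41 +0000] "GET /uploads/ HTTP/1.1" 404 556 "binance.com" "Mozilla/5.0" "23.146.241.19"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match.
    The 'client' key holds the real source: X-Forwarded-For when the request
    came through the proxy, otherwise the remote address itself."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["client"] = rec["forwarded"] if rec["forwarded"] not in ("", "-") else rec["remote"]
    return rec


def summarize(log_text, threshold=3):
    """Count 404 responses on CMS-style probe paths per client and return
    {client: {"probes": n, "paths": [...]}} for clients at or above threshold."""
    per_client = defaultdict(lambda: {"probes": 0, "paths": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == "404" and any(mk in rec["path"] for mk in PROBE_MARKERS):
            entry = per_client[rec["client"]]
            entry["probes"] += 1
            entry["paths"].append(rec["path"])
    return {ip: v for ip, v in per_client.items() if v["probes"] >= threshold}


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {info['probes']} probe 404s, e.g. {info['paths'][:3]}")
```

Point `summarize` at the text of the nginx access log instead of `SAMPLE_LOG` to run it on a real file; lines that do not match the format (a different log_format, for instance) are skipped rather than counted.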


1 Answer


Most likely the Docker REST API on port 2375 was used.

https://www.bleepingcomputer.com/news/security/teamtnt-hackers-target-your-poorly-configured-docker-servers/

answered 2021-11-11T13:44:53.027
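A configuration check for the exposure the answer names, added here as an example (it is not the answerer's code and not a Docker tool). It reads the Docker daemon's listeners either from the `hosts` key of `daemon.json` or from the `-H`/`--host` arguments on a `dockerd` command line, and reports any `tcp://` listener that is not protected by `tlsverify` (the unauthenticated port-2375 setup) or that is bound to every interface. The weak command line, the hardened `daemon.json` and the certificate paths in it are constructed placeholders.

```python
import json
import shlex


def hosts_from_daemon_json(text):
    """Return (hosts, tlsverify) from the body of /etc/docker/daemon.json."""
    cfg = json.loads(text)
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def hosts_from_cmdline(cmdline):
    """Return (hosts, tlsverify) from a dockerd command line, e.g. the ExecStart
    of the systemd unit or the output of `ps -o args= -C dockerd`."""
    argv = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("-H=") or arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def audit(hosts, tlsverify):
    """Return one finding per risky tcp:// listener. An empty list means the API
    is reachable only through local sockets, or through TLS with client
    certificates on a specific (non-wildcard) address."""
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local to the host
        bind, _, port = h[len("tcp://"):].rpartition(":")
        if not tlsverify:
            findings.append(
                f"{h}: API reachable over plain TCP without client-certificate "
                f"verification (the port-2375 exposure)")
        elif bind in ("", "0.0.0.0", "[::]", "::"):
            findings.append(
                f"{h}: TLS client auth is on, but the API listens on all "
                f"interfaces; bind a specific address or firewall port {port}")
    return findings


# Constructed examples: the weak line mirrors the exposure the answer names;
# the hardened file keeps the API on a loopback TLS listener with client certs.
WEAK_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, (hosts, tls) in (("weak", hosts_from_cmdline(WEAK_CMDLINE)),
                                ("hardened", hosts_from_daemon_json(HARDENED_DAEMON_JSON))):
        print(label, audit(hosts, tls) or ["no exposed listener"])
```

Feed `hosts_from_daemon_json` the contents of `/etc/docker/daemon.json` and `hosts_from_cmdline` the running `dockerd` arguments; both sources matter because Docker refuses to start when `hosts` is set in both places, so whichever one is in use is the one to audit. A listener that passes the check can still be reached if a firewall rule forwards the port, so the audit complements rather than replaces a port scan from outside.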