After the WordPress theme scan, now a plugin scan

The log entry is as follows:

[Tue Feb 14 16:32:15 2012] [error] [client 91.196.216.59] File does not exist: /var/www/blog.dword1511.info/wp-content/plugins/ANNOtype

This time the attacker was smarter: instead of probing every vulnerable plugin in one pass, he probed just one. That is harder to notice in the logs, and a single blocked request does not give the whole scan away.

But the IP that ran the earlier theme scan is this very same IP, 91.196.216.59. Unless this is a compromised box (reusing the same address would be a fairly serious mistake)...

dword@dword1511:~$ nslookup 91.196.216.59 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53
** server can't find 59.216.196.91.in-addr.arpa: SERVFAIL

A reverse lookup that comes back SERVFAIL is itself a bad sign.

dword@dword1511:~$ traceroute 91.196.216.59
traceroute to 91.196.216.59 (91.196.216.59), 30 hops max, 60 byte packets
[...]
4 10gigabitethernet1-2.core1.lon1.he.net (72.52.92.242) 134.037 ms 133.980 ms 134.297 ms
5 1Gbrnlinx-ex.citytelecom.ru (195.66.225.48) 147.495 ms 148.049 ms 148.552 ms
6 te4-2-740-altera.spb.citytelecom.ru (217.65.1.229) 183.476 ms 174.466 ms 174.116 ms
7 te4-4-adelaida.spb.citytelecom.ru (217.65.1.201) 175.722 ms 175.790 ms 175.708 ms
8 62.152.42.134 (62.152.42.134) 174.795 ms 174.794 ms 174.778 ms
9 91.196.216.59 (91.196.216.59) 216.566 ms 217.322 ms *

Looks like it comes from Russia, that hacker powerhouse.

dword@dword1511:~$ whois 91.196.216.59
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '91.196.216.0 - 91.196.219.255'
inetnum: 91.196.216.0 - 91.196.219.255
netname: SPETSENERGO-NET
descr: SpetsEnergo Ltd.
country: RU
org: ORG-SL138-RIPE
admin-c: KDS23-RIPE
tech-c: KDS23-RIPE
remarks: SPAM issues: abuse@specenergo2.ru
remarks: Network security issues: abuse@specenergo2.ru
remarks: General and other information: info@specenergo2.ru
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: MNT-SPETSENERGO
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: MNT-SPETSENERGO
mnt-domains: MNT-SPETSENERGO
source: RIPE # Filtered

organisation: ORG-SL138-RIPE
org-name: SpetsEnergo Ltd.
tech-c: KDS23-RIPE
admin-c: KDS23-RIPE
remarks: SPAM issues: abuse@specenergo2.ru
remarks: Network security issues: abuse@specenergo2.ru
remarks: General and other information: info@specenergo2.ru
org-type: OTHER
address: Russia, 127422, Moscow, Timiryazevskaya st, 11
mnt-ref: MNT-SPETSENERGO
mnt-by: MNT-SPETSENERGO
source: RIPE # Filtered

person: Kruchkov Dmitry Sergeevich
address: Russia, 127422, Moscow, Timiryazevskaya st, 11
abuse-mailbox: abuse@specenergo2.ru
phone: +7 916 959 2268
nic-hdl: KDS23-RIPE
source: RIPE # Filtered
mnt-by: MNT-SPETSENERGO

% Information related to '91.196.216.0/22AS43239'

route: 91.196.216.0/22
descr: SPETSENERGO
origin: AS43239
mnt-by: MNT-SPETSENERGO
source: RIPE # Filtered

So it really is Russian, though I am not familiar with the carriers over there.

A later Google search turned up that this IP has registered a large number of free domains and has a history of hosting all sorts of malware; it has been notorious for a long time.

PS: while I am at it, a complaint about 58.218.199.227, a Jiangsu Telecom IP that keeps trying to use my machine as an HTTP proxy. I would not rule out that it is some [bleep]'s scanner.
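The two behaviours described in this post (a single "File does not exist" probe under wp-content/plugins or wp-content/themes, and a remote host trying to use the server as an open HTTP proxy) can both be picked out of the Apache logs with a small script. The following is an added example written for this page, not code from the post's author; it parses the error_log format shown above and a standard combined access_log format, and the sample lines other than the one quoted in the post are constructed, using documentation IP ranges (203.0.113.0/24, 198.51.100.0/24). It does no DNS or whois lookups, so it runs offline.

```python
import re
from collections import defaultdict

# Apache 2.2-style error_log line as quoted in the post; the optional ":port"
# suffix also accepts the Apache 2.4 "[client ip:port]" form.
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)(?::\d+)?\] "
    r"File does not exist: (?P<path>\S+)"
)

# Combined access_log line (constructed format, not from the post).
ACCESS_LINE = re.compile(
    r'^(?P<ip>[0-9.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# A 404 for a component directory under wp-content is a theme/plugin existence probe.
WP_PROBE = re.compile(r"/wp-content/(plugins|themes)/([^/]+)")

# Sample input: first line is the real entry from the post, the rest are constructed.
ERROR_SAMPLE = [
    "[Tue Feb 14 16:32:15 2012] [error] [client 91.196.216.59] File does not exist: "
    "/var/www/blog.dword1511.info/wp-content/plugins/ANNOtype",
    "[Tue Feb 14 16:40:02 2012] [error] [client 203.0.113.7] File does not exist: "
    "/var/www/blog.dword1511.info/favicon.ico",
    "[Tue Feb 14 16:41:30 2012] [error] [client 203.0.113.7] File does not exist: "
    "/var/www/blog.dword1511.info/wp-content/uploads/missing.png",
]

# Constructed access_log lines: an absolute-URI GET and a CONNECT are proxy attempts.
ACCESS_SAMPLE = [
    '198.51.100.21 - - [14/Feb/2012:17:02:11 +0800] "GET http://example.com/ HTTP/1.1" 404 256',
    '203.0.113.7 - - [14/Feb/2012:17:03:00 +0800] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.21 - - [14/Feb/2012:17:05:45 +0800] "CONNECT example.com:443 HTTP/1.1" 405 0',
]


def wp_probes(error_lines):
    """Map client IP -> list of 'plugins/<name>' or 'themes/<name>' that were requested but do not exist."""
    hits = defaultdict(list)
    for line in error_lines:
        m = ERROR_LINE.match(line)
        if not m:
            continue
        probe = WP_PROBE.search(m.group("path"))
        if probe:
            hits[m.group("ip")].append(f"{probe.group(1)}/{probe.group(2)}")
    return dict(hits)


def proxy_attempts(access_lines):
    """Map client IP -> number of requests that only make sense against an open proxy."""
    counts = defaultdict(int)
    for line in access_lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        target = m.group("target").lower()
        if m.group("method") == "CONNECT" or target.startswith(("http://", "https://")):
            counts[m.group("ip")] += 1
    return dict(counts)


def suspicious_ips(error_lines, access_lines):
    """Combine both detectors into {ip: [reason, ...]}.

    A single wp-content probe is enough to flag an IP: the 'one plugin at a time'
    scan in the post is designed to stay below count-based thresholds, so the
    signal here is the path pattern, not the volume.
    """
    findings = defaultdict(list)
    for ip, names in wp_probes(error_lines).items():
        findings[ip].append(f"probed missing wp-content path(s): {', '.join(names)}")
    for ip, n in proxy_attempts(access_lines).items():
        findings[ip].append(f"{n} open-proxy request(s)")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in suspicious_ips(ERROR_SAMPLE, ACCESS_SAMPLE).items():
        print(ip)
        for r in reasons:
            print("   ", r)
```

The ordinary 404s from 203.0.113.7 (a missing favicon and a missing upload) are not reported, while the single ANNOtype probe is. In practice the output feeds a block list or a fail2ban-style rule; the reverse-DNS and whois checks the post does by hand are a separate, network-dependent step.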
