win2003“自动”关机？

 

 

中午，一朋友打电话说，他的win2003服务器自动关机了。问清楚电源没问题后我莫名其妙，好好的机器怎么可能会关机。

 

登录服务器一看，上面真是乱七八糟，什么nginx、apache都有，web目录好几个。直奔事件查看器查看，里面有很多醒目的mysql错误，但这肯定不是问题原因。登录日志里也没异常登录，系统日志里也没严重错误，好吧，我可以基本肯定日志被人清理过了。

 

问他们服务器几点关机的，说不知道，但是凌晨2点时候应该是正常的。我看了下apache的错误日志：

 

 

[Sat Feb 25 05:36:41 2012] [error] [client 116.77.33.59] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sat Feb 25 05:36:47 2012] [error] [client 222.52.118.157] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sat Feb 25 05:50:43 2012] [error] [client 223.198.130.154] File does not exist: E:/web***/**/**, referer: http://www.627s.com/?id=13
[Sat Feb 25 05:50:49 2012] [error] [client 223.198.130.154] File does not exist: E:/web***/footbg.png, referer: http://www.627s.com/?id=13
[Sat Feb 25 12:20:53 2012] [warn] pid file D:/Program Files/phpStudy/Apache2/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
PHP Deprecated:  Directive 'register_globals' is deprecated in PHP 5.3 and greater in Unknown on line 0
<br />
<b>Deprecated</b>:  Directive 'register_globals' is deprecated in PHP 5.3 and greater in <b>Unknown</b> on line <b>0</b><br />
[Sat Feb 25 12:20:54 2012] [notice] Apache/2.2.21 (Win32) PHP/5.3.8 configured -- resuming normal operations
[Sat Feb 25 12:20:54 2012] [notice] Server built: Sep  9 2011 10:26:10
[Sat Feb 25 12:20:54 2012] [notice] Parent: Created child process 1552
PHP Deprecated:  Directive 'register_globals' is deprecated in PHP 5.3 and greater in Unknown on line 0
<br />
<b>Deprecated</b>:  Directive 'register_globals' is deprecated in PHP 5.3 and greater in <b>Unknown</b> on line <b>0</b><br />
[Sat Feb 25 12:20:54 2012] [notice] Child 1552: Child process is running
[Sat Feb 25 12:20:54 2012] [notice] Child 1552: Acquired the start mutex.

 

 

 

很明显，web服务在5点50分时候还在正常服务，12点20又启动的机器。然后我对照了一下事件查看器里记录，在12点20之前没有当天的任何日志记录，并且昨天的日志也有部分被删除。由此可以百分百断定，系统日志是被人清除了。系统也可能是被入侵了。

 

然而后面的几个web日志让我有点疑惑：

 

Sat Feb 25 12:54:35 2012] [error] [client 49.81.37.173] (22)Invalid argument: Cannot map GET /\xc1\xe9\xb5\xdb\xb2\xb9\xb6\xa1.rar HTTP/1.1 to file, referer: http://www.**.com/
[Sat Feb 25 12:54:46 2012] [error] [client 49.81.37.173] (22)Invalid argument: Cannot map GET /\xc1\xe9\xb5\xdb\xb2\xb9\xb6\xa1.rar HTTP/1.1 to file, referer: http://www.**.com/
[Sat Feb 25 12:54:56 2012] [error] [client 49.81.37.173] (22)Invalid argument: Cannot map GET /\xc1\xe9\xb5\xdb\xb2\xb9\xb6\xa1.rar HTTP/1.1 to file, referer: http://www.**.com/
[Sat Feb 25 12:55:07 2012] [error] [client 49.81.37.173] (22)Invalid argument: Cannot map GET /\xc1\xe9\xb5\xdb\xb2\xb9\xb6\xa1.rar HTTP/1.1 to file, referer: http://www.**.com/
[Sat Feb 25 12:55:20 2012] [error] [client 49.81.37.173] (22)Invalid argument: Cannot map GET /\xc1\xe9\xb5\xdb\xb2\xb9\xb6\xa1.rar HTTP/1.1 to file, referer: http://www.**.com/
[Sat Feb 25 12:55:39 2012] [error] [client 49.81.37.173] (22)Invalid argument: Cannot map GET /\xc1\xe9\xb5\xdb\xb2\xb9\xb6\xa1.rar HTTP/1.1 to file, referer: http://www.**.com/
[Sat Feb 25 12:57:20 2012] [error] [client 49.81.37.173] (22)Invalid argument: Cannot map GET /\xc1\xe9\xb5\xdb\xb2\xb9\xb6\xa1.rar HTTP/1.1 to file, referer: http://www.**.com/

 

反正知道攻击者和**.com这个网站有关系，至于是搞的什么，我就不清楚了。

至于一开始说的自动关机，不知道什么原因，或者是黑客不小心误点，或许黑客删除日志痕迹的软件需要关机，或许他不小心运行了什么高级玩意，都未可知。但可以肯定的是，这机器已经归人家管理了。