Website Hit by Malicious Traffic

source link: https://seo.g2soft.net/2023/05/03/one-attack-from-spam.html

Author: David Yin


Last updated: May 3, 2023 | First published: May 3, 2023 | Category: Occasional Gossip


Today I found the site was down, showing a 404. I logged into the server and restarted the service; it came back for a few seconds and then went down again. So I guessed that one of the sites was being hit by malicious traffic, in other words attacked. I checked CPU usage: it was at 100%.

This site lives on a VPS at Vultr together with several other sites, so which one was being attacked?

I keep a separate access log for each site. A quick look showed that one site was getting far more hits than usual.

[image: Screenshot 2023-05-03 152617.png]

Yes, it was the phpBB Simplified Chinese site. I have been maintaining the Simplified Chinese language pack for phpBB for a long time, and to make it easier for others I set up this Chinese support community to publish new versions of the language pack and full install packages and to answer questions. Traffic is normally tiny: roughly twenty to thirty thousand visitors a month and around two hundred thousand page views. Yet in just the first three or four days of May, page views had already passed 1.7 million. That is far too much.

Looking at the log file in detail, the bulk of these requests came from mainland China, from Chongqing, in the network range around IP address 183.69.137.71, a few dozen IP addresses in all. My approach to this has always been simple and blunt: block them. Normally I do the blocking in the Nginx configuration file, but because phpBBchinese sits behind Cloudflare, I went to Cloudflare's Security > WAF > IP Access Rules and added a rule there.

[image: Screenshot 2023-05-03 153425.png]

After adding the rule I restarted the Nginx web server, and when I looked at CPU usage again it had calmed right down.

[image: Screenshot 2023-05-03 153651.png]

Looking back, the log file shows things had been abnormal since April 29. The volume was still small then and did not take the site down, but this morning it grew and grew, and once the CPU was pegged the site became completely unreachable.

I have no idea which bored expert decided to attack a harmless, self-contented Simplified Chinese language support forum. Since the block covers the whole network range, it will certainly catch some innocent visitors too; my apologies to them, that is collateral damage.

Here is a slice of the access log. Within a very short time, several adjacent IP addresses, using different User-Agent strings, requested many different URLs.

183.69.137.90 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=36&sid=1369bf1dc602a22cf69e5e17819256c9 HTTP/2.0" 403 166 - "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
183.69.137.80 [03/May/2023:15:13:08 -0700] "GET /./ucp.php?mode=privacy&sid=947f2ace9123fbc7154d97a42ddfffd9 HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=13&sid=454924af7515f89b8af53ee00e47cae3 HTTP/2.0" 403 166 - "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.0 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=36&sid=778a5ff6b9b638717f473b8f9924f656 HTTP/2.0" 403 106 - "Mozilla/5.0 (Windows NT 10.0; rv:35.0) Gecko/20100101 Firefox/35.0"
183.69.137.80 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=34&sid=3b7da61ed2d30eb531f07b4ed49796e3 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.9.168 Version/11.50"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./ucp.php?mode=resend_act&sid=d911a4459b14c8a48b4a97a63c13c2b3 HTTP/2.0" 403 166 - "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36"
183.69.137.80 [03/May/2023:15:13:08 -0700] "GET /./memberlist.php?mode=viewprofile&u=2216&sid=a1d91bafeed536ed67b1ff9cc90d5143 HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=27&sid=7495e0cbb97e83a4b534701b494afe53 HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewtopic.php?p=151&sid=f62ea109d657680d9bd9222f8cea6d8e HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
183.69.137.80 [03/May/2023:15:13:08 -0700] "GET /./viewtopic.php?p=2762&sid=a64113cfbbd3bccf1a2a0395f404ee82 HTTP/2.0" 403 106 - "Mozilla/5.0 (Windows NT 5.1; rv:44.0) Gecko/20100101 Firefox/44.0"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./ucp.php?mode=terms&sid=870654ca79d30799628034876e2ef238 HTTP/2.0" 403 166 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=14&sid=0c5348a82ce05c2cd042565a9fbc81bd HTTP/2.0" 403 166 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.0 Safari/537.36"
183.69.137.80 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=28&sid=ff9a53cd9f33e684518fe58ae91dfe0a HTTP/2.0" 403 106 - "Opera/9.80 (Macintosh; Intel Mac OS X 10_10; U; en) Presto/2.7.62 Version/11.00"
183.69.137.86 [03/May/2023:15:13:08 -0700] "GET /./search.php?search_id=unanswered&sid=ff388a0a2204e9444e59ad8ca741e244 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 6.1; Win64; x64; U; en) Presto/2.7.62 Version/11.00"
183.69.137.86 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=18&sid=b0615d307e39f98aeb1befd0985680a7 HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
183.69.137.80 [03/May/2023:15:13:08 -0700] "GET /app.php/privacy-policy?sid=f5329776c4ddffedee41c37eaf095fa7 HTTP/2.0" 403 106 - "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:6.0) Gecko/20100101 Firefox/6.0"
183.69.137.85 [03/May/2023:15:13:08 -0700] "GET /app.php/privacy-policy?sid=93fa73e4005958cccee212c5c9a2f9e4 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 6.1; WOW64; U; en) Presto/2.8.131 Version/11.11"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=2&sid=b4bf4317d306b9a78929af7d2ce72940 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 10.0; U; en) Presto/2.8.131 Version/11.11"
183.69.137.86 [03/May/2023:15:13:08 -0700] "GET /./search.php?search_id=active_topics&sid=50365189b358396f59af4875f1ab26a2 HTTP/2.0" 403 106 - "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
183.69.137.86 [03/May/2023:15:13:08 -0700] "GET /./search.php?sid=48d4e2dcf7070dc3661ee77499c9b40f HTTP/2.0" 403 106 - "Opera/9.80 (Macintosh; Intel Mac OS X 10_10; U; en) Presto/2.2.15 Version/10.10"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=3&sid=1360a5d9b9c80d033de652bb602c4fb7 HTTP/2.0" 403 106 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:44.0) Gecko/20100101 Firefox/44.0"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewtopic.php?t=13&sid=2864f1ae412b2ca4ba8bb83d49ce3b1f&start=20 HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
183.69.137.91 [03/May/2023:15:13:09 -0700] "GET /./viewtopic.php?p=3880&sid=c7514e3b9b3c85c462c29e94ecd9957b HTTP/2.0" 403 106 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:61.0) Gecko/20100101 Firefox/61.0"
183.69.137.89 [03/May/2023:15:13:09 -0700] "GET /./ucp.php?mode=register&sid=b9cca906993d89407c106024c4a98df1 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 10.0; U; en) Presto/2.2.15 Version/10.00"
183.69.137.80 [03/May/2023:15:13:09 -0700] "GET /./viewtopic.php?t=13&sid=a1d91bafeed536ed67b1ff9cc90d5143&start=10 HTTP/2.0" 403 106 - "Mozilla/5.0 (Windows NT 10.0; rv:35.0) Gecko/20100101 Firefox/35.0"
183.69.137.90 [03/May/2023:15:13:09 -0700] "GET /./viewforum.php?f=32&sid=1fd2e89ccba44967ad3c099b4fd55e10 HTTP/2.0" 403 106 - "Mozilla/5.0 (Windows NT 10.0; rv:57.0) Gecko/20100101 Firefox/57.0"
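The triage the post walks through (find the site, find the range, find the bot pattern, block the range) can be done mechanically from the log lines above. The following is an added example, not code from the original post or from phpBB: it parses the custom Nginx log format visible in the excerpt, counts hits per /24 (the post names a range around 183.69.137.71 but not its prefix length, so /24 is an assumption), measures per-IP burst rate and User-Agent churn, checks the phpBB `sid=` signal, and emits Nginx `deny` directives for the offending network. Six sample lines are copied from the excerpt; the two `203.0.113.7` lines and the `min_hits` threshold are constructed for the example.

```python
"""Triage an Nginx access-log excerpt for a request flood from one IP range.

Added example, not code from the original post. It assumes the custom
log format visible in the post's excerpt:
    <ip> [<time>] "<request>" <status> <bytes> <referer> "<user-agent>"
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<referer>\S+) "(?P<ua>[^"]*)"$'
)

# Six lines copied from the post's excerpt plus two constructed benign lines;
# 203.0.113.7 is a documentation-range address standing in for a real visitor.
SAMPLE_LOG = """\
183.69.137.90 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=36&sid=1369bf1dc602a22cf69e5e17819256c9 HTTP/2.0" 403 166 - "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
183.69.137.80 [03/May/2023:15:13:08 -0700] "GET /./ucp.php?mode=privacy&sid=947f2ace9123fbc7154d97a42ddfffd9 HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=13&sid=454924af7515f89b8af53ee00e47cae3 HTTP/2.0" 403 166 - "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.0 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=36&sid=778a5ff6b9b638717f473b8f9924f656 HTTP/2.0" 403 106 - "Mozilla/5.0 (Windows NT 10.0; rv:35.0) Gecko/20100101 Firefox/35.0"
183.69.137.80 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=34&sid=3b7da61ed2d30eb531f07b4ed49796e3 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.9.168 Version/11.50"
183.69.137.89 [03/May/2023:15:13:09 -0700] "GET /./ucp.php?mode=register&sid=b9cca906993d89407c106024c4a98df1 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 10.0; U; en) Presto/2.2.15 Version/10.00"
203.0.113.7 [03/May/2023:15:13:08 -0700] "GET /viewtopic.php?t=13 HTTP/2.0" 200 18342 - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
203.0.113.7 [03/May/2023:15:13:41 -0700] "GET /viewtopic.php?t=13&start=10 HTTP/2.0" 200 17911 - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["time"], "%d/%b/%Y:%H:%M:%S %z")
        r["status"] = int(r["status"])
        # phpBB puts sid=<session id> into every link it renders for a client
        # that has not sent back its session cookie.
        r["sid"] = parse_qs(urlsplit(r["target"]).query).get("sid", [None])[0]
        records.append(r)
    return records


def requests_per_prefix(records, prefix_len=24):
    """Hits per IPv4 /prefix_len network (IPv6 is grouped by /48)."""
    counts = Counter()
    for r in records:
        addr = ip_address(r["ip"])
        plen = prefix_len if addr.version == 4 else 48
        counts[str(ip_network(f"{addr}/{plen}", strict=False))] += 1
    return counts


def peak_rate_per_ip(records):
    """Most requests a single IP made within one wall-clock second."""
    per_second = Counter((r["ip"], r["ts"]) for r in records)
    peak = defaultdict(int)
    for (ip, _), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


def bot_signals(records):
    """Per IP: hit count, distinct User-Agent strings, and whether every hit
    carried a fresh sid (N hits with N distinct sids means the client never
    keeps the session cookie, which a real browser would)."""
    hits, uas, sids = Counter(), defaultdict(set), defaultdict(set)
    for r in records:
        hits[r["ip"]] += 1
        uas[r["ip"]].add(r["ua"])
        if r["sid"]:
            sids[r["ip"]].add(r["sid"])
    return {
        ip: {"hits": n, "user_agents": len(uas[ip]), "cookieless": len(sids[ip]) == n}
        for ip, n in hits.items()
    }


def suggest_blocks(records, prefix_len=24, min_hits=5):
    """Nginx deny directives for every network at or above min_hits.
    min_hits=5 is an assumed value for this tiny sample; on a real log compare
    against a normal day's per-network counts before choosing a threshold."""
    return [
        f"deny {net};"
        for net, n in requests_per_prefix(records, prefix_len).most_common()
        if n >= min_hits
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(requests_per_prefix(recs).most_common(3))
    for ip, sig in bot_signals(recs).items():
        print(ip, sig, "peak/s:", peak_rate_per_ip(recs)[ip])
    print("\n".join(suggest_blocks(recs)))
```

Run against the post's own lines, the three signals line up: every hit in the 183.69.137.x range carries a different `sid`, one IP cycles through several User-Agent strings within the same second, and the whole /24 dominates the count, while the constructed normal visitor shows one UA, no `sid`, and seconds between page loads. The `deny` lines are what the post's usual Nginx-side block looks like; a Cloudflare IP Access Rule does the same job only for requests that arrive through Cloudflare, so if the origin IP is reachable directly the `deny` lines belong in the Nginx config as well, or better, the origin should accept connections only from Cloudflare's published address ranges.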
