Website hit by malicious traffic

Today I found that the website was down and showing a 404. I logged into the server and restarted the service; it came back for a few seconds and then went down again. So I guessed that one of the sites was being hit with malicious traffic, or in other words attacked. I checked CPU usage: it was at 100%.

This site runs on a VPS at Vultr, alongside several other sites on the same machine. So which site was being attacked?

I keep a separate access log for each site. A quick look showed one site whose traffic was far above normal.

Screenshot 2023-05-03 152617.png

Right, it was the phpBB Simplified Chinese site. I have maintained the phpBB Simplified Chinese language pack for a long time, and I set up this Chinese support community so that others can use it easily: it publishes new versions of the language pack and full install packages, and answers questions. Its traffic is normally small, roughly twenty to thirty thousand visitors a month and around two hundred thousand page views. Yet in just the first three or four days of May it had already passed 1.7 million page views. Far too much.

Looking at the log file more closely, the bulk of these requests came from mainland China, Chongqing, from IP addresses in the 183.69.137.x block (183.69.137.71 and its neighbours), a few dozen addresses in all. My approach has always been simple and blunt: just block them. Normally I do that in the Nginx configuration, but because phpBBchinese sits behind Cloudflare, I went to Cloudflare's Security > WAF > IP Access Rules and added a rule there instead.

Screenshot 2023-05-03 153425.png

After adding the rule I restarted the Nginx web server and checked CPU usage again: it went quiet immediately.

Screenshot 2023-05-03 153651.png

Looking back, the log file shows that things had been abnormal since April 29. The volume was still small then and did not bring the site down; this morning it grew and grew, and once the CPU was saturated the site was completely unreachable.

I have no idea which bored "expert" decided to attack a harmless, self-contained Simplified Chinese language support forum. Since the block covers the whole range, it will certainly catch some innocent visitors too; my apologies, that is collateral damage.

Below is a slice of the access log. Within a very short time, several adjacent IP addresses use different User-Agents to request many different URLs.

183.69.137.90 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=36&sid=1369bf1dc602a22cf69e5e17819256c9 HTTP/2.0" 403 166 - "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
183.69.137.80 [03/May/2023:15:13:08 -0700] "GET /./ucp.php?mode=privacy&sid=947f2ace9123fbc7154d97a42ddfffd9 HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=13&sid=454924af7515f89b8af53ee00e47cae3 HTTP/2.0" 403 166 - "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.0 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=36&sid=778a5ff6b9b638717f473b8f9924f656 HTTP/2.0" 403 106 - "Mozilla/5.0 (Windows NT 10.0; rv:35.0) Gecko/20100101 Firefox/35.0"
183.69.137.80 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=34&sid=3b7da61ed2d30eb531f07b4ed49796e3 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.9.168 Version/11.50"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./ucp.php?mode=resend_act&sid=d911a4459b14c8a48b4a97a63c13c2b3 HTTP/2.0" 403 166 - "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36"
183.69.137.80 [03/May/2023:15:13:08 -0700] "GET /./memberlist.php?mode=viewprofile&u=2216&sid=a1d91bafeed536ed67b1ff9cc90d5143 HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=27&sid=7495e0cbb97e83a4b534701b494afe53 HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewtopic.php?p=151&sid=f62ea109d657680d9bd9222f8cea6d8e HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
183.69.137.80 [03/May/2023:15:13:08 -0700] "GET /./viewtopic.php?p=2762&sid=a64113cfbbd3bccf1a2a0395f404ee82 HTTP/2.0" 403 106 - "Mozilla/5.0 (Windows NT 5.1; rv:44.0) Gecko/20100101 Firefox/44.0"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./ucp.php?mode=terms&sid=870654ca79d30799628034876e2ef238 HTTP/2.0" 403 166 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=14&sid=0c5348a82ce05c2cd042565a9fbc81bd HTTP/2.0" 403 166 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.0 Safari/537.36"
183.69.137.80 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=28&sid=ff9a53cd9f33e684518fe58ae91dfe0a HTTP/2.0" 403 106 - "Opera/9.80 (Macintosh; Intel Mac OS X 10_10; U; en) Presto/2.7.62 Version/11.00"
183.69.137.86 [03/May/2023:15:13:08 -0700] "GET /./search.php?search_id=unanswered&sid=ff388a0a2204e9444e59ad8ca741e244 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 6.1; Win64; x64; U; en) Presto/2.7.62 Version/11.00"
183.69.137.86 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=18&sid=b0615d307e39f98aeb1befd0985680a7 HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
183.69.137.80 [03/May/2023:15:13:08 -0700] "GET /app.php/privacy-policy?sid=f5329776c4ddffedee41c37eaf095fa7 HTTP/2.0" 403 106 - "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:6.0) Gecko/20100101 Firefox/6.0"
183.69.137.85 [03/May/2023:15:13:08 -0700] "GET /app.php/privacy-policy?sid=93fa73e4005958cccee212c5c9a2f9e4 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 6.1; WOW64; U; en) Presto/2.8.131 Version/11.11"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=2&sid=b4bf4317d306b9a78929af7d2ce72940 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 10.0; U; en) Presto/2.8.131 Version/11.11"
183.69.137.86 [03/May/2023:15:13:08 -0700] "GET /./search.php?search_id=active_topics&sid=50365189b358396f59af4875f1ab26a2 HTTP/2.0" 403 106 - "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
183.69.137.86 [03/May/2023:15:13:08 -0700] "GET /./search.php?sid=48d4e2dcf7070dc3661ee77499c9b40f HTTP/2.0" 403 106 - "Opera/9.80 (Macintosh; Intel Mac OS X 10_10; U; en) Presto/2.2.15 Version/10.10"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=3&sid=1360a5d9b9c80d033de652bb602c4fb7 HTTP/2.0" 403 106 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:44.0) Gecko/20100101 Firefox/44.0"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewtopic.php?t=13&sid=2864f1ae412b2ca4ba8bb83d49ce3b1f&start=20 HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
183.69.137.91 [03/May/2023:15:13:09 -0700] "GET /./viewtopic.php?p=3880&sid=c7514e3b9b3c85c462c29e94ecd9957b HTTP/2.0" 403 106 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:61.0) Gecko/20100101 Firefox/61.0"
183.69.137.89 [03/May/2023:15:13:09 -0700] "GET /./ucp.php?mode=register&sid=b9cca906993d89407c106024c4a98df1 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 10.0; U; en) Presto/2.2.15 Version/10.00"
183.69.137.80 [03/May/2023:15:13:09 -0700] "GET /./viewtopic.php?t=13&sid=a1d91bafeed536ed67b1ff9cc90d5143&start=10 HTTP/2.0" 403 106 - "Mozilla/5.0 (Windows NT 10.0; rv:35.0) Gecko/20100101 Firefox/35.0"
183.69.137.90 [03/May/2023:15:13:09 -0700] "GET /./viewforum.php?f=32&sid=1fd2e89ccba44967ad3c099b4fd55e10 HTTP/2.0" 403 106 - "Mozilla/5.0 (Windows NT 10.0; rv:57.0) Gecko/20100101 Firefox/57.0"
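The pattern in the excerpt above, many requests per second from adjacent addresses in one /24 under a rotating set of User-Agents, is easy to pick out mechanically rather than by eye. The following script is an added example written for this post, not the author's own tooling. It parses lines in exactly the log format shown (client IP, [timestamp], "request", status, bytes, referrer, "user agent"), aggregates them per /24, and flags any network that bursts within a single second while presenting several distinct User-Agents. The sample input is ten lines taken from the excerpt above plus two constructed benign lines from 198.51.100.7; the thresholds (5 requests in one second, 4 distinct User-Agents) are assumptions to be tuned against the site's normal traffic. The `deny` lines it prints only work if Nginx sees the real client address, which behind Cloudflare requires the realip module to be configured with Cloudflare's proxy ranges; otherwise the block belongs at Cloudflare, as the author did.

```python
"""Flag /24 networks that burst requests with rotating User-Agents.

Added example for this post (not the author's tooling). Log format, sample
lines and thresholds are described in the lead-in; thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Matches the page's log format: IP [ts] "request" status bytes referrer "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<ref>\S+) "(?P<ua>[^"]*)"$'
)

# Ten lines copied from the page's excerpt plus two constructed benign lines.
SAMPLE_LOG = """\
183.69.137.90 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=36&sid=1369bf1dc602a22cf69e5e17819256c9 HTTP/2.0" 403 166 - "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
183.69.137.80 [03/May/2023:15:13:08 -0700] "GET /./ucp.php?mode=privacy&sid=947f2ace9123fbc7154d97a42ddfffd9 HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=13&sid=454924af7515f89b8af53ee00e47cae3 HTTP/2.0" 403 166 - "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.0 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=36&sid=778a5ff6b9b638717f473b8f9924f656 HTTP/2.0" 403 106 - "Mozilla/5.0 (Windows NT 10.0; rv:35.0) Gecko/20100101 Firefox/35.0"
183.69.137.80 [03/May/2023:15:13:08 -0700] "GET /./viewforum.php?f=34&sid=3b7da61ed2d30eb531f07b4ed49796e3 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.9.168 Version/11.50"
183.69.137.89 [03/May/2023:15:13:08 -0700] "GET /./ucp.php?mode=resend_act&sid=d911a4459b14c8a48b4a97a63c13c2b3 HTTP/2.0" 403 166 - "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36"
183.69.137.86 [03/May/2023:15:13:08 -0700] "GET /./search.php?search_id=unanswered&sid=ff388a0a2204e9444e59ad8ca741e244 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 6.1; Win64; x64; U; en) Presto/2.7.62 Version/11.00"
183.69.137.85 [03/May/2023:15:13:08 -0700] "GET /app.php/privacy-policy?sid=93fa73e4005958cccee212c5c9a2f9e4 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 6.1; WOW64; U; en) Presto/2.8.131 Version/11.11"
183.69.137.91 [03/May/2023:15:13:09 -0700] "GET /./viewtopic.php?p=3880&sid=c7514e3b9b3c85c462c29e94ecd9957b HTTP/2.0" 403 106 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:61.0) Gecko/20100101 Firefox/61.0"
183.69.137.80 [03/May/2023:15:13:09 -0700] "GET /./viewtopic.php?t=13&sid=a1d91bafeed536ed67b1ff9cc90d5143&start=10 HTTP/2.0" 403 106 - "Mozilla/5.0 (Windows NT 10.0; rv:35.0) Gecko/20100101 Firefox/35.0"
198.51.100.7 [03/May/2023:15:13:08 -0700] "GET /viewtopic.php?t=42 HTTP/2.0" 200 8123 - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
198.51.100.7 [03/May/2023:15:13:09 -0700] "GET /styles/prosilver/theme/stylesheet.css HTTP/2.0" 200 1234 - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, prefix=24):
    """Aggregate requests per /prefix network.

    Returns {cidr: {"requests", "ips", "uas", "max_per_second"}} where
    max_per_second is the largest request count seen in any one timestamp.
    """
    per_net = defaultdict(lambda: {"requests": 0, "ips": set(),
                                   "uas": set(), "per_second": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            net = str(ip_network(f'{rec["ip"]}/{prefix}', strict=False))
        except ValueError:  # not a valid IP address; skip the line
            continue
        s = per_net[net]
        s["requests"] += 1
        s["ips"].add(rec["ip"])
        s["uas"].add(rec["ua"])
        s["per_second"][rec["ts"]] += 1  # timestamps have 1 s resolution
    return {net: {"requests": s["requests"], "ips": len(s["ips"]),
                  "uas": len(s["uas"]),
                  "max_per_second": max(s["per_second"].values())}
            for net, s in per_net.items()}


def suspicious(stats, min_per_second=5, min_uas=4):
    """Networks that both burst within one second and rotate User-Agents.

    Requiring both conditions avoids flagging a single busy legitimate client
    (one UA) or a slow crawler (many UAs over a long period). Thresholds are
    assumptions; tune them to the site's normal traffic.
    """
    return sorted(net for net, s in stats.items()
                  if s["max_per_second"] >= min_per_second
                  and s["uas"] >= min_uas)


def nginx_deny(nets):
    """Nginx access-control lines for the flagged networks.

    Assumes Nginx sees real client IPs (realip module configured when the
    site is proxied through Cloudflare); otherwise block at Cloudflare instead.
    """
    return "\n".join(f"deny {net};" for net in nets)


if __name__ == "__main__":
    stats = analyze(SAMPLE_LOG)
    for net, s in sorted(stats.items()):
        print(net, s)
    print(nginx_deny(suspicious(stats)))
```

Run against the sample, the 183.69.137.0/24 block shows 10 requests from 6 addresses with 9 distinct User-Agents and a peak of 8 requests in one second, so it is flagged, while the benign 198.51.100.0/24 client with one User-Agent and one request per second is not. The 403 statuses in the flagged lines are the requests already being refused after the block was in place.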

Source:

Author:David Yin
link:https://seo.g2soft.net/2023/05/03/one-attack-from-spam.html