Check your access.log right away to see whether someone has maliciously pointed a domain at your server

2019-07-23 17:41:21 +08:00
 zjb861107

It started when my little Tencent Cloud box suddenly became extremely slow. When I logged in today I found the disk was full, and nginx's access.log alone accounted for 33G.
Most of the log entries look like the following:

121.238.181.104 - - [23/Jul/2019:17:06:15 +0800] "GET /otsmobile/app/mgs/mgw.htm?operationType=com.cars.otsmobile.queryLeftTicket&requestData=%5B%7B%22train_date%22%3A%2220190728%22%2C%22purpose_codes%22%3A%2200%22%2C%22from_station%22%3A%22CZH%22%2C%22to_station%22%3A%22ZDN%22%2C%22station_train_code%22%3A%22%22%2C%22start_time_begin%22%3A%220000%22%2C%22start_time_end%22%3A%222400%22%2C%22train_headers%22%3A%22QB%23%22%2C%22train_flag%22%3A%22%22%2C%22seat_type%22%3A%22%22%2C%22seatBack_Type%22%3A%22%22%2C%22ticket_num%22%3A%22%22%2C%22dfpStr%22%3A%22Kkc-ypSI1MmN1-xm-shsDUoFhTpNRYwoDt4q0o7Zk6yal4RFOLPEZAlkgnKaxuVWMv1gm6vaJhCzOYwvXS_KxtVXYf7foWgHKybovOoVfeGnPNUrJK4GXuUXX-S2GxNE8z-Fmdr3aGNPwBWlpePKTibGpcEuA89D%22%2C%22baseDTO%22%3A%7B%22check_code%22%3A%2299976ef2a5f0c45ca0cba6957f5add03%22%2C%22device_no%22%3A%22XTWYw2mjkUQzMGMfFr5qoFiY%22%2C%22mobile_no%22%3A%22%22%2C%22os_type%22%3A%22a%22%2C%22time_str%22%3A%2220190723170615%22%2C%22user_name%22%3A%22%22%2C%22version_no%22%3A%224.2.10%22%7D%7D%5D&ts=1563872775032&sign=2f8b45dd42d0544d64a9f7af81b1f706 HTTP/1.1" 444 0 "-" "Go-http-client/1.1"
110.218.205.25 - - [23/Jul/2019:17:06:15 +0800] "GET /otsmobile/app/mgs/mgw.htm?operationType=com.cars.otsmobile.queryLeftTicket&requestData=%5B%7B%22train_date%22%3A%2220190724%22%2C%22purpose_codes%22%3A%2200%22%2C%22from_station%22%3A%22ZYJ%22%2C%22to_station%22%3A%22LZJ%22%2C%22station_train_code%22%3A%22%22%2C%22start_time_begin%22%3A%220000%22%2C%22start_time_end%22%3A%222400%22%2C%22train_headers%22%3A%22QB%23%22%2C%22train_flag%22%3A%22%22%2C%22seat_type%22%3A%22%22%2C%22seatBack_Type%22%3A%22%22%2C%22ticket_num%22%3A%22%22%2C%22dfpStr%22%3A%22eXNvnG_dhMV52v1v7hCA8Ny47hOWo89M7Hoxg1n45OyJJ8VqnBs2AiD0lUcJSiUzEimLKNWtIYeVYr06VX2tsUA6mfgpUyNrFWaDouCRYGzmn_r138y27EC4oa-v8yK6dZHsGVGZ2F5ji4-ax4plmpGKyJGjFwvo%22%2C%22baseDTO%22%3A%7B%22check_code%22%3A%224e3333eb814f961347a92b05457a25e3%22%2C%22device_no%22%3A%22XTWYwANleQwzMHXUqoMlBfdk%22%2C%22mobile_no%22%3A%22%22%2C%22os_type%22%3A%22a%22%2C%22time_str%22%3A%2220190723170615%22%2C%22user_name%22%3A%22%22%2C%22version_no%22%3A%224.2.10%22%7D%7D%5D&ts=1563872775144&sign=9caf0e8903ead8174a45e6532f8f7404 HTTP/1.1" 444 0 "-" "Go-http-client/1.1"

All of the requests point to /otsmobile/app/mgs/mgw.htm

With the help of a search engine I found an article describing a similar situation: http://niliu.me/articles/367.html

Following that article, I added this to my nginx configuration:

server {
    listen 443 default_server;
    server_name _;
    ssl on;
    return 444;
}

The server became responsive instantly.
PS: after confirming that the 444 took effect, I also added access_log off; to keep the log from growing out of control.

3420 views
Node    Share & Discover
9 replies
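The post above diagnoses the flood by eyeballing a 33G access.log. As an added example that is not part of the thread, this small Python script parses nginx's default "combined" log format and reports whether one path or one User-Agent dominates, which is the signature seen here. The sample lines are constructed from the two entries in the post (with the long query string cut down) plus one ordinary request.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # keep the path, drop the long query string
    rec["status"] = int(rec["status"])
    return rec

def summarise(lines):
    """Count hits per path, per User-Agent, and per status code."""
    paths, uas, statuses = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip lines in another format rather than abort
            continue
        paths[rec["path"]] += 1
        uas[rec["ua"]] += 1
        statuses[rec["status"]] += 1
    return {"paths": paths, "uas": uas, "statuses": statuses}

def dominant(counter, threshold=0.8):
    """Return (key, share) when one key accounts for at least `threshold` of all hits, else None."""
    total = sum(counter.values())
    if total == 0:
        return None
    key, n = counter.most_common(1)[0]
    share = n / total
    return (key, share) if share >= threshold else None

# Constructed sample: the two lines from the post with the query string cut down,
# plus one ordinary request so the flood does not account for every hit.
SAMPLE = [
    '121.238.181.104 - - [23/Jul/2019:17:06:15 +0800] "GET /otsmobile/app/mgs/mgw.htm?operationType=com.cars.otsmobile.queryLeftTicket&ts=1563872775032 HTTP/1.1" 444 0 "-" "Go-http-client/1.1"',
    '110.218.205.25 - - [23/Jul/2019:17:06:15 +0800] "GET /otsmobile/app/mgs/mgw.htm?operationType=com.cars.otsmobile.queryLeftTicket&ts=1563872775144 HTTP/1.1" 444 0 "-" "Go-http-client/1.1"',
    '203.0.113.7 - - [23/Jul/2019:17:06:16 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Run it over a real file with `summarise(open("access.log"))`; a high share for one path combined with a single non-browser User-Agent is the pattern the thread describes, and the 444 count shows how many of those connections nginx already dropped.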
VD
2019-07-23 19:21:08 +08:00
Are you sure? On port 443 with no certificate, can this actually return 444?
GM
2019-07-23 19:43:08 +08:00
@VD Serving plain HTTP on 443, nothing wrong with that.
ruimz
2019-07-23 19:47:10 +08:00
Even if port 443 can't return 444 under SSL and it just errors out, the original goal is still achieved.
VD
2019-07-23 20:33:42 +08:00
@GM Didn't you see the ssl on in his config?

@ruimz The OP says the 444 was confirmed to work, which is why I'm puzzled.
Vegetable
2019-07-23 20:46:45 +08:00
Those are the parameters of a 12306 remaining-ticket query, and the UA is go-http-client.
Looks like some ticket-grabbing tool's requests are being sent to you.
sizhe
2019-07-24 09:12:49 +08:00
Why not return 404... simple, crude, and more misleading.

Still, there's not much you can do when you're being attacked, and turning the log off isn't great either. Best to block it at the routing layer.
zjb861107
2019-07-24 10:17:13 +08:00
@VD I didn't post the full config. There is also this one:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
}

Does that make sense now?
VD
2019-07-24 10:32:49 +08:00
@zjb861107 The HTTP server block has no server_name, right?
And after the 301 redirect to https, with no SSL, how does it return 444? Are you sure it returned 444?
chen90902
2019-07-24 10:49:07 +08:00
I simply banned access on port 80 and return 444 on 443, so the server is only reachable via the domain name.
The domain is protected by the DNS provider, so generally there's nothing to fear~

Example:
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate example.pem;
    ssl_certificate_key example_key.pem;
    return 444;
}

https://www.v2ex.com/t/585515