这是一个创建于 2174 天前的主题,其中的信息可能已经有所发展或是发生改变。
和这个样,
https://www.v2ex.com/amp/t/540682
一个支付回调接口,按理是没有公开暴露的,但是有来至 180.163.220.4 的访问。而且 UA 一看就不是什么好东西。
HTTP_USER_AGENT => Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 baidu.sogo.uc.UCBrowser/11.9.4.974 UWS/2.13.1.48 Mobile Safari/537.36 AliApp(DingTalk/4.5.11) com.alibaba.android.rimet/10487439 Channel/227200 language/zh-CN
REQUEST_DATA =>
SERVER_DATA =>
CONTEXT_DOCUMENT_ROOT => /home
CONTEXT_PREFIX =>
DOCUMENT_ROOT => /home/
GATEWAY_INTERFACE => CGI/1.1
H2PUSH => on
H2_PUSH => on
H2_PUSHED =>
H2_PUSHED_ON =>
H2_STREAM_ID => 1
H2_STREAM_TAG => 88-1
HTTP2 => on
HTTPS => on
HTTP_ACCEPT => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
HTTP_ACCEPT_ENCODING => gzip, deflate
HTTP_CACHE_CONTROL => no-cache
HTTP_HOST => store.
HTTP_PRAGMA => no-cache
HTTP_REFERER => http://baidu.com/
HTTP_UPGRADE_INSECURE_REQUESTS => 1
HTTP_USER_AGENT => Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 baidu.sogo.uc.UCBrowser/11.9.4.974 UWS/2.13.1.48 Mobile Safari/537.36 AliApp(DingTalk/4.5.11) com.alibaba.android.rimet/10487439 Channel/227200 language/zh-CN
HTTP_X_HTTPS => 1
PATH => /bin:/usr/bin
PHP_INI_SCAN_DIR => /opt/cpanel/ea-php72/root/etc:/opt/cpanel/ea-php72/root/etc/php.d:.
QUERY_STRING =>
REDIRECT_STATUS => 200
REMOTE_ADDR => 180.163.220.4
REMOTE_PORT => 62746
REQUEST_METHOD => GET
REQUEST_SCHEME => https
REQUEST_URI => /return.php
SCRIPT_FILENAME => /home/_return.php
SCRIPT_NAME => return.php
SCRIPT_URI => return.php
SCRIPT_URL => return.php
SERVER_ADDR => 1.1.1.1
SERVER_ADMIN => webmaster@
SERVER_NAME => store.
SERVER_PORT => 443
SERVER_PROTOCOL => HTTP/2.0
SERVER_SIGNATURE =>
SERVER_SOFTWARE => Apache
SSL_TLS_SNI => store.
TZ => Etc/GMT
UNIQUE_ID => XcvtVa3jGRPKDQsSIU6Ytgdf3fd
PHP_SELF => return.php
REQUEST_TIME_FLOAT => 1573645653.3753
REQUEST_TIME => 1573645653
argv =>
argc => 0
分析发现在 11/13/2019 11:46 有人付款发生了回调,在 11/13/2019 11:47 有来至 180.163.220.4 的访问,为什么有用户付款后此 IP 就马上来抓取。
https://www.v2ex.com/amp/t/540682
一个支付回调接口,按理是没有公开暴露的,但是有来至 180.163.220.4 的访问。而且 UA 一看就不是什么好东西。
HTTP_USER_AGENT => Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 baidu.sogo.uc.UCBrowser/11.9.4.974 UWS/2.13.1.48 Mobile Safari/537.36 AliApp(DingTalk/4.5.11) com.alibaba.android.rimet/10487439 Channel/227200 language/zh-CN
REQUEST_DATA =>
SERVER_DATA =>
CONTEXT_DOCUMENT_ROOT => /home
CONTEXT_PREFIX =>
DOCUMENT_ROOT => /home/
GATEWAY_INTERFACE => CGI/1.1
H2PUSH => on
H2_PUSH => on
H2_PUSHED =>
H2_PUSHED_ON =>
H2_STREAM_ID => 1
H2_STREAM_TAG => 88-1
HTTP2 => on
HTTPS => on
HTTP_ACCEPT => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
HTTP_ACCEPT_ENCODING => gzip, deflate
HTTP_CACHE_CONTROL => no-cache
HTTP_HOST => store.
HTTP_PRAGMA => no-cache
HTTP_REFERER => http://baidu.com/
HTTP_UPGRADE_INSECURE_REQUESTS => 1
HTTP_USER_AGENT => Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 baidu.sogo.uc.UCBrowser/11.9.4.974 UWS/2.13.1.48 Mobile Safari/537.36 AliApp(DingTalk/4.5.11) com.alibaba.android.rimet/10487439 Channel/227200 language/zh-CN
HTTP_X_HTTPS => 1
PATH => /bin:/usr/bin
PHP_INI_SCAN_DIR => /opt/cpanel/ea-php72/root/etc:/opt/cpanel/ea-php72/root/etc/php.d:.
QUERY_STRING =>
REDIRECT_STATUS => 200
REMOTE_ADDR => 180.163.220.4
REMOTE_PORT => 62746
REQUEST_METHOD => GET
REQUEST_SCHEME => https
REQUEST_URI => /return.php
SCRIPT_FILENAME => /home/_return.php
SCRIPT_NAME => return.php
SCRIPT_URI => return.php
SCRIPT_URL => return.php
SERVER_ADDR => 1.1.1.1
SERVER_ADMIN => webmaster@
SERVER_NAME => store.
SERVER_PORT => 443
SERVER_PROTOCOL => HTTP/2.0
SERVER_SIGNATURE =>
SERVER_SOFTWARE => Apache
SSL_TLS_SNI => store.
TZ => Etc/GMT
UNIQUE_ID => XcvtVa3jGRPKDQsSIU6Ytgdf3fd
PHP_SELF => return.php
REQUEST_TIME_FLOAT => 1573645653.3753
REQUEST_TIME => 1573645653
argv =>
argc => 0
分析发现在 11/13/2019 11:46 有人付款发生了回调,在 11/13/2019 11:47 有来至 180.163.220.4 的访问,为什么有用户付款后此 IP 就马上来抓取。
5 条回复 • 2019-11-17 23:25:21 +08:00
 |
1
holinhot OP 我分析可能和用户使用的浏览器、或杀毒软件(如周红衣家的)有关,或插件。不然不可能 URL 地址会暴露。
|
|
2
holinhot OP 我看了用户付款的 UA:HTTP_USER_AGENT => Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
系统是 macos,但浏览器看不出来是啥,到底是 Chrome 还是 Safari,还是 360 浏览器伪装的 UA, 因为听说现在 360 浏览器已经不显示自己的 UA 了,至于为什么大家都懂吧 |
|
3
holinhot OP |
|
4
holinhot OP 180.163.220.8 上的网站
绑定过的域名如下: 2019-09-13-----2019-09-13dl.ludashi.com 2019-01-23-----2019-01-23dl.qhcdn.com 2018-03-19-----2018-03-27dl.360tpcdn.com 2017-03-28-----2017-05-16dl.360safe.com 这 ip 段基本是 360 的无疑 |
|
5
holinhot OP |
Select Language