Forced to Defend
Categories: Code, Notes | Tags: WordPress, Blog | Date: 2009-09-13 | 1 views
This afternoon I went through the access records in the back end, and they left me speechless. Either the so-called hackers are that bad, or there are just too many people with nothing better to do.
222.208.183.49 - - [11/Sep/2009:02:19:36 +0800] "GET /ixhktmdqq.asp HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:38 +0800] "GET /tmdqq.asp HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:39 +0800] "GET /tmdqq.asp HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:39 +0800] "GET /eltrqq.asp HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:40 +0800] "GET /qq.asp HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:44 +0800] "GET /qq.asp HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:44 +0800] "GET /wdtgjinhuQQ2007.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:45 +0800] "GET /jinhuQQ2007.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:46 +0800] "GET /jinhuQQ2007.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:47 +0800] "GET /emkyjinhuQQ.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:47 +0800] "GET /jinhuQQ.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:48 +0800] "GET /jinhuQQ.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:52 +0800] "GET /qndnqq2008jh.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:53 +0800] "GET /qq2008jh.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:54 +0800] "GET /qq2008jh.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:54 +0800] "GET /fbidqq.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:55 +0800] "GET /qq.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:56 +0800] "GET /qq.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:57 +0800] "GET /zwivlog.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:57 +0800] "GET /log.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:58 +0800] "GET /log.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:59 +0800] "GET /czpmpass.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:20:00 +0800] "GET /pass.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:20:00 +0800] "GET /pass.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:20:01 +0800] "GET /hqedpassword.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:20:02 +0800] "GET /password.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:20:02 +0800] "GET /password.txt HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
There is far too much scanning of this kind, plus high-frequency requests for mp3 files that don't exist (luckily I deleted them long ago). Below is a pile of malicious IPs; they forced me to enable the Wp-Blockyou plugin to deny these IPs access to the site. I had no choice.
Later I thought it over and realised this does no good either. The IPs used for scanning change almost daily, so blocking them one by one is not the answer. Looking at the log file, I noticed that the user agent of the malicious IPs is almost always nothing but the bare string "Mozilla/4.0".
So I deny in htaccess every request whose user agent matches that condition; normal visitors should not get banned. I tested it myself and it works.
There are also some IPs that use an IE6 user agent to fetch mp3 files over and over, so I redirect all mp3 requests to a URL that crashes IE6. If you are curious you can try it too: click here to enter, once you are sure you are ready. (IE7 and IE8 do not crash.)
Here is the htaccess code I added:
# forbid hack scans
# RewriteEngine On is already present in a standard WordPress .htaccess; repeating it is harmless
RewriteEngine On
# user agent is exactly "Mozilla/4.0" (dot escaped; [NC] = case-insensitive)
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/4\.0$ [NC]
# a RewriteRule needs a pattern; an absolute URL target is sent as an external redirect
RewriteRule .* http://127.0.0.1 [L]
# forbid reading mp3
RewriteCond %{REQUEST_URI} \.(mp3|wma)$ [NC]
RewriteRule .* http://immike.net/scripts/ie_crash.html [L]
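Before putting rules like these into .htaccess, it helps to replay them against a log and confirm that only the bare "Mozilla/4.0" agents and the media requests trip them. The script below is an added example, not code from the post: it parses combined-format lines and applies the same two conditions as the two RewriteCond directives, and also counts 404s per IP, which is what exposed the scanner. The sample lines are constructed to mirror the excerpt above; 198.51.100.7 and 203.0.113.5 are documentation addresses.

```python
import re
from collections import Counter

# Apache "combined" log format, the layout of the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The same two conditions the post's .htaccess rules express:
# 1) user agent is exactly "Mozilla/4.0" ([NC] makes it case-insensitive);
# 2) the request path ends in .mp3 or .wma.
BARE_UA_RE = re.compile(r'^Mozilla/4\.0$', re.IGNORECASE)
MEDIA_RE = re.compile(r'\.(mp3|wma)$', re.IGNORECASE)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Name the rule a request would trip, or None if it passes both."""
    if BARE_UA_RE.match(entry["ua"]):
        return "bare-ua"
    if MEDIA_RE.search(entry["path"].split("?", 1)[0]):  # REQUEST_URI has no query
        return "media"
    return None

def scan_log(lines):
    """Classify every parsable line and count 404 misses per IP."""
    verdicts, misses = [], Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        verdicts.append((e["ip"], e["path"], classify(e)))
        if e["status"] == "404":
            misses[e["ip"]] += 1
    return verdicts, misses

# Constructed sample modelled on the post's excerpt (not real traffic).
SAMPLE = """\
222.208.183.49 - - [11/Sep/2009:02:19:36 +0800] "GET /ixhktmdqq.asp HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:19:44 +0800] "GET /qq.asp HTTP/1.1" 404 14097 "-" "Mozilla/4.0"
222.208.183.49 - - [11/Sep/2009:02:20:02 +0800] "GET /password.txt HTTP/1.1" 404 14097 "-" "mozilla/4.0"
198.51.100.7 - - [11/Sep/2009:08:01:10 +0800] "GET /music/song.mp3 HTTP/1.1" 200 3145728 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [11/Sep/2009:08:01:12 +0800] "GET /?p=42 HTTP/1.1" 200 8812 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [11/Sep/2009:09:15:00 +0800] "GET /style.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.5"
""".splitlines()
```

Running `scan_log(SAMPLE)` flags the three bare-agent probes and the mp3 fetch while the full IE6 and Firefox page requests pass, and the 404 counter points straight at the scanning IP.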

Blogger,
May I ask what back end you use to view the access records? Lately I keep running into annoying 503s and don't know where to start.
Thanks
paul
lx replied:
September 28th, 2009 at 3:55 am
It depends on the platform your hosting provider gives you. On US hosts cPanel is common, as is DM's in-house control panel; domestic hosts tend to use swsoft. Some hosts may not offer this kind of access-record viewing at all. You can install the WP plugin statepress to record it.
paul @ September 24th, 2009