Today I happened to notice that the view counts on several articles on the site were abnormal: a few niche posts had surprisingly high numbers. Suspecting a malicious scan, I looked at the IP statistics in the Nginx access log.
access.log IP statistics
Today's access log:
$ awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head -n 10
47121 103.148.58.45
804 66.249.79.239
540 66.249.79.241
422 209.159.145.46
422 162.241.123.164
413 65.108.227.178
413 162.241.62.60
299 65.108.125.120
270 198.71.236.34
264 66.249.79.243
Yesterday's access log:
$ awk '{print $1}' /var/log/nginx/access.log.1 | sort | uniq -c | sort -nr | head -n 10
158657 103.148.58.45
1433 66.249.79.239
840 150.158.212.68
757 66.249.79.241
522 64.124.8.55
480 64.124.8.35
432 66.249.79.243
394 64.124.8.28
253 172.104.100.241
241 64.124.8.27
The request count from 103.148.58.45 is off the charts: over 150,000 requests in a single day against a small blog, two orders of magnitude above the next address. Before blocking anything, it is worth checking that the other high-volume addresses are legitimate crawlers (reverse DNS plus a matching forward lookup); a single address with this volume is the one to investigate.
Characteristics of the malicious requests
103.148.58.45 - - [12/Dec/2022:10:14:02 +0800] "GET /golang-upgraded-version-113-to-114?from=random%27%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT%28CONCAT%28%27qkbkq%27%2C%27EXDgLPuczm%27%29%2C%27qqzqq%27%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20ihuT HTTP/1.1" 200 9341 "-" "sqlmap/1.6.12#stable 15:00 2022/12/12(https://sqlmap.org)" "2.91"
Judging from the request URL, this is clearly an SQL injection tool at work: the `from` parameter carries a `') UNION ALL SELECT NULL,NULL,...` probe padded with NULL columns, and the `CONCAT(CONCAT('qkbkq','EXDgLPuczm'),'qqzqq')` in the middle is a marker string that the tool looks for in the response to tell whether the injected column is reflected in the page. The 200 status on its own means nothing: these probes are fired at every parameter the tool finds, and a page that simply ignores `from` returns 200 regardless.
Searching for the identifier in the User-Agent header confirms it:
https://sqlmap.org/
sqlmap is an automated SQL injection detection and exploitation tool that supports a wide range of database backends. It is also a good choice for vulnerability testing of one's own projects.
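The two checks above, the per-IP count and the sqlmap signature, as one script. This is an added example and not code from the original post: it reproduces the awk/sort/uniq pipeline as a function and adds a first-pass filter that URL-decodes each request and flags SQL injection probes by payload shape (a quote followed by UNION ... SELECT, a SLEEP( call, or a `-- ` comment terminator) as well as by the sqlmap User-Agent. The log lines are constructed for the example, modelled on the real entry shown above; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): per-IP request counts plus a
# first-pass filter for SQL injection probes over Nginx "combined" log lines.

# Constructed sample log, modelled on the real entry above (not real traffic).
# Line 2 deliberately carries a browser User-Agent with an injection payload,
# the shape sqlmap produces when run with --random-agent.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
103.148.58.45 - - [12/Dec/2022:10:14:02 +0800] "GET /golang-upgraded-version-113-to-114?from=random%27%29%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20ihuT HTTP/1.1" 200 9341 "-" "sqlmap/1.6.12#stable (https://sqlmap.org)"
103.148.58.45 - - [12/Dec/2022:10:14:03 +0800] "GET /golang-upgraded-version-113-to-114?from=random%27%20AND%20SLEEP%285%29--%20abcd HTTP/1.1" 200 9341 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
103.148.58.45 - - [12/Dec/2022:10:14:04 +0800] "GET /golang-upgraded-version-113-to-114?from=random HTTP/1.1" 200 9341 "-" "sqlmap/1.6.12#stable (https://sqlmap.org)"
66.249.79.239 - - [12/Dec/2022:10:15:00 +0800] "GET /some-post HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.79.239 - - [12/Dec/2022:10:15:10 +0800] "GET /other-post HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.71.236.34 - - [12/Dec/2022:10:16:00 +0800] "GET /search?q=select+a+union+b HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
EOF

# Top-N client IPs by request count (same pipeline as the post), printed as
# "count ip" with uniq's leading padding removed.
top_ips() {  # $1 = log file, $2 = N
    awk '{print $1}' "$1" | sort | uniq -c | sort -nr | head -n "$2" | awk '{print $1, $2}'
}

# Print "ip count" for every client with at least one request that looks like
# an SQL injection probe. The request URI ($7 in the combined format) is
# URL-decoded first, because the payload arrives percent-encoded; the
# User-Agent is the sixth double-quote-delimited piece of the line.
flag_sqli() {  # $1 = log file
    awk -v q="'" '
    function hexval(c) { return index("0123456789ABCDEF", c) - 1 }
    # Minimal percent-decoder; treats "+" as a space, as a query string would.
    function urldecode(s,    out, i, c, h) {
        out = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "+") {
                out = out " "
            } else if (c == "%" && toupper(substr(s, i + 1, 2)) ~ /^[0-9A-F][0-9A-F]$/) {
                h = toupper(substr(s, i + 1, 2))
                out = out sprintf("%c", hexval(substr(h, 1, 1)) * 16 + hexval(substr(h, 2, 1)))
                i += 2
            } else {
                out = out c
            }
        }
        return out
    }
    {
        uri = toupper(urldecode($7))
        split($0, part, "\"")
        ua = tolower(part[6])
        hit = 0
        if (ua ~ /sqlmap/) hit = 1                       # tool identifies itself
        else if (uri ~ (q ".*UNION.*SELECT")) hit = 1    # quote-break + UNION probe
        else if (uri ~ (q ".*SLEEP\\(")) hit = 1         # time-based probe
        else if (uri ~ /-- /) hit = 1                    # SQL comment terminator
        if (hit) count[$1]++
    }
    END { for (ip in count) print ip, count[ip] }
    ' "$1" | sort
}

top_ips "$SAMPLE_LOG" 3
flag_sqli "$SAMPLE_LOG"
```

Two points the sample is built to show: the second line would slip past a User-Agent-only check, which is why the payload patterns are there, and the search request from 198.71.236.34 contains the words "select" and "union" but no quote or comment terminator, so a keyword grep would have produced a false positive where the decoded-syntax match does not. Run against the real log, the output of `flag_sqli` is the list of addresses worth blocking rather than the raw volume ranking.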
Block the malicious IP
In the Alibaba Cloud console, go to Elastic Compute Service, then ECS security groups, and add a deny rule:
Rule table columns: Authorization policy | Priority | Protocol type | Port range | Authorization object | Description | Created at | Actions (the rule added here: Deny, priority 1, authorization object 103.148.58.45)
Note: set the priority to 1, the highest. Security group rules are matched in priority order, and if the deny rule sits behind an allow rule that already matches the traffic (the one that opens 80/443 to everyone), the allow wins and the deny never applies. After saving, confirm that new lines from that address stop appearing in access.log.
TODO
I don't really understand why anyone would be bored enough to scan a blog for vulnerabilities...
Still, I think it would be convenient to have a page on the site that shows real-time IP statistics. I plan to add this feature to the new Go version of the blog program.
I'm a developer from Yantai, Shandong. If there is a topic you're interested in, or you have a software development need, feel free to add me on WeChat (zhongwei) to chat.