网站访问统计见到过这两个异常 IP 段吗

2019-11-17 22:53:28 +08:00
 holinhot
和这个样,
https://www.v2ex.com/amp/t/540682

一个支付回调接口,按理是没有公开暴露的,但是有来至 180.163.220.4 的访问。而且 UA 一看就不是什么好东西。

HTTP_USER_AGENT => Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 baidu.sogo.uc.UCBrowser/11.9.4.974 UWS/2.13.1.48 Mobile Safari/537.36 AliApp(DingTalk/4.5.11) com.alibaba.android.rimet/10487439 Channel/227200 language/zh-CN


REQUEST_DATA =>
SERVER_DATA =>
CONTEXT_DOCUMENT_ROOT => /home
CONTEXT_PREFIX =>
DOCUMENT_ROOT => /home/
GATEWAY_INTERFACE => CGI/1.1
H2PUSH => on
H2_PUSH => on
H2_PUSHED =>
H2_PUSHED_ON =>
H2_STREAM_ID => 1
H2_STREAM_TAG => 88-1
HTTP2 => on
HTTPS => on
HTTP_ACCEPT => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
HTTP_ACCEPT_ENCODING => gzip, deflate
HTTP_CACHE_CONTROL => no-cache
HTTP_HOST => store.
HTTP_PRAGMA => no-cache
HTTP_REFERER => http://baidu.com/
HTTP_UPGRADE_INSECURE_REQUESTS => 1
HTTP_USER_AGENT => Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 baidu.sogo.uc.UCBrowser/11.9.4.974 UWS/2.13.1.48 Mobile Safari/537.36 AliApp(DingTalk/4.5.11) com.alibaba.android.rimet/10487439 Channel/227200 language/zh-CN
HTTP_X_HTTPS => 1
PATH => /bin:/usr/bin
PHP_INI_SCAN_DIR => /opt/cpanel/ea-php72/root/etc:/opt/cpanel/ea-php72/root/etc/php.d:.
QUERY_STRING =>
REDIRECT_STATUS => 200
REMOTE_ADDR => 180.163.220.4
REMOTE_PORT => 62746
REQUEST_METHOD => GET
REQUEST_SCHEME => https
REQUEST_URI => /return.php
SCRIPT_FILENAME => /home/_return.php
SCRIPT_NAME => return.php
SCRIPT_URI => return.php
SCRIPT_URL => return.php
SERVER_ADDR => 1.1.1.1
SERVER_ADMIN => webmaster@
SERVER_NAME => store.
SERVER_PORT => 443
SERVER_PROTOCOL => HTTP/2.0
SERVER_SIGNATURE =>
SERVER_SOFTWARE => Apache
SSL_TLS_SNI => store.
TZ => Etc/GMT
UNIQUE_ID => XcvtVa3jGRPKDQsSIU6Ytgdf3fd
PHP_SELF => return.php
REQUEST_TIME_FLOAT => 1573645653.3753
REQUEST_TIME => 1573645653
argv =>
argc => 0

分析发现在 11/13/2019 11:46 有人付款发生了回调,在 11/13/2019 11:47 有来至 180.163.220.4 的访问,为什么有用户付款后此 IP 就马上来抓取。
4216 次点击
所在节点    信息安全
5 条回复
holinhot
2019-11-17 22:56:45 +08:00
我分析可能和用户使用的浏览器、或杀毒软件(如周红衣家的)有关,或插件。不然不可能 URL 地址会暴露。
holinhot
2019-11-17 23:00:03 +08:00
我看了用户付款的 UA:HTTP_USER_AGENT => Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
系统是 macos,但浏览器看不出来是啥,到底是 Chrome 还是 Safari,还是 360 浏览器伪装的 UA, 因为听说现在 360 浏览器已经不显示自己的 UA 了,至于为什么大家都懂吧
holinhot
2019-11-17 23:01:26 +08:00
@holinhot 刚找到这一篇文章,https://www.360zhijia.com/ask/461446.html
由此来看来 180.163.220.4 90%是 360 那 j2 在搞怪
holinhot
2019-11-17 23:06:02 +08:00
holinhot
2019-11-17 23:25:21 +08:00
已全部拉黑这个 b 玩意儿。
https://prnt.sc/py59xi
简单粗暴直接 ban 了 CT GROUP 这个 IDC 段 180.160.0.0/13

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/620470

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX