这种情况是被DDOS了么

2014-01-26 10:59:37 +08:00
 582033
用iftop 现在能看到这么个信息,如图, http://urlc.cn/g/yd6io6tu ,

难道被DDOS了?

求分析,求解决
7000 次点击
所在节点    站长
11 条回复
kmvan
2014-01-26 11:12:06 +08:00
有何异常?
582033
2014-01-26 11:16:06 +08:00
检测到连接IP有725个,带宽打到峰值。
Livid
2014-01-26 11:22:09 +08:00
这种情况你应该看 web server 的 log
582033
2014-01-26 11:40:22 +08:00
@Livid 请指教.. 怎么看是否有异常呢


error.log 可以看到如下类似信息
2014/01/26 11:36:12 [error] 14532#0: unexpected response for www.espam.co.kr
2014/01/26 11:36:25 [error] 14533#0: unexpected response for giahdarou.ir
2014/01/26 11:36:25 [error] 14533#0: unexpected response for giahdarou.ir
2014/01/26 11:37:38 [error] 14533#0: DNS error (16: Unknown error), query id:14222
2014/01/26 11:38:22 [error] 14533#0: unexpected response for www.portlandcvb.com
2014/01/26 11:38:22 [error] 14533#0: unexpected response for www.portlandcvb.com
2014/01/26 11:38:32 [error] 14533#0: unexpected response for www.portlandcvb.com
2014/01/26 11:38:41 [error] 14532#0: unexpected response for www.zb1213.com
2014/01/26 11:38:50 [error] 14533#0: unexpected response for steady-laughing.com
2014/01/26 11:38:50 [error] 14533#0: unexpected response for steady-laughing.com
2014/01/26 11:38:55 [error] 14533#0: unexpected response for steady-laughing.com
Livid
2014-01-26 11:43:22 +08:00
@582033 看看 access.log
582033
2014-01-26 11:52:21 +08:00
@Livid 日志没有大量增加



114.80.109.30 - - [26/Jan/2014:11:41:26 +0800] "POST /api/manyou/my.php HTTP/1.0" 200 154 "http://www.bgjsy.com/api/manyou/my.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9"
113.13.131.36 - - [26/Jan/2014:11:41:27 +0800] "POST /member.php?mod=register&inajax=1 HTTP/1.1" 200 1042 "http://www.bgjsy.com/member.php?mod=register&inajax=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
46.161.41.24 - - [26/Jan/2014:11:42:22 +0800] "GET /search.php?mod=forum&srchtxt=%E5%8C%97%E4%BA%AC%E4%BA%8C%E6%89%8B%E6%88%BF%E8%A3%85%E4%BF%AE&formhash=5f7a996e&searchsubmit=true&source=hotsearch HTTP/1.1" 302 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows 95) Opera 7.03 [de]"
46.161.41.24 - - [26/Jan/2014:11:42:23 +0800] "GET /search.php?mod=forum&searchid=4&orderby=lastpost&ascdesc=desc&searchsubmit=yes&kw=%E5%8C%97%E4%BA%AC%E4%BA%8C%E6%89%8B%E6%88%BF%E8%A3%85%E4%BF%AE HTTP/1.1" 200 7330 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows 95) Opera 7.03 [de]"
117.80.175.69 - - [26/Jan/2014:11:42:38 +0800] "GET / HTTP/1.1" 301 5 "http://www.bgjsy.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"

42.96.185.104 - - [26/Jan/2014:11:47:58 +0800] "GET /tongji/5.html HTTP/1.0" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
42.96.185.104 - - [26/Jan/2014:11:48:20 +0800] "GET /?topic=%E6%88%91%E6%83%B3%E5%95%8F%E6%8D%B7%E6%98%9F%E8%88%AA%E7%A9%BA%E9%9A%A8%E8%BA%AB%E8%A1%8C%E6%9D%8E%E7%9A%84%E9%99%90%E5%88%B6 HTTP/1.1" 200 4701 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2b1) Gecko/20091014 Firefox/3.6b1 GTB5"
221.215.66.58 - - [26/Jan/2014:11:48:38 +0800] "GET /tongji/5.html HTTP/1.0" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
42.96.185.104 - - [26/Jan/2014:11:48:52 +0800] "GET /tongji/5.html HTTP/1.0" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
212.2.229.35 - - [26/Jan/2014:11:48:55 +0800] "CONNECT oauth.vk.com:443 HTTP/1.0" 400 172 "-" "-"
42.96.185.104 - - [26/Jan/2014:11:49:46 +0800] "GET /tongji/5.html HTTP/1.0" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
221.215.66.58 - - [26/Jan/2014:11:50:25 +0800] "GET /tongji/5.html HTTP/1.0" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
42.96.185.104 - - [26/Jan/2014:11:50:57 +0800] "GET /tongji/5.html HTTP/1.1" 404 198 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
42.96.185.104 - - [26/Jan/2014:11:51:00 +0800] "GET /apple/iphone4renzituoguijiaotao/ HTTP/1.1" 404 142 "http://www.guokey.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
cst4you
2014-01-26 12:21:35 +08:00
会不会是爬虫
tywtyw2002
2014-01-26 13:46:02 +08:00
一个棒子网站?

ddos 才4m,这流量太小了, 你grep一下log。


tcpdump抓包看看
magicsilence
2014-01-26 13:53:57 +08:00
iptraf 看看
582033
2014-01-26 14:38:31 +08:00
@tywtyw2002 限定的带宽就是4m,已经是峰值了..
582033
2014-01-26 18:02:44 +08:00
@magicsilence
@cst4you
@tywtyw2002
@Livid

感谢楼上各位,原来是自己用的一个没加密码的http代理被盗用了,而且没有输出日志,难怪没看到快速增长的log,再次感谢。

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/98380

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX