V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
holinhot
V2EX  ›  信息安全

网站访问统计见到过这两个异常 IP 段吗

  •  
  •   holinhot · 2019-11-17 22:53:28 +08:00 · 4041 次点击
    这是一个创建于 1593 天前的主题,其中的信息可能已经有所发展或是发生改变。
    和这个样,
    https://www.v2ex.com/amp/t/540682

    一个支付回调接口,按理是没有公开暴露的,但是有来至 180.163.220.4 的访问。而且 UA 一看就不是什么好东西。

    HTTP_USER_AGENT => Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 baidu.sogo.uc.UCBrowser/11.9.4.974 UWS/2.13.1.48 Mobile Safari/537.36 AliApp(DingTalk/4.5.11) com.alibaba.android.rimet/10487439 Channel/227200 language/zh-CN


    REQUEST_DATA =>
    SERVER_DATA =>
    CONTEXT_DOCUMENT_ROOT => /home
    CONTEXT_PREFIX =>
    DOCUMENT_ROOT => /home/
    GATEWAY_INTERFACE => CGI/1.1
    H2PUSH => on
    H2_PUSH => on
    H2_PUSHED =>
    H2_PUSHED_ON =>
    H2_STREAM_ID => 1
    H2_STREAM_TAG => 88-1
    HTTP2 => on
    HTTPS => on
    HTTP_ACCEPT => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    HTTP_ACCEPT_ENCODING => gzip, deflate
    HTTP_CACHE_CONTROL => no-cache
    HTTP_HOST => store.
    HTTP_PRAGMA => no-cache
    HTTP_REFERER => http://baidu.com/
    HTTP_UPGRADE_INSECURE_REQUESTS => 1
    HTTP_USER_AGENT => Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 baidu.sogo.uc.UCBrowser/11.9.4.974 UWS/2.13.1.48 Mobile Safari/537.36 AliApp(DingTalk/4.5.11) com.alibaba.android.rimet/10487439 Channel/227200 language/zh-CN
    HTTP_X_HTTPS => 1
    PATH => /bin:/usr/bin
    PHP_INI_SCAN_DIR => /opt/cpanel/ea-php72/root/etc:/opt/cpanel/ea-php72/root/etc/php.d:.
    QUERY_STRING =>
    REDIRECT_STATUS => 200
    REMOTE_ADDR => 180.163.220.4
    REMOTE_PORT => 62746
    REQUEST_METHOD => GET
    REQUEST_SCHEME => https
    REQUEST_URI => /return.php
    SCRIPT_FILENAME => /home/_return.php
    SCRIPT_NAME => return.php
    SCRIPT_URI => return.php
    SCRIPT_URL => return.php
    SERVER_ADDR => 1.1.1.1
    SERVER_ADMIN => webmaster@
    SERVER_NAME => store.
    SERVER_PORT => 443
    SERVER_PROTOCOL => HTTP/2.0
    SERVER_SIGNATURE =>
    SERVER_SOFTWARE => Apache
    SSL_TLS_SNI => store.
    TZ => Etc/GMT
    UNIQUE_ID => XcvtVa3jGRPKDQsSIU6Ytgdf3fd
    PHP_SELF => return.php
    REQUEST_TIME_FLOAT => 1573645653.3753
    REQUEST_TIME => 1573645653
    argv =>
    argc => 0

    分析发现在 11/13/2019 11:46 有人付款发生了回调,在 11/13/2019 11:47 有来至 180.163.220.4 的访问,为什么有用户付款后此 IP 就马上来抓取。
    5 条回复    2019-11-17 23:25:21 +08:00
    holinhot
        1
    holinhot  
    OP
       2019-11-17 22:56:45 +08:00
    我分析可能和用户使用的浏览器、或杀毒软件(如周红衣家的)有关,或插件。不然不可能 URL 地址会暴露。
    holinhot
        2
    holinhot  
    OP
       2019-11-17 23:00:03 +08:00
    我看了用户付款的 UA:HTTP_USER_AGENT => Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
    系统是 macos,但浏览器看不出来是啥,到底是 Chrome 还是 Safari,还是 360 浏览器伪装的 UA, 因为听说现在 360 浏览器已经不显示自己的 UA 了,至于为什么大家都懂吧
    holinhot
        3
    holinhot  
    OP
       2019-11-17 23:01:26 +08:00
    @holinhot 刚找到这一篇文章,https://www.360zhijia.com/ask/461446.html
    由此来看来 180.163.220.4 90%是 360 那 j2 在搞怪
    holinhot
        4
    holinhot  
    OP
       2019-11-17 23:06:02 +08:00
    holinhot
        5
    holinhot  
    OP
       2019-11-17 23:25:21 +08:00
    已全部拉黑这个 b 玩意儿。
    https://prnt.sc/py59xi
    简单粗暴直接 ban 了 CT GROUP 这个 IDC 段 180.160.0.0/13
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   我们的愿景   ·   实用小工具   ·   5235 人在线   最高记录 6543   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 31ms · UTC 09:25 · PVG 17:25 · LAX 02:25 · JFK 05:25
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.