
Has anyone seen these two anomalous IP ranges in your site access stats?

    holinhot · 28 days ago · 867 views
    Same as this one:
    https://www.v2ex.com/amp/t/540682

    A payment callback endpoint that by rights is not publicly exposed, yet it got an access from 180.163.220.4. And one look at the UA tells you it's nothing good.

    HTTP_USER_AGENT => Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 baidu.sogo.uc.UCBrowser/11.9.4.974 UWS/2.13.1.48 Mobile Safari/537.36 AliApp(DingTalk/4.5.11) com.alibaba.android.rimet/10487439 Channel/227200 language/zh-CN


    REQUEST_DATA =>
    SERVER_DATA =>
    CONTEXT_DOCUMENT_ROOT => /home
    CONTEXT_PREFIX =>
    DOCUMENT_ROOT => /home/
    GATEWAY_INTERFACE => CGI/1.1
    H2PUSH => on
    H2_PUSH => on
    H2_PUSHED =>
    H2_PUSHED_ON =>
    H2_STREAM_ID => 1
    H2_STREAM_TAG => 88-1
    HTTP2 => on
    HTTPS => on
    HTTP_ACCEPT => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    HTTP_ACCEPT_ENCODING => gzip, deflate
    HTTP_CACHE_CONTROL => no-cache
    HTTP_HOST => store.
    HTTP_PRAGMA => no-cache
    HTTP_REFERER => http://baidu.com/
    HTTP_UPGRADE_INSECURE_REQUESTS => 1
    HTTP_USER_AGENT => Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 baidu.sogo.uc.UCBrowser/11.9.4.974 UWS/2.13.1.48 Mobile Safari/537.36 AliApp(DingTalk/4.5.11) com.alibaba.android.rimet/10487439 Channel/227200 language/zh-CN
    HTTP_X_HTTPS => 1
    PATH => /bin:/usr/bin
    PHP_INI_SCAN_DIR => /opt/cpanel/ea-php72/root/etc:/opt/cpanel/ea-php72/root/etc/php.d:.
    QUERY_STRING =>
    REDIRECT_STATUS => 200
    REMOTE_ADDR => 180.163.220.4
    REMOTE_PORT => 62746
    REQUEST_METHOD => GET
    REQUEST_SCHEME => https
    REQUEST_URI => /return.php
    SCRIPT_FILENAME => /home/_return.php
    SCRIPT_NAME => return.php
    SCRIPT_URI => return.php
    SCRIPT_URL => return.php
    SERVER_ADDR => 1.1.1.1
    SERVER_ADMIN => [email protected]
    SERVER_NAME => store.
    SERVER_PORT => 443
    SERVER_PROTOCOL => HTTP/2.0
    SERVER_SIGNATURE =>
    SERVER_SOFTWARE => Apache
    SSL_TLS_SNI => store.
    TZ => Etc/GMT
    UNIQUE_ID => XcvtVa3jGRPKDQsSIU6Ytgdf3fd
    PHP_SELF => return.php
    REQUEST_TIME_FLOAT => 1573645653.3753
    REQUEST_TIME => 1573645653
    argv =>
    argc => 0

    Analysis shows that at 11/13/2019 11:46 someone paid and the callback fired, and at 11/13/2019 11:47 there was an access from 180.163.220.4. Why does this IP come to crawl it right after a user pays?
    5 replies  |  until 2019-11-17 23:25:21 +08:00
        1
    holinhot   28 days ago
    My analysis is that it may be related to the browser the user is using, or antivirus software (such as Zhou Hongyi's), or a plugin. Otherwise there is no way the URL could be exposed.
        2
    holinhot   28 days ago
    I looked at the paying user's UA: HTTP_USER_AGENT => Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
    The OS is macOS, but you can't tell what the browser is: whether it's Chrome or Safari, or 360 Browser with a disguised UA, because I've heard that 360 Browser no longer shows its own UA now; as for why, everyone knows.
        3
    holinhot   28 days ago
    @holinhot Just found this article: https://www.360zhijia.com/ask/461446.html
    From this it looks like 180.163.220.4 is 90% likely that 360 crap messing around.
        4
    holinhot   28 days ago
        5
    holinhot   28 days ago
    Blacklisted this damn thing entirely.
    https://prnt.sc/py59xi
    Simple and brutal: banned CT GROUP's whole IDC range 180.160.0.0/13 outright.
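As an added example (not code from this thread or from the poster), the Python script below shows how a site owner could find the pattern described above in ordinary Apache access logs: a second request to the payment return URL, carrying the same query string but coming from a different IP, arriving shortly after the user's own visit. The sample log lines, the documentation-range user IPs (203.0.113.x, 198.51.100.x), the pay.example referer, the order= query parameter and the 300-second window are all constructed assumptions; 180.163.220.4, the /return.php path, the DingTalk user agent, the http://baidu.com/ referer and the 180.160.0.0/13 range are the values quoted in the thread.

```python
"""Spot "shadow fetches" of a payment return URL in Apache access logs.

Added example, not the poster's code. Assumed: logs are in Apache
"combined" format, and a legitimate visit to the return URL is the
first request carrying a given query string; any later request with
the same query string from a different IP inside WINDOW seconds is
flagged as a third-party fetch of a URL that should not have leaked.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample log. 203.0.113.x / 198.51.100.x are documentation
# addresses standing in for real users; 180.163.220.4, the DingTalk UA
# and the baidu.com referer are the ones quoted in the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Nov/2019:11:46:02 +0800] "GET /return.php?order=1001 HTTP/2.0" 200 512 "https://pay.example/checkout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
180.163.220.4 - - [13/Nov/2019:11:47:10 +0800] "GET /return.php?order=1001 HTTP/2.0" 200 512 "http://baidu.com/" "Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 baidu.sogo.uc.UCBrowser/11.9.4.974 UWS/2.13.1.48 Mobile Safari/537.36 AliApp(DingTalk/4.5.11) com.alibaba.android.rimet/10487439 Channel/227200 language/zh-CN"
203.0.113.8 - - [13/Nov/2019:11:47:30 +0800] "GET /index.php HTTP/2.0" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Nov/2019:12:05:00 +0800] "GET /return.php?order=1002 HTTP/2.0" 200 512 "https://pay.example/checkout" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": path,
        "query": query,
        "referer": m.group("referer"),
        "ua": m.group("ua"),
    }


def parse_log(text):
    """Parse every line of a log, silently skipping unparseable ones."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def in_range(ip, cidr):
    """True if ip falls inside the CIDR block (e.g. the range the poster banned)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def find_shadow_fetches(records, callback_path="/return.php", window=300):
    """Flag hits on callback_path that repeat an earlier hit's query string
    from a different IP within `window` seconds of it (assumed heuristic)."""
    hits = sorted((r for r in records if r["path"] == callback_path),
                  key=lambda r: r["ts"])
    findings = []
    for i, later in enumerate(hits):
        for earlier in hits[:i]:
            delay = (later["ts"] - earlier["ts"]).total_seconds()
            if (earlier["ip"] != later["ip"]
                    and earlier["query"] == later["query"]
                    and 0 <= delay <= window):
                findings.append({
                    "ip": later["ip"],
                    "original_ip": earlier["ip"],
                    "query": later["query"],
                    "delay": delay,
                    "referer": later["referer"],
                    "ua": later["ua"],
                })
                break  # one finding per suspicious request is enough
    return findings


if __name__ == "__main__":
    for f in find_shadow_fetches(parse_log(SAMPLE_LOG)):
        flag = " (inside 180.160.0.0/13)" if in_range(f["ip"], "180.160.0.0/13") else ""
        print(f'{f["ip"]}{flag} fetched ?{f["query"]} {f["delay"]:.0f}s after '
              f'{f["original_ip"]}; referer={f["referer"]!r}')
```

A finding from this script says only that the URL reached a third party, not which client-side software passed it along. The check that does not depend on attribution is on the server side: treat the return URL purely as a page the browser is redirected to, and complete the order only from the provider's signed server-to-server notification, so that a stray GET on /return.php from any IP has no effect.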