Problem description
Backstory: Recently someone somehow compromised a Xenforo installation linked to my server and injected an endlessly looping PHP mail() script. It sent thousands of emails from within the domain to the outside world, ending up getting my domain blacklisted by all of the major email ISPs before I had even noticed it was happening. I found the file, which was somehow injected into a cache and skin_cache directory of the forum, removed them, and set up a permanent redirect (using a PHP header redirect) to an anti-spam harvesting site.
Current problem: I am now seeing a steady and never-ending flow of POST requests to the aforementioned spam scripts. The IPs are different every time, and seem to never stop coming. This has been happening for over two weeks. So much so that my Apache is maxing out its MaxClients setting and running into memory problems, and starting to shut down other processes to compensate.
This is what shows up in the logs:
190.40.7.126 - - [28/Mar/2013:18:58:30 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
190.104.19.189 - - [28/Mar/2013:18:58:39 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
78.251.159.173 - - [28/Mar/2013:18:58:57 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
219.78.213.10 - - [28/Mar/2013:18:59:09 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
69.123.20.137 - - [28/Mar/2013:18:59:09 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
2.234.181.7 - - [28/Mar/2013:18:59:37 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
187.207.223.67 - - [28/Mar/2013:18:59:44 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
24.242.122.42 - - [28/Mar/2013:19:01:56 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
213.49.254.102 - - [28/Mar/2013:19:02:32 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
82.247.48.152 - - [28/Mar/2013:19:02:38 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
41.135.146.136 - - [28/Mar/2013:19:02:43 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
91.187.93.36 - - [28/Mar/2013:19:03:04 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
194.90.37.132 - - [28/Mar/2013:19:03:40 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
I need suggestions on the best way to go about handling this problem. Simply redirecting or 404'ing them isn't going to stop the resource usage on the server. There are also so many different IPs at such a constant rate that it's hard to see if there are any duplicate IPs at all. They all seem to be on random ranges and of different origins. I'm honestly not sure if these are fake requests, or genuinely compromised clients, victims of some sort of spamming XSS or virus.
Would it be reasonable to come up with a way to ban any IP that requests that file dynamically so they can't retry? I need suggestions and help with this please.
Recommended answer
It's likely that the URL to the malicious script was distributed to a botnet, which is trying to use your webserver as a beachhead. The requests will eventually subside, as it's not profitable for the botnet to continue requesting a script that doesn't function.
The quick and easy fix: add a <Location> block to your Apache configuration, or a rewrite rule, which will ignore these requests.
The brazen, haphazard method: use iptables-based rate limiting. iptables -A INPUT -p tcp --dport 80 -m limit --limit 60/min -j ACCEPT with a following rejection rule might help, though it may also block legitimate traffic, including search engine indexers and legitimate bots.
The better solution: implement a web application firewall like Apache's mod_security. You can add an additional rule to match the incoming requests and blacklist them, or any other suitable side effect.
Regardless of which option you take, I highly doubt that 404 errors are harming the resource usage on your server. You need to consider other factors:
- Your PHP scripts may be causing some significant performance/efficiency problems.
- Your Apache configuration may not be optimized to handle heavier traffic.
- Your server was compromised, and you now have a bigger problem to solve.
You may also want to consider putting Apache behind Nginx as a reverse-proxy backend. Depending on the cause, using an HTTP cache in front of your Apache server (like Varnish) could reduce the load on your server to a relatively constant factor instead of a varying one.
TL;DR: It depends. Your server has probably been misconfigured or compromised.
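Added example, not part of the question or the answer above: a small Python script that runs the kind of check the answer implies over the log lines quoted in the question. It parses the Apache combined log format, counts POSTs to PHP files under /forum/cache and /forum/skin_cache per source IP, computes the observed request rate, and generates (but does not execute) iptables drop rules for any IP that crosses a hit threshold. The spam lines are the ones from the post; the single non-spam GET line is constructed. The watched directory paths, the threshold and the port are assumptions for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Log lines as quoted in the question, plus one constructed GET line for a
# legitimate visitor (10.0.0.5) to show that only the spam script is matched.
SAMPLE_LOG = """\
190.40.7.126 - - [28/Mar/2013:18:58:30 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
190.104.19.189 - - [28/Mar/2013:18:58:39 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
78.251.159.173 - - [28/Mar/2013:18:58:57 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
219.78.213.10 - - [28/Mar/2013:18:59:09 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
69.123.20.137 - - [28/Mar/2013:18:59:09 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
2.234.181.7 - - [28/Mar/2013:18:59:37 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
187.207.223.67 - - [28/Mar/2013:18:59:44 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Mar/2013:19:00:00 -0500] "GET /forum/index.php HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
24.242.122.42 - - [28/Mar/2013:19:01:56 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
213.49.254.102 - - [28/Mar/2013:19:02:32 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
82.247.48.152 - - [28/Mar/2013:19:02:38 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
41.135.146.136 - - [28/Mar/2013:19:02:43 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
91.187.93.36 - - [28/Mar/2013:19:03:04 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
194.90.37.132 - - [28/Mar/2013:19:03:40 -0500] "POST /forum/cache/sslFDoB.php HTTP/1.1" 200 3889 "-" "Mozilla/5.0"
"""

# Apache combined log: client ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed: the only writable directories the webshell was dropped into.
# No PHP file under them should ever be served, so any hit is hostile.
SPAM_PATH_RE = re.compile(r'^/forum/(cache|skin_cache)/[^/?]+\.php')

APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"


def parse(lines):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def spam_records(lines):
    """Records that are POSTs to PHP files in the injected directories."""
    return [r for r in parse(lines)
            if r["method"] == "POST" and SPAM_PATH_RE.match(r["path"])]


def spam_hits(lines):
    """Return (total_hits, Counter of hits per source IP) for the spam script."""
    counts = Counter(r["ip"] for r in spam_records(lines))
    return sum(counts.values()), counts


def hits_per_minute(lines):
    """Observed spam request rate over the span between first and last hit."""
    times = [datetime.strptime(r["time"], APACHE_TIME) for r in spam_records(lines)]
    if len(times) < 2:
        return float(len(times))
    span = (max(times) - min(times)).total_seconds()
    return len(times) * 60.0 / span if span else float(len(times))


def repeat_offenders(counts, threshold):
    """IPs that hit the script at least `threshold` times (sorted for stable output)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def ban_commands(ips, port=80):
    """iptables rules that would drop further connections from `ips`.
    Only generated here; a real deployment would feed them to a script or ipset."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    total, counts = spam_hits(lines)
    print(f"{total} spam POSTs from {len(counts)} distinct IPs, "
          f"{hits_per_minute(lines):.1f} per minute")
    for cmd in ban_commands(repeat_offenders(counts, threshold=2)):
        print(cmd)
```

On the quoted sample every source IP appears exactly once, so repeat_offenders() with any threshold above one returns nothing: dynamic per-IP banning buys little against a botnet that rotates sources, which is why the URL-based block the answer recommends (a <Location /forum/cache> section containing Require all denied on Apache 2.4, Deny from all on 2.2, or a mod_security rule keyed on the path) is the lever that actually removes the PHP execution cost per request. The observed rate here is roughly 2.5 POSTs per minute, which is also a reminder that a global iptables limit on port 80 cannot tell these packets apart from legitimate visitors.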