A malicious IP spoofing the User Agent

Published 2016-02-14 by [重庆SEO]

Doing SEO sometimes means analysing web logs, and the logs occasionally turn up all sorts of interesting things. Malicious IPs visiting with a forged UA are one of them. In most cases the signature is obvious, so you can block the IP outright and then use that signature to block others that share it.

Part of a recent log from one site:

202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:34 +0800]"GET /admin_login/fckeditor/editor/fckeditor.original.html HTTP/1.1" 410 780"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:34 +0800]"GET /admin_login/editor/editor/fckeditor.original.html HTTP/1.1" 410 777"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:35 +0800]"GET /admin_login/fck/editor/fckeditor.original.html HTTP/1.1" 410 774"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:35 +0800]"GET /admin_login/fckedit/editor/fckeditor.original.html HTTP/1.1" 410 778"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:35 +0800]"GET /admin_login/edit/editor/fckeditor.original.html HTTP/1.1" 410 775"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:35 +0800]"GET /administrator/fckeditor/editor/fckeditor.original.html HTTP/1.1" 410 782"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:35 +0800]"GET /administrator/editor/editor/fckeditor.original.html HTTP/1.1" 410 779"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:36 +0800]"GET /administrator/fck/editor/fckeditor.original.html HTTP/1.1" 410 776"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:36 +0800]"GET /administrator/fckedit/editor/fckeditor.original.html HTTP/1.1" 410 780"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:36 +0800]"GET /administrator/edit/editor/fckeditor.original.html HTTP/1.1" 410 777"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:36 +0800]"GET /include/fckeditor/editor/fckeditor.original.html HTTP/1.1" 410 776"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:36 +0800]"GET /include/editor/editor/fckeditor.original.html HTTP/1.1" 410 773"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:36 +0800]"GET /include/fck/editor/fckeditor.original.html HTTP/1.1" 410 770"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:37 +0800]"GET /include/fckedit/editor/fckeditor.original.html HTTP/1.1" 410 774"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:37 +0800]"GET /include/edit/editor/fckeditor.original.html HTTP/1.1" 410 771"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:37 +0800]"GET /includes/fckeditor/editor/fckeditor.original.html HTTP/1.1" 410 777"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:37 +0800]"GET /includes/editor/editor/fckeditor.original.html HTTP/1.1" 410 774"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:37 +0800]"GET /includes/fck/editor/fckeditor.original.html HTTP/1.1" 410 771"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:38 +0800]"GET /includes/fckedit/editor/fckeditor.original.html HTTP/1.1" 410 775"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:38 +0800]"GET /includes/edit/editor/fckeditor.original.html HTTP/1.1" 410 772"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:38 +0800]"GET /manager/fckeditor/editor/fckeditor.original.html HTTP/1.1" 410 776"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:38 +0800]"GET /manager/editor/editor/fckeditor.original.html HTTP/1.1" 410 773"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:39 +0800]"GET /manager/fck/editor/fckeditor.original.html HTTP/1.1" 410 770"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:39 +0800]"GET /manager/fckedit/editor/fckeditor.original.html HTTP/1.1" 410 774"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:39 +0800]"GET /manager/edit/editor/fckeditor.original.html HTTP/1.1" 410 771"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:39 +0800]"GET /manage/fckeditor/editor/fckeditor.original.html HTTP/1.1" 410 775"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:39 +0800]"GET /manage/editor/editor/fckeditor.original.html HTTP/1.1" 410 772"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:40 +0800]"GET /manage/fck/editor/fckeditor.original.html HTTP/1.1" 410 769"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:40 +0800]"GET /manage/fckedit/editor/fckeditor.original.html HTTP/1.1" 410 773"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:40 +0800]"GET /manage/edit/editor/fckeditor.original.html HTTP/1.1" 410 770"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:40 +0800]"GET /admin_/fckeditor/editor/fckeditor.original.html HTTP/1.1" 410 775"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:40 +0800]"GET /admin_/editor/editor/fckeditor.original.html HTTP/1.1" 410 772"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:40 +0800]"GET /admin_/fck/editor/fckeditor.original.html HTTP/1.1" 410 769"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:41 +0800]"GET /admin_/fckedit/editor/fckeditor.original.html HTTP/1.1" 410 773"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:41 +0800]"GET /admin_/edit/editor/fckeditor.original.html HTTP/1.1" 410 770"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:41 +0800]"GET /admins/fckeditor/editor/fckeditor.original.html HTTP/1.1" 410 775"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:41 +0800]"GET /admins/editor/editor/fckeditor.original.html HTTP/1.1" 410 772"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:41 +0800]"GET /admins/fck/editor/fckeditor.original.html HTTP/1.1" 410 769"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:42 +0800]"GET /admins/fckedit/editor/fckeditor.original.html HTTP/1.1" 410 773"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:42 +0800]"GET /admins/edit/editor/fckeditor.original.html HTTP/1.1" 410 770"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:42 +0800]"GET /webadmin/fckeditor/editor/fckeditor.original.html HTTP/1.1" 410 777"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:42 +0800]"GET /webadmin/editor/editor/fckeditor.original.html HTTP/1.1" 410 774"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:42 +0800]"GET /webadmin/fck/editor/fckeditor.original.html HTTP/1.1" 410 771"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:43 +0800]"GET /webadmin/fckedit/editor/fckeditor.original.html HTTP/1.1" 410 775"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:43 +0800]"GET /webadmin/edit/editor/fckeditor.original.html HTTP/1.1" 410 772"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:43 +0800]"GET /admin/fckeditor/editor/fckeditor.original.html HTTP/1.1" 410 774"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:43 +0800]"GET /admin/editor/editor/fckeditor.original.html HTTP/1.1" 410 771"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:43 +0800]"GET /admin/fck/editor/fckeditor.original.html HTTP/1.1" 410 768"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:44 +0800]"GET /admin/fckedit/editor/fckeditor.original.html HTTP/1.1" 410 772"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:44 +0800]"GET /admin/edit/editor/fckeditor.original.html HTTP/1.1" 410 769"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:44 +0800]"GET /fckeditor/editor/fckeditor.original.html HTTP/1.1" 410 768"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:44 +0800]"GET /editor/editor/fckeditor.original.html HTTP/1.1" 410 765"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:44 +0800]"GET /fck/editor/fckeditor.original.html HTTP/1.1" 410 762"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:44 +0800]"GET /fckedit/editor/fckeditor.original.html HTTP/1.1" 410 766"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:45 +0800]"GET /edit/editor/fckeditor.original.html HTTP/1.1" 410 763"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:45 +0800]"GET /web/fckeditor/editor/fckeditor.original.html HTTP/1.1" 410 772"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:45 +0800]"GET /web/editor/editor/fckeditor.original.html HTTP/1.1" 410 769"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:45 +0800]"GET /web/fck/editor/fckeditor.original.html HTTP/1.1" 410 766"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:45 +0800]"GET /web/fckedit/editor/fckeditor.original.html HTTP/1.1" 410 770"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:46 +0800]"GET /web/edit/editor/fckeditor.original.html HTTP/1.1" 410 767"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-" 
The log shows a few things:
  • 202.75.55.176 is a malicious IP, and the damned thing is even spoofing Baiduspider.
  • Some version of fckeditor, or possibly every version, has a vulnerability.
  • admin, manage and the like are sensitive directories; it is best not to have paths like these at all.

Actually, spoofing some other spider might have worked better for them, because Baidu is blocked outright on that site: it doesn't need Baidu traffic.

What to do with an IP like this? If your options are limited, write a rule into Apache or nginx that blocks it and returns a 404, 403 or 410. The requests are still written to the log, so you can still see its records. If you can, block it directly with iptables, because it is junk: junk log entries like these are of no use anyway, and when you really need the I/O the server will be a little faster.
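The two checks the post makes by eye, "this UA claims Baiduspider but the IP is not Baidu" and "this IP is walking a list of sensitive paths and collecting nothing but error codes", can be automated over the raw log, and the result can be turned straight into the nginx or iptables rules discussed above. The script below is an added example, not code from the post. It assumes Baidu's published crawler check (the PTR name of a real Baiduspider IP ends in .baidu.com or .baidu.jp and resolves back to the same IP); the sample log lines, the stand-in resolvers (`fake_reverse`, `fake_forward`, with an invented PTR for the documentation address 203.0.113.10) and the probing thresholds (`min_paths`, `min_error_ratio`) are constructed for the example.

```python
"""Flag clients that claim to be Baiduspider but fail forward-confirmed reverse
DNS, plus clients that probe many paths and collect only error codes, then emit
nginx / iptables block rules for them. Added example, not the post's own code."""
import re
import socket
from collections import defaultdict

# Constructed sample in the same shape as the post's excerpt: the post's scanner
# IP with its "[country]" annotation, a constructed legitimate crawler at
# 203.0.113.10 and a constructed ordinary visitor at 198.51.100.7.
SAMPLE_LOG = """\
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:34 +0800]"GET /admin_login/fckeditor/editor/fckeditor.original.html HTTP/1.1" 410 780"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:35 +0800]"GET /admin/fck/editor/fckeditor.original.html HTTP/1.1" 410 768"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
202.75.55.176[马来西亚] - - [14/Feb/2016:03:35:36 +0800]"GET /manager/edit/editor/fckeditor.original.html HTTP/1.1" 410 771"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
203.0.113.10 - - [14/Feb/2016:03:40:00 +0800]"GET /index.html HTTP/1.1" 200 5120"-""Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)""-"
198.51.100.7 - - [14/Feb/2016:03:41:00 +0800]"GET /about.html HTTP/1.1" 200 2048"-""Mozilla/5.0 (Windows NT 10.0; rv:44.0) Gecko/20100101 Firefox/44.0""-"
"""

# Combined-log line; tolerates the optional "[country]" tag after the IP and the
# missing spaces between fields seen in the excerpt.
LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:\[[^\]]*\])?\s+\S+\s+\S+\s+'
    r'\[(?P<time>[^\]]+)\]\s*"(?P<method>\S+)\s+(?P<path>\S+)[^"]*"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\d+|-)\s*"(?P<referer>[^"]*)"\s*"(?P<ua>[^"]*)"'
)

# Hostname suffixes Baidu documents for its real crawlers (assumption of this example).
BAIDU_SUFFIXES = ('.baidu.com', '.baidu.jp')


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def verify_claimed_spider(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS: the PTR name must end in a Baidu domain and
    must resolve back to the same IP. Any failure is treated as a spoofed UA."""
    try:
        host = reverse(ip)[0]
    except OSError:
        return False
    if not host.lower().endswith(BAIDU_SUFFIXES):
        return False
    try:
        return ip in forward(host)[2]
    except OSError:
        return False


def analyse(log_text, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex,
            min_paths=3, min_error_ratio=0.8):
    """Map each suspicious IP to the list of reasons it was flagged."""
    per_ip = defaultdict(lambda: {'hits': 0, 'paths': set(), 'errors': 0, 'claims_baidu': False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        st = per_ip[rec['ip']]
        st['hits'] += 1
        st['paths'].add(rec['path'])
        st['errors'] += rec['status'] >= 400
        st['claims_baidu'] |= 'Baiduspider' in rec['ua']

    findings = {}
    for ip, st in per_ip.items():
        reasons = []
        if st['claims_baidu'] and not verify_claimed_spider(ip, reverse, forward):
            reasons.append('spoofed Baiduspider UA')
        # Many distinct paths with almost nothing but 4xx/5xx: a directory scan.
        if len(st['paths']) >= min_paths and st['errors'] / st['hits'] >= min_error_ratio:
            reasons.append('path probing')
        if reasons:
            findings[ip] = reasons
    return findings


def block_rules(ips):
    """Render the two options from the post: nginx 'deny' lines (requests still
    reach the server and are logged) and iptables DROP rules (dropped before it)."""
    ips = sorted(ips)
    return ([f'deny {ip};' for ip in ips],
            [f'iptables -I INPUT -s {ip} -j DROP' for ip in ips])


# Constructed offline stand-ins for the socket resolvers so the example runs
# without network; the PTR for 203.0.113.10 is invented for the demo.
FAKE_PTR = {'203.0.113.10': 'baiduspider-203-0-113-10.crawl.baidu.com'}
FAKE_A = {'baiduspider-203-0-113-10.crawl.baidu.com': ['203.0.113.10']}


def fake_reverse(ip):
    if ip in FAKE_PTR:
        return (FAKE_PTR[ip], [], [ip])
    raise OSError('no PTR record')


def fake_forward(host):
    if host in FAKE_A:
        return (host, [], FAKE_A[host])
    raise OSError('NXDOMAIN')


if __name__ == '__main__':
    found = analyse(SAMPLE_LOG, fake_reverse, fake_forward)
    for ip, reasons in found.items():
        print(ip, ', '.join(reasons))
    nginx, ipt = block_rules(found)
    print('\n'.join(nginx + ipt))
```

Run against a real log, drop the `fake_*` arguments so the real resolvers are used; a client that passes the forward-confirmed reverse DNS check is kept even if it trips the probing heuristic only mildly, while a UA-only match is never trusted on its own, which is exactly why the post's scanner stands out despite its Baiduspider string.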
