The website was accessed maliciously

Original link: https://seo.g2soft.net/2023/05/03/one-attack-from-spam.html

Today I found that the website was down, showing 404, so I logged in to the server and restarted the service. After a few seconds it hung again. So I guessed that one of the websites was being visited maliciously, or attacked. I checked the CPU usage and it had reached 100%.

This site is on a VPS at Vultr, and there are several websites on it, so which website was attacked?

I keep a separate access log for each website, and after a quick look, one website had far more visits than usual.

Screenshot 2023-05-03 152617.png

Yes, it is the phpBB Simplified Chinese website. I have been working on the Simplified Chinese language pack for phpBB. To make it easier for others to use, I set up this Chinese support community to release new versions of the language pack and complete installation packages, and to answer questions. Usually the number of visits is very small, about 20,000 to 30,000 visits a month, with around 200,000 page views. However, in the first three or four days of May it exceeded 1.7 million page views, far too many.

I looked at the log files in detail. The bulk of these accesses came from mainland China, Chongqing, from IP addresses in the 183.69.137.71 network segment; there are dozens of addresses. My approach has always been simple and crude: block it. Usually I block it in the Nginx configuration file, but because phpBBchinese uses Cloudflare, I added a rule under Cloudflare's Security > WAF > IP Access Rules.

Screenshot 2023-05-03 153425.png

After adding the rule, I restarted the Nginx web server, and when I looked at the CPU usage again it had suddenly gone quiet.

Screenshot 2023-05-03 153651.png

Looking back, the log files show that things had been abnormal since April 29. At that time the volume was still small and the website did not go down, but this morning it grew larger and larger, and once the CPU was saturated the site was completely inaccessible.

I don't know which idle expert decided to attack a simplified Chinese language support forum that minds its own business and bothers no one. Since the ban covers the entire network segment, there is bound to be some collateral damage; I can only apologize for it.

Let's look at the access log below. Within a very short time, several adjacent IP addresses used different User-Agents to request multiple URLs.

183.69.137.89 [03/May/2023:15:13:53 -0700] "GET /./memberlist.php?mode=viewprofile&u=2562&sid=160a601fa11ebe08abcafc0b49fb52ed HTTP/2.0" 403 106 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:58.0) Gecko/20100101 Firefox/58.0"
183.69.137.89 [03/May/2023:15:13:53 -0700] "GET /./viewtopic.php?t=1286&sid=160a601fa11ebe08abcafc0b49fb52ed HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.0 Safari/537.36"
183.69.137.84 [03/May/2023:15:13:53 -0700] "GET /./memberlist.php?mode=viewprofile&u=101&sid=7637dc38140749a96a9008eae1e6a313 HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36"
183.69.137.84 [03/May/2023:15:13:53 -0700] "GET /./viewforum.php?f=3&sid=ea868b3b5a93ab483ea9d26a311687b6 HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:53 -0700] "GET /./viewforum.php?f=16&sid=6010618d31744fca05129cbaad4cc83c HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:53 -0700] "GET /./viewforum.php?f=16&sid=ee0cf9863a79c4a118d623e8fde6a640 HTTP/2.0" 403 106 - "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:58.0) Gecko/20100101 Firefox/58.0"
183.69.137.87 [03/May/2023:15:13:54 -0700] "GET /./viewforum.php?f=34&sid=45ece1d6f1dbdafba61384d74f3e7906 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 10.0; U; en) Presto/2.8.131 Version/11.11"
183.69.137.87 [03/May/2023:15:13:54 -0700] "GET /./viewforum.php?f=33&sid=fad60502a1a9aea231a3f4b3ed02726d HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:54 -0700] "GET /./viewtopic.php?t=794&sid=6010618d31744fca05129cbaad4cc83c HTTP/2.0" 403 106 - "Mozilla/5.0 (Windows NT 5.1; rv:44.0) Gecko/20100101 Firefox/44.0"
183.69.137.87 [03/May/2023:15:13:54 -0700] "GET /./viewforum.php?f=6&sid=348af1a7ff5addbfa5a16ccfdb2ab799 HTTP/2.0" 403 166 - "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36"
183.69.137.84 [03/May/2023:15:13:54 -0700] "GET /app.php/help/faq?sid=d1ad87ceeb7e3e66a14d12b4881a11c3 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 6.1; WOW64; U; en) Presto/2.2.15 Version/10.10"
183.69.137.89 [03/May/2023:15:13:55 -0700] "GET /./viewforum.php?f=34&sid=8e48beeeb54d318e689a3f88645d6532 HTTP/2.0" 403 106 - "Opera/9.80 (Macintosh; Intel Mac OS X 10_10; U; en) Presto/2.5.24 Version/10.54"
183.69.137.89 [03/May/2023:15:13:55 -0700] "GET /./viewforum.php?f=1&sid=c91f1abd90c9e2242e653a87d8269cc0 HTTP/2.0" 403 106 - "Opera/9.80 (X11; Linux x86_64; U; en) Presto/2.5.24 Version/10.54"
183.69.137.84 [03/May/2023:15:13:55 -0700] "GET /./viewforum.php?f=19&sid=67eace8982be7e90bf027b4c18a1e9c3 HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
183.69.137.87 [03/May/2023:15:13:55 -0700] "GET /./viewtopic.php?p=3942&sid=f6663db4b4acd7c4c7d69ca2ac0a8bfb HTTP/2.0" 403 166 - "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36"
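The triage the post describes (find the noisy range, notice that adjacent hosts rotate their User-Agent, then block the range) can be scripted. The Python below is an added example, not code from the original post or from phpBB: it parses lines in the same layout as the excerpt above, counts requests per /24, counts distinct User-Agents and `sid` values per source host, and prints the block rule in both forms the post mentions (an Nginx `deny` directive and the CIDR for Cloudflare's IP Access Rules). The sample log lines are constructed to mirror the excerpt plus one made-up ordinary visitor in the 203.0.113.0/24 documentation range; the thresholds `min_hits` and `min_agents` are assumptions for the sample, not values from the post. Note that phpBB appends `sid=` to the links it serves to clients that present no session cookie, which is why a cookie-less crawler drags a sid along on every request.

```python
"""Triage an access-log burst: group requests by /24, count rotating User-Agents
per source host, and print the block rule.  Added example; the log lines below
are constructed to mirror the excerpt in the post, not real traffic."""
import ipaddress
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the same layout as the excerpt:
# client [timestamp] "request" status bytes referer "user-agent".
# 203.0.113.7 is a made-up ordinary visitor (RFC 5737 documentation range).
SAMPLE_LOG = """\
183.69.137.89 [03/May/2023:15:13:53 -0700] "GET /./memberlist.php?mode=viewprofile&u=2562&sid=160a601fa11ebe08abcafc0b49fb52ed HTTP/2.0" 403 106 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:58.0) Gecko/20100101 Firefox/58.0"
183.69.137.89 [03/May/2023:15:13:53 -0700] "GET /./viewtopic.php?t=1286&sid=160a601fa11ebe08abcafc0b49fb52ed HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.0 Safari/537.36"
183.69.137.84 [03/May/2023:15:13:53 -0700] "GET /./memberlist.php?mode=viewprofile&u=101&sid=7637dc38140749a96a9008eae1e6a313 HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36"
183.69.137.84 [03/May/2023:15:13:53 -0700] "GET /./viewforum.php?f=3&sid=ea868b3b5a93ab483ea9d26a311687b6 HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36"
183.69.137.87 [03/May/2023:15:13:54 -0700] "GET /./viewforum.php?f=34&sid=45ece1d6f1dbdafba61384d74f3e7906 HTTP/2.0" 403 106 - "Opera/9.80 (Windows NT 10.0; U; en) Presto/2.8.131 Version/11.11"
183.69.137.87 [03/May/2023:15:13:54 -0700] "GET /./viewforum.php?f=33&sid=fad60502a1a9aea231a3f4b3ed02726d HTTP/2.0" 403 166 - "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
183.69.137.89 [03/May/2023:15:13:55 -0700] "GET /./viewforum.php?f=1&sid=c91f1abd90c9e2242e653a87d8269cc0 HTTP/2.0" 403 106 - "Opera/9.80 (X11; Linux x86_64; U; en) Presto/2.5.24 Version/10.54"
203.0.113.7 [03/May/2023:15:13:55 -0700] "GET /viewtopic.php?t=12 HTTP/2.0" 200 8831 - "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0"
203.0.113.7 [03/May/2023:15:14:02 -0700] "GET /viewforum.php?f=3 HTTP/2.0" 200 7210 - "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<referer>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    # phpBB puts sid= in the links it serves to cookie-less clients, so a crawler
    # that ignores cookies carries a sid on every request; keep it for counting.
    rec["sid"] = parse_qs(urlsplit(rec["target"]).query).get("sid", [None])[0]
    return rec


def summarize(log_text, prefix=24):
    """Per-/prefix request counts plus per-host sets of User-Agents and sids."""
    hits = Counter()
    agents = defaultdict(set)
    sids = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        net = ipaddress.ip_network(f"{rec['ip']}/{prefix}", strict=False)
        hits[net] += 1
        agents[rec["ip"]].add(rec["ua"])
        if rec["sid"]:
            sids[rec["ip"]].add(rec["sid"])
    return hits, agents, sids


def suspicious_ranges(log_text, min_hits=5, min_agents=2, prefix=24):
    """Ranges with at least min_hits requests in which some host rotates its
    User-Agent.  Thresholds are assumptions for the sample; tune them against
    the site's own baseline.  Returns (cidr, requests, hosts, max UAs per host)."""
    hits, agents, _ = summarize(log_text, prefix)
    flagged = []
    for net, count in hits.most_common():
        hosts = [ip for ip in agents if ip in net]
        rotating = max(len(agents[ip]) for ip in hosts)
        if count >= min_hits and rotating >= min_agents:
            flagged.append((str(net), count, len(hosts), rotating))
    return flagged


def block_rules(cidr):
    """The two places the post blocks a range: an Nginx deny directive, and the
    CIDR as entered in Cloudflare Security > WAF > IP Access Rules."""
    net = ipaddress.ip_network(cidr)
    return {"nginx": f"deny {net};", "cloudflare": str(net)}


if __name__ == "__main__":
    for cidr, count, hosts, rotating in suspicious_ranges(SAMPLE_LOG):
        print(f"{cidr}: {count} requests from {hosts} hosts, up to {rotating} User-Agents per host")
        print("  nginx:     ", block_rules(cidr)["nginx"])
        print("  cloudflare:", block_rules(cidr)["cloudflare"])
```

On a real server, feed `summarize()` the contents of the per-site access log instead of `SAMPLE_LOG`. Two caveats for the blocking step: a Cloudflare IP Access Rule stops the traffic at the edge, so the origin never sees it, while an Nginx `deny` still costs the origin a connection per request (though no PHP execution); and behind Cloudflare an Nginx `deny` on the visitor address only works if the real IP module restores the client address from Cloudflare's `CF-Connecting-IP` header, otherwise `$remote_addr` is a Cloudflare edge address. As the post says, a /24 ban also takes out any legitimate visitors in that range.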
