1
kmvan 2014-01-26 11:12:06 +08:00 1
What's abnormal?
|
2
582033 OP Detected 725 connected IPs, and the bandwidth has hit its peak.
|
3
Livid MOD In this situation you should look at the web server's log.
|
4
582033 OP @Livid Please advise.. how do I tell whether anything is abnormal?
In error.log I can see messages like the following:
2014/01/26 11:36:12 [error] 14532#0: unexpected response for www.espam.co.kr
2014/01/26 11:36:25 [error] 14533#0: unexpected response for giahdarou.ir
2014/01/26 11:36:25 [error] 14533#0: unexpected response for giahdarou.ir
2014/01/26 11:37:38 [error] 14533#0: DNS error (16: Unknown error), query id:14222
2014/01/26 11:38:22 [error] 14533#0: unexpected response for www.portlandcvb.com
2014/01/26 11:38:22 [error] 14533#0: unexpected response for www.portlandcvb.com
2014/01/26 11:38:32 [error] 14533#0: unexpected response for www.portlandcvb.com
2014/01/26 11:38:41 [error] 14532#0: unexpected response for www.zb1213.com
2014/01/26 11:38:50 [error] 14533#0: unexpected response for steady-laughing.com
2014/01/26 11:38:50 [error] 14533#0: unexpected response for steady-laughing.com
2014/01/26 11:38:55 [error] 14533#0: unexpected response for steady-laughing.com
|
6
582033 OP @Livid The log hasn't grown by much.
114.80.109.30 - - [26/Jan/2014:11:41:26 +0800] "POST /api/manyou/my.php HTTP/1.0" 200 154 "http://www.bgjsy.com/api/manyou/my.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9"
113.13.131.36 - - [26/Jan/2014:11:41:27 +0800] "POST /member.php?mod=register&inajax=1 HTTP/1.1" 200 1042 "http://www.bgjsy.com/member.php?mod=register&inajax=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
46.161.41.24 - - [26/Jan/2014:11:42:22 +0800] "GET /search.php?mod=forum&srchtxt=%E5%8C%97%E4%BA%AC%E4%BA%8C%E6%89%8B%E6%88%BF%E8%A3%85%E4%BF%AE&formhash=5f7a996e&searchsubmit=true&source=hotsearch HTTP/1.1" 302 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows 95) Opera 7.03 [de]"
46.161.41.24 - - [26/Jan/2014:11:42:23 +0800] "GET /search.php?mod=forum&searchid=4&orderby=lastpost&ascdesc=desc&searchsubmit=yes&kw=%E5%8C%97%E4%BA%AC%E4%BA%8C%E6%89%8B%E6%88%BF%E8%A3%85%E4%BF%AE HTTP/1.1" 200 7330 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows 95) Opera 7.03 [de]"
117.80.175.69 - - [26/Jan/2014:11:42:38 +0800] "GET / HTTP/1.1" 301 5 "http://www.bgjsy.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
42.96.185.104 - - [26/Jan/2014:11:47:58 +0800] "GET /tongji/5.html HTTP/1.0" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
42.96.185.104 - - [26/Jan/2014:11:48:20 +0800] "GET /?topic=%E6%88%91%E6%83%B3%E5%95%8F%E6%8D%B7%E6%98%9F%E8%88%AA%E7%A9%BA%E9%9A%A8%E8%BA%AB%E8%A1%8C%E6%9D%8E%E7%9A%84%E9%99%90%E5%88%B6 HTTP/1.1" 200 4701 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2b1) Gecko/20091014 Firefox/3.6b1 GTB5"
221.215.66.58 - - [26/Jan/2014:11:48:38 +0800] "GET /tongji/5.html HTTP/1.0" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
42.96.185.104 - - [26/Jan/2014:11:48:52 +0800] "GET /tongji/5.html HTTP/1.0" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
212.2.229.35 - - [26/Jan/2014:11:48:55 +0800] "CONNECT oauth.vk.com:443 HTTP/1.0" 400 172 "-" "-"
42.96.185.104 - - [26/Jan/2014:11:49:46 +0800] "GET /tongji/5.html HTTP/1.0" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
221.215.66.58 - - [26/Jan/2014:11:50:25 +0800] "GET /tongji/5.html HTTP/1.0" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
42.96.185.104 - - [26/Jan/2014:11:50:57 +0800] "GET /tongji/5.html HTTP/1.1" 404 198 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
42.96.185.104 - - [26/Jan/2014:11:51:00 +0800] "GET /apple/iphone4renzituoguijiaotao/ HTTP/1.1" 404 142 "http://www.guokey.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
|
7
cst4you 2014-01-26 12:21:35 +08:00 via Android
Could it be a crawler?
|
8
tywtyw2002 2014-01-26 13:46:02 +08:00
A Korean website?
A DDoS at only 4m, that traffic is too small. grep the log. Capture packets with tcpdump and take a look.
|
9
magicsilence 2014-01-26 13:53:57 +08:00 1
Take a look with iptraf.
|
10
582033 OP @tywtyw2002 The bandwidth is capped at 4m, so that is already the peak..
|
11
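582033 OP @magicsilence
@cst4you @tywtyw2002 @Livid Thanks to everyone above. It turned out that an HTTP proxy I was using myself, with no password set, had been hijacked, and it wasn't writing any logs, so no wonder I didn't see the log growing quickly. Thanks again.
|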
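Added example, not part of the thread: a small triage script for the access-log signs of forward-proxy use that appear in the lines posted above (a CONNECT request, Referers naming other sites), plus absolute-URI request lines. `OWN_HOSTS` and every sample line are constructed assumptions; the combined log format is assumed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hostnames this server legitimately serves (hypothetical values).
OWN_HOSTS = {"example.org", "www.example.org"}

# "combined" access-log format: ip - - [time] "METHOD target proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def proxy_indicators(line):
    """Return the reasons a log line looks like forward-proxy traffic."""
    m = LINE_RE.match(line)
    if not m:
        return []
    reasons = []
    if m["method"].upper() == "CONNECT":
        reasons.append("connect-method")
    # An absolute URI in the request line is what a client sends to a proxy.
    target_host = urlsplit(m["target"]).hostname if "://" in m["target"] else None
    if target_host and target_host not in OWN_HOSTS:
        reasons.append("absolute-uri-foreign-host")
    # Weak signal on its own: ordinary inbound links also carry foreign Referers.
    ref_host = urlsplit(m["referer"]).hostname
    if ref_host and ref_host not in OWN_HOSTS:
        reasons.append("foreign-referer")
    return reasons

def summarize(lines):
    """Count flagged lines per client IP."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and proxy_indicators(line):
            hits[m["ip"]] += 1
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical hosts).
SAMPLE = [
    '192.0.2.10 - - [26/Jan/2014:11:41:26 +0800] "POST /api/my.php HTTP/1.0" 200 154 "http://forum.example.net/api/my.php" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Jan/2014:11:48:55 +0800] "CONNECT login.example.net:443 HTTP/1.0" 400 172 "-" "-"',
    '203.0.113.5 - - [26/Jan/2014:11:50:00 +0800] "GET / HTTP/1.1" 200 512 "http://www.example.org/" "Mozilla/5.0"',
    '192.0.2.10 - - [26/Jan/2014:11:51:00 +0800] "GET http://shop.example.net/item HTTP/1.1" 404 142 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE).most_common())
```

As the last post notes, a proxy that writes no log of its own leaves nothing for a script like this to read, so the listening service needs logging enabled (and authentication) before log triage can help.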