V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
582033
V2EX  ›  站长

这种情况是被DDOS了么

  •  
  •   582033 · 2014-01-26 10:59:37 +08:00 · 6974 次点击
    这是一个创建于 3936 天前的主题,其中的信息可能已经有所发展或是发生改变。
    用iftop 现在能看到这么个信息,如图, http://urlc.cn/g/yd6io6tu ,

    难道被DDOS了?

    求分析,求解决
    11 条回复    1970-01-01 08:00:00 +08:00
    kmvan
        1
    kmvan  
       2014-01-26 11:12:06 +08:00   ❤️ 1
    有何异常?
    582033
        2
    582033  
    OP
       2014-01-26 11:16:06 +08:00
    检测到连接IP有725个,带宽打到峰值。
    Livid
        3
    Livid  
    MOD
       2014-01-26 11:22:09 +08:00
    这种情况你应该看 web server 的 log
    582033
        4
    582033  
    OP
       2014-01-26 11:40:22 +08:00
    @Livid 请指教.. 怎么看是否有异常呢


    error.log 可以看到如下类似信息
    2014/01/26 11:36:12 [error] 14532#0: unexpected response for www.espam.co.kr
    2014/01/26 11:36:25 [error] 14533#0: unexpected response for giahdarou.ir
    2014/01/26 11:36:25 [error] 14533#0: unexpected response for giahdarou.ir
    2014/01/26 11:37:38 [error] 14533#0: DNS error (16: Unknown error), query id:14222
    2014/01/26 11:38:22 [error] 14533#0: unexpected response for www.portlandcvb.com
    2014/01/26 11:38:22 [error] 14533#0: unexpected response for www.portlandcvb.com
    2014/01/26 11:38:32 [error] 14533#0: unexpected response for www.portlandcvb.com
    2014/01/26 11:38:41 [error] 14532#0: unexpected response for www.zb1213.com
    2014/01/26 11:38:50 [error] 14533#0: unexpected response for steady-laughing.com
    2014/01/26 11:38:50 [error] 14533#0: unexpected response for steady-laughing.com
    2014/01/26 11:38:55 [error] 14533#0: unexpected response for steady-laughing.com
    Livid
        5
    Livid  
    MOD
       2014-01-26 11:43:22 +08:00
    @582033 看看 access.log
    582033
        6
    582033  
    OP
       2014-01-26 11:52:21 +08:00
    @Livid 日志没有大量增加



    114.80.109.30 - - [26/Jan/2014:11:41:26 +0800] "POST /api/manyou/my.php HTTP/1.0" 200 154 "http://www.bgjsy.com/api/manyou/my.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9"
    113.13.131.36 - - [26/Jan/2014:11:41:27 +0800] "POST /member.php?mod=register&inajax=1 HTTP/1.1" 200 1042 "http://www.bgjsy.com/member.php?mod=register&inajax=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
    46.161.41.24 - - [26/Jan/2014:11:42:22 +0800] "GET /search.php?mod=forum&srchtxt=%E5%8C%97%E4%BA%AC%E4%BA%8C%E6%89%8B%E6%88%BF%E8%A3%85%E4%BF%AE&formhash=5f7a996e&searchsubmit=true&source=hotsearch HTTP/1.1" 302 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows 95) Opera 7.03 [de]"
    46.161.41.24 - - [26/Jan/2014:11:42:23 +0800] "GET /search.php?mod=forum&searchid=4&orderby=lastpost&ascdesc=desc&searchsubmit=yes&kw=%E5%8C%97%E4%BA%AC%E4%BA%8C%E6%89%8B%E6%88%BF%E8%A3%85%E4%BF%AE HTTP/1.1" 200 7330 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows 95) Opera 7.03 [de]"
    117.80.175.69 - - [26/Jan/2014:11:42:38 +0800] "GET / HTTP/1.1" 301 5 "http://www.bgjsy.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"

    42.96.185.104 - - [26/Jan/2014:11:47:58 +0800] "GET /tongji/5.html HTTP/1.0" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
    42.96.185.104 - - [26/Jan/2014:11:48:20 +0800] "GET /?topic=%E6%88%91%E6%83%B3%E5%95%8F%E6%8D%B7%E6%98%9F%E8%88%AA%E7%A9%BA%E9%9A%A8%E8%BA%AB%E8%A1%8C%E6%9D%8E%E7%9A%84%E9%99%90%E5%88%B6 HTTP/1.1" 200 4701 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2b1) Gecko/20091014 Firefox/3.6b1 GTB5"
    221.215.66.58 - - [26/Jan/2014:11:48:38 +0800] "GET /tongji/5.html HTTP/1.0" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
    42.96.185.104 - - [26/Jan/2014:11:48:52 +0800] "GET /tongji/5.html HTTP/1.0" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
    212.2.229.35 - - [26/Jan/2014:11:48:55 +0800] "CONNECT oauth.vk.com:443 HTTP/1.0" 400 172 "-" "-"
    42.96.185.104 - - [26/Jan/2014:11:49:46 +0800] "GET /tongji/5.html HTTP/1.0" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
    221.215.66.58 - - [26/Jan/2014:11:50:25 +0800] "GET /tongji/5.html HTTP/1.0" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
    42.96.185.104 - - [26/Jan/2014:11:50:57 +0800] "GET /tongji/5.html HTTP/1.1" 404 198 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
    42.96.185.104 - - [26/Jan/2014:11:51:00 +0800] "GET /apple/iphone4renzituoguijiaotao/ HTTP/1.1" 404 142 "http://www.guokey.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
    cst4you
        7
    cst4you  
       2014-01-26 12:21:35 +08:00 via Android
    会不会是爬虫
    tywtyw2002
        8
    tywtyw2002  
       2014-01-26 13:46:02 +08:00
    一个棒子网站?

    ddos 才4m,这流量太小了, 你grep一下log。


    tcpdump抓包看看
    magicsilence
        9
    magicsilence  
       2014-01-26 13:53:57 +08:00   ❤️ 1
    iptraf 看看
    582033
        10
    582033  
    OP
       2014-01-26 14:38:31 +08:00
    @tywtyw2002 限定的带宽就是4m,已经是峰值了..
    582033
        11
    582033  
    OP
       2014-01-26 18:02:44 +08:00
    @magicsilence
    @cst4you
    @tywtyw2002
    @Livid

    感谢楼上各位,原来是自己用的一个没加密码的http代理被盗用了,而且没有输出日志,难怪没看到快速增长的log,再次感谢。
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   1368 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 22ms · UTC 23:39 · PVG 07:39 · LAX 15:39 · JFK 18:39
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.