Linode VPS: my own IP running SQL injection attacks against me?!
Asking 军哥 for advice. I use a Linode VPS in Japan. Over the last two days, while going through the website logs, I noticed something strange: every so often there are SQL-injection-style attacks, but oddly the attacking IP is the VPS's own address. How should this be handled? I can't very well block my own IP, can I?!
=================================================
Part of the log is shown below:
XX.XX.XX.XX - - "GET /wp-content/uploads/2014/11/2014-11-06_00-32-49.jpg%\x5C'%20AND%20(SELECT%205768%20FROM(SELECT%20COUNT(*),CONCAT(0x3a7674703a,(SELECT%20(CASE%20WHEN%20(5768=5768)%20THEN%201%20ELSE%200%20END)),0x3a7776713a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%20%20AND%20\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
XX.XX.XX.XX - - "GET /wp-content/uploads/2014/11/2014-11-06_00-32-49.jpg%\x5C')%20AND%20EXTRACTVALUE(6827,CONCAT(0x5c,0x3a7674703a,(SELECT%20(CASE%20WHEN%20(6827=6827)%20THEN%201%20ELSE%200%20END)),0x3a7776713a))%20%20AND%20(\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
XX.XX.XX.XX - - "GET /wp-content/uploads/2014/11/2014-11-06_00-32-49.jpg%\x5C'))%20AND%20EXTRACTVALUE(6827,CONCAT(0x5c,0x3a7674703a,(SELECT%20(CASE%20WHEN%20(6827=6827)%20THEN%201%20ELSE%200%20END)),0x3a7776713a))%20%20AND%20((\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
XX.XX.XX.XX - - "GET /wp-content/uploads/2014/11/2014-11-06_00-32-49.jpg%\x5C'%20AND%20EXTRACTVALUE(6827,CONCAT(0x5c,0x3a7674703a,(SELECT%20(CASE%20WHEN%20(6827=6827)%20THEN%201%20ELSE%200%20END)),0x3a7776713a))%20%20AND%20\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
XX.XX.XX.XX - - "GET /wp-content/uploads/2014/10/AT5045-1.jpg%\x5C'))%20AND%20EXTRACTVALUE(8324,CONCAT(0x5c,0x3a616f683a,(SELECT%20(CASE%20WHEN%20(8324=8324)%20THEN%201%20ELSE%200%20END)),0x3a7965663a))%20%20AND%20((\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
XX.XX.XX.XX - - "GET /wp-content/uploads/2014/10/AT5045-1.jpg%\x5C'%20AND%20EXTRACTVALUE(8324,CONCAT(0x5c,0x3a616f683a,(SELECT%20(CASE%20WHEN%20(8324=8324)%20THEN%201%20ELSE%200%20END)),0x3a7965663a))%20%20AND%20\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
XX.XX.XX.XX - - "GET /wp-content/uploads/2014/11/2014-11-06_00-32-49.jpg%\x5C')%20AND%20UPDATEXML(1283,CONCAT(0x2e,0x3a7674703a,(SELECT%20(CASE%20WHEN%20(1283=1283)%20THEN%201%20ELSE%200%20END)),0x3a7776713a),5291)%20%20AND%20(\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
XX.XX.XX.XX - - "GET /wp-content/uploads/2014/11/2014-11-06_00-32-49.jpg%\x5C'))%20AND%20UPDATEXML(1283,CONCAT(0x2e,0x3a7674703a,(SELECT%20(CASE%20WHEN%20(1283=1283)%20THEN%201%20ELSE%200%20END)),0x3a7776713a),5291)%20%20AND%20((\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
……
================================================
The highlighted part above (the XX.XX.XX.XX address) is the VPS's own IP.
I'd like to ask 军哥 and the other experts: could my VPS be infected (although checks with 安全狗 (SafeDog) and 360网站卫士 found nothing), or could the host machine the VPS runs on be infected? Or is it something else?
How should I investigate this, and how should I deal with it?
I'm quite anxious about this; thanks in advance.

# Close the connection without a response (444) when the raw request URI carries these markers
if ($request_uri ~* "(cost\()|(concat\()") {
    return 444;
}
# A space in $request_uri appears as "+" or "%20", so match either as the separator
if ($request_uri ~* "(\+|%20)union(\+|%20)") {
    return 444;
}
if ($request_uri ~* "(\+|%20)and(\+|%20)") {
    return 444;
}
if ($request_uri ~* "(\+|%20)select(\+|%20)") {
    return 444;
}

The IP can be spoofed; the config above can be used in nginx to block the injected code from being executed.

Thanks 军哥, I'll give it a try.
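As an added example (not code from the thread or from nginx), the following Python script applies the same signatures as the nginx rules above to access-log lines, groups the flagged requests by source address, and marks the entries whose source is the server's own IP so they can be checked separately. The log lines and IP addresses are constructed for the example, in the same shape as the excerpts quoted above; `203.0.113.10` stands in for the VPS's own address, and `\x5C` is how nginx writes a backslash in the access log. The `own_ip` parameter is an assumption of this script, not something the forum describes.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same shape as the excerpts quoted in the thread
# (IP, request, status, bytes, referer, user-agent). 203.0.113.10 plays the role
# of the VPS's own address; the 400/166 responses are nginx rejecting the request.
SAMPLE_LOG = r'''203.0.113.10 - - "GET /wp-content/uploads/2014/11/a.jpg%\x5C'%20AND%20(SELECT%205768%20FROM(SELECT%20COUNT(*),CONCAT(0x3a7674703a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%20AND%20\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
203.0.113.10 - - "GET /wp-content/uploads/2014/10/b.jpg%\x5C')%20AND%20EXTRACTVALUE(6827,CONCAT(0x5c,0x3a7674703a))%20AND%20(\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
203.0.113.10 - - "GET /?id=1+UNION+SELECT+1,2,3 HTTP/1.1" 200 5120 "-" "sqlmap/1.0" -
198.51.100.7 - - "GET /wp-content/uploads/2014/11/band.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0" -
198.51.100.7 - - "GET /search?q=brand%20new%20stand HTTP/1.1" 200 2048 "-" "Mozilla/5.0" -
'''

# Parser for the log shape above (no timestamp field, as in the quoted excerpts)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# In the raw request URI a space appears as "+" or "%20"; an alternation is needed,
# a character class like [+|(%20)] would only match one of those characters.
SEP = r"(?:\+|%20)"
SIGNATURES = {
    "concat":    re.compile(r"concat\(", re.I),
    "union":     re.compile(SEP + r"union" + SEP, re.I),
    "and":       re.compile(SEP + r"and" + SEP, re.I),
    "select":    re.compile(SEP + r"select" + SEP, re.I),
    # MySQL error-based probes seen in the quoted log lines
    "xml_error": re.compile(r"(?:extractvalue|updatexml)\(", re.I),
}


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sqli_signatures(uri):
    """Names of the signatures that fire on a raw request URI, sorted."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(uri))


def triage(log_text, own_ip):
    """Group flagged requests by source IP and record which status codes they got.

    'self' is True when the source equals own_ip, i.e. the case from the thread
    where the attacking address is the server's own; 'statuses' shows whether
    nginx already rejected the requests (400) or they reached the application.
    """
    report = defaultdict(lambda: {"hits": 0, "signatures": set(),
                                  "statuses": set(), "self": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sigs = sqli_signatures(rec["uri"])
        if not sigs:
            continue
        entry = report[rec["ip"]]
        entry["hits"] += 1
        entry["signatures"].update(sigs)
        entry["statuses"].add(int(rec["status"]))
        entry["self"] = rec["ip"] == own_ip
    return dict(report)


if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG, "203.0.113.10").items():
        tag = " (server's own IP)" if entry["self"] else ""
        print(f"{ip}{tag}: {entry['hits']} flagged, signatures={sorted(entry['signatures'])}, "
              f"statuses={sorted(entry['statuses'])}")
```

Run on the constructed sample, the two legitimate requests from `198.51.100.7` (`band.jpg`, `brand%20new%20stand`) produce no hits because the separator is required on both sides of the keyword, while the three probes from the server's own address are reported together with the fact that two were already answered with 400 and one reached the application with 200, which is the distinction an administrator wants before deciding whether anything needs cleaning up locally.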