VPS侦探论坛 (VPS Detective Forum)
Linode VPS: SQL injection attacks against itself from its own IP?!

Posted 2014-11-18 20:22:50

A question for 军哥: I am using a Linode VPS in Japan. Over the past two days I have noticed something strange in my site's access log: every so often there are SQL injection attacks, but oddly the attacking IP is the VPS's own address. How should this be handled? Surely I can't block my own IP?!
=================================================
Part of the log is as follows:
XX.XX.XX.XX - - [18/Nov/2014:17:54:43 +0800] "GET /wp-content/uploads/2014/11/2014-11-06_00-32-49.jpg%\x5C'%20AND%20(SELECT%205768%20FROM(SELECT%20COUNT(*),CONCAT(0x3a7674703a,(SELECT%20(CASE%20WHEN%20(5768=5768)%20THEN%201%20ELSE%200%20END)),0x3a7776713a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%20%20AND%20\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
XX.XX.XX.XX - - [18/Nov/2014:17:55:05 +0800] "GET /wp-content/uploads/2014/11/2014-11-06_00-32-49.jpg%\x5C')%20AND%20EXTRACTVALUE(6827,CONCAT(0x5c,0x3a7674703a,(SELECT%20(CASE%20WHEN%20(6827=6827)%20THEN%201%20ELSE%200%20END)),0x3a7776713a))%20%20AND%20(\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
XX.XX.XX.XX - - [18/Nov/2014:17:55:06 +0800] "GET /wp-content/uploads/2014/11/2014-11-06_00-32-49.jpg%\x5C'))%20AND%20EXTRACTVALUE(6827,CONCAT(0x5c,0x3a7674703a,(SELECT%20(CASE%20WHEN%20(6827=6827)%20THEN%201%20ELSE%200%20END)),0x3a7776713a))%20%20AND%20((\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
XX.XX.XX.XX - - [18/Nov/2014:17:55:09 +0800] "GET /wp-content/uploads/2014/11/2014-11-06_00-32-49.jpg%\x5C'%20AND%20EXTRACTVALUE(6827,CONCAT(0x5c,0x3a7674703a,(SELECT%20(CASE%20WHEN%20(6827=6827)%20THEN%201%20ELSE%200%20END)),0x3a7776713a))%20%20AND%20\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
XX.XX.XX.XX - - [18/Nov/2014:17:55:13 +0800] "GET /wp-content/uploads/2014/10/AT5045-1.jpg%\x5C'))%20AND%20EXTRACTVALUE(8324,CONCAT(0x5c,0x3a616f683a,(SELECT%20(CASE%20WHEN%20(8324=8324)%20THEN%201%20ELSE%200%20END)),0x3a7965663a))%20%20AND%20((\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
XX.XX.XX.XX - - [18/Nov/2014:17:55:13 +0800] "GET /wp-content/uploads/2014/10/AT5045-1.jpg%\x5C'%20AND%20EXTRACTVALUE(8324,CONCAT(0x5c,0x3a616f683a,(SELECT%20(CASE%20WHEN%20(8324=8324)%20THEN%201%20ELSE%200%20END)),0x3a7965663a))%20%20AND%20\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
XX.XX.XX.XX - - [18/Nov/2014:17:55:35 +0800] "GET /wp-content/uploads/2014/11/2014-11-06_00-32-49.jpg%\x5C')%20AND%20UPDATEXML(1283,CONCAT(0x2e,0x3a7674703a,(SELECT%20(CASE%20WHEN%20(1283=1283)%20THEN%201%20ELSE%200%20END)),0x3a7776713a),5291)%20%20AND%20(\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
XX.XX.XX.XX - - [18/Nov/2014:17:55:35 +0800] "GET /wp-content/uploads/2014/11/2014-11-06_00-32-49.jpg%\x5C'))%20AND%20UPDATEXML(1283,CONCAT(0x2e,0x3a7674703a,(SELECT%20(CASE%20WHEN%20(1283=1283)%20THEN%201%20ELSE%200%20END)),0x3a7776713a),5291)%20%20AND%20((\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -

……
================================================
The part in bold above is this VPS's own IP.

I would like to ask 军哥 and the other experts: could my VPS be infected (although scans with 安全狗 and 360网站卫士 found nothing), or could the host machine the VPS runs on be infected? Or is it something else?
How should I investigate and deal with this?
It is quite urgent; thanks in advance.
Posted 2014-11-19 08:46:40


    # Drop requests whose URI contains common SQL injection fragments.
    # Returning 444 makes nginx close the connection without sending a response.
    if ($request_uri ~* "(cost\()|(concat\()") {
        return 444;
    }
    # A space in $request_uri arrives URL-encoded as + or %20, so match either
    # form around the keyword (a character class such as [+|(%20)] would only
    # match a single one of those characters, not the sequence %20).
    if ($request_uri ~* "(\+|%20)union(\+|%20)") {
        return 444;
    }
    if ($request_uri ~* "(\+|%20)and(\+|%20)") {
        return 444;
    }
    if ($request_uri ~* "(\+|%20)select(\+|%20)") {
        return 444;
    }
The IP can be forged. You can use the code above in nginx to block the injection code.
Automatic Nginx+MySQL+PHP installer for Linux: https://lnmp.org
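Both the log excerpt in the question and the nginx rules in the reply hinge on recognising SQL injection fragments inside the request URI. The script below is an added example, not code from this thread or from the LNMP project: it parses nginx access-log lines in the format shown above, undoes nginx's \xHH escaping and the URL-encoding, flags requests carrying the same error-based (EXTRACTVALUE/UPDATEXML/CONCAT), boolean-based and UNION-based markers, and records which hits come from the server's own address. The first two sample lines are the post's own requests with the constructed placeholder 192.0.2.10 standing in for the VPS's address (shown as XX.XX.XX.XX in the post); the remaining lines and the addresses 198.51.100.7 and 203.0.113.9 are also constructed. Decoding before matching avoids the false positive that a raw `(\+|%20)and(\+|%20)` rule produces on an ordinary search such as /?s=black+and+white.

```python
import re
from urllib.parse import unquote

# Constructed placeholder for the VPS's own address (the post shows it as XX.XX.XX.XX).
SERVER_IP = "192.0.2.10"

# Constructed sample log: two injection lines taken from the post, plus benign
# traffic and one UNION-based probe from a different constructed address.
SAMPLE_LOG = r"""
192.0.2.10 - - [18/Nov/2014:17:54:43 +0800] "GET /wp-content/uploads/2014/11/2014-11-06_00-32-49.jpg%\x5C'%20AND%20(SELECT%205768%20FROM(SELECT%20COUNT(*),CONCAT(0x3a7674703a,(SELECT%20(CASE%20WHEN%20(5768=5768)%20THEN%201%20ELSE%200%20END)),0x3a7776713a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%20%20AND%20\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
192.0.2.10 - - [18/Nov/2014:17:55:05 +0800] "GET /wp-content/uploads/2014/11/2014-11-06_00-32-49.jpg%\x5C')%20AND%20EXTRACTVALUE(6827,CONCAT(0x5c,0x3a7674703a,(SELECT%20(CASE%20WHEN%20(6827=6827)%20THEN%201%20ELSE%200%20END)),0x3a7776713a))%20%20AND%20(\x5C'%\x5C'=\x5C' HTTP/1.1" 400 166 "-" "-" -
198.51.100.7 - - [18/Nov/2014:17:56:00 +0800] "GET /?s=black+and+white HTTP/1.1" 200 5120 "-" "Mozilla/5.0" -
198.51.100.7 - - [18/Nov/2014:17:56:02 +0800] "GET /wp-content/uploads/2014/10/AT5045-1.jpg HTTP/1.1" 200 40311 "-" "Mozilla/5.0" -
203.0.113.9 - - [18/Nov/2014:17:57:10 +0800] "GET /?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 812 "-" "sqlmap/1.0" -
"""

# nginx combined-style line: ip ident user [time] "method uri proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Markers seen in the post's requests plus the classic UNION probe. All are
# applied to the decoded URI, so the encoding used by the sender does not matter.
SQLI_PATTERNS = {
    "concat": re.compile(r"\bconcat\s*\(", re.I),
    "error_based_xml": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "union_select": re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.I),
    "boolean_and_select": re.compile(r"\band\s*\(?\s*select\b", re.I),
    "information_schema": re.compile(r"information_schema", re.I),
}


def decode_uri(uri):
    """Undo nginx's \\xHH escaping of special bytes, then URL-decode."""
    uri = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), uri)
    return unquote(uri)


def analyze(log_text, server_ip):
    """Return one finding per request whose decoded URI matches an injection marker."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        uri = decode_uri(m.group("uri"))
        hits = sorted(name for name, rx in SQLI_PATTERNS.items() if rx.search(uri))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "patterns": hits,
                # The question's symptom: the "attacker" is the server's own address.
                "from_self": m.group("ip") == server_ip,
            })
    return findings


def summarize(findings):
    """Count flagged requests per source address."""
    per_ip = {}
    for f in findings:
        per_ip[f["ip"]] = per_ip.get(f["ip"], 0) + 1
    return per_ip


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG, SERVER_IP)
    for f in results:
        tag = "SELF" if f["from_self"] else "ext "
        print(f"{tag} {f['ip']:<14} {f['time']} {f['status']} {','.join(f['patterns'])}")
    print("per-IP totals:", summarize(results))
```

The `from_self` flag isolates exactly the requests the question is about. Because the source address can be forged, as the reply notes, and because a log format that records a forwarded header instead of `$remote_addr` would simply write whatever the client sent, a hit from the server's own address is a lead to follow (check the log format, then look for a local process making those requests), not proof that the host is compromised.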
Original poster | Posted 2014-11-19 19:28:18

Thanks 军哥, I'll give it a try.