
Simple, Direct Commands for Checking Whether a Website on a Linux Host Is Under a CC Attack

2024-03-12 11:08:50


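CC attacks (application-layer HTTP request floods) are easy to launch and cost almost nothing, which is why they keep becoming more common. Most people who launch CC attacks use tools downloaded from the internet. These tools rarely disguise their characteristics, so they leave traces. The commands below can be used to analyze whether a site is under a CC attack.

First command: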

tcpdump -s0 -A -n -i any | grep -o -E '(GET|POST|HEAD) .*'

Normal output looks similar to this:

POST /ajax/validator.php HTTP/1.1
POST /api_redirect.php HTTP/1.1
GET /team/57085.html HTTP/1.1
POST /order/pay.php HTTP/1.1
GET /static/goodsimg/20140324/1_47.jpg HTTP/1.1
GET /static/theme/qq/css/index.css HTTP/1.1
GET /static/js/index.js HTTP/1.1
GET /static/js/customize.js HTTP/1.1
GET /ajax/loginjs.php?type=topbar& HTTP/1.1
GET /static/js/jquery.js HTTP/1.1
GET /ajax/load_team_time.php?team_id=57085 HTTP/1.1
GET /static/theme/qq/css/index.css HTTP/1.1
GET /static/js/lazyload/jquery.lazyload.min.js HTTP/1.1
GET /static/js/MSIE.PNG.js HTTP/1.1
GET /static/js/index.js HTTP/1.1
GET /static/js/customize.js HTTP/1.1
GET /ajax/loginjs.php?type=topbar& HTTP/1.1
GET /static/theme/qq/css/i/logo.jpg HTTP/1.1
GET /static/theme/qq/css/i/logos.png HTTP/1.1
GET /static/theme/qq/css/i/hot.gif HTTP/1.1
GET /static/theme/qq/css/i/brand.gif HTTP/1.1
GET /static/theme/qq/css/i/new.gif HTTP/1.1
GET /static/js/jquery.js HTTP/1.1
GET /static/theme/qq/css/i/logo.jpg HTTP/1.1

Normal results consist mainly of static files such as CSS, JS and images of all kinds. Under attack, a large number of requests for one fixed address appear: if the home page is the target, there will be a flood of "GET / HTTP/1.1". Alternatively the addresses follow a recognizable pattern: if the target is a Discuz forum, there may be a large number of addresses of the form "/thread-<random number>-1-1.html".

Second command:

tcpdump -s0 -A -n -i any | grep ^User-Agent

The output looks similar to this:

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)
User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

This shows the clients' User-Agent headers. Normal results contain a wide variety of user agents. Most attacks use a fixed user agent, so the same user agent floods the screen. I have only seen a randomized user agent once, and it came out looking like "axd5m8usy", so it could still be told apart.

Third command:

tcpdump -s0 -A -n -i any | grep ^Host

If the machine hosts many websites, the command above shows which site is receiving the bulk of the requests. The output looks similar to this:

Host:www.server110.com
Host:www.server110.com
Host:www.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host:www.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host:www.server110.com
Host:www.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host:www.server110.com
Host: upload.server110.com
Host: upload.server110.com
Host:www.server110.com

tcpdump is usually not installed by default.

Install on CentOS:

yum install -y tcpdump

Install on Debian/Ubuntu:

apt-get install -y tcpdump

Many novice users do not know how to configure or read logs. The commands above are much simpler: copy them to the command line and run them.
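The three pipelines above are read by eye as they scroll past. The added example below (not part of the original article) counts what they print, so a single dominant request line, User-Agent or Host shows up as a share of the captured traffic. The function names, the constructed sample capture and the percentage thresholds are assumptions of this example.

```sh
#!/bin/sh
# Added example: tally the fields the page's three tcpdump pipelines print.
# Live use (root):  tcpdump -s0 -A -n -i any -c 2000 2>/dev/null | tally ua
TAB=$(printf '\t')

# tally <request|ua|host> [top_n]: reads `tcpdump -A` text on stdin and
# prints "count<TAB>share<TAB>value", most frequent first.
tally() {
    case "$1" in
        request) pat='(GET|POST|HEAD) [^ ]+ HTTP/[0-9.]+' ;;
        ua)      pat='^User-Agent:.*' ;;
        host)    pat='^Host:.*' ;;
        *) echo "usage: tally request|ua|host [top_n]" >&2; return 2 ;;
    esac
    # Strip the header name and optional space so "Host:a" and "Host: a" merge.
    grep -o -E "$pat" | tr -d '\r' |
        sed -E 's/^(User-Agent|Host):[[:space:]]*//' |
        awk '{ n[$0]++; total++ }
             END { for (k in n) printf "%d\t%.0f%%\t%s\n", n[k], 100*n[k]/total, k }' |
        sort -t "$TAB" -k1,1nr -k3 | head -n "${2:-5}"
}

# dominant <field> <min_percent>: prints the top value and returns 0 only if
# it accounts for at least min_percent of matches (threshold is an assumption).
dominant() {
    tally "$1" 1 | awk -F'\t' -v min="$2" '
        { sub(/%/, "", $2); if ($2 + 0 >= min) { print $3; found = 1 } }
        END { exit !found }'
}

# Constructed sample shaped like `tcpdump -A` text: six identical requests
# from one fixed client string plus two ordinary requests.
sample_capture() {
    i=0
    while [ "$i" -lt 6 ]; do
        printf 'E..@.P..GET / HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: ExampleClient/1.0\r\n\r\n'
        i=$((i + 1))
    done
    printf 'E..@.P..GET /static/js/index.js HTTP/1.1\r\nHost:www.example.test\r\nUser-Agent: Mozilla/5.0 (Windows NT 5.1)\r\n\r\n'
    printf 'E..@.P..POST /order/pay.php HTTP/1.1\r\nHost: upload.example.test\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n\r\n'
}

sample_capture | tally request 3
```

Like the commands above, this only sees cleartext HTTP; where TLS is terminated on the host, the same tallies have to come from the web server's access log.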
