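Over the last two days I glanced at the machine's load and found it had shot up to 0.6. My blog has always had few visitors, so even with a 1 CPU / 1 GB configuration the load should not be that high. I looked closely at the Apache access log and found a large number of requests to xmlrpc.php.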
167.114.89.173 - - [22/Nov/2015:04:52:29 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
192.99.196.123 - - [22/Nov/2015:04:52:33 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
192.99.196.123 - - [22/Nov/2015:04:52:39 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
167.114.89.173 - - [22/Nov/2015:04:52:41 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
167.114.89.173 - - [22/Nov/2015:04:52:49 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
167.114.89.168 - - [22/Nov/2015:04:52:49 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
192.99.196.123 - - [22/Nov/2015:04:52:51 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
192.99.196.123 - - [22/Nov/2015:04:52:58 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
167.114.89.168 - - [22/Nov/2015:04:52:58 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
167.114.89.168 - - [22/Nov/2015:04:52:58 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
167.114.89.173 - - [22/Nov/2015:04:53:04 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
167.114.89.173 - - [22/Nov/2015:04:53:07 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
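I had seen similar requests before. At first glance the User-Agent contained keywords such as Googlebot/2.1 and http://www.google.com/bot.html, so I assumed it was Google's crawler and paid little attention. Today I looked more carefully and found that was not the case: these requests occur continuously in large numbers and come from multiple IP addresses. All of them are POST requests to xmlrpc.php, and a packet capture showed the contents are exactly the same. Looking the IPs up via Baidu, most are abroad, in Finland, Canada and so on, and nothing indicates they are Google IPs. Google's crawler should not behave like this either, so I decided to block them. Previously, on a virtual machine, I could only do this at the Apache and PHP layers. This time I am on a dedicated host, so the most direct way is to block them at the firewall.
First, count which IPs of this kind appear in the current log: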
#>grep xmlrpc.php zhaoyanblog.com-access_log |awk '{print $1}'| sort |uniq -c
     61 103.24.105.228
     12 158.69.159.211
  15051 158.69.159.223
  21941 167.114.89.168
  21512 167.114.89.173
  31182 192.99.196.123
     38 46.148.16.114
     37 46.148.17.90
    212 68.180.229.113
     21 92.63.87.97
To avoid blocking anyone by mistake, first block only the IPs with high counts, for example:
iptables -I INPUT -s 167.114.89.168 -j DROP
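
The counting and blocking steps above can be combined so that only sources above a chosen threshold produce a rule. This is an added example, not part of the original post: the function names, the threshold value and the sample log lines (documentation-range addresses) are assumptions, and the script only prints the iptables commands so they can be reviewed before being run.

```shell
#!/bin/sh
# Added example: derive DROP rules from POST /xmlrpc.php counts per client.

# xmlrpc_block_rules THRESHOLD  (reads an Apache combined log on stdin)
# Prints one iptables command per IPv4 client with >= THRESHOLD hits,
# busiest first. Nothing is executed.
xmlrpc_block_rules() {
    awk -v min="$1" '
        # $1 = client, $6 = "\"METHOD", $7 = request path
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php(\?|$)/ { hits[$1]++ }
        END {
            for (ip in hits)
                # Skip hostnames or anything not shaped like an IPv4 address,
                # so log content never reaches a command line unchecked.
                if (hits[ip] >= min && ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    printf "%d iptables -I INPUT -s %s -j DROP\n", hits[ip], ip
        }' | sort -rn | cut -d' ' -f2-
}

# emit_lines COUNT CLIENT METHOD PATH: constructed sample log lines
emit_lines() {
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '%s - - [22/Nov/2015:04:52:%02d +0800] "%s %s HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"\n' \
            "$2" "$i" "$3" "$4"
        i=$((i + 1))
    done
}

# Constructed sample input, not taken from the original log.
sample_log() {
    emit_lines 4 198.51.100.7    POST /xmlrpc.php   # above threshold
    emit_lines 3 203.0.113.9     POST /xmlrpc.php   # at threshold
    emit_lines 1 192.0.2.5       POST /xmlrpc.php   # below threshold: kept
    emit_lines 5 192.0.2.8       GET  /index.php    # other traffic: ignored
    emit_lines 3 crawler.example POST /xmlrpc.php   # not an IPv4 address: skipped
}

# Threshold 3 is an assumed value; pick one that fits your own traffic.
sample_log | xmlrpc_block_rules 3
```

On a real server the input would be the access log itself, for example `xmlrpc_block_rules 1000 < zhaoyanblog.com-access_log`.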
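Unless otherwise noted, all articles on Zhao Yan's blog are original. When reposting, please cite this article's address as a link.
Article address: https://zhaoyanblog.com/archives/862.html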