
Tracing a site mirror back to its source after the fact, part 1

I had already dealt with my site being mirrored earlier (see the previous post on handling a mirrored site when the scraper's source IP cannot be obtained, using a JS redirect to block scraping), but I still wasn't satisfied and wanted to see whether the IP it scrapes from could be found.
First, check the domain's whois: where was it registered, and who owns it?
I looked it up on https://x.threatbook.cn

Domain: calfiz.com
Registrar: 成都西部数码 (West.cn)
Registered: 2019-04-06 22:14:29

The domain is newly registered and has WHOIS privacy protection enabled, so no further details are visible; I set that aside for now.


Next, the DNS resolution for the domain, as shown by dig:

;; QUESTION SECTION:
;www.calfiz.com.                        IN      A

;; ANSWER SECTION:
www.calfiz.com.         60      IN      A       154.206.127.6

;; AUTHORITY SECTION:
calfiz.com.             1906    IN      NS      juming.dnsdun.com.
calfiz.com.             1906    IN      NS      juming.dnsdun.net.

The IP is in the Hong Kong/Taiwan region, and it may well be a CDN address. Opening it in a browser shows the default page of the 宝塔 (BT Panel) web panel.
Next I used nmap to see which ports the server had open:

Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-16 06:27 UTC
Nmap scan report for 154.206.127.6
Host is up (0.20s latency).

PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   closed   ssh
23/tcp   filtered telnet
80/tcp   open     http
110/tcp  filtered pop3
143/tcp  filtered imap
443/tcp  filtered https
3389/tcp filtered ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 2.12 seconds

Looking further at the mirror site http://www.calfiz.com/, the article shown there was my latest one, published yesterday, the 15th, so the mirror must have scraped my site after that article went live. I also saw that it had scraped http://www.calfiz.com/sitemap.html, the sitemap, which ordinary visitors rarely open. For site security reasons, access logging has always been enabled, so it looked like the logs could be used to catch its tail.

Looking at the 15th's log for requests to the sitemap:

113.57.114.108 - - [15/Jul/2019:21:24:11 +0800] "GET /sitemap HTTP/1.1" 200 17077 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
103.119.129.255 - - [15/Jul/2019:17:48:13 +0800] "GET /sitemap HTTP/1.1" 200 17077 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
103.119.129.255 - - [15/Jul/2019:17:48:09 +0800] "GET /wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.lnmpweb.cn%2Fsitemap& HTTP/1.1" 200 2277 "https://www.lnmpweb.cn/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.lnmpweb.cn%2Fsitemap&" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
103.119.129.255 - - [15/Jul/2019:17:48:09 +0800] "GET /sitemap HTTP/1.1" 200 17077 "https://www.lnmpweb.cn/sitemap" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
103.119.129.255 - - [15/Jul/2019:17:48:09 +0800] "GET /wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.lnmpweb.cn%2Fsitemap HTTP/1.1" 200 2277 "https://www.lnmpweb.cn/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.lnmpweb.cn%2Fsitemap" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
103.119.129.255 - - [15/Jul/2019:17:46:16 +0800] "GET /sitemap HTTP/1.1" 200 17077 "https://www.lnmpweb.cn/sitemap" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
113.118.201.14 - - [15/Jul/2019:16:45:11 +0800] "GET /sitemap HTTP/1.1" 200 17077 "http://lnmpweb.cn" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
66.249.69.172 - - [15/Jul/2019:16:32:59 +0800] "GET /sitemap.php HTTP/1.1" 200 77660 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
39.104.162.180 - - [15/Jul/2019:15:10:22 +0800] "GET /sitemap HTTP/1.1" 200 17024 "https://www.lnmpweb.cn/sitemap" "WordPress/5.2.2; https://www.lnmpweb.cn"
60.255.40.130 - - [15/Jul/2019:14:46:03 +0800] "GET /sitemap HTTP/1.1" 200 17024 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"
60.255.40.130 - - [15/Jul/2019:14:45:53 +0800] "GET /sitemap HTTP/1.1" 200 17024 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"
39.104.162.180 - - [15/Jul/2019:04:40:11 +0800] "GET /sitemap HTTP/1.1" 200 17024 "https://www.lnmpweb.cn/sitemap" "WordPress/5.2.2; https://www.lnmpweb.cn"
60.255.40.130 - - [15/Jul/2019:02:47:01 +0800] "GET /sitemap HTTP/1.1" 200 17025 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"
60.255.40.130 - - [15/Jul/2019:02:46:53 +0800] "GET /sitemap HTTP/1.1" 200 17025 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"

Going back to that article: it was published at 16:07 on 15 July 2019, so the relevant requests should be after 16:00 that afternoon. Looking at the log around that time, there was a large volume of requests from the IP 103.119.129.255.

tac www.lnmpweb.cn.log | grep 15/Jul | awk '{print $1}' | sort | uniq -c | sort -nr

Result:

   2265 103.119.129.255
    962 39.104.162.180
    506 119.118.30.171
    488 123.191.141.193
    437 60.255.40.130
    172 46.4.73.114
    140 154.214.255.52
    126 40.87.81.18
     85 113.57.114.108

That confirms the scraping came from the IP 103.119.129.255; a lookup shows it belongs to suniway.net. Whatever else, block this IP first; anyone with social-engineering skills could keep digging from here.
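The one-liner above counts every request from the whole day, which is why harmless but noisy clients (search-engine bots, the site's own WordPress cron) end up near the top. As an added example, not the blog's own command, the script below does the same ranking but restricts it to requests on a given day at or after a given local time (the article's publication time), and optionally to lines matching a pattern such as the sitemap path. It assumes the combined log format with the timestamp in the fourth field; the log lines and the client IPs in it are constructed for the example (RFC 5737 documentation ranges), not taken from the real log.

```shell
#!/bin/sh
# Added example, not the blog's own script: rank client IPs in a combined-format
# access log, restricted to one day and to requests at or after a given local
# time (HHMM), optionally only to lines matching a pattern such as the sitemap path.
# The log lines below are constructed for this example; 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges, not real clients.
LOG_SAMPLE='203.0.113.10 - - [15/Jul/2019:17:46:16 +0800] "GET /sitemap HTTP/1.1" 200 17077 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jul/2019:17:48:09 +0800] "GET /sitemap HTTP/1.1" 200 17077 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jul/2019:17:48:13 +0800] "GET /new-post/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jul/2019:02:46:53 +0800] "GET /sitemap HTTP/1.1" 200 17025 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jul/2019:14:46:03 +0800] "GET /sitemap HTTP/1.1" 200 17024 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jul/2019:14:47:03 +0800] "GET /sitemap HTTP/1.1" 200 17024 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jul/2019:14:48:03 +0800] "GET /sitemap HTTP/1.1" 200 17024 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Jul/2019:23:59:59 +0800] "GET /sitemap HTTP/1.1" 200 17024 "-" "Mozilla/5.0"
192.0.2.44 - - [16/Jul/2019:00:00:01 +0800] "GET /sitemap HTTP/1.1" 200 17024 "-" "Mozilla/5.0"'

# rank_ips DAY HHMM [PATTERN]  reads log lines on stdin and prints "COUNT IP",
# highest count first. DAY is in the log's own form, e.g. 15/Jul/2019.
rank_ips() {
  day="$1"; since="$2"; pat="${3:-.}"
  awk -v day="$day" -v since="$since" -v pat="$pat" '
    {
      # $4 is "[15/Jul/2019:17:46:16": drop the "[" and split on ":"
      n = split(substr($4, 2), p, ":")
      if (n < 4 || p[1] != day) next
      # zero-padded HHMM strings compare correctly as strings
      if ((p[2] p[3]) < since) next
      if ($0 !~ pat) next
      count[$1]++
    }
    END { for (ip in count) printf "%d %s\n", count[ip], ip }
  ' | sort -nr
}

# top_line DAY HHMM [PATTERN]  returns the busiest client in the sample,
# e.g. "3 203.0.113.10".
top_line() {
  printf '%s\n' "$LOG_SAMPLE" | rank_ips "$@" | head -n 1
}

# Whole day: the noisy but harmless client comes out on top.
top_line 15/Jul/2019 0000
# Only requests after the article went live at 16:07: the scraper comes out on top.
top_line 15/Jul/2019 1607
# Same window, sitemap requests only.
top_line 15/Jul/2019 1607 'GET /sitemap '
```

Run it against a real log with `rank_ips 15/Jul/2019 1607 'GET /sitemap ' < access.log`. If the site sits behind a CDN, the first field is the CDN edge address and the real client is in the X-Forwarded-For header, so the field to count has to be changed accordingly; and a single high count is still only a lead, not proof, until the requested paths line up with what appeared on the mirror.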

Reproduction without permission prohibited: 流觞 » Tracing a site mirror back to its source after the fact, part 1