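My Website Was Maliciously Scanned with the sqlmap Tool

Updated: 2022-12-12 Views: 1902 Word count: 414 Category: Security

Today I happened to notice that the view counts of several articles on the site were abnormal: a few niche posts had astonishingly high numbers. I suspected malicious scanning, so I looked at the per-IP statistics in the Nginx access log.

access.log IP statistics

Today's access records: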

$ awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head -n 10
  47121 103.148.58.45
    804 66.249.79.239
    540 66.249.79.241
    422 209.159.145.46
    422 162.241.123.164
    413 65.108.227.178
    413 162.241.62.60
    299 65.108.125.120
    270 198.71.236.34
    264 66.249.79.243

Yesterday's access records:

$ awk '{print $1}' /var/log/nginx/access.log.1 | sort | uniq -c | sort -nr | head -n 10
 158657 103.148.58.45
   1433 66.249.79.239
    840 150.158.212.68
    757 66.249.79.241
    522 64.124.8.55
    480 64.124.8.35
    432 66.249.79.243
    394 64.124.8.28
    253 172.104.100.241
    241 64.124.8.27

The request volume from the IP 103.148.58.45 is outrageously high.

Characteristics of the malicious requests

103.148.58.45 - - [12/Dec/2022:10:14:02 +0800] "GET /golang-upgraded-version-113-to-114?from=random%27%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT%28CONCAT%28%27qkbkq%27%2C%27EXDgLPuczm%27%29%2C%27qqzqq%27%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20ihuT HTTP/1.1" 200 9341 "-" "sqlmap/1.6.12#stable 15:00 2022/12/12(https://sqlmap.org)" "2.91"

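Judging from the request URL, this looks very much like an SQL injection tool.

I searched for the identifier in the request header, and sure enough, it is: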

https://sqlmap.org/

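sqlmap is an automated tool for detecting SQL injection vulnerabilities. It supports quite a wide range of databases. It works well as a vulnerability testing tool for a project.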
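The two signatures visible in the request above (the sqlmap User-Agent and a UNION ... SELECT payload in the query string) can be checked per log line instead of relying on request volume alone. This is an added example, not code from the original post; the function names classify and suspicious_ips and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Added example (not the blog's code). Field layout follows the post's sample
# log line; the two signatures below are the ones visible in that request.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
UA_RE = re.compile(r"sqlmap/", re.I)
UNION_RE = re.compile(r"\bunion\s+(all\s+)?select\b", re.I)


def classify(line):
    """Return (ip, reasons) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    reasons = []
    if UA_RE.search(m["ua"]):
        reasons.append("sqlmap-user-agent")
    # Decode twice so a double-encoded payload (%2520) is still visible.
    decoded = unquote_plus(unquote_plus(m["uri"]))
    if UNION_RE.search(decoded):
        reasons.append("union-select-in-uri")
    return m["ip"], reasons


def suspicious_ips(lines):
    """Count flagged requests per client IP."""
    hits = Counter()
    for line in lines:
        result = classify(line)
        if result and result[1]:
            hits[result[0]] += 1
    return hits


# Constructed sample lines (documentation IP ranges), not taken from the post's logs.
SAMPLE = [
    '203.0.113.7 - - [12/Dec/2022:10:14:02 +0800] "GET /post?from=random%27%29%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20x HTTP/1.1" 200 9341 "-" "sqlmap/1.6.12#stable (https://sqlmap.org)" "2.91"',
    '203.0.113.7 - - [12/Dec/2022:10:14:03 +0800] "GET /post?from=1%2527%2520UNION%2520SELECT%25201 HTTP/1.1" 200 9341 "-" "Mozilla/5.0" "0.01"',
    '198.51.100.9 - - [12/Dec/2022:10:15:00 +0800] "GET /post?from=random HTTP/1.1" 200 9341 "-" "Mozilla/5.0" "0.01"',
    '198.51.100.9 - - [12/Dec/2022:10:15:02 +0800] "GET /student-union-select-committee HTTP/1.1" 200 512 "-" "Mozilla/5.0" "0.01"',
]

if __name__ == "__main__":
    for ip, n in suspicious_ips(SAMPLE).most_common():
        print(n, ip)
```

The User-Agent is client-controlled, so the payload check is the one that still fires when a scanner changes its identifier, as the second sample line shows.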

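Blocking the malicious IP

In the Alibaba Cloud console, under Cloud Server - ECS Security Groups, add a deny rule:

Authorization policy | Priority | Protocol type | Port range | Authorization object | Description | Creation time | Actions

Be sure to set the priority to the highest value, 1; otherwise the rule does not take effect.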

TODO

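I don't really understand why anyone would be bored enough to scan a blog for vulnerabilities...

Still, I think it would be handy if the site had a page showing IP statistics in real time. I plan to add this feature to the new Go version of the blog software.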

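About the author 🌱

I am a developer from Yantai, Shandong. If there is a topic you are interested in, or you have software development needs, feel free to add me on WeChat (zhongwei) for a chat.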