x,
结果发现,这几个ip都是我们公司广场公用的wifi出口ip地址,属于安全地址,不是私人的IP地址,很大程度上排除了从外部恶意攻击我们网站的可能性。接下来就需要重点分析,为什么会有这么多的URL记录。
仔细排查来源为1xx.xx.xx.185的日志记录,发现有很多$http_user_agent为空的记录,大概90%的记录都是如此,看记录如下:
1xx.xx.xx.185, 10.2xx.xx1.xx0 - [10/Oct/2014:10:52:11 +0800] "POST /mobileWeb/square/queryCounts.htm? HTTP/1.1" 200 82 "-" "-" "1xx.xx.xx.185"upsteam: 110.xx7.1.22:7100
猜测是否不是手机app访问的记录?只有自己停掉wifi,用手机的4G网络,去登录我们的移动app应用,操作完,点击了几下赞,访问了一些页面,操作时间2分钟,然后使用自己的移动4Gip地址“2xx.10x.5.129”去检索下nginx下的mobileweb的记录,4台nginx记录,每一台40个左右url访问,4台就是160个记录,下面是一台的记录
[root@wgq_idc_web_1_22 logs]# more mobileweb_access.log |grep "2xx.10x.5.129"
2xx.10x.5.129, 10.2xx.xx1.xx0 - [16/Oct/2014:14:54:01 +0800] "POST /mobileWeb/userMobileCenter/queryUserNameAndIconByIds.htm? HTTP/1.1" 200 20 "-" "-" "2xx.10x.5.129"upsteam: 110.xx7.1.21:7100
2xx.10x.5.129, 10.2xx.xx1.xx0 - [16/Oct/2014:14:54:37 +0800] "POST /mobileWeb/square/queryCounts.htm? HTTP/1.1" 200 82 "-" "-" "2xx.10x.5.129"upsteam: 110.xx7.1.22:7100
2xx.10x.5.129, 10.2xx.xx1.xx0 - [16/Oct/2014:14:54:42 +0800] "POST /mobileWeb/square/query.htm? HTTP/1.1" 200 9485 "-" "-" "2xx.10x.5.129"upsteam: 110.xx7.1.22:7100
2xx.10x.5.129, 10.2xx.xx1.xx0 - [16/Oct/2014:14:54:42 +0800] "POST /mobileWeb/square/query.htm? HTTP/1.1" 200 9485 "-" "-" "2xx.10x.5.129"upsteam: 110.xx7.1.22:7100
2xx.10x.5.129, 10.2xx.xx1.xx0 - [16/Oct/2014:14:54:49 +0800] "POST /mobileWeb/square/clickSupport.htm? HTTP/1.1" 200 46 "-" "-" "2xx.10x.5.129"upsteam: 110.xx7.1.21:7100
2xx.10x.5.129, 10.2xx.xx1.xx0 - [16/Oct/2014:14:54:51 +0800] "POST /mobileWeb/square/clickSupport.htm? HTTP/1.1" 200 46 "-" "-" "2xx.10x.5.129"upsteam: 110.xx7.1.22:7100
2xx.10x.5.129, 10.2xx.xx1.xx0 - [16/Oct/2014:14:54:54 +0800] "POST /mobileWeb/square/clickSupport.htm? HTTP/1.1" 200 46 "-" "-" "2xx.10x.5.129"upsteam: 110.xx7.1.21:7100
2xx.10x.5.129, 10.2xx.xx1.xx0 - [16/Oct/2014:14:54:55 +0800] "POST /mobileWeb/square/query.htm? HTTP/1.1" 200 4831 "-" "-" "2xx.10x.5.129"upsteam: 110.xx7.1.22:7100
2xx.10x.5.129, 10.2xx.xx1.xx0 - [16/Oct/2014:14:54:57 +0800] "POST /mobileWeb/userMobileCenter/queryUserNameAndIconByIds.htm? HTTP/1.1" 200 20 "-" "-" "2xx.10x.5.129"upsteam: 110.xx7.1.22:7100
2xx.10x.5.129, 10.2xx.xx1.xx0 - [16/Oct/2014:14:55:03 +0800] "POST /mobileWeb/mobile/getCartItemNum.htm? HTTP/1.1" 200 114 "-" "-" "2xx.10x.5.129"upsteam: 110.xx7.1.22:7100
2xx.10x.5.129, 10.2xx.xx1.xx0 - [16/Oct/2014:14:55:04 +0800] "POST /mobileWeb/version/queryVersion.htm? HTTP/1.1" 200 160 "-" "-" "2xx.10x.5.129"upsteam: 110.xx7.1.22:7100
2xx.10x.5.129, 10.2xx.xx1.xx0 - [16/Oct/2014:14:55:06 +0800] "POST /mobileWeb/mobile/getCartItemNum.htm? HTTP/1.1" 200 114 "-" "-" "2xx.10x.5.129"upsteam: 110.xx7.1.22:7100
2xx.10x.5.129, 10.2xx.xx1.xx0 - [16/Oct/2014:14:55:06 +0800] "POST /mobileWeb/mobile/loadCart.htm? HTTP/1.1" 200 940 "-" "-" "2xx.10x.5.129"upsteam: 110.xx7.1.22:7100
2xx.10x.5.129, 10.2xx.xx1.xx0 - [16/Oct/2014:14:55:07 +0800] "POST /mobileWeb/mobile/getCartItemNum.htm? HTTP/1.1" 200 114 "-" "-" "2xx.10x.5.129"upsteam: 110.xx7.1.22:7100
2xx.10x.5.129, 10.2xx.xx1.xx0 - [16/Oct/2014:14:55:07 +0800] "POST /mobileWeb/square/queryCounts.htm? HTTP/1.1" 200 82 "-" "-" "2xx.10x.5.129"upst