This article summarizes some problems caused by CC script attacks and some ways to defend against them. Readers who need them can use this as a reference.
1. Log in to the VPS control panel and be ready to restart the VPS at any time.
2. Stop the Web Server first. Excessive load makes the subsequent operations difficult and can even prevent you from logging in over SSH.
3. Just in case, disable automatic startup of the Web Server at boot.
(If you cannot log in to the system, and the load after a restart is so high that you cannot log in even right after boot, you can ask the administrator to block the VPS's IP or port 80 on the host machine, log in through the virtual console on the host machine, perform steps 2 and 3, and then unblock.)
Two, find out the attacker IP
1. Create the file ip.php in the root directory of the website and write the following content.
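The code is as follows:
<?php
// X-Forwarded-For is client-controlled, so write it with file_put_contents()
// rather than passing it through a shell.
$real_ip = getenv('HTTP_X_FORWARDED_FOR');
// getenv() returns false when the header is absent, so test for that instead of isset().
if ($real_ip !== false && $real_ip !== '') {
    // Record only a syntactically valid first address from the header.
    $first = trim(explode(',', $real_ip)[0]);
    if (filter_var($first, FILTER_VALIDATE_IP)) {
        file_put_contents('real_ip.txt', $first . "\n", FILE_APPEND | LOCK_EX);
    }
    file_put_contents('proxy.txt', $_SERVER['REMOTE_ADDR'] . "\n", FILE_APPEND | LOCK_EX);
} else {
    file_put_contents('ips.txt', $_SERVER['REMOTE_ADDR'] . "\n", FILE_APPEND | LOCK_EX);
}
echo 'The server is under attack and the source of the attack is being collected. Please visit this site again in 5 minutes. Visiting this site multiple times within 5 minutes may be treated as an attack source and the IP address will be blocked. Thank you for your cooperation!';
?>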
2. Set up URL rewriting (pseudo-static rules) so that every request to the website is rewritten to ip.php.
Nginx rules:
rewrite (.*) /ip.php;
Lighttpd rules:
url.rewrite = (
    "^/(.+)/?$" => "/ip.php"
)
3. Start the Web Server to begin collecting IPs
After completing steps 1 and 2, start the Web Server to begin recording IP information.
Collecting for 3 to 5 minutes is recommended, after which the Web Server is shut down again.
real_ip.txt: more than 80% of the IPs saved in this file are the same. That IP is the platform from which the attacker carries out the attack.
proxy.txt: this file stores the IPs of the proxy servers the attacker uses, which need to be blocked.
ips.txt: this file records IPs that show no proxy-server characteristics. Whether one of them is an attack source is judged by its number of visits.
Three, supplement to the previous section
If web logs are enabled on the VPS, you can check how fast each log file grows to determine which site is under attack.
If logging is not enabled and there are only a few sites, temporarily enabling logging is also convenient.
If logging is not enabled and there are too many sites, you can use a temporary Web Server configuration file that binds no virtual hosts and defines only a default site. Then add the following line to ip.php:
// The Host header is client-controlled, so append it without going through a shell.
file_put_contents('domain.txt', $_SERVER['HTTP_HOST'] . "\n", FILE_APPEND | LOCK_EX);
domain.txt will store the requested domain names, and the site under CC attack will account for the vast majority of them.
Four, start blocking IP
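Create the file ban.php
The code is as follows:
<?php
$threshold = 10;
// Count how many times each address appears in ips.txt.
$ips = array_count_values(array_map('trim', file('ips.txt')));
$ban_num = 0;
foreach ($ips as $ip => $num) {
    if ($num > $threshold) {
        // Only syntactically valid IPv4 addresses reach the shell.
        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) continue;
        $cmd = "iptables -I INPUT -p tcp --dport 80 -s " . escapeshellarg($ip) . " -j DROP";
        shell_exec($cmd);
        echo "$ip banned!\n";
        $ban_num++;
    }
}
// Proxy addresses are blocked regardless of how often they appear.
$proxy_arr = array_unique(array_map('trim', file('proxy.txt')));
foreach ($proxy_arr as $proxy) {
    if (!filter_var($proxy, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) continue;
    $cmd = "iptables -I INPUT -p tcp --dport 80 -s " . escapeshellarg($proxy) . " -j DROP";
    shell_exec($cmd);
    echo "$proxy banned!\n";
    $ban_num++;
}
echo "total: $ban_num ips\n";
?>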
Execute the script with the following command (make sure the php command is in PATH):
php ban.php
This script relies on the results saved in ips.txt in section two. An IP whose recorded number of visits exceeds 10 is blocked as an attack source. A proxy server is blocked directly, without checking the number of visits.
After blocking the IP, restore all website settings to normal, and the site can continue to operate normally.
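A variant of the blocking step, as an added example that is not part of the original article: it checks that every collected line is a valid IPv4 address, skips an allowlist so your own address is never blocked, and prints an `ipset restore` batch so that a single iptables rule covers all blocked addresses. The set name `cc_block`, the allowlist and the sample addresses are assumptions.

```sh
#!/bin/sh
# Added example, not the article's code. Turns the collected ips.txt / proxy.txt into
# an `ipset restore` batch (one set, one firewall rule) instead of one rule per IP.
# Assumptions: set name cc_block, the ALLOW list, and all sample addresses below.
THRESHOLD=10                       # same threshold as ban.php
ALLOW="127.0.0.1 203.0.113.10"     # constructed: addresses that must never be blocked

# build_blocklist IPS_FILE PROXY_FILE -> ipset restore lines on stdout
build_blocklist() {
    echo "create cc_block hash:ip family inet"
    awk -v thr="$THRESHOLD" -v allow="$ALLOW" '
        function valid(ip,   o, k) {            # strict dotted-quad IPv4 check
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
            split(ip, o, ".")
            for (k = 1; k <= 4; k++) if (o[k] + 0 > 255) return 0
            return 1
        }
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        { gsub(/[ \t\r]/, "") }                 # trim, like trim() in ban.php
        !valid($0) || ($0 in skip) { next }     # drop junk lines and allowlisted IPs
        FILENAME == ARGV[1] { count[$0]++; next }   # ips.txt: count visits
        { ban[$0] = 1 }                         # proxy.txt: block without counting
        END {
            for (ip in count) if (count[ip] > thr) ban[ip] = 1
            for (ip in ban) print "add cc_block " ip
        }
    ' "$1" "$2" | sort
}

# make_sample DIR: write constructed sample files (documentation-range addresses)
make_sample() {
    awk 'BEGIN { for (i = 0; i < 11; i++) print "198.51.100.7"    # over threshold
                 for (i = 0; i < 3;  i++) print "192.0.2.5"       # normal visitor
                 for (i = 0; i < 12; i++) print "203.0.113.10"    # allowlisted
                 print "not-an-ip" }' > "$1/ips.txt"
    printf '192.0.2.77\n192.0.2.77\n' > "$1/proxy.txt"
}

# Dry run on the sample; prints the batch without touching the firewall.
tmp=$(mktemp -d) && make_sample "$tmp" && build_blocklist "$tmp/ips.txt" "$tmp/proxy.txt"
rm -rf "$tmp"
# To apply for real (as root):
#   build_blocklist ips.txt proxy.txt | ipset -exist restore
#   iptables -I INPUT -p tcp --dport 80 -m set --match-set cc_block src -j DROP
```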