Solving the WordPress 404 Attack Problem

By | November 16, 2019

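Recently an Alibaba Cloud virtual host has repeatedly been shut down for "excessive resource consumption". The virtual host runs WordPress. Analysing the logs showed that before each resource exhaustion it received a large number of 404 requests, about 1000 per minute, from source IPs scattered all over the country. The request processing time (the last column of the log) rose from an initial 285698 microseconds to 19498909 microseconds, until resources were exhausted and the site crashed. The requested targets were as follows: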

"GET /love.txt HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.
"GET /main.asp HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.
"GET /lhsq.asp HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.
"GET /include/updateXmlSvr.class.php HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gec
"GET /map_api_snippet.txt HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101
"GET /muyu.asp HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.
"GET /20071215173556171.asp HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/201001
"GET /help.txt HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7
"GET /uploadfaceok.asp HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Fi
"GET /juewang.txt HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox
"GET /liun.htm HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.
"GET /kest.asp HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.
"GET /gfy.asp HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0
"GET /newup.asp HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7
"GET /lol.txt HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0
"GET /965245.TXT HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/
"GET /file.php HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.
"GET /_.htm HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.
"GET /login.asp HTTP/1.1" 500 360 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.
"GET /manage.asp HTTP/1.1" 500 360 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7
"GET /postocer.php HTTP/1.1" 404 4505 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefo
"GET /admit.asp HTTP/1.1" 500 360 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.
"GET /0cmd.asp HTTP/1.1" 500 360 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0
"GET /down2.asp HTTP/1.1" 500 360 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.
"GET /index1.asp HTTP/1.1" 500 360 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7
"GET /qing.php HTTP/1.1" 500 360 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0
"GET /xj.htm HTTP/1.1" 500 360 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

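As can be seen, the other party is scanning to check whether malicious programs have been uploaded to this virtual host, or probing for some known vulnerabilities.
Normally a scan of this intensity would not exhaust resources, but because of WordPress's single-entry-point design, 404 requests still go into index.php for processing, which causes heavy resource consumption. For details see the article: [Why WordPress is so vulnerable to 404 attacks] http://www.webhek.com/post/wordpress-404-attack.html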

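Inspired by that article, we installed W3 Total Cache and then, in the Browser Cache settings, enabled "Do not process 404 errors for static objects with WordPress". From the logs we found that many of the URLs point to asp files, so for better protection we configured W3 Total Cache further: edit the file wp-content/plugins/w3-total-cache/inc/mime/other.php and add one line at the end: 'asp|aspx|cer|asa' => 'application/asp'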
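
An added example (not from the original post and not W3 Total Cache code): the log review described above, tallying 404/500 responses per minute and per requested file extension, to decide which extensions belong in the static-object list. The log layout (Apache combined format plus a trailing microsecond field), the sample lines, and the names `summarize`, `DYNAMIC` and `min_hits` are assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumed layout: Apache "combined" format plus a trailing response time in
# microseconds (the "last column" the post refers to).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<usec>\d+)$'
)
DYNAMIC = {"php"}  # assumption: PHP stays with WordPress, never treated as static

# Constructed sample lines (documentation IP ranges), not the author's real log.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Nov/2019:10:01:02 +0800] "GET /love.txt HTTP/1.1" 404 4505 "-" "Mozilla/5.0" 285698
198.51.100.7 - - [16/Nov/2019:10:01:03 +0800] "GET /main.asp HTTP/1.1" 404 4505 "-" "Mozilla/5.0" 310000
192.0.2.44 - - [16/Nov/2019:10:01:40 +0800] "GET /muyu.asp HTTP/1.1" 404 4505 "-" "Mozilla/5.0" 900000
203.0.113.9 - - [16/Nov/2019:10:02:05 +0800] "GET /login.asp HTTP/1.1" 500 360 "-" "Mozilla/5.0" 19498909
198.51.100.7 - - [16/Nov/2019:10:02:06 +0800] "GET /file.php HTTP/1.1" 404 4505 "-" "Mozilla/5.0" 450000
192.0.2.44 - - [16/Nov/2019:10:02:09 +0800] "GET /help.txt?x=1 HTTP/1.1" 404 4505 "-" "Mozilla/5.0" 500000
203.0.113.5 - - [16/Nov/2019:10:02:10 +0800] "GET /?p=12 HTTP/1.1" 200 8120 "-" "Mozilla/5.0" 120000
"""

def summarize(lines, min_hits=2):
    """Tally 404/500 responses per minute and per requested file extension."""
    per_minute = Counter()
    by_ext = defaultdict(lambda: {"hits": 0, "ips": set(), "usec": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["status"] not in ("404", "500"):
            continue  # skip unparsable lines and normal traffic
        per_minute[m["ts"][:17]] += 1  # key is "dd/Mon/yyyy:HH:MM"
        name = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else "(none)"
        stats = by_ext[ext]
        stats["hits"] += 1
        stats["ips"].add(m["ip"])
        stats["usec"] += int(m["usec"])
    # Extensions probed often enough to be worth answering before PHP runs
    candidates = sorted(e for e, s in by_ext.items()
                        if s["hits"] >= min_hits and e not in DYNAMIC and e != "(none)")
    return per_minute, by_ext, "|".join(candidates)

if __name__ == "__main__":
    per_minute, by_ext, pattern = summarize(SAMPLE_LOG.splitlines())
    print("errors per minute:", dict(per_minute))
    for ext, s in sorted(by_ext.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{ext:6} hits={s['hits']} ips={len(s['ips'])} avg_ms={s['usec'] / s['hits'] / 1000:.0f}")
    print("candidate extension list:", pattern)
```

The returned pipe-separated string uses the same form as the key in the other.php line above. Files under wp-content/plugins are replaced when a plugin is updated, so the added line needs to be re-checked after each W3 Total Cache update.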
