【Question title】: Httpd Access Log shows strange bingbot
【Posted】: 2013-10-24 22:29:00
【Question description】:

I have a server set up in the cloud (EC2) that hosts all of my WordPress sites.

I noticed today that the site was being hacked..

109.87.118.222 - - [16/Oct/2013:13:10:31 -0400] "POST /wp-login.php HTTP/1.0" 200 3954 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
5.15.198.184 - - [16/Oct/2013:13:10:31 -0400] "POST /wp-login.php HTTP/1.0" 200 3926 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
42.116.170.247 - - [16/Oct/2013:13:10:32 -0400] "POST /wp-login.php HTTP/1.0" 200 3954 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
93.78.138.185 - - [16/Oct/2013:13:10:33 -0400] "POST /wp-login.php HTTP/1.0" 200 3954 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
2.95.13.35 - - [16/Oct/2013:13:10:33 -0400] "POST /wp-login.php HTTP/1.0" 200 3940 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
93.80.123.137 - - [16/Oct/2013:13:10:34 -0400] "POST /wp-login.php HTTP/1.0" 200 3940 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
79.181.39.227 - - [16/Oct/2013:13:10:34 -0400] "POST /wp-login.php HTTP/1.0" 200 3933 "http://smartmoneystrategies.net/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

I think I fixed the attack by adding a login lockdown to capture the IP addresses.

But I also found a whole bunch in there...

157.56.92.164 - - [16/Oct/2013:09:57:12 -0400] "GET /search.php/?q=bethanny+franklin+haircut&ht=1 HTTP/1.1" 200 11475 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.56.92.164 - - [16/Oct/2013:09:57:13 -0400] "GET /search.php/?ht=1&q=address+label+coupon+codes HTTP/1.1" 200 11475 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.56.92.164 - - [16/Oct/2013:09:57:13 -0400] "GET /search.php/?q=Martell+Gay+Bryce&ht=1 HTTP/1.1" 200 11475 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.56.92.164 - - [16/Oct/2013:09:57:14 -0400] "GET /search.php/?ht=1&q=monterey+fashions+coat HTTP/1.1" 200 11475 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.56.92.164 - - [16/Oct/2013:09:57:14 -0400] "GET /search.php/?ht=1&q=SUPERPREP+ELITE+semi+pro+team HTTP/1.1" 200 11475 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.56.92.164 - - [16/Oct/2013:09:57:15 -0400] "GET /search.php/?ht=1&q=rines+para+jeep+cheroki HTTP/1.1" 200 11475 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.56.92.164 - - [16/Oct/2013:09:57:15 -0400] "GET /search.php/?ht=1&q=outdoor+pro+staff+opportunity HTTP/1.1" 200 11475 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

What are these?

【Question discussion】:

    Tags: wordpress access-log bingbot


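    【Solution 1】:

    Ran into these too, and they actually succeeded in taking our web server down completely. It appears to be a botnet brute-force password attack that has been targeting WordPress sites since April, although it seems to have picked up again recently. I added the following to our .htaccess file, which seems to have done the trick (obviously you will need to change the domain and the IP addresses, single or range, for your own use):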

    # BEGIN DDoS block
    # Blocks "example.com/wp-login.php" referer without https?://
    # And blocks all non-company addresses from wp-login.php
    RewriteCond %{HTTP_REFERER} ^example\.com/wp-login\.php$
    RewriteRule .* - [F]

    # Order/Allow/Deny is Apache 2.2 syntax (needs mod_access_compat on 2.4)
    <Files ~ "^wp-login\.php">
        <Limit POST>
            Deny from all
            Allow from XXX.XXX.XXX.XXX
        </Limit>
    </Files>

    <FilesMatch "^wp-login\.php$">
        Order Deny,Allow
        Allow from XXX.XXX.XXX.XXX
        Deny from all
    </FilesMatch>
    

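    【Discussion】:

    • That's a good idea, but it seems I would have to add an entry for each IP address. So far I have logged 34 IP addresses. So what I did was write a script on the server that adds an IP address to iptables if that IP has 4 bad login attempts within 6 seconds. Seems to work for me.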
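
The rule described in the comment above (4 failed logins from one IP within 6 seconds), as an added example; it is not the commenter's script and not part of the original page. It assumes the Apache combined log format and that WordPress answers a failed login with 200 and a successful one with 302; the sample lines are constructed, and the hypothetical `single_shot_ips` helper lists the one-attempt-per-address pattern seen in the question's log, which a per-IP threshold does not catch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format groups: 1=ip 2=timestamp 3=method 4=path 5=status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation-range addresses), not from the page.
SAMPLE = """\
192.0.2.44 - - [16/Oct/2013:13:10:20 -0400] "POST /wp-login.php HTTP/1.0" 200 3940 "-" "x"
203.0.113.5 - - [16/Oct/2013:13:10:30 -0400] "POST /wp-login.php HTTP/1.0" 200 3954 "-" "x"
203.0.113.5 - - [16/Oct/2013:13:10:31 -0400] "POST /wp-login.php HTTP/1.0" 200 3954 "-" "x"
192.0.2.44 - - [16/Oct/2013:13:10:31 -0400] "POST /wp-login.php HTTP/1.0" 200 3940 "-" "x"
198.51.100.7 - - [16/Oct/2013:13:10:31 -0400] "POST /wp-login.php HTTP/1.0" 200 3926 "-" "x"
198.51.100.8 - - [16/Oct/2013:13:10:32 -0400] "POST /wp-login.php HTTP/1.0" 200 3926 "-" "x"
203.0.113.5 - - [16/Oct/2013:13:10:33 -0400] "POST /wp-login.php HTTP/1.0" 200 3954 "-" "x"
192.0.2.44 - - [16/Oct/2013:13:10:33 -0400] "POST /wp-login.php HTTP/1.0" 200 3940 "-" "x"
198.51.100.9 - - [16/Oct/2013:13:10:34 -0400] "POST /wp-login.php HTTP/1.0" 302 - "-" "x"
203.0.113.5 - - [16/Oct/2013:13:10:35 -0400] "POST /wp-login.php HTTP/1.0" 200 3954 "-" "x"
192.0.2.44 - - [16/Oct/2013:13:10:35 -0400] "POST /wp-login.php HTTP/1.0" 200 3940 "-" "x"
"""

def failed_logins(text):
    """Yield (time, ip) for every POST to /wp-login.php answered with 200."""
    for m in filter(None, map(LINE.match, text.splitlines())):
        # Assumption: WordPress answers 302 on success, 200 (form again) on failure.
        if (m[3], m[4].split("?")[0], m[5]) == ("POST", "/wp-login.php", "200"):
            yield datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z"), m[1]

def ips_to_block(text, limit=4, window=6):
    """IPs with at least `limit` failed logins inside a `window`-second span."""
    recent, flagged = defaultdict(deque), []   # ip -> timestamps still in window
    for when, ip in sorted(failed_logins(text)):
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window:
            q.popleft()                        # drop attempts older than the window
        if len(q) >= limit and ip not in flagged:
            flagged.append(ip)
    return flagged

def single_shot_ips(text):
    """IPs that failed exactly once: the distributed pattern a per-IP limit misses."""
    ips = [ip for _, ip in failed_logins(text)]
    return sorted(ip for ip in set(ips) if ips.count(ip) == 1)

if __name__ == "__main__":
    for ip in ips_to_block(SAMPLE):
        print(f"iptables -I INPUT -s {ip} -j DROP")  # one way to apply the block
```

In the sample, 192.0.2.44 also fails four times, but its first attempt falls outside the 6-second window, so only 203.0.113.5 is flagged.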