|
我在家里搭了一套服务器,向电信申请了动态公网 IP ,通过 DDNS 绑在一个域名上,用的高位端口,开了防火墙,用 Lucky 做反代。
然后我开了一个 AList 服务给我自己挂载网盘用,服务从未公开给任何人。
但是最近通过 LOG 文件发现,有人通过很多的肉鸡服务器,一直访问我 AList 目录下一个狂飙的资源(而且在我发现这个事情之后我第一时间删除了这个资源,但还是持续访问(肯定是无法成功访问的)):
2025/01/17 00:33:07
{"ExtInfo":{"ClientIP":"27.10.81.218 中国|重庆|重庆市|联通","Host":"alist.mywebsite.com:20404","Method":"GET","URL":"/d/夸克/来自:分享/狂飙/狂飙.2023.E13.WEB-DL.4K.H265.AAC-HDCTV.mp4?sign=ab4a9131bAVolZvK1S0PYMpOwpf3y3HXhrDVUGG5MLc=:0","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"},"level":"info","msg":"Upgrade [] Connection[keep-alive]"}
2025/01/17 00:33:07
{"ExtInfo":{"ClientIP":"27.10.81.218 中国|重庆|重庆市|联通","Host":"alist.mywebsite.com:20404","Method":"GET","URL":"/d/夸克/来自:分享/狂飙/狂飙.2023.E13.WEB-DL.4K.H265.AAC-HDCTV.mp4?sign=ab4a9131bAVolZvK1S0PYMpOwpf3y3HXhrDVUGG5MLc=:0","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"},"level":"info","msg":"[alist.mywebsite.com] access target url [http://192.168.0.209:5244/d/%E5%A4%B8%E5%85%8B/%E6%9D%A5%E8%87%AA%EF%BC%9A%E5%88%86%E4%BA%AB/%E7%8B%82%E9%A3%99/%E7%8B%82%E9%A3%99.2023.E13.WEB-DL.4K.H265.AAC-HDCTV.mp4?sign=ab4a9131bAVolZvK1S0PYMpOwpf3y3HXhrDVUGG5MLc=:0]"}
2025/01/16 23:53:56
{"ExtInfo":{"ClientIP":"59.51.225.47 中国|贵州省|铜仁|电信","Host":"alist.mywebsite.com:20404","Method":"GET","URL":"/d/夸克/来自:分享/狂飙/狂飙.2023.E13.WEB-DL.4K.H265.AAC-HDCTV.mp4?sign=ab4a9131bAVolZvK1S0PYMpOwpf3y3HXhrDVUGG5MLc=:0","UserAgent":"Mozilla/5.0 (Linux; Android) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"},"level":"info","msg":"Upgrade [] Connection[Keep-Alive]"}
2025/01/16 23:53:56
{"ExtInfo":{"ClientIP":"59.51.225.47 中国|贵州省|铜仁|电信","Host":"alist.mywebsite.com:20404","Method":"GET","URL":"/d/夸克/来自:分享/狂飙/狂飙.2023.E13.WEB-DL.4K.H265.AAC-HDCTV.mp4?sign=ab4a9131bAVolZvK1S0PYMpOwpf3y3HXhrDVUGG5MLc=:0","UserAgent":"Mozilla/5.0 (Linux; Android) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"},"level":"info","msg":"[alist.mywebsite.com] access target url [http://192.168.0.209:5244/d/%E5%A4%B8%E5%85%8B/%E6%9D%A5%E8%87%AA%EF%BC%9A%E5%88%86%E4%BA%AB/%E7%8B%82%E9%A3%99/%E7%8B%82%E9%A3%99.2023.E13.WEB-DL.4K.H265.AAC-HDCTV.mp4?sign=ab4a9131bAVolZvK1S0PYMpOwpf3y3HXhrDVUGG5MLc=:0]"}
2025/01/16 21:30:45
{"ExtInfo":{"ClientIP":"115.239.40.115 中国|浙江省|嘉兴市|电信","Host":"alist.mywebsite.com:20404","Method":"GET","URL":"/d/夸克/来自:分享/狂飙/狂飙.2023.E13.WEB-DL.4K.H265.AAC-HDCTV.mp4?sign=ab4a9131bAVolZvK1S0PYMpOwpf3y3HXhrDVUGG5MLc=:0","UserAgent":"Mozilla/5.0 (Linux; Android) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"},"level":"info","msg":"[alist.mywebsite.com] access target url [http://192.168.0.209:5244/d/%E5%A4%B8%E5%85%8B/%E6%9D%A5%E8%87%AA%EF%BC%9A%E5%88%86%E4%BA%AB/%E7%8B%82%E9%A3%99/%E7%8B%82%E9%A3%99.2023.E13.WEB-DL.4K.H265.AAC-HDCTV.mp4?sign=ab4a9131bAVolZvK1S0PYMpOwpf3y3HXhrDVUGG5MLc=:0]"}
2025/01/16 21:29:48
{"ExtInfo":{"ClientIP":"115.239.40.115 中国|浙江省|嘉兴市|电信","Host":"alist.mywebsite.com:20404","Method":"GET","URL":"/d/夸克/来自:分享/狂飙/狂飙.2023.E13.WEB-DL.4K.H265.AAC-HDCTV.mp4?sign=ab4a9131bAVolZvK1S0PYMpOwpf3y3HXhrDVUGG5MLc=:0","UserAgent":"Mozilla/5.0 (Linux; Android) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"},"level":"info","msg":"Upgrade [] Connection[Keep-Alive]"}
这个地址分布于全国各地,每天持续更换 ip 攻击,一小时几百次访问,我不得不开白名单,这也影响了我自己使用。
我有两个疑问想问问各位大佬:
- 他是怎么知道我这个具体狂飙资源的地址的,我可以保证我从未分享过给任何人,但是我用过网易爆米花这款 app 并且挂载了我的 AList 的 WebDAV (目前早已卸载,并且只在手机使用 ios 客户端),这是我能想到的唯一可能获取到我具体内容的方式了,要么就是爬虫?空间搜索引擎可以做到吗?
- 他持续访问我这个资源(为什么只有狂飙这一集?),能做到 AList 漏洞攻击到我的内网吗?这是什么攻击方式?我排查正常的访问没有后面这串
mp4?sign=ab4a9131bAVolZvK1S0PYMpOwpf3y3HXhrDVUGG5MLc=:0,如果这是我的登录密钥,对方又是如何找到的?而且这样难道可以拿到我的写入权限?
还请各位赐教,谢谢。
| 
