Brother Jun, are you there? Please help me take a look at what's going on. My website seems to be under attack.
Today the server's CPU suddenly went to 100%; outbound data is abnormal while inbound data is normal. Traffic grows by about 1G every 10 minutes. Is this an attack? Which logs should I check to analyze whether it is an attack, or to find the attacker's IP?
[ This post was last edited by 408904199 on 2012-4-24 04:10 ]
Take a look with:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Reply to post #2
netstat -ntu
That format you posted is unreadable. Include all the options after the command! Post it as code.
Reply to post #4
Yes, SSH is very hard to log in to right now, still trying to log in... Thanks Brother Jun, I'll post the code in a moment.
Reply to post #4
Brother Jun, please check whether this is right:
# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Reply to post #4
# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
1347 108.171.209.238
# deny 108.171.209.238
Originally posted by wfqvip on 2012-4-24 17:34:
deny 108.171.209.238
Please explain in detail. Is this IP attacking me?
1347 108.171.209.238
Best to ban this one; it is very suspicious. A normal user could not possibly be using this many connections.
Reply to post #10
Sorry to bother you again, Brother Jun, but how exactly do I do that?
[ This post was last edited by 408904199 on 2012-4-24 20:13 ]
Reply to post #11
https://www.vpser.net/security/linux-iptables.html
Reply to post #12
:( Thanks a million......
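As an added example, not code from this thread or from vpser.net: the per-source counting pipeline from the earlier reply and the ban step behind the iptables link, combined into one script that skips the netstat header lines (which the thread's pipeline counted as the "addresses" Address and servers)), keeps IPv6 addresses whole, and only prints the DROP rule for an operator to review. The netstat output and all addresses below are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: count connections per remote
# address from `netstat -ntu` output, flag sources above a threshold, and
# print the iptables rule an operator would review before applying it.
# Constructed sample using documentation address ranges, not real hosts.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:60239      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:58447      TIME_WAIT
tcp        0   2966 203.0.113.10:80         198.51.100.7:58959      FIN_WAIT1
tcp        0      0 203.0.113.10:80         198.51.100.7:59215      TIME_WAIT
tcp        0      0 203.0.113.10:80         192.0.2.44:28336        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.45:26868        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.45:26870        TIME_WAIT'

# Connection count per remote address, highest first. NR > 2 skips the
# two netstat header lines; stripping only the trailing :port keeps
# IPv6 addresses intact, unlike `cut -d: -f1`.
count_by_source() {
    awk 'NR > 2 { ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Remote addresses whose connection count exceeds the threshold in $1.
suspicious_sources() {
    count_by_source | awk -v t="$1" '$1 > t { print $2 }'
}

# Print (do not execute) one DROP rule per flagged source; apply by hand
# after confirming the address is not your own users, a proxy or a CDN.
block_commands() {
    suspicious_sources "$1" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

echo "$SAMPLE" | count_by_source
echo "$SAMPLE" | block_commands 3
```

Pipe live output in with `netstat -ntu | count_by_source` instead of the sample; a site behind a reverse proxy will show the proxy's address as the top source, so check that before blocking.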