Summary of simple anti-CC script attack experience in PHP. The author summarizes some problems related to CC (HTTP flood) script attacks and some solutions against them; refer to them if you need them.
1. Log on to the VPS control panel and be ready to restart the VPS at any time.
2. Shut down the Web Server first: excessive load makes every subsequent operation very difficult, and may even prevent logging on over SSH at all.
3. Remove the Web Server from the services that start automatically at boot.
(If you cannot log on to the system, or the load after a restart is so high that the system cannot be logged on to once it has started, contact the administrator to block the VPS's IP address or its port 80 on the host machine, log on through the host's Virtual Console, perform steps 2 and 3, and then have the block lifted.)
II. Find the attacker's IP address
1. Create the file ip.php in the root directory of the website with the following content.
The code is as follows:

```php
<?php
// ip.php: every request is rewritten here (see step 2), so each hit appends one
// line to one of three files. A request carrying X-Forwarded-For came through a
// proxy: the header value goes to real_ip.txt and the proxy's own address to
// proxy.txt. Direct requests are logged to ips.txt.
$real_ip = getenv('HTTP_X_FORWARDED_FOR');
// getenv() returns false when the header is absent, so isset() alone is always
// true; test for a non-empty value instead.
if ($real_ip !== false && $real_ip !== '') {
    // The header is client-supplied: append it with file_put_contents instead of
    // interpolating it into a shell command.
    file_put_contents('real_ip.txt', $real_ip . "\n", FILE_APPEND | LOCK_EX);
    file_put_contents('proxy.txt', $_SERVER['REMOTE_ADDR'] . "\n", FILE_APPEND | LOCK_EX);
} else {
    file_put_contents('ips.txt', $_SERVER['REMOTE_ADDR'] . "\n", FILE_APPEND | LOCK_EX);
}
echo 'The server is under attack and is collecting attack sources. Please visit this site again in five minutes; multiple accesses within five minutes may be blocked as an attack source. Thank you for your cooperation!';
```
2. Set up pseudo-static rewriting so that every request is rewritten to ip.php.
Nginx rules:
The code is as follows:

```nginx
# Inside the server {} block of the site: send every URI to ip.php.
rewrite (.*) /ip.php;
```

Lighttpd rules:
The code is as follows:

```lighttpd
url.rewrite = ( "^/(.+)/?$" => "/ip.php" )
```
3. Start the Web Server to collect IP addresses.
With steps 1 and 2 in place, start the Web Server and let it record IP information.
A collection time of 3 to 5 minutes is recommended; then stop the Web Server again.
real_ip.txt: more than 80% of the addresses stored in this file will be the same, and that address is the platform from which the attacker is launching the attack. Note that X-Forwarded-For is set by the client or the proxy, not by your server, so an attacker can forge it; treat this file as a hint, and block on proxy.txt and ips.txt, which hold addresses your server observed directly.
proxy.txt: stores the addresses of the proxy servers the attacker used; these need to be blocked.
ips.txt: records the addresses that show no proxy characteristics; whether they are attack sources is decided by their number of visits.
III. Supplement to the previous section
If Web logs are enabled on the VPS, you can tell which site is under attack from the growth rate of each log file.
If logs are not enabled and the number of sites is small, it is convenient to enable logs temporarily.
If logs are not enabled and there are too many sites, use a temporary Web Server configuration that sets a default site with no virtual host bound, and add the following line to ip.php.
The code is as follows:

```php
// Append the requested Host header (client-supplied, so written with
// file_put_contents rather than through a shell); the attacked site will
// dominate domain.txt.
file_put_contents('domain.txt', $_SERVER['HTTP_HOST'] . "\n", FILE_APPEND | LOCK_EX);
```

domain.txt will then hold the accessed domain names, and the CC-attacked site will account for the vast majority of entries.
IV. Block IP addresses
Create the file ban.php.
The code is as follows:

```php
<?php
// ban.php: block every address in ips.txt seen more than $threshold times, and
// every proxy in proxy.txt regardless of count. Must run as root for iptables.
$threshold = 10;

function ban(string $ip): bool
{
    // Only a syntactically valid address may reach the iptables command line.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        echo "skipping malformed entry: $ip\n";
        return false;
    }
    shell_exec('iptables -I INPUT -p tcp --dport 80 -s ' . escapeshellarg($ip) . ' -j DROP');
    echo "$ip banned!\n";
    return true;
}

$ban_num = 0;
$ips = array_count_values(file('ips.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: []);
foreach ($ips as $ip => $num) {
    if ($num > $threshold && ban($ip)) {
        $ban_num++;
    }
}
$proxy_arr = array_unique(file('proxy.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: []);
foreach ($proxy_arr as $proxy) {
    if (ban($proxy)) {
        $ban_num++;
    }
}
echo "total: $ban_num ips\n";
```
Run the script with the following command (as root, because iptables requires it, and with the php binary in PATH):
php ban.php
This script depends on the results saved in ips.txt in section II: an IP address whose number of access records exceeds 10 is blocked as an attack source. Proxy servers are blocked directly, without considering their count.
After the IP addresses are blocked, restore all the website settings to normal and the site can continue to run. Note that rules inserted with iptables this way do not survive a reboot unless they are saved.
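The collection step in section II and the blocking step in section IV both work on the same three files, so the following shell script (an added example, not code from the original article) ties them together offline: it builds constructed sample copies of ips.txt, proxy.txt and real_ip.txt using addresses from the documentation ranges, reports what share of real_ip.txt the most frequent address holds (the "more than 80%" check), applies the threshold rule from ban.php, and prints the iptables commands instead of running them. The dotted-quad validation and the percentage report are additions of this example; the 999.1.1.1 entries are deliberately malformed to show the validation skipping them.

```shell
#!/bin/sh
# Offline analysis of the files ip.php writes (ips.txt, proxy.txt, real_ip.txt)
# and generation of the iptables rules ban.php applies. Added example; the
# sample data below is constructed, not captured from a real attack.

# repeat N WORD: print WORD N times, one per line (used to build sample files).
repeat() {
    n=$1
    while [ "$n" -gt 0 ]; do
        echo "$2"
        n=$((n - 1))
    done
}

# make_sample_data DIR: write the three files in the one-address-per-line
# layout ip.php produces. Addresses come from the RFC 5737 documentation
# ranges; the 999.1.1.1 lines are deliberately malformed.
make_sample_data() {
    { repeat 12 198.51.100.7; repeat 3 192.0.2.20; echo 192.0.2.21; repeat 11 999.1.1.1; } > "$1/ips.txt"
    { repeat 4 203.0.113.5; repeat 2 203.0.113.6; } > "$1/proxy.txt"
    { repeat 8 192.0.2.99; echo 192.0.2.100; echo 192.0.2.101; } > "$1/real_ip.txt"
}

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
# Nothing else is allowed to reach an iptables command line.
is_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# count_hits FILE: print "count address" per distinct address, most frequent first.
count_hits() {
    sort "$1" | uniq -c | sort -rn | awk '{print $1, $2}'
}

# top_sources FILE THRESHOLD: addresses seen more than THRESHOLD times
# (the rule ban.php applies to ips.txt).
top_sources() {
    count_hits "$1" | awk -v t="$2" '$1 > t {print $2}'
}

# dominant_share FILE: percentage of lines held by the single most frequent
# address; the article expects this to exceed 80 for real_ip.txt.
dominant_share() {
    total=$(grep -c . "$1" || true)
    [ "$total" -gt 0 ] || { echo 0; return; }
    top=$(count_hits "$1" | head -n 1 | awk '{print $1}')
    echo $((top * 100 / total))
}

# ban_rules DIR THRESHOLD: print one iptables command per address to block:
# ips.txt entries over the threshold plus every distinct proxy. Malformed
# entries are reported on stderr and skipped.
ban_rules() {
    {
        top_sources "$1/ips.txt" "$2"
        sort -u "$1/proxy.txt"
    } | while IFS= read -r addr; do
        if is_ipv4 "$addr"; then
            echo "iptables -I INPUT -p tcp --dport 80 -s $addr -j DROP"
        else
            echo "skipping malformed entry: $addr" >&2
        fi
    done
}

# Stand-alone run on the constructed data: prints, never touches iptables.
demo_dir=$(mktemp -d)
make_sample_data "$demo_dir"
echo "most frequent X-Forwarded-For address holds $(dominant_share "$demo_dir/real_ip.txt")% of real_ip.txt"
ban_rules "$demo_dir" 10
rm -rf "$demo_dir"
```

Point `ban_rules` at the directory holding the real files and pipe its output to `sudo sh` to apply the rules; `count_hits` works unchanged on domain.txt from section III to see which site dominates the requests.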