问答博客资讯标签用户活动
logo极客观点logo项目管理logoHarmonyOS
javascript
前端
python
node.js
react
vue.js
php
laravel
go
人工智能
mysql
linux
ios
java
android
css
typescript
spring
程序员
logoONES 研发管理logo思否企业问答logo安谋科技 XPU

网站受到奇怪的攻击,请求网站的地址是 https://epay.12306.cn?

头像
白菜1031
    5.4k65074

    今天检查网站的debug,偶然发现了几条奇怪的记录:

    不明白为什么会有向 https://*.12306.cn 发送的请求指向了我的服务器

    图片描述

    下面是几个请求的Request Headers

    1. POST https://epay.12306.cn/pay/payGateway at 2018-12-07 06:37:06 pm by 139.199.188.192

    Name Value
    upgrade-insecure-requests '1'
    referer 'https://kyfw.12306.cn/otn/pay...'
    origin 'https://kyfw.12306.cn'
    content-type 'application/x-www-form-urlencoded'
    connection 'keep-alive'
    cache-control 'max-age=0'
    accept-language 'zh-CN,zh;q=0.8,en;q=0.6'
    accept-encoding 'gzip, deflate, br'
    accept 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8'
    content-length '1987'
    user-agent 'Mozilla/5.0 (Windows NT 6.3; ARM; Trident/7.0; Touch; rv:11.0) like Gecko'
    host 'epay.12306.cn'

    2. GET https://kyfw.12306.cn/otn/login/init at 2018-12-07 06:36:34 pm by 121.41.39.6

    Name Value
    referer 'https://kyfw.12306.cn/otn/lef...'
    connection 'keep-alive'
    accept-language 'zh-CN,zh;q=0.8,en;q=0.6'
    accept-encoding 'gzip, deflate, sdch, br'
    accept '/'
    user-agent 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A'
    host 'kyfw.12306.cn'

    3. GET https://mobile.12306.cn/otsmobile/app/mgs/mgw.htm?operationType=com.cars.otsmobile.queryLeftTicket&requestData=%5B%7B%22train_date%22%3A%2220181217%22%2C%22purpose_codes%22%3A%2200%22%2C%22from_station%22%3A%22PIJ%22%2C%22to_station%22%3A%22POJ%22%2C%22station_train_code%22%3A%22%22%2C%22start_time_begin%22%3A%220000%22%2C%22start_time_end%22%3A%222400%22%2C%22train_headers%22%3A%22QB%23%22%2C%22train_flag%22%3A%22%22%2C%22seat_type%22%3A%22%22%2C%22seatBack_Type%22%3A%22%22%2C%22ticket_num%22%3A%22%22%2C%22dfpStr%22%3A%22%22%2C%22baseDTO%22%3A%7B%22check_code%22%3A%227d6a7259915ae11894d2afae8b3cb8a9%22%2C%22device_no%22%3A%2261af7de9dbacd2b6%22%2C%22mobile_no%22%3A%22%22%2C%22os_type%22%3A%22a%22%2C%22time_str%22%3A%2220181207183649%22%2C%22user_name%22%3A%22%22%2C%22version_no%22%3A%224.1.9%22%7D%7D%5D&ts=1544179009469&sign= at 2018-12-07 06:36:49 pm by 111.230.50.47

    Name Value
    accept-encoding 'gzip'
    workspaceid 'product'
    trackerid ''
    signtype '0'
    riskudid '00cb8864-fa0c-11e8-8657-000000000000'
    platform 'ANDROID'
    did '61af7de9dbacd2b6'
    appid '9101430221728'
    user-agent 'Go-http-client/1.1'
    host 'mobile.12306.cn'

    有哪位大佬了解是怎么发动攻击的吗?

    安全yii2yiiweb安全php
    阅读 8.1k
    4 个回答
    得票最新
    头像
    XYShaoKang
      3.3k1415
      ✓ 已被采纳

      改本地的hosts就可以了,你改下你本地电脑的hostsbaidu.com指向你的 ip,你在访问baidu.com看看.

      估计是这个客户端本机的hosts或者中间的某个路由被动了手脚,把 12306.cn 指向到你这里了.

      头像
      搁浅的鱼
        75127

        我查看服务器日志,出现了和你一样的情况,就这样放着不管吗?

        头像
        cokapp
          411
          新手上路,请多包涵

          我也有,怎么处理?

          头像
          tar
            414
            新手上路,请多包涵

            大佬你们好,很想知道一下最后是怎么处理的?我这边相同情况,查看nginx的日志发现每天无时无刻源源不断地在请求otsmobile/app/mgs/mgw.htm?operationType=com.... 状态是301。
            只能推断是有人利用服务器流量,然后把这个请求(otsmobile/app/mgs)再转发到12306(推测)进行刷票。
            但我查遍了nginx没有发现配置文件有任何被改动的地方。

            撰写回答
            你尚未登录,登录后可以
            • 和开发者交流问题的细节
            • 关注并接收问题和回答的更新提醒
            • 参与内容的编辑和改进,让解决方法与时俱进
            推荐问题