网站日志中发现大量的avatar.php的访问消耗流量如何解决？

土鸡瓦犬 · 发表于 2025-12-13 22:43:52

版本还是比较旧的Discuz! X3.4 R20230520，发现流量异常高，用的宝塔（没买Nginx防火墙），一看网站日志中大量的
“IP地址- - [日期] ＂GET /uc_server/avatar.php?uid=[各种uid数值]&size=small HTTP/2.0＂ 301 0 ＂-＂＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36＂”

我知道答案回答被采纳将会获得1 贡献已有13人回答

IsaacZ · 发表于 2025-12-14 01:10:21

/uc_server/avatar.php 是对头像的访问，一个回复比较多的热门帖子一打开就会对10层楼的头像进行加载，访问数量大本身没有什么问题。
301永久重定向也一般看作正常，不过你这个没有 referrer 比较可疑。看看除了301还有没有别的错误码。

我的网站攻击入口是首页热搜链接，全是503错误码，原来用 Fail2ban 见一个封一个，现在被我关了热搜，然后针对热搜的所有访问被我挡在 Nginx 层，现在清静多了。参考：
Fail2ban 封禁了 47700 个IP！ - 站长杂谈
https://www.dismall.com/thread-27539-1-1.html

crx349 · 发表于 2025-12-14 03:31:49

可以改成静态头像模式会好点

鸿茂传媒 · 发表于 2025-12-14 07:55:36

如果流量异常高，那就改成静态的看下，或者增加防火墙。

土鸡瓦犬 · 发表于 2025-12-14 12:48:10

IsaacZ 发表于 2025-12-14 01:10
/uc_server/avatar.php 是对头像的访问，一个回复比较多的热门帖子一打开就会对10层楼的头像进行加载，访问 ...

抽了一个ip看了下正常和错误日志，这是被攻击了吧- -|||

攻击者IP - - [14/Dec/2025:12:13:30 +0800] ＂GET / HTTP/1.1＂ 301 162 ＂-＂＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻击者IP - - [14/Dec/2025:12:13:31 +0800] ＂GET / HTTP/2.0＂ 200 11914 ＂-＂＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻击者IP - - [14/Dec/2025:12:13:31 +0800] ＂GET /sslogo.gif HTTP/1.1＂ 301 162 ＂-＂＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻击者IP - - [14/Dec/2025:12:13:33 +0800] ＂GET /uc_server/avatar.php?uid=184544&size=small HTTP/2.0＂ 301 230 ＂-＂＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻击者IP - - [14/Dec/2025:12:13:33 +0800] ＂GET /uc_server/avatar.php?uid=184540&size=small HTTP/2.0＂ 301 230 ＂-＂＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻击者IP - - [14/Dec/2025:12:13:33 +0800] ＂GET /uc_server/avatar.php?uid=184543&size=small HTTP/2.0＂ 301 230 ＂-＂＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻击者IP - - [14/Dec/2025:12:13:33 +0800] ＂GET /uc_server/avatar.php?uid=184542&size=small HTTP/2.0＂ 301 230 ＂-＂＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻击者IP - - [14/Dec/2025:12:13:33 +0800] ＂GET /uc_server/avatar.php?uid=184539&size=small HTTP/2.0＂ 301 230 ＂-＂＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻击者IP - - [14/Dec/2025:12:13:33 +0800] ＂GET /uc_server/avatar.php?uid=184545&size=small HTTP/2.0＂ 301 230 ＂-＂＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻击者IP - - [14/Dec/2025:12:13:33 +0800] ＂GET /uc_server/avatar.php?uid=184541&size=small HTTP/2.0＂ 301 230 ＂-＂＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂

2025/12/14 12:13:33 [error] 3997#0: *461236 FastCGI sent in stderr: ＂PHP message: PHP Warning: file_put_contents(./data/ip_count/7f40f4a9460074a55fb7e668184d9cbc.txt): failed to open stream: No such file or directory in /www/wwwroot/www.我的url/uc_server/avatar.php on line 33＂ while reading response header from upstream, client: 攻击者IP, server: www.我的url, request: ＂GET /uc_server/avatar.php?uid=184544&size=small HTTP/2.0＂, upstream: ＂fastcgi://unix:/tmp/php-cgi-74.sock:＂, host: ＂www.我的url＂
2025/12/14 12:13:33 [error] 3997#0: *461236 FastCGI sent in stderr: ＂PHP message: PHP Warning: file_put_contents(./data/ip_count/7f40f4a9460074a55fb7e668184d9cbc.txt): failed to open stream: No such file or directory in /www/wwwroot/www.我的url/uc_server/avatar.php on line 33＂ while reading response header from upstream, client: 攻击者IP, server: www.我的url, request: ＂GET /uc_server/avatar.php?uid=184540&size=small HTTP/2.0＂, upstream: ＂fastcgi://unix:/tmp/php-cgi-74.sock:＂, host: ＂www.我的url＂
2025/12/14 12:13:33 [error] 3997#0: *461236 FastCGI sent in stderr: ＂PHP message: PHP Warning: file_put_contents(./data/ip_count/7f40f4a9460074a55fb7e668184d9cbc.txt): failed to open stream: No such file or directory in /www/wwwroot/www.我的url/uc_server/avatar.php on line 33＂ while reading response header from upstream, client: 攻击者IP, server: www.我的url, request: ＂GET /uc_server/avatar.php?uid=184543&size=small HTTP/2.0＂, upstream: ＂fastcgi://unix:/tmp/php-cgi-74.sock:＂, host: ＂www.我的url＂
2025/12/14 12:13:33 [error] 3997#0: *461236 FastCGI sent in stderr: ＂PHP message: PHP Warning: file_put_contents(./data/ip_count/7f40f4a9460074a55fb7e668184d9cbc.txt): failed to open stream: No such file or directory in /www/wwwroot/www.我的url/uc_server/avatar.php on line 33＂ while reading response header from upstream, client: 攻击者IP, server: www.我的url, request: ＂GET /uc_server/avatar.php?uid=184542&size=small HTTP/2.0＂, upstream: ＂fastcgi://unix:/tmp/php-cgi-74.sock:＂, host: ＂www.我的url＂
2025/12/14 12:13:33 [error] 3997#0: *461236 FastCGI sent in stderr: ＂PHP message: PHP Warning: file_put_contents(./data/ip_count/7f40f4a9460074a55fb7e668184d9cbc.txt): failed to open stream: No such file or directory in /www/wwwroot/www.我的url/uc_server/avatar.php on line 33＂ while reading response header from upstream, client: 攻击者IP, server: www.我的url, request: ＂GET /uc_server/avatar.php?uid=184539&size=small HTTP/2.0＂, upstream: ＂fastcgi://unix:/tmp/php-cgi-74.sock:＂, host: ＂www.我的url＂
2025/12/14 12:13:33 [error] 3997#0: *461236 FastCGI sent in stderr: ＂PHP message: PHP Warning: file_put_contents(./data/ip_count/7f40f4a9460074a55fb7e668184d9cbc.txt): failed to open stream: No such file or directory in /www/wwwroot/www.我的url/uc_server/avatar.php on line 33＂ while reading response header from upstream, client: 攻击者IP, server: www.我的url, request: ＂GET /uc_server/avatar.php?uid=184545&size=small HTTP/2.0＂, upstream: ＂fastcgi://unix:/tmp/php-cgi-74.sock:＂, host: ＂www.我的url＂
2025/12/14 12:13:33 [error] 3997#0: *461236 FastCGI sent in stderr: ＂PHP message: PHP Warning: file_put_contents(./data/ip_count/7f40f4a9460074a55fb7e668184d9cbc.txt): failed to open stream: No such file or directory in /www/wwwroot/www.我的url/uc_server/avatar.php on line 33＂ while reading response header from upstream, client: 攻击者IP, server: www.我的url, request: ＂GET /uc_server/avatar.php?uid=184541&size=small HTTP/2.0＂, upstream: ＂fastcgi://unix:/tmp/php-cgi-74.sock:＂, host: ＂www.我的url＂

IsaacZ · 发表于 2025-12-14 20:20:25

土鸡瓦犬发表于 2025-12-14 12:48
抽了一个ip看了下正常和错误日志，这是被攻击了吧- -|||

攻击者IP - - [14/Dec/2025:12:13:30 +0800] ＂ ...

建议：在Nginx添加location规则：

plain

IsaacZ · 发表于 2025-12-14 20:22:23

土鸡瓦犬发表于 2025-12-14 12:48
抽了一个ip看了下正常和错误日志，这是被攻击了吧- -|||

攻击者IP - - [14/Dec/2025:12:13:30 +0800] ＂ ...

修改文件：# 宝塔面板（你日志路径含 /www/wwwroot/，很可能是宝塔）
/www/server/panel/vhost/nginx/你的域名.conf

注意把 yourdomain.com 换成你自己的域名

土鸡瓦犬 · 发表于 2025-12-14 21:58:25

IsaacZ 发表于 2025-12-14 20:22
修改文件：# 宝塔面板（你日志路径含 /www/wwwroot/，很可能是宝塔）
/www/server/panel/vhost/nginx/你 ...

谢谢你的解答。

确实是宝塔。
其实之前问了AI，给的是类似的答复：

# 在站点配置中添加：
location ~* /uc_server/avatar\.php
{
# 封禁所有已知攻击IP
# deny IP案例;

# 严格参数验证
if ($args !~* "^uid=[0-9]{1,6}&size=(small|middle|large)$") {
return 403;
}

# UID范围限制
if ($arg_uid > 200000) {
return 403;
}

# 频率限制：每秒1次
limit_req zone=one burst=1 nodelay;

# 必须来自本站
valid_referers none blocked server_names *.我的域名;
if ($invalid_referer) {
return 403;
}
}

我把你提供的也写在它前头好了。
现在虽然攻击还是有的，但流量情况正常多了…

IsaacZ · 发表于 2025-12-15 09:28:55

我的 location 规则放上面的话优先级最高，你后面的规则可能就没用了。

罗永浩 · 发表于 2025-12-15 21:02:33

你的网站如果没有收益，以及不是很赚钱的论坛，很多攻击都是“误会”，有时搜索引擎爬虫也会出现这种情况，至于什么搜索热词之类，直接打开使用搜索需要登录就可以了，增加防火墙纯粹增加系统负担

你的同行攻击直接D概率比较大，不会搞这种费时费力的手段

[求助] 网站日志中发现大量的avatar.php的访问消耗流量如何解决？

相关帖子

产品服务

开发者服务

使用教程