Discuz! App Store (DisMall)

Views: 895 | Replies: 8

[Help] Help, it looks like my site has been injected with malware again!!!

Posted on 2021-8-2 16:49:47
mod=forumdisplay&fid=48&filter=sortid&sortid=4&searchsort=1&archy_qy_3=9.3&archy_gzdy=2&archy_xlyq=8&archy_gznx=3&archy_zpzw=2&page=1 HTTP/1.1", host: "abcd.com"
2021/08/02 16:44:13 [error] 6118#6118: *20268 [lua] [string "local hOCvCfmVpL094={[1]=0,[2]=1,[3]=2,[4]=3,..."]:1: run(): failed to connect redis: timeout, client: 171.109.216.72, server: abcd.com, request: "GET /forum.php?mod=forumdisplay&fid=48&filter=sortid&sortid=4&searchsort=1&archy_qy_3=9.3&archy_gzdy=2&archy_xlyq=8&archy_gznx=3&archy_zpzw=2&page=1 HTTP/1.1", host: "abcd.com"
2021/08/02 16:44:14 [error] 6118#6118: *20281 lua tcp socket connect timed out, when connecting to 127.0.0.1:6379, client: 171.109.216.126, server: abcd.com, request: "GET /forum.php?mod=forumdisplay&fid=48&filter=sortid&sortid=4&searchsort=1&archy_qy_3=22.10&archy_xlyq=4&archy_gzdy=1&archy_zpzw=1&archy_gznx=4&page=1 HTTP/1.1", host: "abcd.com"
2021/08/02 16:44:14 [error] 6118#6118: *20281 [lua] [string "local hOCvCfmVpL094={[1]=0,[2]=1,[3]=2,[4]=3,..."]:1: run(): failed to connect redis: timeout, client: 171.109.216.126, server: abcd.com, request: "GET /forum.php?mod=forumdisplay&fid=48&filter=sortid&sortid=4&searchsort=1&archy_qy_3=22.10&archy_xlyq=4&archy_gzdy=1&archy_zpzw=1&archy_gznx=4&page=1 HTTP/1.1", host: "abcd.com"
2021/08/02 16:44:14 [error] 6118#6118: *20282 lua tcp socket connect timed out, when connecting to 127.0.0.1:6379, client: 95.223.229.18, server: abcd.com, request: "GET /member.php?mod=logging&action=login&referer=https%3A%2F%2Frosyhub.com HTTP/1.1", host: "www.abcd.com", referrer: "https://www.abcd.com/"
2021/08/02 16:44:14 [error] 6118#6118: *20282 [lua] [string "local hOCvCfmVpL094={[1]=0,[2]=1,[3]=2,[4]=3,..."]:1: run(): failed to connect redis: timeout, client: 95.223.229.18, server: abcd.com, request: "GET /member.php?mod=logging&action=login&referer=https%3A%2F%2Frosyhub.com HTTP/1.1", host: "www.abcd.com", referrer: "https://www.abcd.com/"
2021/08/02 16:44:14 [error] 6118#6118: *20293 lua tcp socket connect timed out, when connecting to 127.0.0.1:6379, client: 171.109.216.108, server: abcd.com, request: "GET /forum.php?mod=forumdisplay&fid=48&filter=sortid&sortid=4&searchsort=1&archy_qy_3=1&archy_zpzw=2&archy_xlyq=2&archy_gznx=3&archy_gzdy=4&page=1 HTTP/1.1", host: "abcd.com"
2021/08/02 16:44:14 [error] 6118#6118: *20293 [lua] [string "local hOCvCfmVpL094={[1]=0,[2]=1,[3]=2,[4]=3,..."]:1: run(): failed to connect redis: timeout, client: 171.109.216.108, server: abcd.com, request: "GET /forum.php?mod=forumdisplay&fid=48&filter=sortid&sortid=4&searchsort=1&archy_qy_3=1&archy_zpzw=2&archy_xlyq=2&archy_gznx=3&archy_gzdy=4&page=1 HTTP/1.1", host: "abcd.com"
2021/08/02 16:44:14 [error] 6118#6118: *20295 lua tcp socket connect timed out, when connecting to 127.0.0.1:6379, client: 114.119.158.50, server: abcd.com, request: "GET /forum.php?mod=forumdisplay&fid=48&filter=sortid&sortid=4&searchsort=1&archy_qy_3=6&archy_gznx=3&archy_gzdy=2&archy_gsmc=all&archy_zpzw=all&archy_xlyq=7&page=1 HTTP/1.1", host: "www.abcd.com"
2021/08/02 16:44:14 [error] 6118#6118: *20295 [lua] [string "local hOCvCfmVpL094={[1]=0,[2]=1,[3]=2,[4]=3,..."]:1: run(): failed to connect redis: timeout, client: 114.119.158.50, server: abcd.com, request: "GET /forum.php?mod=forumdisplay&fid=48&filter=sortid&sortid=4&searchsort=1&archy_qy_3=6&archy_gznx=3&archy_gzdy=2&archy_gsmc=all&archy_zpzw=all&archy_xlyq=7&page=1 HTTP/1.1", host: "www.abcd.com"
2021/08/02 16:44:14 [error] 6118#6118: *20300 lua tcp socket connect timed out, when connecting to 127.0.0.1:6379, client: 114.119.134.230, server: abcd.com, request: "GET /home.php?mod=space&uid=22364&do=wall&from=space HTTP/1.1", host: "www.abcd.com"
2021/08/02 16:44:14 [error] 6118#6118: *20300 [lua] [string "local hOCvCfmVpL094={[1]=0,[2]=1,[3]=2,[4]=3,..."]:1: run(): failed to connect redis: timeout, client: 114.119.134.230, server: abcd.com, request: "GET /home.php?mod=space&uid=22364&do=wall&from=space HTTP/1.1", host: "www.abcd.com"
2021/08/02 16:44:14 [error] 6118#6118: *20249 lua tcp socket connect timed out, when connecting to 127.0.0.1:6379, client: 171.109.216.50, server: abcd.com, request: "GET /forum.php?mod=forumdisplay&fid=48&filter=sortid&sortid=4&searchsort=1&archy_qy_3=4&archy_zpzw=3&archy_gzdy=6&archy_xlyq=6&page=1 HTTP/1.1", host: "abcd.com"
2021/08/02 16:44:14 [error] 6118#6118: *20249 [lua] [string "local hOCvCfmVpL094={[1]=0,[2]=1,[3]=2,[4]=3,..."]:1: run(): failed to connect redis: timeout, client: 171.109.216.50, server: abcd.com, request: "GET /forum.php?mod=forumdisplay&fid=48&filter=sortid&sortid=4&searchsort=1&archy_qy_3=4&archy_zpzw=3&archy_gzdy=6&archy_xlyq=6&page=1 HTTP/1.1", host: "abcd.com"

As soon as PHP is started, the CPU goes to 100% without fail (php-fpm and SQL).

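The log excerpt above already holds the clue: within a single second the same forum.php?mod=forumdisplay&...&searchsort=1 listing is requested from several hosts in 171.109.216.0/24, each with a different combination of archy_* filter values, so every hit is a different query for MySQL (which matches the constant SELECTs the OP reports later in the thread), while the Lua CC module's Redis connection times out under the load. The script below is an added example, not code from the post or from Discuz!: it parses the error-log lines exactly as nginx wrote them (seven lines copied from the excerpt serve as sample input), groups requests by /24 and by path, counts distinct query strings per path, and flags any /24 that produced three or more hits inside a five-second window. The thresholds and the function names are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Sample input: seven lines copied from the nginx error-log excerpt in the post.
# Both the "lua tcp socket connect timed out" and the "[lua] ... failed to connect
# redis" variants carry the same client/request fields, so one regex serves both.
SAMPLE_LOG = """\
2021/08/02 16:44:13 [error] 6118#6118: *20268 [lua] [string "local hOCvCfmVpL094={[1]=0,[2]=1,[3]=2,[4]=3,..."]:1: run(): failed to connect redis: timeout, client: 171.109.216.72, server: abcd.com, request: "GET /forum.php?mod=forumdisplay&fid=48&filter=sortid&sortid=4&searchsort=1&archy_qy_3=9.3&archy_gzdy=2&archy_xlyq=8&archy_gznx=3&archy_zpzw=2&page=1 HTTP/1.1", host: "abcd.com"
2021/08/02 16:44:14 [error] 6118#6118: *20281 lua tcp socket connect timed out, when connecting to 127.0.0.1:6379, client: 171.109.216.126, server: abcd.com, request: "GET /forum.php?mod=forumdisplay&fid=48&filter=sortid&sortid=4&searchsort=1&archy_qy_3=22.10&archy_xlyq=4&archy_gzdy=1&archy_zpzw=1&archy_gznx=4&page=1 HTTP/1.1", host: "abcd.com"
2021/08/02 16:44:14 [error] 6118#6118: *20282 lua tcp socket connect timed out, when connecting to 127.0.0.1:6379, client: 95.223.229.18, server: abcd.com, request: "GET /member.php?mod=logging&action=login&referer=https%3A%2F%2Frosyhub.com HTTP/1.1", host: "www.abcd.com", referrer: "https://www.abcd.com/"
2021/08/02 16:44:14 [error] 6118#6118: *20293 lua tcp socket connect timed out, when connecting to 127.0.0.1:6379, client: 171.109.216.108, server: abcd.com, request: "GET /forum.php?mod=forumdisplay&fid=48&filter=sortid&sortid=4&searchsort=1&archy_qy_3=1&archy_zpzw=2&archy_xlyq=2&archy_gznx=3&archy_gzdy=4&page=1 HTTP/1.1", host: "abcd.com"
2021/08/02 16:44:14 [error] 6118#6118: *20295 lua tcp socket connect timed out, when connecting to 127.0.0.1:6379, client: 114.119.158.50, server: abcd.com, request: "GET /forum.php?mod=forumdisplay&fid=48&filter=sortid&sortid=4&searchsort=1&archy_qy_3=6&archy_gznx=3&archy_gzdy=2&archy_gsmc=all&archy_zpzw=all&archy_xlyq=7&page=1 HTTP/1.1", host: "www.abcd.com"
2021/08/02 16:44:14 [error] 6118#6118: *20300 lua tcp socket connect timed out, when connecting to 127.0.0.1:6379, client: 114.119.134.230, server: abcd.com, request: "GET /home.php?mod=space&uid=22364&do=wall&from=space HTTP/1.1", host: "www.abcd.com"
2021/08/02 16:44:14 [error] 6118#6118: *20249 lua tcp socket connect timed out, when connecting to 127.0.0.1:6379, client: 171.109.216.50, server: abcd.com, request: "GET /forum.php?mod=forumdisplay&fid=48&filter=sortid&sortid=4&searchsort=1&archy_qy_3=4&archy_zpzw=3&archy_gzdy=6&archy_xlyq=6&page=1 HTTP/1.1", host: "abcd.com"
"""

# nginx error-log line: timestamp, level, free-form message, then the
# "client: ..., server: ..., request: "..."" trailer appended by nginx.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] .*?'
    r'client: (?P<ip>[0-9.]+), server: [^,]+, '
    r'request: "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"'
)


def net_of(ip):
    """Collapse a client address to its /24 so a small botnet range shows up as one source."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def parse_lines(text):
    """Extract timestamp, client IP, path and query string from every line that carries a request."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a request trailer (e.g. plain startup errors) are skipped
        url = urlsplit(m["target"])
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "ip": m["ip"],
            "path": url.path,
            "query": url.query,
        })
    return events


def summarize(events):
    """Who is hitting what: requests per /24, per path, and distinct query strings per path."""
    by_net = Counter(net_of(ev["ip"]) for ev in events)
    by_path = Counter(ev["path"] for ev in events)
    queries = defaultdict(set)
    for ev in events:
        queries[ev["path"]].add(ev["query"])
    stamps = [ev["ts"] for ev in events]
    span = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    return {
        "by_net": by_net,
        "by_path": by_path,
        # many distinct query strings on one path = every hit bypasses any page cache
        "distinct_queries": {p: len(q) for p, q in queries.items()},
        "span_seconds": span,
    }


def flag_floods(events, min_hits=3, window_s=5.0):
    """Return [(net, hits)] for each /24 that made >= min_hits requests inside any window_s-second window."""
    stamps_by_net = defaultdict(list)
    for ev in events:
        stamps_by_net[net_of(ev["ip"])].append(ev["ts"])
    flagged = []
    for net, stamps in stamps_by_net.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):  # sliding window over the sorted timestamps
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= window_s:
                j += 1
            best = max(best, j - i)
        if best >= min_hits:
            flagged.append((net, best))
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    s = summarize(evs)
    print(f"{len(evs)} requests in {s['span_seconds']:.0f}s")
    for net, n in s["by_net"].most_common():
        print(f"  {net:22} {n} requests")
    for path, n in s["by_path"].most_common():
        print(f"  {path:22} {n} hits, {s['distinct_queries'][path]} distinct query strings")
    for net, n in flag_floods(evs):
        print(f"FLOOD: {net} made {n} requests within 5s; candidate for a rate limit or deny rule")
```

Run it against the full error.log rather than the excerpt and the /24 ranking is usually enough to write a deny rule; the distinct-query count per path is the tell that the attacker is deliberately varying filter values so that caching cannot absorb the load.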
OP | Posted on 2021-8-2 17:13:02
All my other sites are fine; I just can't tell where it got hooked. The file checksums are all correct.
Posted on 2021-8-2 23:51:47
Pirated plugin?
Posted on 2021-8-3 10:54:30
Judging from the log, it looks like Redis can't be connected to. Check Redis first.
OP | Posted on 2021-8-4 11:21:30
monery2 posted on 2021-8-2 17:13:
All my other sites are fine; I just can't tell where it got hooked. The file checksums are all correct.

Later I checked the nginx and PHP configuration on the server, and in the end found that the CPU spikes once the template I bought is enabled; with the default template it's fine. Still investigating...
OP | Posted on 2021-8-4 11:33:06
https://pc6a.com/1540.html. This seems to be related; the site is being hit by a malicious crawler.
OP | Posted on 2021-8-4 22:51:59
Seems that wasn't it either; still investigating. I turned off all the plugins and it's still not resolved. Strange.
OP | Posted on 2021-8-7 16:13:31
Because of work it took three days in a row, four hours each, but I finally found it. The search went like this: checked the nginx and PHP configuration, normal; looked for deadlocked tables, none; disabled all plugins, CPU still spiking; restored the default template, dropped to about 20% (still not normal; a fresh test site sits under 3%); monitored the network interface and saw IPs hitting my site non-stop; assumed some PHP file had been injected with malware (it had happened before), went through every modified file, no sign of malware, still spiking; then logged and pulled up MySQL's recent queries, which were doing SELECTs non-stop, and looking at the query statements it seemed that certain IPs were hammering my site. Switched domains and the CPU went back to normal (the original domain was under a CC attack). Switched the domain back and enabled CC protection with HTTP-header verification recorded in the client cookie, which had no effect, so this is very likely an attack from trojan-infected zombie machines. Then enabled CC protection with JS verification in the client cookie, and it's normal now. In the meantime I also turned on Alibaba Cloud's WAF, which in theory could block it too, but the fee was too expensive and I gave up on it.
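The mode the OP ended up with, CC protection that admits only clients whose JavaScript has set a cookie, works because a plain HTTP-flood bot replays requests without executing scripts, whereas the header-in-cookie check tried first is satisfied by any client with a cookie jar. Below is an added example of how such a gate can be built; it is not Discuz!'s CC-protection code and not the OP's configuration. The server signs the client IP and an expiry with an HMAC, hands the token to the browser only inside a script tag, and passes later requests whose cc_js cookie verifies. The secret, the cookie name cc_js, the one-hour lifetime and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Assumed values for this example: in a real deployment load the secret from
# configuration and rotate it; the cookie name and lifetime are arbitrary.
SECRET = secrets.token_bytes(32)
COOKIE_NAME = "cc_js"
TOKEN_TTL = 3600  # seconds a solved challenge stays valid


def _sign(client_ip, expiry, secret):
    """HMAC-SHA256 over "ip|expiry"; binding the IP makes a copied cookie useless elsewhere."""
    return hmac.new(secret, f"{client_ip}|{expiry}".encode(), hashlib.sha256).hexdigest()


def make_token(client_ip, now=None, secret=SECRET):
    """Token = "<expiry>.<hmac>"; the expiry travels in clear so verify can recompute the MAC."""
    if now is None:
        now = time.time()
    expiry = int(now) + TOKEN_TTL
    return f"{expiry}.{_sign(client_ip, expiry, secret)}"


def verify_token(token, client_ip, now=None, secret=SECRET):
    """True only for an unexpired token whose MAC matches this client IP (constant-time compare)."""
    if now is None:
        now = time.time()
    try:
        expiry_s, sig = token.split(".", 1)
        expiry = int(expiry_s)
    except (AttributeError, ValueError):
        return False
    if expiry < now:
        return False
    return hmac.compare_digest(_sign(client_ip, expiry, secret), sig)


# The only content of the challenge page is a script that stores the token and
# reloads; a client that never runs JavaScript never obtains a valid cookie.
CHALLENGE_HTML = """<!doctype html>
<html><head><meta charset="utf-8"><title>Checking your browser</title></head>
<body><script>
document.cookie = "{name}={token}; Path=/; Max-Age={ttl}; SameSite=Lax";
location.reload();
</script>
<noscript>This site requires JavaScript to continue.</noscript>
</body></html>
"""


def handle_request(client_ip, cookie_header, now=None):
    """Return ("pass", None) when the cookie verifies, otherwise ("challenge", html).
    Serve the challenge as 503 with Cache-Control: no-store, so that no cache in
    front of the site hands one client's token to another."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    token = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
    if token is not None and verify_token(token, client_ip, now):
        return "pass", None
    html = CHALLENGE_HTML.format(name=COOKIE_NAME, token=make_token(client_ip, now), ttl=TOKEN_TTL)
    return "challenge", html


def extract_token_from_challenge(html):
    """What a browser effectively does after running the script: pull the cookie value out of the page."""
    return html.split(f"{COOKIE_NAME}=", 1)[1].split(";", 1)[0]


if __name__ == "__main__":
    ip = "203.0.113.5"  # constructed client address
    verdict, body = handle_request(ip, None)
    print("first visit without cookie:", verdict)
    token = extract_token_from_challenge(body)
    print("second visit with cookie:", handle_request(ip, f"{COOKIE_NAME}={token}")[0])
    print("same cookie replayed from 198.51.100.9:", handle_request("198.51.100.9", f"{COOKIE_NAME}={token}")[0])
```

Binding the token to the client IP costs you users behind carrier-grade NAT whose address changes mid-session; binding to the /24 instead, or dropping the IP from the MAC, is the usual compromise. A headless browser or a bot that scrapes the token out of the script tag passes this gate, so keep a per-source rate limit beside it rather than relying on the challenge alone.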
OP | Posted on 2021-8-10 14:29:17
One more addition: https://blog.csdn.net/weixin_34234823/article/details/89779113

Mobile version | Discuz! App Center ( 皖ICP备16010102号 ) | Sitemap

GMT+8, 2022-5-18 04:01, Processed in 0.038129 second(s), 8 queries, Yac On.

Powered by Discuz!

Copyright © Tencent Cloud.
