Today I spun up a new machine on Digital Ocean that came pre-configured with a web environment. I made the initial request to the new site and found the following (IP addresses removed) in my nginx access log:
218.65.131.13 - - [16/Apr/2015:07:14:50 -0400] "GET http://218.65.131.13/intoIp.aspx?ip=111.111.111.111:8080 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
218.65.131.20 - - [16/Apr/2015:07:42:59 -0400] "GET http://218.65.131.13/intoIp.aspx?ip=111.111.111.111:8080 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
218.65.131.13 - - [16/Apr/2015:08:04:08 -0400] "GET http://218.65.131.13/intoIp.aspx?ip=111.111.111.111:8080 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
218.65.131.20 - - [16/Apr/2015:08:36:15 -0400] "GET http://218.65.131.13/intoIp.aspx?ip=111.111.111.111:8080 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
Obviously they managed to sniff the request and then passed the request URL on to the server 218.65.131.13, because the log also contains the non-standard port number I use. I did a reverse IP lookup and found that this IP belongs to China Telecom, as shown in the image.
This is a bit troubling, because I made the request from a hosted DigitalOcean server to another brand-new DigitalOcean server.
Afterwards I ran a traceroute, but did not find anything interesting:
traceroute to 111.111.111.111 (111.111.111.111), 30 hops max, 60 byte packets
1 162.243.160.253 (162.243.160.253) 0.459 ms 0.440 ms 0.417 ms
2 198.211.111.70 (198.211.111.70) 0.407 ms 0.398 ms 198.211.111.66 (198.211.111.66) 0.797 ms
3 xe-0-3-0-28.r05.nycmny01.us.bb.gin.ntt.net (204.2.241.49) 1.029 ms nyk-b2-link.telia.net (62.115.45.1) 0.705 ms 0.702 ms
4 xe-0-1-0-34.r05.nycmny01.us.ce.gin.ntt.net (129.250.204.110) 1.631 ms nyk-bb2-link.telia.net (213.155.130.31) 0.752 ms xe-0-1-0-34.r05.nycmny01.us.ce.gin.ntt.net (129.250.204.110) 1.620 ms
5 nyk-b3-link.telia.net (80.91.247.21) 1.234 ms 162.243.188.230 (162.243.188.230) 1.602 ms 162.243.188.242 (162.243.188.242) 1.869 ms
6 digitalocean-ic-306497-nyk-b3.c.telia.net (62.115.45.6) 1.863 ms digitalocean-ic-306498-nyk-b3.c.telia.net (62.115.45.10) 1.588 ms example.com (111.111.111.111) 1.576 ms
Any suggestions on what I should look for to track down how this request was leaked/shared, or whether there is a security vulnerability?
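One way to triage entries like these, as an added example that is not part of the question or of any answer to it: a request line whose target is an absolute URI ("GET http://host/path HTTP/1.1") is the form a client sends to a forward proxy, so such entries are the usual signature of an open-proxy probe aimed at the server itself rather than evidence that earlier traffic was intercepted. The script below parses nginx combined-format lines, flags absolute-form targets that name a host other than the server's own, and pulls out the "ip" query parameter, which in the question's lines carries the probed address and port. It uses only the Python 3 standard library; the first two sample lines are copied from the question, the third sample line and the set of own hostnames are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<protocol>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Sample input: the first two lines are taken from the question; the third is a
# constructed ordinary request, included for contrast.
SAMPLE_LOG = [
    '218.65.131.13 - - [16/Apr/2015:07:14:50 -0400] "GET http://218.65.131.13/intoIp.aspx?ip=111.111.111.111:8080 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"',
    '218.65.131.20 - - [16/Apr/2015:07:42:59 -0400] "GET http://218.65.131.13/intoIp.aspx?ip=111.111.111.111:8080 HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"',
    '203.0.113.7 - - [16/Apr/2015:09:00:01 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.38.0"',
]


def parse_combined(line):
    """Parse one nginx combined-format line into a dict; return None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_request(rec, own_hosts):
    """Annotate a parsed record in place.

    proxy_style    - request target is an absolute URI (the form sent to a forward proxy)
    target_host    - host named in that URI, if any
    foreign_host   - that host is not one of our own names/addresses
    probed_address - value of the 'ip' query parameter, if present
    """
    target = rec["target"]
    rec["proxy_style"] = target.lower().startswith(("http://", "https://"))
    rec["target_host"] = None
    rec["foreign_host"] = False
    rec["probed_address"] = None
    if rec["proxy_style"]:
        parts = urlsplit(target)
        rec["target_host"] = parts.hostname
        rec["foreign_host"] = parts.hostname not in own_hosts
        rec["probed_address"] = parse_qs(parts.query).get("ip", [None])[0]
    return rec


def find_proxy_probes(lines, own_hosts):
    """Return records that look like open-proxy probes: absolute-form target for a foreign host."""
    probes = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable line (different log format, truncated write)
        classify_request(rec, own_hosts)
        if rec["proxy_style"] and rec["foreign_host"]:
            probes.append(rec)
    return probes


def probe_sources(probes):
    """Count probes per source address: a quick 'who is scanning me' view."""
    counts = {}
    for rec in probes:
        counts[rec["remote_addr"]] = counts.get(rec["remote_addr"], 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed: the server's own public address (as redacted in the question) and hostname.
    own = {"111.111.111.111", "example.com"}
    found = find_proxy_probes(SAMPLE_LOG, own)
    for rec in found:
        print(f'{rec["remote_addr"]} -> {rec["target_host"]} probing '
              f'{rec["probed_address"]} (status {rec["status"]})')
    print(probe_sources(found))
```

To run it over a real log, pass the lines of /var/log/nginx/access.log to find_proxy_probes with the server's own addresses and hostnames. On the question's lines the probed address is the server's own IP and non-standard port, which is consistent with a scanner trying to relay a request to its own host through the new server; the 502 means nginx handed the request to an upstream that did not answer properly, so it is also worth confirming that the default server block does not proxy requests for hosts it does not serve.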