Does anyone else have a server that keeps getting visited by an "OPPO A33"? Extremely weird. - V2EX
dfc643

Does anyone else have a server that keeps getting visited by an "OPPO A33"? Extremely weird.

    dfc643  Jul 5, 2021  4557 views
    This topic was created 1796 days ago; the information mentioned may have changed or developed since.

    Since late May 2021 my personal blog has had a steady stream of visits from an OPPO A33, and what it requests is extremely obscene. It usually hits the blog's search endpoint /search?kw= with all kinds of obscene keywords, mostly related to hookup (yue 泡) services.

    I find this mysterious visitor quite interesting, so I'm posting it on V2EX just for fun. Has any other V2EX user run into this kind of thing?

    Guess at the purpose

    My guess at the purpose: by endlessly requesting all sorts of odd keywords, they get these pages indexed by search engines, so that people looking for hookup services can easily find the contact details through a Baidu search. Because the search results are grafted onto other people's websites, their own site never gets taken down, and because it is spread so widely, the ads cannot all be cleaned up at once.

    Similar cases on V2EX

    • How does the same device in the access logs keep switching IPs? t/728966

    Visitor characteristics

    • All UAs are based on OPPO A33
    • Most IPs belong to Jiangsu Telecom (reported internally to the Jiangsu internet police, but nothing came of it)
    • Slow request rate, no more than 50 per minute
    • UAs cover a variety of browsers, including but not limited to QQ Browser, UC Browser and Cheetah (LieBao) Browser
    • Only the search endpoint is requested

    My analysis

    • The visitor is probably not forging the UA; if it were forged, there would be no reason to stick with OPPO A33 all the time
    • The visitor is probably using a device farm (群控); the A33 is an ancient phone, and its low price makes it the obvious choice for that

    Countermeasures and results

    1. Reported through personal connections to the Jiangsu internet police; the logs were filed for the record, but without a police order there was no follow-up
    2. Used a rule to TCP RESET every request, but the illegitimate requests did not stop

    Log sample

    Interested V2EX users can urldecode the content to see just how obscene it is

    0.000 - IP:124.71.91.20 - RealIP:171.109.217.136(171.109.217.136, 222.217.95.84) - [03/Jul/2021:01:26:35 +0800] GET /search?kw=%E6%88%90%E9%83%BD%E9%9D%92%E7%BE%8A%E5%8C%BA%E5%A6%B9%E5%AD%90%E6%A1%91%E6%8B%BF116.93.371VX%E5%9C%BA%E8%82%89 HTTP/1.1 - 444 - Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 LieBaoFast/4.51.3
    0.000 - IP:124.71.91.3 - RealIP:171.109.216.180(171.109.216.180, 113.17.168.3) - [03/Jul/2021:01:26:36 +0800] GET /search?kw=%E5%A8%84%E5%BA%95%E5%A8%84%E6%98%9F%E5%8C%BA%E5%A4%A7%E5%AD%A6%E7%94%9F%E5%8F%91%E5%BB%8A769%E2%92%901%E2%92%9023VX%E5%8E%8B%E9%82%A3 HTTP/1.1 - 444 - Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 LieBaoFast/4.51.3
    0.000 - IP:124.71.91.72 - RealIP:171.111.63.55(171.111.63.55, 113.17.168.48) - [03/Jul/2021:01:26:39 +0800] GET /search?kw=%E6%94%80%E6%9E%9D%E8%8A%B1%E4%B8%9C%E5%8C%BA%E6%B4%97%E6%B5%B4%E5%A6%B9%E5%AD%9063%E2%92%907%E2%92%8E539VX%E7%83%A7%E8%B5%B7 HTTP/1.1 - 444 - Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 LieBaoFast/4.51.3
    0.000 - IP:124.71.91.72 - RealIP:116.9.31.107(116.9.31.107, 222.217.95.72) - [03/Jul/2021:01:26:39 +0800] GET /search?kw=%E5%92%8C%E7%94%B0%E5%A4%A7%E5%AD%A6%E7%94%9F%E5%8C%85%E5%A4%9C7135%E2%92%901%E2%92%8F9%E8%96%87%E6%9D%82%E4%B8%80 HTTP/1.1 - 444 - Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 LieBaoFast/4.51.3
    0.000 - IP:124.71.91.93 - RealIP:171.109.218.9(171.109.218.9, 113.17.168.24) - [03/Jul/2021:01:26:44 +0800] GET /search?kw=%E9%9D%92%E5%B2%9B%E5%B4%82%E5%B1%B1%E5%8C%BA%E5%A6%B9%E5%AD%90%E6%97%A5%E5%BC%8F6%E2%92%8A787939VX%E5%9D%A0%E8%BF%9B HTTP/1.1 - 444 - Mozilla/5.0(Linux;U;Android 5.1.1;zh-CN;OPPO A33 Build/LMY47V) AppleWebKit/537.36(KHTML,like Gecko) Version/4.0 Chrome/40.0.2214.89 UCBrowser/11.7.0.953 Mobile Safari/537.36
    0.000 - IP:124.71.91.66 - RealIP:171.111.62.99(171.111.62.99, 113.17.168.9) - [03/Jul/2021:01:26:47 +0800] GET /search?kw=%E4%B9%A0%E6%B0%B4%E5%8E%BF%E7%81%AB%E8%BD%A6%E7%AB%99%E5%A6%B9%E5%AD%90%286397.7539VX%29%E6%81%AC%E6%81%AC%E5%A6%B9%E5%AD%90...rcc.htm HTTP/1.1 - 444 - Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 LieBaoFast/4.51.3

    IP range statistics

    /24 block            Blocked requests
    171.109.216.0/24 184473
    171.109.218.0/24 145898
    49.74.3.0/24 88310
    171.109.217.0/24 86588
    49.82.87.0/24 84098
    49.74.23.0/24 83748
    49.82.145.0/24 78688
    49.74.2.0/24 76928
    171.109.219.0/24 63766
    116.9.31.0/24 57480
    49.82.162.0/24 56462
    117.60.201.0/24 52070
    117.60.203.0/24 51932
    117.60.200.0/24 48514
    117.60.202.0/24 48034
    171.111.62.0/24 44892
    171.111.63.0/24 40282
    49.87.53.0/24 39208
    49.89.163.0/24 38776
    49.89.167.0/24 37322
    49.89.162.0/24 36384
    49.89.165.0/24 36302
    49.89.161.0/24 35862
    49.89.160.0/24 35790
    49.89.164.0/24 34274
    49.89.166.0/24 33730
    117.95.181.0/24 33662
    49.87.32.0/24 33216
    117.95.166.0/24 32436
    117.95.182.0/24 31426
    117.95.165.0/24 31304
    117.95.167.0/24 30888
    49.87.13.0/24 30536
    121.226.150.0/24 30414
    121.226.151.0/24 30160
    117.95.180.0/24 29962
    121.226.148.0/24 29902
    117.95.164.0/24 29688
    117.95.183.0/24 29658
    116.9.34.0/24 27352
    121.226.149.0/24 26936
    114.239.56.0/24 26858
    114.239.59.0/24 25016
    114.239.57.0/24 24924
    114.239.63.0/24 24876
    114.239.58.0/24 24204
    114.239.62.0/24 23814
    106.110.207.0/24 23436
    114.239.60.0/24 23172
    114.239.61.0/24 21650
    49.87.17.0/24 17900
    180.139.242.0/24 15612
    121.234.248.0/24 15034
    121.234.251.0/24 14760
    121.234.249.0/24 14582
    121.234.250.0/24 14222
    106.110.208.0/24 14218
    106.125.148.0/24 7024
    106.111.133.0/24 6178
    49.89.149.0/24 1888
    106.125.149.0/24 1780
    121.226.128.0/24 1734
    1.181.138.0/24 1400
    114.239.129.0/24 972
    1.181.137.0/24 748
    1.181.136.0/24 662
    106.125.150.0/24 530
    1.181.139.0/24 152
    36.102.12.0/24 80
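An added example, not code from the thread: a small Python parser for the log layout shown in the OP's sample (`IP:` / `RealIP:` / timestamp / request / status / UA) that applies the OP's own fingerprint (OPPO A33 user agent, only the /search?kw= endpoint), tallies hits per /24 of the real client IP the way the table above does, counts hits per minute to check the "under 50 per minute" observation, and url-decodes the keywords. The three sample lines are constructed with documentation-range IPs and a harmless keyword.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Log layout copied from the OP's samples; these three lines are constructed
# with documentation-range IPs and a harmless keyword, not taken from the thread.
SAMPLE_LOG = """\
0.000 - IP:192.0.2.10 - RealIP:198.51.100.7(198.51.100.7, 203.0.113.4) - [03/Jul/2021:01:26:35 +0800] GET /search?kw=%E6%B5%8B%E8%AF%95VX HTTP/1.1 - 444 - Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 LieBaoFast/4.51.3
0.000 - IP:192.0.2.10 - RealIP:198.51.100.9(198.51.100.9, 203.0.113.5) - [03/Jul/2021:01:26:36 +0800] GET /search?kw=%E6%B5%8B%E8%AF%95 HTTP/1.1 - 444 - Mozilla/5.0(Linux;U;Android 5.1.1;zh-CN;OPPO A33 Build/LMY47V) AppleWebKit/537.36(KHTML,like Gecko) Version/4.0 Chrome/40.0.2214.89 UCBrowser/11.7.0.953 Mobile Safari/537.36
0.000 - IP:192.0.2.11 - RealIP:198.51.100.20(198.51.100.20) - [03/Jul/2021:01:27:01 +0800] GET /post/hello HTTP/1.1 - 200 - Mozilla/5.0 (X11; Linux x86_64) Firefox/89.0
"""

# One line: "<time> - IP:<edge> - RealIP:<real>(<chain>) - [<ts>] <method> <path> HTTP/x - <status> - <ua>"
LINE_RE = re.compile(
    r"^\S+ - IP:(?P<edge>\S+) - RealIP:(?P<real>[^( ]+)\([^)]*\) - "
    r"\[(?P<ts>[^\]]+)\] (?P<method>\S+) (?P<path>\S+) \S+ - (?P<status>\d+) - (?P<ua>.*)$"
)

def parse_line(line):
    """Return a dict of fields, or None if the line is not in this layout."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_a33_search_probe(rec):
    """The OP's fingerprint: an OPPO A33 user agent hitting only /search?kw=."""
    return "OPPO A33" in rec["ua"] and rec["path"].startswith("/search?")

def summarize(log_text):
    """Count probes per /24 of the real client IP and per minute, and decode keywords."""
    per_block, per_minute, keywords = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_a33_search_probe(rec):
            continue
        block = ".".join(rec["real"].split(".")[:3]) + ".0/24"
        per_block[block] += 1
        per_minute[rec["ts"][:17]] += 1          # "dd/Mon/yyyy:HH:MM"
        keywords.append(unquote(rec["path"].split("kw=", 1)[1]))
    return per_block, per_minute, keywords

if __name__ == "__main__":
    blocks, minutes, kws = summarize(SAMPLE_LOG)
    print(blocks.most_common(), minutes.most_common(), kws)
```

Feeding a real access log through `summarize` gives the same /24 ranking as the table above, and any minute whose count rises well above the observed ceiling of about 50 is worth a closer look.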
    16 replies

    1  dfc643 (OP)  Jul 5, 2021
    Attached is a complete IP list: https://isu.fcsys.eu.org/oppo-a33-ip.7z

    2  Xusually  Jul 5, 2021
    Spam SEO. Take a look at the Referer field in your logs, it's even more interesting: these spam operators put their own platform addresses in there.

    3  marktask  Jul 6, 2021 via Android
    This isn't a visitor, it's just a crawler; just block the UA.

    4  xiaoqiao24  Jul 6, 2021
    It's just a crawler. The IPs come from a proxy pool, but they probably didn't set up that many UAs, which is why you noticed it; otherwise, with a few hundred UAs rotating randomly, it wouldn't stand out so much.

    5  ho121  Jul 6, 2021 via Android
    Blind guess: advertising.

    6  ClaudeCode  Jul 6, 2021
    Ran into this many years ago.

    7  dfc643 (OP)  Jul 6, 2021
    @marktask OK, blocked.

    8  dfc643 (OP)  Jul 6, 2021
    @xiaoqiao24 The IPs are mostly from residential broadband address pools, so blocking by IP isn't practical; I can only block the UA. Luckily they just used OPPO A33.

    9  dfc643 (OP)  Jul 6, 2021
    @ho121 Yes, spam ads.

    10  dfc643 (OP)  Jul 6, 2021
    @yaocai321 That's pretty shady.

    11  dfc643 (OP)  Jul 6, 2021
    @Xusually Interesting, let me grab the referer.

    12  dfc643 (OP)  Jul 6, 2021
    @Xusually Just checked; the traffic on my side has no Referer. Maybe they've improved.

    13  Xusually  Jul 6, 2021   1
    @dfc643 Haha, well, that's surprising. If they don't even change the UA, just block the UA. If you could see the Referer it would be really interesting; you could collect a whole pile of spam SEO, site-network and grey-market website addresses.

    14  dfc643 (OP)  Jul 19, 2021
    @Xusually Yes, that's all I can do for now. Just like a honey badger.

    15  yashika  Aug 5, 2021
    This person ran into the same problem as you. I see he blocked by User-Agent at first, and when that turned out to be inadequate he just blocked the proxy-pool IPs outright.
    https://blog.csdn.net/kkun/article/details/119191695

    16  yashika  Jan 2, 2022
    After watching for 3 months, the A33 client recently turned into a Samsung SM-G900P Build/LRX21T.