网站受到奇怪的攻击，请求网站的地址是 https://epay.12306.cn？

今天检查网站的debug，偶然发现了几条奇怪的记录：

不明白为什么会有向 https://*.12306.cn 发送的请求指向了我的服务器

下面是几个请求的Request Headers

1. POST `https://epay.12306.cn/pay/payGateway` at 2018-12-07 06:37:06 pm by 139.199.188.192

Name	Value
upgrade-insecure-requests	'1'
referer	'https://kyfw.12306.cn/otn/pay...'
origin	'https://kyfw.12306.cn'
content-type	'application/x-www-form-urlencoded'
connection	'keep-alive'
cache-control	'max-age=0'
accept-language	'zh-CN,zh;q=0.8,en;q=0.6'
accept-encoding	'gzip, deflate, br'
accept	'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8'
content-length	'1987'
user-agent	'Mozilla/5.0 (Windows NT 6.3; ARM; Trident/7.0; Touch; rv:11.0) like Gecko'
host	'epay.12306.cn'

2. GET `https://kyfw.12306.cn/otn/login/init` at 2018-12-07 06:36:34 pm by 121.41.39.6

Name	Value
referer	'https://kyfw.12306.cn/otn/lef...'
connection	'keep-alive'
accept-language	'zh-CN,zh;q=0.8,en;q=0.6'
accept-encoding	'gzip, deflate, sdch, br'
accept	'/'
user-agent	'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A'
host	'kyfw.12306.cn'

3. GET https://mobile.12306.cn/otsmobile/app/mgs/mgw.htm?operationType=com.cars.otsmobile.queryLeftTicket&requestData=%5B%7B%22train_date%22%3A%2220181217%22%2C%22purpose_codes%22%3A%2200%22%2C%22from_station%22%3A%22PIJ%22%2C%22to_station%22%3A%22POJ%22%2C%22station_train_code%22%3A%22%22%2C%22start_time_begin%22%3A%220000%22%2C%22start_time_end%22%3A%222400%22%2C%22train_headers%22%3A%22QB%23%22%2C%22train_flag%22%3A%22%22%2C%22seat_type%22%3A%22%22%2C%22seatBack_Type%22%3A%22%22%2C%22ticket_num%22%3A%22%22%2C%22dfpStr%22%3A%22%22%2C%22baseDTO%22%3A%7B%22check_code%22%3A%227d6a7259915ae11894d2afae8b3cb8a9%22%2C%22device_no%22%3A%2261af7de9dbacd2b6%22%2C%22mobile_no%22%3A%22%22%2C%22os_type%22%3A%22a%22%2C%22time_str%22%3A%2220181207183649%22%2C%22user_name%22%3A%22%22%2C%22version_no%22%3A%224.1.9%22%7D%7D%5D&ts=1544179009469&sign= at 2018-12-07 06:36:49 pm by 111.230.50.47

Name	Value
accept-encoding	'gzip'
workspaceid	'product'
trackerid	''
signtype	'0'
riskudid	'00cb8864-fa0c-11e8-8657-000000000000'
platform	'ANDROID'
did	'61af7de9dbacd2b6'
appid	'9101430221728'
user-agent	'Go-http-client/1.1'
host	'mobile.12306.cn'

有哪位大佬了解是怎么发动攻击的吗？

翻过高山走不出你

浏览 2636回答 4

4回答

墨色风雨

我查看服务器日志，出现了和你一样的情况，就这样放着不管吗？

繁华开满天机

我也有，怎么处理？

宝慕林4294392

大佬你们好，很想知道一下最后是怎么处理的？我这边相同情况，查看nginx的日志发现每天无时无刻源源不断地在请求otsmobile/app/mgs/mgw.htm?operationType=com.... 状态是301。只能推断是有人利用服务器流量，然后把这个请求(otsmobile/app/mgs)再转发到12306(推测)进行刷票。但我查遍了nginx没有发现配置文件有任何被改动的地方。

随时随地看视频慕课网APP

网站受到奇怪的攻击，请求网站的地址是 https://epay.12306.cn？

下面是几个请求的Request Headers

1. POST https://epay.12306.cn/pay/payGateway at 2018-12-07 06:37:06 pm by 139.199.188.192

2. GET https://kyfw.12306.cn/otn/login/init at 2018-12-07 06:36:34 pm by 121.41.39.6

有哪位大佬了解是怎么发动攻击的吗？

4回答

1. POST `https://epay.12306.cn/pay/payGateway` at 2018-12-07 06:37:06 pm by 139.199.188.192

2. GET `https://kyfw.12306.cn/otn/login/init` at 2018-12-07 06:36:34 pm by 121.41.39.6