網(wǎng)站日志中發(fā)現(xiàn)大量的avatar.php的訪問消耗流量如何解決？

土雞瓦犬

版本還是比較舊的Discuz! X3.4 R20230520，發(fā)現(xiàn)流量異常高，用的寶塔（沒買Nginx防火墻），一看網(wǎng)站日志中大量的
“IP地址- - [日期] ＂GET /uc_server/avatar.php?uid=[各種uid數(shù)值]&size=small HTTP/2.0＂ 301 0 ＂-＂ ＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36＂”

我知道答案 回答被采納將會獲得1 貢獻(xiàn) 已有13人回答

IsaacZ

/uc_server/avatar.php 是對頭像的訪問，一個回復(fù)比較多的熱門帖子一打開就會對10層樓的頭像進(jìn)行加載，訪問數(shù)量大本身沒有什么問題。
301永久重定向也一般看作正常，不過你這個沒有 referrer 比較可疑。看看除了301還有沒有別的錯誤碼。

我的網(wǎng)站攻擊入口是首頁熱搜鏈接，全是503錯誤碼，原來用 Fail2ban 見一個封一個，現(xiàn)在被我關(guān)了熱搜，然后針對熱搜的所有訪問被我擋在 Nginx 層，現(xiàn)在清靜多了。參考：
Fail2ban 封禁了 47700 個IP！ - 站長雜談
http://m.9999xn.com/thread-27539-1-1.html

crx349

可以改成靜態(tài)頭像模式會好點(diǎn)

鴻茂傳媒

如果流量異常高，那就改成靜態(tài)的看下，或者增加防火墻。

土雞瓦犬

IsaacZ 發(fā)表于 2025-12-14 01:10
/uc_server/avatar.php 是對頭像的訪問，一個回復(fù)比較多的熱門帖子一打開就會對10層樓的頭像進(jìn)行加載，訪問 ...

抽了一個ip看了下正常和錯誤日志，這是被攻擊了吧- -|||

攻擊者IP - - [14/Dec/2025:12:13:30 +0800] ＂GET / HTTP/1.1＂ 301 162 ＂-＂ ＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻擊者IP - - [14/Dec/2025:12:13:31 +0800] ＂GET / HTTP/2.0＂ 200 11914 ＂-＂ ＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻擊者IP - - [14/Dec/2025:12:13:31 +0800] ＂GET /sslogo.gif HTTP/1.1＂ 301 162 ＂-＂ ＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻擊者IP - - [14/Dec/2025:12:13:33 +0800] ＂GET /uc_server/avatar.php?uid=184544&size=small HTTP/2.0＂ 301 230 ＂-＂ ＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻擊者IP - - [14/Dec/2025:12:13:33 +0800] ＂GET /uc_server/avatar.php?uid=184540&size=small HTTP/2.0＂ 301 230 ＂-＂ ＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻擊者IP - - [14/Dec/2025:12:13:33 +0800] ＂GET /uc_server/avatar.php?uid=184543&size=small HTTP/2.0＂ 301 230 ＂-＂ ＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻擊者IP - - [14/Dec/2025:12:13:33 +0800] ＂GET /uc_server/avatar.php?uid=184542&size=small HTTP/2.0＂ 301 230 ＂-＂ ＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻擊者IP - - [14/Dec/2025:12:13:33 +0800] ＂GET /uc_server/avatar.php?uid=184539&size=small HTTP/2.0＂ 301 230 ＂-＂ ＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻擊者IP - - [14/Dec/2025:12:13:33 +0800] ＂GET /uc_server/avatar.php?uid=184545&size=small HTTP/2.0＂ 301 230 ＂-＂ ＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂
攻擊者IP - - [14/Dec/2025:12:13:33 +0800] ＂GET /uc_server/avatar.php?uid=184541&size=small HTTP/2.0＂ 301 230 ＂-＂ ＂Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36＂



2025/12/14 12:13:33 [error] 3997#0: *461236 FastCGI sent in stderr: ＂PHP message: PHP Warning: file_put_contents(./data/ip_count/7f40f4a9460074a55fb7e668184d9cbc.txt): failed to open stream: No such file or directory in /www/wwwroot/www.我的url/uc_server/avatar.php on line 33＂ while reading response header from upstream, client: 攻擊者IP, server: www.我的url, request: ＂GET /uc_server/avatar.php?uid=184544&size=small HTTP/2.0＂, upstream: ＂fastcgi://unix:/tmp/php-cgi-74.sock:＂, host: ＂www.我的url＂
2025/12/14 12:13:33 [error] 3997#0: *461236 FastCGI sent in stderr: ＂PHP message: PHP Warning: file_put_contents(./data/ip_count/7f40f4a9460074a55fb7e668184d9cbc.txt): failed to open stream: No such file or directory in /www/wwwroot/www.我的url/uc_server/avatar.php on line 33＂ while reading response header from upstream, client: 攻擊者IP, server: www.我的url, request: ＂GET /uc_server/avatar.php?uid=184540&size=small HTTP/2.0＂, upstream: ＂fastcgi://unix:/tmp/php-cgi-74.sock:＂, host: ＂www.我的url＂
2025/12/14 12:13:33 [error] 3997#0: *461236 FastCGI sent in stderr: ＂PHP message: PHP Warning: file_put_contents(./data/ip_count/7f40f4a9460074a55fb7e668184d9cbc.txt): failed to open stream: No such file or directory in /www/wwwroot/www.我的url/uc_server/avatar.php on line 33＂ while reading response header from upstream, client: 攻擊者IP, server: www.我的url, request: ＂GET /uc_server/avatar.php?uid=184543&size=small HTTP/2.0＂, upstream: ＂fastcgi://unix:/tmp/php-cgi-74.sock:＂, host: ＂www.我的url＂
2025/12/14 12:13:33 [error] 3997#0: *461236 FastCGI sent in stderr: ＂PHP message: PHP Warning: file_put_contents(./data/ip_count/7f40f4a9460074a55fb7e668184d9cbc.txt): failed to open stream: No such file or directory in /www/wwwroot/www.我的url/uc_server/avatar.php on line 33＂ while reading response header from upstream, client: 攻擊者IP, server: www.我的url, request: ＂GET /uc_server/avatar.php?uid=184542&size=small HTTP/2.0＂, upstream: ＂fastcgi://unix:/tmp/php-cgi-74.sock:＂, host: ＂www.我的url＂
2025/12/14 12:13:33 [error] 3997#0: *461236 FastCGI sent in stderr: ＂PHP message: PHP Warning: file_put_contents(./data/ip_count/7f40f4a9460074a55fb7e668184d9cbc.txt): failed to open stream: No such file or directory in /www/wwwroot/www.我的url/uc_server/avatar.php on line 33＂ while reading response header from upstream, client: 攻擊者IP, server: www.我的url, request: ＂GET /uc_server/avatar.php?uid=184539&size=small HTTP/2.0＂, upstream: ＂fastcgi://unix:/tmp/php-cgi-74.sock:＂, host: ＂www.我的url＂
2025/12/14 12:13:33 [error] 3997#0: *461236 FastCGI sent in stderr: ＂PHP message: PHP Warning: file_put_contents(./data/ip_count/7f40f4a9460074a55fb7e668184d9cbc.txt): failed to open stream: No such file or directory in /www/wwwroot/www.我的url/uc_server/avatar.php on line 33＂ while reading response header from upstream, client: 攻擊者IP, server: www.我的url, request: ＂GET /uc_server/avatar.php?uid=184545&size=small HTTP/2.0＂, upstream: ＂fastcgi://unix:/tmp/php-cgi-74.sock:＂, host: ＂www.我的url＂
2025/12/14 12:13:33 [error] 3997#0: *461236 FastCGI sent in stderr: ＂PHP message: PHP Warning: file_put_contents(./data/ip_count/7f40f4a9460074a55fb7e668184d9cbc.txt): failed to open stream: No such file or directory in /www/wwwroot/www.我的url/uc_server/avatar.php on line 33＂ while reading response header from upstream, client: 攻擊者IP, server: www.我的url, request: ＂GET /uc_server/avatar.php?uid=184541&size=small HTTP/2.0＂, upstream: ＂fastcgi://unix:/tmp/php-cgi-74.sock:＂, host: ＂www.我的url＂

IsaacZ

土雞瓦犬 發(fā)表于 2025-12-14 12:48
抽了一個ip看了下正常和錯誤日志，這是被攻擊了吧- -|||

攻擊者IP - - [14/Dec/2025:12:13:30 +0800] ＂ ...

建議：在Nginx添加location規(guī)則：

plain

IsaacZ

土雞瓦犬 發(fā)表于 2025-12-14 12:48
抽了一個ip看了下正常和錯誤日志，這是被攻擊了吧- -|||

攻擊者IP - - [14/Dec/2025:12:13:30 +0800] ＂ ...

修改文件：# 寶塔面板（你日志路徑含 /www/wwwroot/，很可能是寶塔）
/www/server/panel/vhost/nginx/你的域名.conf

注意把 yourdomain.com 換成你自己的域名

土雞瓦犬

IsaacZ 發(fā)表于 2025-12-14 20:22
修改文件：# 寶塔面板（你日志路徑含 /www/wwwroot/，很可能是寶塔）
/www/server/panel/vhost/nginx/你 ...

謝謝你的解答。

確實是寶塔。
其實之前問了AI，給的是類似的答復(fù)：

# 在站點(diǎn)配置中添加：
        location ~* /uc_server/avatar\.php
        {
    # 封禁所有已知攻擊IP
    # deny IP案例;
   
    # 嚴(yán)格參數(shù)驗證
                if ($args !~* "^uid=[0-9]{1,6}&size=(small|middle|large)$") {
                        return 403;
                }
   
    # UID范圍限制
                if ($arg_uid > 200000) {
                        return 403;
                }
   
    # 頻率限制：每秒1次
                limit_req zone=one burst=1 nodelay;
   
    # 必須來自本站
                valid_referers none blocked server_names *.我的域名;
                if ($invalid_referer) {
                        return 403;
                }
        }

我把你提供的也寫在它前頭好了。
現(xiàn)在雖然攻擊還是有的，但流量情況正常多了…

IsaacZ

我的 location 規(guī)則放上面的話優(yōu)先級最高，你后面的規(guī)則可能就沒用了。

羅永浩

你的網(wǎng)站如果沒有收益，以及不是很賺錢的論壇，很多攻擊都是“誤會”，有時搜索引擎爬蟲也會出現(xiàn)這種情況，至于什么搜索 熱詞之類，直接打開 使用搜索需要登錄就可以了，增加防火墻純粹增加系統(tǒng)負(fù)擔(dān)

你的同行攻擊直接D概率比較大，不會搞這種費(fèi)時費(fèi)力的手段