On 5/16 I set up a bot on LINE for practising ipas exam questions: [guan4tou2/exam-line-bot](https://github.com/guan4tou2/exam-line-bot) ~~please give it a heart~~
https://line.me/R/ti/p/@892ghuog
Then I left it alone. On 5/21 I suddenly felt like trying it and found it no longer responded, so I opened up the server to take a look.
And found it had been getting hammered.

Tracing back to the source

147[.]92.149.166 is LINE's platform; you can see that at 5/16 19:33:03 UTC+0800 the accesses were still normal.
Then suddenly there is an access-error record from 192[.]164.107.5

Starting 5/16 21:14:07 UTC+0800 there is a string of access errors
162[.]142.125.33
54[.]62.156.43
147[.]92.150.194 is also LINE
147[.]182.154.71
But note the paths this IP tried to access:
/ab2g
/ab2h
/download/powershell
This is clearly directory brute-forcing.

205[.]210.31.98
152[.]32.239.15
165[.]154.120.223
137[.]184.85.24
141[.]76.94.18
This IP is also worth noting: it tried to access files it had opened itself
and tried to establish a TLS connection with p-scanner.research.netd.cs.tu-dresden.de:8083
[VirusTotal - Domain - p-scanner.research.netd.cs.tu-dresden.de](https://www.virustotal.com/gui/domain/p-scanner.research.netd.cs.tu-dresden.de/relations)
[VirusTotal - IP address - 141.76.94.18](https://www.virustotal.com/gui/ip-address/141.76.94.18)
```
3.149.59.26 - - [17/May/2025 12:51:36] "GET / HTTP/1.1" 405 -
```

You can see 106[.]75.169.149 trying to inject a mining command at 18/May/2025 06:13:38
Searching for this wallet address `45JymPWP1DeQxxMZNJv9w2bTQ2WJDAmw18wUSryDQa3RPrympJPoUSVcFEDv3bhiMJGWaCD4a3KrFCorJHCMqXJUKApSKDV` happened to turn up this article: [Mining trojan spreads wildly via erotic e-books such as "XX's Secret"; once infected it hijacks Bitcoin transactions (NetEase)](https://www.163.com/dy/article/DJETL6TT05119F6V.html)
[VirusTotal - IP address - 106.75.169.149](https://www.virustotal.com/gui/ip-address/106.75.169.149/detection)

After that it is all records of attempted attacks, but it is still unclear why the LINE bot stopped working.

---
Another service

```
198.58.109.90 - - [2025-05-11 07:37:38] "GET / HTTP/1.0" 200 21769 0.000654
<gevent._socket3.socket at 0x798376f35470 object, fd=13, family=2, type=1, proto=0>: (from ('198.58.109.90', 42140)) Expected GET method; Got command="lv|'|'|VHJvamFuX0M0NkY2RTk=|'|'|MARK|'|'|user|'|'|2013-11-22|'|'||'|'|Win"; path="XP|'|'|No|'|'|0.6.4|'|'|..|'|'||'|'|[endof]"; raw="lv|'|'|VHJvamFuX0M0NkY2RTk=|'|'|MARK|'|'|user|'|'|2013-11-22|'|'||'|'|Win XP|'|'|No|'|'|0.6.4|'|'|..|'|'||'|'|[endof]"
```
Base64-decoding VHJvamFuX0M0NkY2RTk= gives Trojan_C46F6E9
Searching for Trojan_C46F6E9 turned up this article:
[2022-11-16 Learning Information Security with IPS 18: Backdoor.MSIL.Bladabindi (ninja trojan) - Zhihu](https://zhuanlan.zhihu.com/p/583919369)
This IP is also found on [VirusTotal - IP address - 198.58.109.90](https://www.virustotal.com/gui/ip-address/198.58.109.90/community)
You can see accesses to paths such as HELP:
```
BrokenPipeError: [Errno 32] Broken pipe
2025-05-10T23:37:41Z <Greenlet at 0x79837708c2c0: _handle_and_close_when_done(<bound method WSGIServer.handle of <WSGIServer at , <bound method StreamServer.do_close of <WSGIServer, (<gevent._socket3.socket [closed] at 0x798376f3547)> failed with BrokenPipeError
<gevent._socket3.socket at 0x798376f36190 object, fd=13, family=2, type=1, proto=0>: (from ('198.58.109.90', 35994)) Invalid HTTP method: 'HELP\r\n'
198.58.109.90 - - [2025-05-11 07:37:41] "HELP" 400 - 0.000182
<gevent._socket3.socket at 0x798376f36190 object, fd=13, family=2, type=1, proto=0>: (from ('198.58.109.90', 35998)) Invalid HTTP method: "\x1b\x84Õ°]ôÄ\x93Å0ÂX\x8cڱ׬¯n\x1dá\x1e\x1a3*\x85·\x1d'±Ék¿ð¼\n"
198.58.109.90 - - [2025-05-11 07:37:42] "
Õ°]ôÄÅ0ÂXڱ׬¯ná3*
·'±Ék¿ð¼" 400 - 0.000214
<gevent._socket3.socket at 0x798376f36190 object, fd=13, family=2, type=1, proto=0>: (from ('198.58.109.90', 36002)) Invalid HTTP method: "Gh0st\xad\x00\x00\x00à\x00\x00\x00x\x9cKS``\x98ÃÀÀÀ\x06Ä\x8c@¼Q\x96\x81\x81\tH\x07§\x16\x95e&§*\x04$&g+\x182\x94ö°00¬¨rc\x00\x01\x11\xa0\x82\x1f\\`&\x83ÇK7\x86\x19ån\x0c9\x95n\x0c;\x84\x0f3¬èsch¨^Ï4'J\x97©\x82ã0Ã\x91h]&\x90øÎ\x97SËA4L?2=áÄ\x92\x86\x0b@õ`\x0cT\x1f®¯]\n"
198.58.109.90 - - [2025-05-11 07:37:42] "Gh0stàxKS``ÃÀÀÀÄ@¼Q H§e&§*$&g+2ö°00¬¨rc \`&ÇK7ån9n;
3¬èsch¨^Ï4'J©ã0Ãh]& ^^^^^^^^^^^^^^^^^^^
File "/home/guantou/danmu-desktop/server/.venv/lib/python3.12/site-packages/gevent/pywsgi.py", line 1700, in handle
```
```
91.196.152.231 - - [2025-05-15 22:29:17] "GET /favicon.ico HTTP/1.1" 404 331 0.000720
<gevent._socket3.socket at 0x798376ee01a0 object, fd=14, family=2, type=1, proto=0>: (from ('88.214.25.123', 65508)) Expected GET method; Got command='\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie:'; path='mstshash=Administr'; raw='\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie: mstshash=Administr\r\n'
```
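As an added example (not code from the original post or the project), here is a small Python classifier for the three non-HTTP probe families quoted in the two log blocks above: the `|'|'|`-delimited Bladabindi/njRAT-style beacon, the Gh0st header followed by zlib data, and the RDP connection request carrying an `mstshash` cookie. The njRAT and RDP sample bytes are the ones quoted in the logs (with `à` restored to the `\xe0` byte it stands for); the Gh0st packet is constructed here, since the logged one was mangled by repr().

```python
import base64
import struct
import zlib

# Added example, not code from the original post: classify the non-HTTP probes that
# gevent's pywsgi reports as "Invalid HTTP method" / "Expected GET method", so a
# defender can tag them before looking anything up by hand.
NJRAT_SEP = b"|'|'|"     # field separator seen in Bladabindi/njRAT beacons
GH0ST_MAGIC = b"Gh0st"   # magic, then two little-endian uint32 lengths, then zlib data

def classify_probe(raw: bytes) -> dict:
    """Return a tag plus the fields worth recording for the matching probe family."""
    if raw.startswith(GH0ST_MAGIC) and len(raw) >= 13:
        total_len, plain_len = struct.unpack_from("<II", raw, 5)
        info = {"tag": "gh0st-rat", "total_len": total_len, "plain_len": plain_len}
        try:
            info["payload"] = zlib.decompress(raw[13:total_len])
        except zlib.error:
            info["payload"] = None  # truncated capture or not really a Gh0st packet
        return info
    if NJRAT_SEP in raw:
        fields = raw.split(NJRAT_SEP)
        try:  # second field is base64 (the post decodes it to Trojan_C46F6E9)
            victim_id = base64.b64decode(fields[1], validate=True).decode("ascii", "replace")
        except ValueError:
            victim_id = None
        return {"tag": "njrat-beacon", "command": fields[0].decode("ascii", "replace"),
                "victim_id": victim_id, "fields": len(fields)}
    if raw[:1] == b"\x03" and b"mstshash=" in raw:  # TPKT + X.224 CR with an RDP cookie
        tpkt_len = struct.unpack_from(">H", raw, 2)[0] if len(raw) >= 4 else None
        cookie = raw.split(b"mstshash=", 1)[1].split(b"\r\n", 1)[0]
        return {"tag": "rdp-connection-request", "tpkt_len": tpkt_len,
                "username": cookie.decode("ascii", "replace")}
    return {"tag": "unknown"}

def build_gh0st_packet(plain: bytes) -> bytes:
    """Constructed Gh0st-style packet; the one in the log was mangled by repr()."""
    comp = zlib.compress(plain)
    return GH0ST_MAGIC + struct.pack("<II", 13 + len(comp), len(plain)) + comp

# Raw bytes quoted in the post's logs ('à' restored to the \xe0 byte it represents)
NJRAT_RAW = (b"lv|'|'|VHJvamFuX0M0NkY2RTk=|'|'|MARK|'|'|user|'|'|2013-11-22|'|'||'|'|Win XP"
             b"|'|'|No|'|'|0.6.4|'|'|..|'|'||'|'|[endof]")
RDP_RAW = b"\x03\x00\x00/*\xe0\x00\x00\x00\x00\x00Cookie: mstshash=Administr\r\n"
GH0ST_RAW = build_gh0st_packet(b"constructed login stub")  # constructed sample

if __name__ == "__main__":
    for sample in (NJRAT_RAW, RDP_RAW, GH0ST_RAW, b"GET / HTTP/1.1"):
        print(classify_probe(sample))
```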