My website is being hit by a strange attack. The requested address is https://epay.12306.cn?

Checking the website's debug log today, I stumbled upon several strange records:

I don't understand why a request to https://*.12306.cn is directed to my server.

Here are the request headers of several of the requests:

1. POST https://epay.12306.cn/pay/payGateway at 2018-12-07 06:37:06 pm by 139.199.188.192

    upgrade-insecure-requests: "1"
    referer: "https://kyfw.12306.cn/otn/pay..."
    origin: "https://kyfw.12306.cn"
    content-type: "application/x-www-form-urlencoded"
    connection: "keep-alive"
    cache-control: "max-age=0"
    accept-language: "zh-CN,zh;q=0.8,en;q=0.6"
    accept-encoding: "gzip, deflate, br"
    accept: "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
    content-length: "1987"
    user-agent: "Mozilla/5.0 (Windows NT 6.3; ARM; Trident/7.0; Touch; rv:11.0) like Gecko"
    host: "epay.12306.cn"

2. GET https://kyfw.12306.cn/otn/login/init at 2018-12-07 06:36:34 pm by 121.41.39.6

    referer: "https://kyfw.12306.cn/otn/lef..."
    connection: "keep-alive"
    accept-language: "zh-CN,zh;q=0.8,en;q=0.6"
    accept-encoding: "gzip, deflate, sdch, br"
    accept: "*/*"
    user-agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 109.3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
    host: "kyfw.12306.cn"

3. GET https://mobile.12306.cn/otsmobile/app/mgs/mgw.htm?operationType=com.cars.otsmobile.queryLeftTicket&requestData=%5B%7B%22train_date%22%3A%2220181217%22%2C%22purpose_codes%22%3A%2200%22%2C%22from_station%22%3A%22PIJ%22%2C%22to_station%22%3A%22POJ%22%2C%22station_train_code%22%3A%22%22%2C%22start_time_begin%22%3A%220000%22%2C%22start_time_end%22%3A%222400%22%2C%22train_headers%22%3A%22QB%23%22%2C%22train_flag%22%3A%22%22%2C%22seat_type%22%3A%22%22%2C%22seatBack_Type%22%3A%22%22%2C%22ticket_num%22%3A%22%22%2C%22dfpStr%22%3A%22%22%2C%22baseDTO%22%3A%7B%22check_code%22%3A%227d6a7259915ae11894d2afae8b3cb8a9%22%2C%22deviceroomno%22%3A%2261af7de9dbacd2b6%22%2C%22mobileroomno%22%3A%22%22%2C%22%2C%22timekeeper%22%3A%2220181207183649%22%2C%22username%22%3A%22%22%2C%22versionremote no%22%3A%221.9%22%7D%7D%5D at 2018-12-07 06:36:49 pm by 111.230.47

    accept-encoding: "gzip"
    workspaceid: "product"
    trackerid: ""
    signtype: "0"
    riskudid: "00cb8864-fa0c-11e8-8657-00000000000000"
    platform: "ANDROID"
    did: "61af7de9dbacd2b6"
    appid: "9101430221728"
    user-agent: "Go-http-client/1.1"
    host: "mobile.12306.cn"

Does any boss know how this attack is launched?


Change the local hosts file. You can edit the hosts file on your own computer to point baidu.com at your IP, then visit baidu.com and have a look.

It is likely that this client's local hosts file, or a route somewhere in the middle, has been tampered with, pointing 12306.cn at you.


I checked the server log, and the situation is the same as yours. Just leave it alone?


I have this, too. What should I do?


Hello, boss. I'd like to know how you dealt with it in the end. I'm in the same situation: looking at the nginx log, I found a steady stream of requests for otsmobile/app/mgs/mgw.htm?operationType=com.... every day. The status is 301.
I can only infer that someone is taking advantage of the server's traffic and forwarding the requests (otsmobile/app/mgs) on to 12306, presumably to scalp tickets.
But I checked nginx and didn't find any changes to the configuration file.
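An added example, not posted by anyone in this thread, of the log check the replies above describe: group the requests in an nginx access log by the Host header they carry, keep only hosts you do not serve, and summarise who is sending them and how. It assumes a log_format that appends "$host" to the standard combined format (the thread's own nginx config is not shown), and the sample lines are constructed from the header values quoted in the first post; the third client IP is a documentation address because the post truncates it.

```python
import re
from collections import defaultdict

# Constructed sample lines (not the poster's real log). Assumed log_format:
#   log_format hostlog '$remote_addr - $remote_user [$time_local] "$request" '
#                      '$status $body_bytes_sent "$http_referer" '
#                      '"$http_user_agent" "$host"';
SAMPLE_LOG = """\
139.199.188.192 - - [07/Dec/2018:18:37:06 +0800] "POST /pay/payGateway HTTP/1.1" 301 178 "https://kyfw.12306.cn" "Mozilla/5.0 (Windows NT 6.3; ARM; Trident/7.0; Touch; rv:11.0) like Gecko" "epay.12306.cn"
121.41.39.6 - - [07/Dec/2018:18:36:34 +0800] "GET /otn/login/init HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 109.3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A" "kyfw.12306.cn"
198.51.100.7 - - [07/Dec/2018:18:36:49 +0800] "GET /otsmobile/app/mgs/mgw.htm?operationType=com.cars.otsmobile.queryLeftTicket HTTP/1.1" 301 178 "-" "Go-http-client/1.1" "mobile.12306.cn"
203.0.113.5 - - [07/Dec/2018:18:40:01 +0800] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0" "www.example.com"
"""

# One line of the assumed format above; the trailing quoted field is $host.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_client(rec):
    """Rough split: a browser UA points at a user whose DNS/hosts/route was
    hijacked, anything else (e.g. Go-http-client) points at a script."""
    return "browser" if rec["ua"].startswith("Mozilla/") else "script"


def foreign_host_report(log_text, served_hosts):
    """Summarise requests whose Host header is not one of served_hosts."""
    served = {h.lower() for h in served_hosts}
    report = defaultdict(lambda: {
        "count": 0, "clients": set(), "statuses": set(),
        "paths": set(), "agents": set(), "kinds": set(),
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["host"].lower().split(":")[0]  # drop a logged port, if any
        if host in served:
            continue
        entry = report[host]
        entry["count"] += 1
        entry["clients"].add(rec["ip"])
        entry["statuses"].add(rec["status"])
        entry["paths"].add(rec["path"].split("?")[0])  # query string is noise here
        entry["agents"].add(rec["ua"])
        entry["kinds"].add(classify_client(rec))
    return dict(report)


def main():
    # www.example.com stands in for the hostnames this server actually serves.
    report = foreign_host_report(SAMPLE_LOG, {"www.example.com"})
    for host, entry in sorted(report.items()):
        print(f"{host}: {entry['count']} request(s) from {sorted(entry['clients'])}, "
              f"status {sorted(entry['statuses'])}, kinds {sorted(entry['kinds'])}")
        for path in sorted(entry["paths"]):
            print(f"    {path}")


if __name__ == "__main__":
    main()
```

Two things to take from the output: a browser UA with a 12306 referer is a real user whose name resolution was redirected to this server, while a Go-http-client hitting the otsmobile API path with no referer is a script. The 301s in the thread are consistent with a catch-all server block redirecting whatever Host arrives; a catch-all `server` with `server_name _;` and `return 444;` makes nginx close those connections instead, and logging `$host` is what makes the check above possible in the first place.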
