看看这些程序是如何盗取站点数据的

翻了一下Nginx的log，发现这些傻逼天天使用程序不停的想要盗取我站点资料

14.114.23.72 - [23/Jul/2013:16:40:01] "HEAD /wwwroot.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
14.114.23.72 - [23/Jul/2013:16:40:01] "HEAD /wwwroot.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
14.114.23.72 - [23/Jul/2013:16:40:01] "HEAD /www.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
14.114.23.72 - [23/Jul/2013:16:40:02] "HEAD /www.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
14.114.23.72 - [23/Jul/2013:16:40:02] "HEAD /bbs.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
14.114.23.72 - [23/Jul/2013:16:40:02] "HEAD /bbs.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
14.114.23.72 - [23/Jul/2013:16:40:02] "HEAD /web.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
14.114.23.72 - [23/Jul/2013:16:40:02] "HEAD /web.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
14.114.23.72 - [23/Jul/2013:16:40:02] "HEAD /www.qttc.net.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
14.114.23.72 - [23/Jul/2013:16:40:02] "HEAD /www.qttc.net.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
14.114.23.72 - [23/Jul/2013:16:40:02] "HEAD /www_qttc_net.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
14.114.23.72 - [23/Jul/2013:16:40:02] "HEAD /www_qttc_net.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
14.114.23.72 - [23/Jul/2013:16:40:02] "HEAD /wwwqttcnet.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
14.114.23.72 - [23/Jul/2013:16:40:02] "HEAD /wwwqttcnet.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
14.114.23.72 - [23/Jul/2013:16:40:02] "HEAD /qttc.net.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
14.114.23.72 - [23/Jul/2013:16:40:03] "HEAD /qttc.net.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
14.114.23.72 - [23/Jul/2013:16:40:03] "HEAD /qttc.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
14.114.23.72 - [23/Jul/2013:16:40:03] "HEAD /qttc.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"

这个IP的更疯狂:

59.39.222.209 - [23/Jul/2013:03:35:34] "HEAD /db.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:34] "HEAD /db.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:34] "HEAD /wz.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:34] "HEAD /wz.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:34] "HEAD /fdsa.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:34] "HEAD /fdsa.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:34] "HEAD /wangzhan.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:34] "HEAD /wangzhan.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /root.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /root.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /admin.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /admin.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /data.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /gg.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /vip.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /flashfxp.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /flashfxp.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /\xD0\xC2\xBD\xA8\xCE\xC4\xBC\xFE\xBC\xD0.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /\xD0\xC2\xBD\xA8\xCE\xC4\xBC\xFE\xBC\xD0.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /1.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /1.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /2.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /2.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /3.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /3.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /wwwroot.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /wwwroot.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /HYTop.mdb HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /www.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /www.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /web.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /web.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /www.qttc.net.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /www.qttc.net.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /wwwqttcnet.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /wwwqttcnet.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /qttc.net.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:35] "HEAD /qttc.net.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:36] "HEAD /qttc.rar HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:36] "HEAD /qttc.zip HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
59.39.222.209 - [23/Jul/2013:03:35:36] "HEAD //html/db/ewebeditor.mdb HTTP/1.1" 405 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"

其它的就不列了，这只是冰山一角，这些IP统统都是广东省的。从时间间隔上判断这不是人工，肯定是一个专门干这事的程序天天游走，我查看了过去一个月的log，几乎每天都有。

他们这样的程序真的能盗取资料吗？能。就我上家公司就经常把站点命名wwwroot，并且打包的程序经常忘了删除，于是别人通过域名+wwwroot.zip就轻而易举搞定了，2011年网站信息泄露事件想必大家还有印象。其实这些人只不过是根据国内大多数站点环境而推算出你的站点资料压缩名，然后挨个试，就算有一千种可能也不累人，程序刷一下就知分晓。国内不少买空间的IDC也会经常中招，因为它们的打包文件经常放在站点根目录下，压缩包的文件名也轻而易举能猜出来。

你的站点安全吗？不要在站点根目录下放你不想泄露的压缩包，经常检查log里的记录，有必要把一些IP墙掉。