大约每天一次，我在我的 Apache 2.4 httpd 日志中看到以下一系列请求，我试图找出正在扫描的漏洞。这些扫描的每次出现都具有相同的模式（将我的域名替换为 DOMAIN）：

89.123.16.10 - - [20/Dec/2017:05:35:37 +0000] "GET /https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:37 +0000] "GET /https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:38 +0000] "GET /https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:38 +0000] "GET /https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:38 +0000] "GET /https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:39 +0000] "GET /https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:39 +0000] "GET /https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:39 +0000] "GET /https://https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:39 +0000] "GET /https://https://https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:39 +0000] "GET /https://https://https://https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:39 +0000] "GET /https://https://https://https://https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:39 +0000] "GET /https://https://https://https://https://https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:40 +0000] "GET /https://https://https://https://https://https://https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:40 +0000] "GET /https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:40 +0000] "GET /https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:40 +0000] "GET /https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:40 +0000] "GET /https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:41 +0000] "GET /https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:41 +0000] "GET /https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:41 +0000] "GET /https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:41 +0000] "GET /https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:41 +0000] "GET /https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:42 +0000] "GET /https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236
89.123.16.10 - - [20/Dec/2017:05:35:42 +0000] "GET /https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://https://www.DOMAIN.com HTTP/1.1" 301 236

请求来自以下主机：

103.194.169.16 - 荷兰（在IIS 8.5 Windows Server上运行的 Java 1.8 客户端）
109.102.111.66 - 罗马尼亚布加勒斯特（Java 1.6 客户端，被一项服务禁止）
109.102.111.67 - 罗马尼亚布加勒斯特（Java 1.6 客户端，被多项服务禁止） , 字典攻击, 垃圾邮件屋)
109.102.111.76 - 罗马尼亚布加勒斯特 (Java 1.7 客户端, 被多个服务禁止)
109.102.111.84 - 罗马尼亚布加勒斯特 (Java 1.6 客户端, 被一项服务禁止)
109.102.111.89 - 罗马尼亚布加勒斯特 (Java 1.6 客户端，被一项服务禁止）
109.102.111.92 - 罗马尼亚布加勒斯特（Java 1.6、1.8 客户端，被多项服务、字典攻击、垃圾邮件屋禁止）
172.111.130.9- 罗马尼亚布加勒斯特（Java 1.6 客户端，被一项服务禁止）
172.111.200.61 - 德国法兰克福（Java 1.6 客户端，被一项服务禁止）
23.227.201.194 - [Swiftway Cloud - swiftwaycloud.com] 美国芝加哥（Java 1.6在 IIS 7.5 ASP.NET 服务器上运行的客户端，被一项服务禁止）
79.5.128.38 - Piansano，拉齐奥，意大利（Java 1.6 客户端，被多项服务禁止）
89.123.14.74 - 罗马尼亚布加勒斯特（Java 1.6 客户端，被多项禁止服务，垃圾邮件屋）
89.123.16.10 - 罗马尼亚布加勒斯特（Java 1.6 客户端，被多项服务禁止）
89.123.20.221 - 罗马尼亚布加勒斯特（Java 1.6 客户端，被多项服务禁止，垃圾邮件屋）
89.123.31.76- 罗马尼亚布加勒斯特（Java 1.6 客户端，被多项服务、字典攻击、垃圾邮件屋禁止）
89.136.31.222 - 罗马尼亚布加勒斯特（可能是家庭宽带地址、Java 1.6 客户端，被多项服务、字典攻击、垃圾邮件屋禁止）

大多数主机都是罗马尼亚人，所以我假设这些扫描的来源是在那里。此外，我可以在请求时间中辨别出的唯一模式是，这些请求从未在 UTC 时间 09:00 到 UTC 时间 12:00（罗马尼亚的晚上 11 点到凌晨 3 点）发生。已涵盖一天中每隔 30 分钟的时间段，每天最多出现 4 次，每天最少出现 1 次。

正如评论中提到的，我使用重定向规则将 HTTP 请求转发到 HTTPS：

RedirectMatch permanent ^ https://www.DOMAIN.com

值得注意的是，这些请求都只出现在我的非 SSL 日志中。我的服务器配置返回 301（永久移动），它将非 SSL 请求重定向到https://www.DOMAIN.com。执行这些扫描的 IP 地址从不通过 HTTPS 发出任何请求，并且只执行这种类型的扫描。

我已经使用 curl 复制了确切的日志：

C:\>curl -s -D - http://www.DOMAIN.com/https://https://www.DOMAIN.com
HTTP/1.1 301 Moved Permanently
Date: Thu, 21 Dec 2017 15:49:58 GMT
Server: Apache
Location: https://www.DOMAIN.com
Content-Length: 236
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://www.DOMAIN.com">here</a>.</p>
</body></html>

日志条目中的结果（替换了我的域和 IP 地址）：

192.168.1.5 - - [21/Dec/2017:14:29:57 +0000] "GET /https://https://www.DOMAIN.com HTTP/1.1" 301 236

概括

来自远程主机的初始格式错误的请求：

GET http://www.DOMAIN.com/https://https://www.DOMAIN.com

我的服务器返回：

301 https://www.DOMAIN.com

远程主机从不请求上述 URL。

来自远程主机的第二个格式错误的请求：

GET http://www.DOMAIN.com/https://https://https://www.DOMAIN.com

我的服务器返回（有关确切的服务器响应，请参见上面的 curl 示例）：

301 https://www.DOMAIN.com

远程主机从不请求上述 URL。

依此类推，进行 24 次迭代。我的服务器总是返回的事实https://www.DOMAIN.com表明格式错误的 URL 是由远程主机故意构建的。

是否存在正在扫描的特定已知漏洞或服务器配置错误？

我相信任何 SSL 证书问题都可以简单地排除，因为这些主机从未发出过 SSL 请求（除非扫描被划分以避免牵连其他主机）。

我只发现了另一个类似的案例（2016 年 4 月）：

1. 无法映射 GET /https:///https:///https:/https:///https:/https:/https:/ ...

我添加了来自Project Honeypot和What Is My IP Address Blacklist的元数据。据报道，这些主机都使用 Java 客户端，范围从 Java 1.4 到 Java 1.8。