Weird happenings....

Hi folks, a client on my server just got hit with loads of these

185.58.226.53 - - [21/Jan/2017:10:31:34 +0000] "GET / HTTP/1.1" 200 80355 "http://gear-fu.net" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:34 +0000] "GET /#2 HTTP/1.1" 200 80355 "http://atomyviet.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:34 +0000] "GET /#1 HTTP/1.1" 200 80355 "http://devpog.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
185.58.226.53 - - [21/Jan/2017:10:31:34 +0000] "GET / HTTP/1.1" 200 80355 "http://elink-software.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
217.17.46.162 - - [21/Jan/2017:10:31:33 +0000] "GET /#1 HTTP/1.0" 200 80355 "http://maddieandshaine.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
217.17.46.162 - - [21/Jan/2017:10:31:33 +0000] "GET /#1 HTTP/1.0" 200 80355 "http://breakerzgaming.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.156.144.59 - - [21/Jan/2017:10:31:34 +0000] "GET /#1 HTTP/1.1" 200 80355 "http://ceoninsights.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:34 +0000] "GET /#2 HTTP/1.1" 200 80355 "http://joshuaapplebaum.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:34 +0000] "GET /#2 HTTP/1.1" 200 80355 "http://dosuino.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.156.144.59 - - [21/Jan/2017:10:31:34 +0000] "GET /#1 HTTP/1.1" 200 80355 "http://goshopz.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:35 +0000] "GET /#1 HTTP/1.1" 200 79926 "http://csrlalumni.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:35 +0000] "GET /#2 HTTP/1.1" 200 79926 "http://fuelburnmaroc.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:36 +0000] "GET /#4 HTTP/1.1" 200 79926 "http://elink-software.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:36 +0000] "GET /#1 HTTP/1.1" 200 79926 "http://butlerlee.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:36 +0000] "GET /#5 HTTP/1.1" 200 79926 "http://blogquedalivre.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:36 +0000] "GET /#5 HTTP/1.1" 200 79926 "http://gidbuild.info" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.156.144.59 - - [21/Jan/2017:10:31:36 +0000] "GET /#5 HTTP/1.1" 200 79926 "http://eqrelic.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:36 +0000] "GET /#5 HTTP/1.1" 200 79926 "http://maddieandshaine.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.156.144.59 - - [21/Jan/2017:10:31:36 +0000] "GET /#4 HTTP/1.1" 200 79926 "http://csrlalumni.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
185.58.226.53 - - [21/Jan/2017:10:31:36 +0000] "GET / HTTP/1.1" 200 79926 "http://geschenkgutscheinen.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:36 +0000] "GET /#5 HTTP/1.1" 200 79926 "http://akomodasidimalang.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.156.144.59 - - [21/Jan/2017:10:31:37 +0000] "GET /#6 HTTP/1.1" 200 79926 "http://evrekam.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:37 +0000] "GET /#1 HTTP/1.1" 200 79926 "http://jainwatersolution.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:37 +0000] "GET /#6 HTTP/1.1" 200 79926 "http://ebayhots.info" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:37 +0000] "GET /#6 HTTP/1.1" 200 79926 "http://fluffcollective.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.156.144.59 - - [21/Jan/2017:10:31:37 +0000] "GET /#6 HTTP/1.1" 200 79926 "http://burimeparody.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:37 +0000] "GET /#6 HTTP/1.1" 200 79926 "http://besplatnie-uchebniki.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:37 +0000] "GET /#6 HTTP/1.1" 200 79926 "http://devpog.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:37 +0000] "GET /#1 HTTP/1.1" 200 79926 "http://excellent-supporting.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:37 +0000] "GET /#1 HTTP/1.1" 200 79926 "http://domeylearning.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
185.58.226.53 - - [21/Jan/2017:10:31:37 +0000] "GET / HTTP/1.1" 200 79926 "http://centpicks.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:37 +0000] "GET /#6 HTTP/1.1" 200 79926 "http://kingdomofgod.us" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:38 +0000] "GET /#1 HTTP/1.1" 200 79926 "http://curoworld.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:38 +0000] "GET /#6 HTTP/1.1" 200 79926 "http://elink-software.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

That's just a small few. I was notified by my server of a huge load; that's what comes up in their log.

There's also this; looks like sommat is going on with the who's online script???

199.255.159.212 - - [21/Jan/2017:10:29:34 +0000] "GET /whos-been-online.php?http://www.yurax.jp/cgi/analyze/analyze.cgi?Today HTTP/1.1" 200 57198 "https://women.look.blackfriday/stainless-steel-5-7-and-9irons.php" "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.0; Windows NT 5.1; FunWebProducts; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"

Any thoughts please?

Bashy, that last line you showed for the whosonline script is someone who is trying to execute a command by passing a parameter after the ? and hoping that the script is badly formed.

Stuart

Hi Stuart, so I take it that it doesn't necessarily mean they managed to do it?

Something did happen though; it was enough to trigger a server alert:

1 Min Load Avg: 19.17
5 Min Load Avg: 6.97
15 Min Load Avg: 2.60
Running/Total Processes: 31/767

Over 2000 of those other lines 8O

Well, if the who's online script is correct in the way it interprets the parameters then no, it probably did not work, but maybe it did; difficult to know without seeing the script code.

How many of the total requests were from 94.177.233.129, as it shows up a lot in that excerpt you have given? That IP belongs to a site in Italy according to whois; maybe they have either a bad DNS or have deliberately tried a distributed denial of service (DDOS) attack on your server for some reason.

Do I gather that you have other websites than your own hosted on your server and it was one of these which got hit? It does look like some kind of DDOS. I trust there is nothing contentious on your server :wink:

Stuart
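A first-pass triage script for the question Stuart raises, added here as an example and not code from anyone in this thread: it parses combined-format access log lines, counts hits per IP, flags IPs that present a different referer on every request from a single user agent (the referer-spam signature visible in the excerpt), and separately flags requests whose query string itself carries a URL, like the whos-been-online.php hit. The sample lines are constructed from the excerpt above, and the `min_hits` threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample modelled on the thread's excerpt (not the full log).
SAMPLE_LOG = """\
94.177.233.129 - - [21/Jan/2017:10:31:34 +0000] "GET /#2 HTTP/1.1" 200 80355 "http://atomyviet.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:34 +0000] "GET /#1 HTTP/1.1" 200 80355 "http://devpog.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:35 +0000] "GET /#1 HTTP/1.1" 200 79926 "http://csrlalumni.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
185.58.226.53 - - [21/Jan/2017:10:31:34 +0000] "GET / HTTP/1.1" 200 80355 "http://gear-fu.net" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
199.255.159.212 - - [21/Jan/2017:10:29:34 +0000] "GET /whos-been-online.php?http://www.yurax.jp/cgi/analyze/analyze.cgi?Today HTTP/1.1" 200 57198 "https://women.look.blackfriday/x.php" "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.0; Windows NT 5.1; FunWebProducts)"
10.0.0.5 - - [21/Jan/2017:10:30:00 +0000] "GET /wxriverpage.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/50.0"
"""


def analyse(log_text, min_hits=3):
    """Return per-IP hit counts, suspected referer-spam IPs and URL-in-query requests."""
    hits, referers, agents = Counter(), defaultdict(set), defaultdict(set)
    url_in_query = []  # (ip, path) where the query string is itself a URL
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        r = m.groupdict()
        hits[r["ip"]] += 1
        referers[r["ip"]].add(r["referer"])
        agents[r["ip"]].add(r["ua"])
        query = r["path"].partition("?")[2]
        if re.match(r"^(https?:)?//", query):
            url_in_query.append((r["ip"], r["path"]))
    # Referer spam signature: one IP, one user agent, a new referer on every hit
    # (min_hits is an assumed threshold; tune it to the real log volume)
    spam_ips = sorted(
        ip for ip, n in hits.items()
        if n >= min_hits and len(agents[ip]) == 1 and len(referers[ip]) == n
    )
    return {"hits": hits, "spam_ips": spam_ips, "url_in_query": url_in_query}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("top IPs:", report["hits"].most_common(3))
    print("suspected referer spam:", report["spam_ips"])
    print("URL passed in query string:", report["url_in_query"])
```

Run it against the real log with `analyse(open("access.log").read())`; the flagged URL-in-query requests are the ones worth checking against the who's online script's handling of its query string.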

I would think the first part is someone’s PC/webcam/IOT bidet that has been botnetted to send referral spam. For the last line:

[url=https://blog.sucuri.net/2015/08/funwebproducts-useragent-bloating-traffic.html]"A visitor who has FunWebProducts in their user agent probably doesn

[quote author=niko link=topic=64395.msg516657#msg516657 date=1485015214]
I would think the first part is someone’s PC/webcam/IOT bidet that has been botnetted to send referral spam. For the last line:

[url=https://blog.sucuri.net/2015/08/funwebproducts-useragent-bloating-traffic.html]"A visitor who has FunWebProducts in their user agent probably doesn

Only a matter of time http://arstechnica.com/the-multiverse/2017/01/japanese-toilet-washlet-symbols/

There’s some botnet that continually hits my server looking for wp-login from dozens of different IP’s every day :roll:

Thanks for the replies, nothing bad in the server, the site in question is a weather site.

There’s only 3 sites including mine and another just starting up

That IP, looks like that's only 7 in the Apache status.

They are all GET /#00 HTTP/1.1 where 00 is a random double number.

Could it have had anything to do with that incident with the who's online script?

Hate it when things get technical like this cause I'm lost… The guy don't even know it's happened lol, not told him, but that's only cause I do not know what happened or why. If it turns out to be a script then I will have to deal with it…

Here's a wee snippet of the Apache status. Surely that's not 300MB under those connections?

Current Time: Saturday, 21-Jan-2017 10:33:19 GMT
Restart Time: Thursday, 20-Oct-2016 19:48:50 BST
Parent Server Generation: 1170
Server uptime: 92 days 15 hours 44 minutes 29 seconds
Total accesses: 2332348 - Total Traffic: 11.0 GB
CPU Usage: u5.91 s27.12 cu221.38 cs0 - .00318% CPU load
.291 requests/sec - 1480 B/second - 5081 B/request
256 requests currently being processed, 0 idle workers
WWGWGKWWKWWWKWWWWWWKWWWKWWWGWWKWKWWWWWWWWWWWWWWWWWWWWWWWWGKWWWCW
WRWWWWWWWWWWWWWWWWWWWWWKWWWKWWWWWKWKWWWWKWWWWWWKKKKWWWWWWWWWWWWK
KWWWWWWWWWWKKWWWWWWWWWWWWCWWWWWKWWWWWCWWWWWKWWWWWWKKWWWWWWWWWWWW
KCCWCCCWWCWWWKWKWCWWWWWWWWWCWKCKWWWWWWWWWWWWKWKWWWWWWCWWCWKKWKWK
Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process

Srv	PID	Acc	M	CPU	SS	Req	Conn	Child	Slot	Client	VHost	Request
0-1170	26229	0/175/215092	W	11.58	4	0	0.0	0.68	1115.96	110.155.81.189	depereweather.com	GET /#80 HTTP/1.1
1-1170	13313	0/14/212180	W	2.34	21	0	0.0	0.00	1067.89	39.187.254.193	depereweather.com	GET /#19 HTTP/1.1
2-624	18473	35/161/104453	G	12.80	3807834	300202	137.5	0.54	479.87	2.228.138.60	depereweather.com	GET /wxriverpage.php HTTP/1.1
3-1170	26339	0/162/202672	W	12.87	74	0	0.0	0.28	988.13	94.177.233.129	depereweather.com	GET /#13 HTTP/1.1
4-633	19361	1/99/73371	G	2.77	3744957	300233	0.0	0.32	253.86	157.55.39.172	depereweather.com	GET /wxriverpage.php HTTP/1.1
5-1170	27682	1/165/193962	K	12.09	3	5333	0.0	0.32	988.51	8.21.67.247	depereweather.com	GET /#99 HTTP/1.1
6-1170	26219	0/178/165803	W	14.12	7	0	0.0	0.32	755.78	120.52.73.97	depereweather.com	GET /#4 HTTP/1.1
7-1170	26220	0/170/178929	W	11.92	1	0	0.0	0.33	858.62	120.77.157.78	depereweather.com	GET /#22 HTTP/1.1
8-1170	27683	1/159/160592	K	12.16	3	1965	0.0	0.13	674.85	159.203.133.228	depereweather.com	GET /#95 HTTP/1.1
9-1170	26221	0/178/145233	W	11.46	16	0	0.0	0.55	743.05	125.85.138.163	depereweather.com	GET /#10 HTTP/1.1
10-1170	26222	2/162/127072	W	10.40	95	0	0.0	0.43	586.24	94.177.233.129	depereweather.com	GET /#9 HTTP/1.1
11-1170	26223	0/168/116697	W	11.62	25	0	0.0	0.69	679.24	171.39.226.51	depereweather.com	GET /#50 HTTP/1.1
12-1170	27684	1/156/96687	K	12.50	3	2227	0.0	0.10	553.52	120.52.73.98	depereweather.com	GET /#1 HTTP/1.1
13-1170	13341	0/17/76440	W	3.08	4	0	0.0	0.00	470.28	111.6.46.191	depereweather.com	GET /#9 HTTP/1.1
14-1170	13348	8/8/54223	W	1.08	73	0	0.0	0.00	262.60	94.177.233.129	depereweather.com	GET /#17 HTTP/1.1
15-1170	13383	1/18/38803	W	1.97	3	0	0.0	0.00	132.61	200.29.191.149	depereweather.com	GET /#9 HTTP/1.1
16-1170	13413	0/13/29030	W	1.84	20	0	0.0	0.00	112.36	221.175.41.101	depereweather.com	GET /#67 HTTP/1.1
17-1170	13414	0/17/24333	W	2.30	4	0	0.0	0.00	89.47	120.213.149.27	depereweather.com	GET /#63 HTTP/1.1
18-1170	13451	0/11/20285	W	0.97	5	0	0.0	0.00	79.66	120.213.149.27	depereweather.com	GET /#18 HTTP/1.1
19-1170	13452	1/16/10390	K	2.75	2	8381	0.0	0.00	76.12	94.177.188.104	depereweather.com	GET /#97 HTTP/1.1
20-1170	13453	0/10/9475	W	1.17	5	0	0.0	0.00	32.01	120.77.157.78	depereweather.com	GET /#5 HTTP/1.1
21-1170	13454	3/3/6752	W	0.67	80	0	0.0	0.00	26.56	94.177.233.129	depereweather.com	GET /#13 HTTP/1.1
22-1170	13505	0/4/5115	W	0.42	78	0	0.0	0.00	14.26	163.172.211.141	depereweather.com	GET /#12 HTTP/1.1
23-1170	13506	1/6/3952	K	0.78	2	1115	0.0	0.00	15.08	163.121.188.3	depereweather.com	GET / HTTP/1.1
24-1170	13507	0/10/6135	W	0.85	14	0	0.0	0.00	17.97	120.212.21.55	depereweather.com	GET /#9 HTTP/1.1
25-1170	13508	0/17/3922	W	1.97	1	0	0.0	0.00	15.01	120.77.157.78	depereweather.com	GET /#11 HTTP/1.1
26-1170	13509	0/16/4768	W	1.79	4	0	0.0	0.00	19.33	120.213.149.27	depereweather.com	GET /#2 HTTP/1.1
27-718	14413	1/198/1739	G	8.39	3154717	300179	0.0	0.13	6.32	37.1.202.179	depereweather.com	GET /wxwuhistory.php?ID=KWIDEPER2&month=02&day=11&year=2016&mod

I have also included the zip with the copy of the Apache status in full.



Just checked that who's online code and nothing happened, so that's something at least, but take a look at all his guests today lol HERE