Bashy
21 January 2017 11:00
1
Hi folks, a client on my server just got hit with loads of these:
185.58.226.53 - - [21/Jan/2017:10:31:34 +0000] "GET / HTTP/1.1" 200 80355 "http://gear-fu.net" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:34 +0000] "GET /#2 HTTP/1.1" 200 80355 "http://atomyviet.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:34 +0000] "GET /#1 HTTP/1.1" 200 80355 "http://devpog.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
185.58.226.53 - - [21/Jan/2017:10:31:34 +0000] "GET / HTTP/1.1" 200 80355 "http://elink-software.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
217.17.46.162 - - [21/Jan/2017:10:31:33 +0000] "GET /#1 HTTP/1.0" 200 80355 "http://maddieandshaine.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
217.17.46.162 - - [21/Jan/2017:10:31:33 +0000] "GET /#1 HTTP/1.0" 200 80355 "http://breakerzgaming.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.156.144.59 - - [21/Jan/2017:10:31:34 +0000] "GET /#1 HTTP/1.1" 200 80355 "http://ceoninsights.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:34 +0000] "GET /#2 HTTP/1.1" 200 80355 "http://joshuaapplebaum.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:34 +0000] "GET /#2 HTTP/1.1" 200 80355 "http://dosuino.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.156.144.59 - - [21/Jan/2017:10:31:34 +0000] "GET /#1 HTTP/1.1" 200 80355 "http://goshopz.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:35 +0000] "GET /#1 HTTP/1.1" 200 79926 "http://csrlalumni.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:35 +0000] "GET /#2 HTTP/1.1" 200 79926 "http://fuelburnmaroc.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:36 +0000] "GET /#4 HTTP/1.1" 200 79926 "http://elink-software.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:36 +0000] "GET /#1 HTTP/1.1" 200 79926 "http://butlerlee.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:36 +0000] "GET /#5 HTTP/1.1" 200 79926 "http://blogquedalivre.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:36 +0000] "GET /#5 HTTP/1.1" 200 79926 "http://gidbuild.info" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.156.144.59 - - [21/Jan/2017:10:31:36 +0000] "GET /#5 HTTP/1.1" 200 79926 "http://eqrelic.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:36 +0000] "GET /#5 HTTP/1.1" 200 79926 "http://maddieandshaine.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.156.144.59 - - [21/Jan/2017:10:31:36 +0000] "GET /#4 HTTP/1.1" 200 79926 "http://csrlalumni.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
185.58.226.53 - - [21/Jan/2017:10:31:36 +0000] "GET / HTTP/1.1" 200 79926 "http://geschenkgutscheinen.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:36 +0000] "GET /#5 HTTP/1.1" 200 79926 "http://akomodasidimalang.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.156.144.59 - - [21/Jan/2017:10:31:37 +0000] "GET /#6 HTTP/1.1" 200 79926 "http://evrekam.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:37 +0000] "GET /#1 HTTP/1.1" 200 79926 "http://jainwatersolution.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:37 +0000] "GET /#6 HTTP/1.1" 200 79926 "http://ebayhots.info" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:37 +0000] "GET /#6 HTTP/1.1" 200 79926 "http://fluffcollective.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.156.144.59 - - [21/Jan/2017:10:31:37 +0000] "GET /#6 HTTP/1.1" 200 79926 "http://burimeparody.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:37 +0000] "GET /#6 HTTP/1.1" 200 79926 "http://besplatnie-uchebniki.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:37 +0000] "GET /#6 HTTP/1.1" 200 79926 "http://devpog.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:37 +0000] "GET /#1 HTTP/1.1" 200 79926 "http://excellent-supporting.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:37 +0000] "GET /#1 HTTP/1.1" 200 79926 "http://domeylearning.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
185.58.226.53 - - [21/Jan/2017:10:31:37 +0000] "GET / HTTP/1.1" 200 79926 "http://centpicks.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:37 +0000] "GET /#6 HTTP/1.1" 200 79926 "http://kingdomofgod.us" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:38 +0000] "GET /#1 HTTP/1.1" 200 79926 "http://curoworld.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:38 +0000] "GET /#6 HTTP/1.1" 200 79926 "http://elink-software.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
That's just a small few. I was notified by my server of a huge load; that's what comes up in their log.
There's also this, looks like something is going on with the who's online script???
199.255.159.212 - - [21/Jan/2017:10:29:34 +0000] "GET /whos-been-online.php?http://www.yurax.jp/cgi/analyze/analyze.cgi?Today HTTP/1.1" 200 57198 "https://women.look.blackfriday/stainless-steel-5-7-and-9irons.php" "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.0; Windows NT 5.1; FunWebProducts; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
Any thoughts please?
Bashy, that last line you showed for the whos-online script is someone who is trying to execute a command by passing a parameter after the ? and hoping that the script is badly formed.
Stuart
Bashy
21 January 2017 12:58
3
Hi Stuart, so I take it that it doesn't necessarily mean they managed to do it?
Something did happen though; it was enough to trigger a server alert:
1 Min Load Avg: 19.17
5 Min Load Avg: 6.97
15 Min Load Avg: 2.60
Running/Total Processes: 31/767
Over 2000 of those other lines 8O
Well, if the whos-online script is correct in the way it interprets the parameters then it probably did not work, but maybe it did; difficult to know without seeing the script code.
How many of the total requests were from 94.177.233.129, as it shows up a lot in that excerpt you have given? That IP belongs to a site in Italy according to whois; maybe they have either a bad DNS or have deliberately tried a distributed denial of service (DDoS) attack on your server for some reason.
Do I gather that you have other websites than your own hosted on your server and it was one of these which got hit? It does look like some kind of DDoS. I trust there is nothing contentious on your server.
Stuart
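To do the counting Stuart asks for, here is an added example (not code from the thread or from any poster) that parses the combined-format lines Bashy posted, tallies requests and distinct referrers per IP, and flags the two oddities discussed: a `#fragment` in the request line, which real browsers never send, and a full URL passed as the query string to whos-been-online.php. The sample log is constructed from lines already quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: six lines copied from the thread's own excerpts (Apache combined log format).
SAMPLE_LOG = """\
185.58.226.53 - - [21/Jan/2017:10:31:34 +0000] "GET / HTTP/1.1" 200 80355 "http://gear-fu.net" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:34 +0000] "GET /#2 HTTP/1.1" 200 80355 "http://atomyviet.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:34 +0000] "GET /#1 HTTP/1.1" 200 80355 "http://devpog.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.156.144.59 - - [21/Jan/2017:10:31:34 +0000] "GET /#1 HTTP/1.1" 200 80355 "http://ceoninsights.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
94.177.233.129 - - [21/Jan/2017:10:31:35 +0000] "GET /#1 HTTP/1.1" 200 79926 "http://csrlalumni.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
199.255.159.212 - - [21/Jan/2017:10:29:34 +0000] "GET /whos-been-online.php?http://www.yurax.jp/cgi/analyze/analyze.cgi?Today HTTP/1.1" 200 57198 "https://women.look.blackfriday/stainless-steel-5-7-and-9irons.php" "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.0; Windows NT 5.1; FunWebProducts; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
"""

# One combined-format line: ip ident user [ts] "method path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def summarize(entries):
    """Per IP: (request count, number of distinct referrers). Many referrers from one
    IP with an identical user agent is the referral-spam shape niko describes."""
    per_ip = defaultdict(lambda: {"requests": 0, "referers": set()})
    for e in entries:
        per_ip[e["ip"]]["requests"] += 1
        per_ip[e["ip"]]["referers"].add(e["referer"])
    return {ip: (v["requests"], len(v["referers"])) for ip, v in per_ip.items()}

def flag(entries):
    """Return (ip, path, reasons) for lines showing the indicators discussed in the thread."""
    flags = []
    for e in entries:
        reasons = []
        if "#" in e["path"]:                     # browsers strip fragments before sending
            reasons.append("fragment-in-request-line")
        if re.search(r"\?https?://", e["path"]):  # whole URL handed to the script as its query
            reasons.append("url-in-query")
        if "FunWebProducts" in e["ua"]:           # the user-agent marker from the Sucuri post
            reasons.append("funwebproducts-ua")
        if reasons:
            flags.append((e["ip"], e["path"], reasons))
    return flags
```

On a live server the same functions can be fed `open("/var/log/apache2/access.log").read()` (path is an assumption; adjust for your layout).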
I would think the first part is someone’s PC/webcam/IoT bidet that has been botnetted to send referral spam. For the last line:
https://blog.sucuri.net/2015/08/funwebproducts-useragent-bloating-traffic.html: "A visitor who has FunWebProducts in their user agent probably doesn
Only a matter of time http://arstechnica.com/the-multiverse/2017/01/japanese-toilet-washlet-symbols/
There’s some botnet that continually hits my server looking for wp-login from dozens of different IP’s every day :roll:
Bashy
21 January 2017 16:34
8
Thanks for the replies, nothing bad in the server, the site in question is a weather site.
There’s only 3 sites including mine and another just starting up
That IP, looks like that’s only 7 in the Apache status.
They are all GET /#00 HTTP/1.1 where 00 is a random double number.
Could it have had anything to do with that incident with the who’s online script?
Hate it when things get technical like this cause I’m lost… The guy doesn’t even know it’s happened lol, not told him, but that’s only cause I do not know what happened or why; if it turns out to be a script then I will have to deal with it…
Bashy
21 January 2017 16:41
9
Here's a wee snippet of the Apache status. Surely that's not 300 MB under those connections?
Current Time: Saturday, 21-Jan-2017 10:33:19 GMT
Restart Time: Thursday, 20-Oct-2016 19:48:50 BST
Parent Server Generation: 1170
Server uptime: 92 days 15 hours 44 minutes 29 seconds
Total accesses: 2332348 - Total Traffic: 11.0 GB
CPU Usage: u5.91 s27.12 cu221.38 cs0 - .00318% CPU load
.291 requests/sec - 1480 B/second - 5081 B/request
256 requests currently being processed, 0 idle workers
WWGWGKWWKWWWKWWWWWWKWWWKWWWGWWKWKWWWWWWWWWWWWWWWWWWWWWWWWGKWWWCW
WRWWWWWWWWWWWWWWWWWWWWWKWWWKWWWWWKWKWWWWKWWWWWWKKKKWWWWWWWWWWWWK
KWWWWWWWWWWKKWWWWWWWWWWWWCWWWWWKWWWWWCWWWWWKWWWWWWKKWWWWWWWWWWWW
KCCWCCCWWCWWWKWKWCWWWWWWWWWCWKCKWWWWWWWWWWWWKWKWWWWWWCWWCWKKWKWK
Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process
Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
0-1170 26229 0/175/215092 W 11.58 4 0 0.0 0.68 1115.96 110.155.81.189 depereweather.com GET /#80 HTTP/1.1
1-1170 13313 0/14/212180 W 2.34 21 0 0.0 0.00 1067.89 39.187.254.193 depereweather.com GET /#19 HTTP/1.1
2-624 18473 35/161/104453 G 12.80 3807834 300202 137.5 0.54 479.87 2.228.138.60 depereweather.com GET /wxriverpage.php HTTP/1.1
3-1170 26339 0/162/202672 W 12.87 74 0 0.0 0.28 988.13 94.177.233.129 depereweather.com GET /#13 HTTP/1.1
4-633 19361 1/99/73371 G 2.77 3744957 300233 0.0 0.32 253.86 157.55.39.172 depereweather.com GET /wxriverpage.php HTTP/1.1
5-1170 27682 1/165/193962 K 12.09 3 5333 0.0 0.32 988.51 8.21.67.247 depereweather.com GET /#99 HTTP/1.1
6-1170 26219 0/178/165803 W 14.12 7 0 0.0 0.32 755.78 120.52.73.97 depereweather.com GET /#4 HTTP/1.1
7-1170 26220 0/170/178929 W 11.92 1 0 0.0 0.33 858.62 120.77.157.78 depereweather.com GET /#22 HTTP/1.1
8-1170 27683 1/159/160592 K 12.16 3 1965 0.0 0.13 674.85 159.203.133.228 depereweather.com GET /#95 HTTP/1.1
9-1170 26221 0/178/145233 W 11.46 16 0 0.0 0.55 743.05 125.85.138.163 depereweather.com GET /#10 HTTP/1.1
10-1170 26222 2/162/127072 W 10.40 95 0 0.0 0.43 586.24 94.177.233.129 depereweather.com GET /#9 HTTP/1.1
11-1170 26223 0/168/116697 W 11.62 25 0 0.0 0.69 679.24 171.39.226.51 depereweather.com GET /#50 HTTP/1.1
12-1170 27684 1/156/96687 K 12.50 3 2227 0.0 0.10 553.52 120.52.73.98 depereweather.com GET /#1 HTTP/1.1
13-1170 13341 0/17/76440 W 3.08 4 0 0.0 0.00 470.28 111.6.46.191 depereweather.com GET /#9 HTTP/1.1
14-1170 13348 8/8/54223 W 1.08 73 0 0.0 0.00 262.60 94.177.233.129 depereweather.com GET /#17 HTTP/1.1
15-1170 13383 1/18/38803 W 1.97 3 0 0.0 0.00 132.61 200.29.191.149 depereweather.com GET /#9 HTTP/1.1
16-1170 13413 0/13/29030 W 1.84 20 0 0.0 0.00 112.36 221.175.41.101 depereweather.com GET /#67 HTTP/1.1
17-1170 13414 0/17/24333 W 2.30 4 0 0.0 0.00 89.47 120.213.149.27 depereweather.com GET /#63 HTTP/1.1
18-1170 13451 0/11/20285 W 0.97 5 0 0.0 0.00 79.66 120.213.149.27 depereweather.com GET /#18 HTTP/1.1
19-1170 13452 1/16/10390 K 2.75 2 8381 0.0 0.00 76.12 94.177.188.104 depereweather.com GET /#97 HTTP/1.1
20-1170 13453 0/10/9475 W 1.17 5 0 0.0 0.00 32.01 120.77.157.78 depereweather.com GET /#5 HTTP/1.1
21-1170 13454 3/3/6752 W 0.67 80 0 0.0 0.00 26.56 94.177.233.129 depereweather.com GET /#13 HTTP/1.1
22-1170 13505 0/4/5115 W 0.42 78 0 0.0 0.00 14.26 163.172.211.141 depereweather.com GET /#12 HTTP/1.1
23-1170 13506 1/6/3952 K 0.78 2 1115 0.0 0.00 15.08 163.121.188.3 depereweather.com GET / HTTP/1.1
24-1170 13507 0/10/6135 W 0.85 14 0 0.0 0.00 17.97 120.212.21.55 depereweather.com GET /#9 HTTP/1.1
25-1170 13508 0/17/3922 W 1.97 1 0 0.0 0.00 15.01 120.77.157.78 depereweather.com GET /#11 HTTP/1.1
26-1170 13509 0/16/4768 W 1.79 4 0 0.0 0.00 19.33 120.213.149.27 depereweather.com GET /#2 HTTP/1.1
27-718 14413 1/198/1739 G 8.39 3154717 300179 0.0 0.13 6.32 37.1.202.179 depereweather.com GET /wxwuhistory.php?ID=KWIDEPER2&month=02&day=11&year=2016&mod
I have also included the zip with the copy of the Apache status in full.
apachestatus.zip (7.49 KB)
Bashy
21 January 2017 16:48
10
Just checked that whos-online code and nothing happened, so that's something at least, but take a look at
all his guests today lol HERE