nginx 5 second response time from portscanner

This is an extract from the access log of my default website (where portscanners and odd requests for the previous owner's website go).

Just trying to understand how/why the scriptkiddies that try to find phpmyadmin are taking more or less exactly 5 seconds for their requests.

Are they just sending a request and then waiting 5 seconds before actually reading from the socket, or is there some "intelligence" behind doing something like this instead of just sloppy coding on their part?

::ffff:202.137.26.84 - - [01/Feb/2012:02:21:20 +0100]  "GET //index.php HTTP/1.1" 404 423 "-" "-" 5.004 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:20 +0100]  "GET //admin/index.php HTTP/1.1" 404 423 "-" "-" 5.000 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:25 +0100]  "GET //admin/phpmyadmin/index.php HTTP/1.1" 404 423 "-" "-" 5.000 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:30 +0100]  "GET //db/index.php HTTP/1.1" 404 423 "-" "-" 5.005 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:35 +0100]  "GET //myadmin/index.php HTTP/1.1" 404 423 "-" "-" 5.002 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:38 +0100]  "GET //mysql/index.php HTTP/1.1" 404 423 "-" "-" 5.001 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:38 +0100]  "GET //mysqladmin/index.php HTTP/1.1" 404 423 "-" "-" 5.001 - .

1 Reply

An example of sloppy coding: two slashes at the beginning of the URI.

If this were Apache with mpm_prefork, holding up a connection for 5 seconds might count as a rudimentary DoS attack. But since this is nginx, I would guess there's no damage done.
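As an added example (not part of the original thread), the following Python code parses access-log lines in the format shown in the question and flags clients that request many distinct missing paths with a long, near-constant request time. The field layout is inferred from the pasted lines, and the function name, the thresholds and the two extra sample lines (documentation addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Field layout inferred from the lines pasted in the question (assumption):
# addr - - [time]  "request" status bytes "referer" "agent" request_time - .
LINE_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[[^\]]+\]\s+"\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" (?P<rt>\d+\.\d+)\b'
)

# First seven lines are from the question; the last two are constructed.
SAMPLE_LOG = """\
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:20 +0100]  "GET //index.php HTTP/1.1" 404 423 "-" "-" 5.004 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:20 +0100]  "GET //admin/index.php HTTP/1.1" 404 423 "-" "-" 5.000 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:25 +0100]  "GET //admin/phpmyadmin/index.php HTTP/1.1" 404 423 "-" "-" 5.000 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:30 +0100]  "GET //db/index.php HTTP/1.1" 404 423 "-" "-" 5.005 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:35 +0100]  "GET //myadmin/index.php HTTP/1.1" 404 423 "-" "-" 5.002 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:38 +0100]  "GET //mysql/index.php HTTP/1.1" 404 423 "-" "-" 5.001 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:38 +0100]  "GET //mysqladmin/index.php HTTP/1.1" 404 423 "-" "-" 5.001 - .
192.0.2.10 - - [01/Feb/2012:02:22:01 +0100]  "GET /index.html HTTP/1.1" 200 1204 "-" "Mozilla/5.0" 0.012 - .
198.51.100.7 - - [01/Feb/2012:02:22:09 +0100]  "GET /favicon.ico HTTP/1.1" 404 423 "-" "Mozilla/5.0" 0.001 - .
"""


def find_paced_probers(log_text, min_404=5, min_mean=1.0, max_jitter=0.05):
    """Map addr -> (distinct 404 paths, mean request time, std deviation) for
    clients probing many missing paths at a long, near-constant request time.
    Name and thresholds are hypothetical, chosen for this example."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is not None and m["status"] == "404":
            by_client[m["addr"]].append((m["path"], float(m["rt"])))
    flagged = {}
    for addr, rows in by_client.items():
        paths = {path for path, _ in rows}
        if len(paths) < min_404:
            continue  # a stray 404 (favicon, typo) is not a probe run
        times = [rt for _, rt in rows]
        avg, jitter = mean(times), pstdev(times)
        # Natural latency varies; a near-constant delay suggests a timer or timeout.
        if avg >= min_mean and jitter <= max_jitter:
            flagged[addr] = (len(paths), round(avg, 3), round(jitter, 4))
    return flagged


if __name__ == "__main__":
    print(find_paced_probers(SAMPLE_LOG))
```

If the timing field is nginx's `$request_time`, it covers the span from the first bytes read from the client to the log write after the last bytes were sent, so a client that is slow to send or read is counted in it.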
