Blog/CMS scan in logs - possible attack?
176.106.204.88 - - [19/Sep/2013:12:22:58 -0400] "GET / HTTP/1.1" 200 3888 "http://www.fierydragonlord.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
93.125.15.138 - - [19/Sep/2013:12:23:11 -0400] "GET /wordpress HTTP/1.1" 404 1221 "http://www.fierydragonlord.com/wordpress" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
178.124.116.201 - - [19/Sep/2013:12:23:32 -0400] "GET /wp HTTP/1.1" 404 1207 "http://www.fierydragonlord.com/wp" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
178.90.106.165 - - [19/Sep/2013:12:24:48 -0400] "GET /joomla HTTP/1.1" 404 1215 "http://www.fierydragonlord.com/joomla" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
195.69.87.222 - - [19/Sep/2013:12:25:05 -0400] "GET /drupal HTTP/1.1" 404 1215 "http://www.fierydragonlord.com/drupal" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
95.133.189.245 - - [19/Sep/2013:12:25:49 -0400] "GET /blog HTTP/1.1" 404 1211 "http://www.fierydragonlord.com/blog" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
2.135.194.103 - - [19/Sep/2013:12:26:06 -0400] "GET /blog HTTP/1.1" 404 1211 "http://www.fierydragonlord.com/blog" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
The IP address is different for each access, traceroute returns results consistent with Tor (they often end with "* * *"), and the accesses appear to be manually initiated. I don't have any CMS installed on the server. Is this a vulnerability scan or attack on the server? What should I do?
–DragonLord
Edit: Research on the traceroutes that did go through indicates the accesses likely originate from a spam botnet. This does not appear to be an attempt to gain control over the server, but an attempt to post spam to whatever CMS or blog is installed on the system (and no such software is installed).
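The log lines above show the pattern a defender would want to pick out automatically: a burst of 404s on well-known CMS paths, each from a different source IP but all carrying the same User-Agent. The following script is an added example (not code from the thread or from any poster) that parses Apache combined-format lines, keeps only 404s on a hypothetical list of CMS probe paths, groups hits that occur within ten minutes of each other into a "campaign", and reports how many distinct IPs took part and whether they all presented an identical User-Agent. The sample log lines are constructed with documentation IP ranges and example.com; the path list and thresholds are assumptions to tune against your own logs.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" log layout, the same one the lines in the post use.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths that CMS-hunting bots try on hosts that have no CMS at all.
# Hypothetical starter list for this example; extend it from your own logs.
CMS_PROBE_PATHS = {
    "/wordpress", "/wp", "/wp-admin", "/wp-login.php",
    "/joomla", "/drupal", "/blog", "/cms",
}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Normalise "/blog/" and "/blog?x=1" to the same key; keep "/" for the root.
    rec["path"] = rec["path"].split("?", 1)[0].rstrip("/") or "/"
    return rec


def find_cms_probe_campaigns(lines, gap=timedelta(minutes=10), min_sources=3):
    """Group 404s on CMS paths into campaigns and describe each one.

    Hits separated by no more than `gap` belong to the same campaign. A campaign
    is flagged as a distributed scan when it comes from at least `min_sources`
    distinct IPs; `same_user_agent` records whether every source presented an
    identical User-Agent, which suggests one tool or botnet behind many IPs.
    """
    hits = [
        r for r in map(parse_line, lines)
        if r and r["status"] == 404 and r["path"].lower() in CMS_PROBE_PATHS
    ]
    hits.sort(key=lambda r: r["ts"])

    campaigns, current = [], []
    for rec in hits:
        if current and rec["ts"] - current[-1]["ts"] > gap:
            campaigns.append(current)
            current = []
        current.append(rec)
    if current:
        campaigns.append(current)

    summary = []
    for group in campaigns:
        ips = {r["ip"] for r in group}
        uas = {r["ua"] for r in group}
        summary.append({
            "start": group[0]["ts"],
            "end": group[-1]["ts"],
            "requests": len(group),
            "distinct_ips": len(ips),
            "paths": sorted({r["path"] for r in group}),
            "same_user_agent": len(uas) == 1,
            "distributed_scan": len(ips) >= min_sources,
        })
    return summary


# Constructed sample log (documentation address ranges, example.com), mirroring
# the shape of the lines in the question rather than copying them.
UA = '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"'
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Sep/2013:12:22:58 -0400] "GET / HTTP/1.1" 200 3888 "-" ' + UA,
    '198.51.100.7 - - [19/Sep/2013:12:23:11 -0400] "GET /wordpress HTTP/1.1" 404 1221 "http://www.example.com/wordpress" ' + UA,
    '198.51.100.8 - - [19/Sep/2013:12:23:32 -0400] "GET /wp HTTP/1.1" 404 1207 "http://www.example.com/wp" ' + UA,
    '203.0.113.21 - - [19/Sep/2013:12:24:48 -0400] "GET /joomla HTTP/1.1" 404 1215 "http://www.example.com/joomla" ' + UA,
    '203.0.113.22 - - [19/Sep/2013:12:25:05 -0400] "GET /drupal HTTP/1.1" 404 1215 "http://www.example.com/drupal" ' + UA,
    '198.51.100.9 - - [19/Sep/2013:12:25:49 -0400] "GET /blog HTTP/1.1" 404 1211 "http://www.example.com/blog" ' + UA,
    '203.0.113.23 - - [19/Sep/2013:12:26:06 -0400] "GET /blog/ HTTP/1.1" 404 1211 "http://www.example.com/blog" ' + UA,
    # Not a probe: a real asset that happens to 404.
    '192.0.2.10 - - [19/Sep/2013:12:30:00 -0400] "GET /images/old.png HTTP/1.1" 404 900 "-" ' + UA,
    # A lone CMS-path 404 hours later: a separate, single-source event.
    '192.0.2.55 - - [19/Sep/2013:18:40:00 -0400] "GET /wp-login.php HTTP/1.1" 404 1230 "-" "curl/7.29.0"',
]

if __name__ == "__main__":
    for c in find_cms_probe_campaigns(SAMPLE_LOG):
        print(f'{c["start"]:%H:%M:%S}-{c["end"]:%H:%M:%S} '
              f'{c["requests"]} hits from {c["distinct_ips"]} IPs, '
              f'paths={c["paths"]}, same UA={c["same_user_agent"]}, '
              f'distributed={c["distributed_scan"]}')
```

On the sample data the first campaign is six requests from six IPs with one shared User-Agent, which is the signature the question describes; the later single hit from one IP is reported separately and not flagged. Reading a real log is a matter of replacing SAMPLE_LOG with the lines of your access log; the output is a summary to look at, not a trigger to block anything, since 404s on paths that do not exist on the server cost nothing beyond the log entry.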
7 Replies
It may be manually initiated, or the bot that's trying is running down a list of domains for each attempt rather than a list of attempts for each domain (thus the longer than normal times between rapid fire attempts).
There's not much you can do about it. We just ignore these types of things (though I used to redirect the attempts to a domain on a $5 GD hosting account that used a lot of PHP sleep() statements).
@fierydragonlord:
… traceroute returns results consistent with Tor (they often end with "* * *") … What does "* * *" have to do with Tor? Lots of people configure their firewalls to block traceroute packets.
How else can I interpret this output?
Example:
dragonlord@li650-40:~> /usr/sbin/traceroute 95.133.189.245
traceroute to 95.133.189.245 (95.133.189.245), 30 hops max, 40 byte packets using UDP
1 router2-nac.linode.com (207.99.1.14) 0.877 ms 0.518 ms 0.654 ms
2 207.99.53.45 (207.99.53.45) 0.917 ms 1.302 ms 0.780 ms
3 vlan803.tbr1.mmu.nac.net (209.123.10.29) 0.425 ms 0.291 ms 0.969 ms
4 0.e1-1.tbr1.tl9.nac.net (209.123.10.102) 1.322 ms 1.330 ms 0.e1-3.tbr2.mmu.nac.net (209.123.10.26) 9.077 ms
5 0.e1-1.tbr2.tl9.nac.net (209.123.10.78) 1.412 ms 0.e1-3.tbr2.tl9.nac.net (209.123.10.74) 1.375 ms 0.e1-1.tbr2.tl9.nac.net (209.123.10.78) 1.473 ms
6 xe-11-1-3.edge8.NewYork1.Level3.net (4.31.30.37) 1.658 ms 1.716 ms 1.667 ms
7 vlan60.csw1.NewYork1.Level3.net (4.69.155.62) 105.134 ms 104.985 ms vlan90.csw4.NewYork1.Level3.net (4.69.155.254) 104.644 ms
8 ae-61-61.ebr1.NewYork1.Level3.net (4.69.134.65) 108.840 ms ae-91-91.ebr1.NewYork1.Level3.net (4.69.134.77) 111.870 ms ae-71-71.ebr1.NewYork1.Level3.net (4.69.134.69) 106.655 ms
9 ae-42-42.ebr2.London1.Level3.net (4.69.137.69) 105.719 ms ae-44-44.ebr2.London1.Level3.net (4.69.137.77) 104.516 ms 107.314 ms
10 ae-24-24.ebr2.Frankfurt1.Level3.net (4.69.148.198) 106.136 ms ae-23-23.ebr2.Frankfurt1.Level3.net (4.69.148.194) 104.827 ms ae-22-22.ebr2.Frankfurt1.Level3.net (4.69.148.190) 103.694 ms
11 ae-82-82.csw3.Frankfurt1.Level3.net (4.69.140.26) 104.666 ms ae-72-72.csw2.Frankfurt1.Level3.net (4.69.140.22) 113.773 ms 112.361 ms
12 ae-93-93.ebr3.Frankfurt1.Level3.net (4.69.163.13) 111.045 ms ae-83-83.ebr3.Frankfurt1.Level3.net (4.69.163.9) 109.847 ms ae-93-93.ebr3.Frankfurt1.Level3.net (4.69.163.13) 108.642 ms
13 ae-1-12.bar1.Budapest1.Level3.net (4.69.141.249) 115.808 ms * 104.096 ms
14 ae-0-11.bar2.Budapest1.Level3.net (4.69.141.242) 104.793 ms 104.527 ms 103.912 ms
15 dialup-212.162.26.158.frankfurt1.mik.net (212.162.26.158) 120.481 ms dialup-212.162.26.150.frankfurt1.mik.net (212.162.26.150) 123.432 ms 121.789 ms
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
–DragonLord
–DragonLord
@fierydragonlord:
but how should I respond to these probes/attacks?
It's normal internet noise, ignore it.
@vonskippy:
@fierydragonlord: but how should I respond to these probes/attacks?
It's normal internet noise, ignore it.
Make sure you have good security. Bad guys are going to probe for attacks, but just make sure they can't get one. The probing is going to happen.