Ok, bit of a geeky one, but Google-fu has failed me.
I have a website online and every 10 mins someone tries probing it looking for unsecured log-in pages or known weaknesses.
Most probes are self explanatory eg every hour or so someone tries "/owa/auth/logon.aspx" looking for outlook web access etc...
But WTF is "/aaaaaaaaaaaaaaaaaaaaaaaaaqr"?
Get hit with it every hour or so, so someone thinks it's a worthwhile probe....
Trying for buffer overflow? I mean it's not that long, and usually more likely in a POST, but just throwing ideas out there.
Trying for buffer overflow?
It looks far too short for that. Nearly all probes are looking for specific pages eg: /users/index.php etc
Nearly all probes are GET, only see the odd POST attempt.
When I google all the other addresses, it comes up straight away as a known weakness / bug in whatever package it is, but this - nothing...
Completely new to websites and it's fascinating to watch, 24/7 every few minutes some random bot tries half a dozen weaknesses in current software packages....
Again just wondering, but is this request following or followed by a particular request? (I am thinking this is an obvious part of a sequence that you have noticed.)
Yep, maybe a sequence thing...
This is the sequence of events from Gunicorn (sat behind Nginx).
[2023-08-04 08:49:12 +0000] [1102126] [DEBUG] GET /
[2023-08-04 08:49:12 +0000] [1102128] [DEBUG] GET /robots.txt
[2023-08-04 08:49:12 +0000] [1102124] [DEBUG] GET /robots.txt
[2023-08-04 08:49:12,282] DEBUG in main: 404: Not found for '/robots.txt', previous page was 'None'.
[2023-08-04 08:49:12 +0000] [1102125] [DEBUG] GET /99vt
[2023-08-04 08:49:12 +0000] [1102127] [DEBUG] GET /Res/login.html
[2023-08-04 08:49:12,289] DEBUG in main: 404: Not found for '/robots.txt', previous page was 'None'.
[2023-08-04 08:49:12,294] DEBUG in main: 404: Not found for '/99vt', previous page was 'None'.
[2023-08-04 08:49:12,295] DEBUG in db_users: update_last_seen(): User not logged in.
[2023-08-04 08:49:12,298] DEBUG in main: 404: Not found for '/Res/login.html', previous page was 'None'.
[2023-08-04 08:49:12,337] DEBUG in __init__: Detected desktop: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36'.
[2023-08-04 08:49:12 +0000] [1102128] [DEBUG] GET /aaaaaaaaaaaaaaaaaaaaaaaaaqr
[2023-08-04 08:49:12,344] DEBUG in main: 404: Not found for '/aaaaaaaaaaaaaaaaaaaaaaaaaqr', previous page was 'None'.
[2023-08-04 08:49:12 +0000] [1102124] [DEBUG] GET /99vu
[2023-08-04 08:49:12,665] DEBUG in main: 404: Not found for '/99vu', previous page was 'None'.
Just sorting out logging source IP address in Gunicorn (Proxied behind Nginx).
put it behind cloudflare or some such to get that garbage blocked
I did a little Google myself and a random Nginx mailing list response came up.
I'm still none the wiser though.
Don't know but somebody on reddit had the same thing in their log (or is that your reddit a/c)
https://www.reddit.com/r/apache/comments/yzno3h/where_can_i_get_help_understanding_my_server/
We get some very odd URLs probed on our servers, some clearly are just valid URLs from another site. Assume a badly written robot.
Another mention of that string on this page
https://mailman.nginx.org/pipermail/nginx/2023-January/JZOJ2O4JQPJCIDYEPCTCKPH2YLPZNVVJ.html
I would guess one of:
It's just a random string added as an example and everyone keeps running it.
It was one added deliberately at some point so someone could keep an eye on scans and it got more widely used.
That page was intended to be installed as a backdoor by another process and so they are scanning to see if any are vulnerable (although if this was true I would expect it to have been identified and reported).
put it behind cloudflare or some such to get that garbage blocked
There's a dedicated package which I could add..
It monitors errors and applies a 3 strikes and your IP is blocked style rule. Could just add it to Nginx.
Currently it all seems harmless, so I'm not that bothered, plus I'm using it to test logging unusual events etc...
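The "3 strikes" idea above, as an added example (not the package being referred to, nor code from the original post): it parses Flask/Gunicorn-style 404 debug lines like the ones in the thread, groups them by client IP, and reports any IP with three or more 404s inside a ten-minute window. The sample lines are constructed; the leading IP column is assumed, since the thread's own log lines do not yet carry one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the Gunicorn/Flask debug format from the thread, with an
# assumed leading client-IP column. 203.0.113.7 is the probing sequence; the
# second address has only two 404s, over half an hour apart.
SAMPLE_LOG = """\
203.0.113.7 [2023-08-04 08:49:12,282] DEBUG in main: 404: Not found for '/robots.txt', previous page was 'None'.
203.0.113.7 [2023-08-04 08:49:12,294] DEBUG in main: 404: Not found for '/99vt', previous page was 'None'.
203.0.113.7 [2023-08-04 08:49:12,298] DEBUG in main: 404: Not found for '/Res/login.html', previous page was 'None'.
203.0.113.7 [2023-08-04 08:49:12,344] DEBUG in main: 404: Not found for '/aaaaaaaaaaaaaaaaaaaaaaaaaqr', previous page was 'None'.
198.51.100.4 [2023-08-04 08:50:01,100] DEBUG in main: 404: Not found for '/favicon.ico', previous page was 'None'.
198.51.100.4 [2023-08-04 09:30:00,000] DEBUG in main: 404: Not found for '/old-page', previous page was 'None'.
"""

LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \[(?P<ts>[^\]]+)\] "
    r"DEBUG in main: 404: Not found for '(?P<path>[^']*)'"
)


def parse_404s(text):
    """Yield (ip, timestamp, path) for each 404 line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
            yield m.group("ip"), ts, m.group("path")


def find_offenders(text, strikes=3, window=timedelta(minutes=10)):
    """Return {ip: [paths]} for every IP with at least `strikes` 404s inside one `window`."""
    hits = defaultdict(list)
    for ip, ts, path in parse_404s(text):
        hits[ip].append((ts, path))
    offenders = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        # Sliding window: advance `start` until the oldest event fits in the window.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= strikes:
                offenders[ip] = [p for _, p in events]
                break
    return offenders
```

Feed the result into whatever actually blocks (an Nginx deny list or a firewall rule); the function only decides who crossed the threshold.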
Don’t know but somebody on reddit had the same thing in their log (or is that your reddit a/c)
Not me, I am/was 'footflaps' on Reddit as well, although not used it for years.
We get some very odd URLs probed on our servers, some clearly are just valid URLs from another site. Assume a badly written robot.
Possible. My site is on Google's Cloud and they just assigned me one of their IP addresses when I bought a VM in their cloud, so who knows what that IP was doing beforehand...
Possible. My site is on Google’s Cloud and they just assigned me one of their IP addresses when I bought a VM in their cloud, so who knows what that IP was doing beforehand
I would suspect it's just automated and testing everyone it can get to. Looking at the logs can be quite shocking sometimes as people are constantly trying to break in, but they normally look like people checking for WordPress vulnerabilities and we use Drupal. Mind you, if you aren't on top of patching holes they are in in no time 🙁
actually, I wonder if it's some sort of 'signature' being sent to websites as part of the probing so if the site has been compromised it knows to allow traffic from whoever sends that particular GET request in the future.
Mind you if you aren’t on top of patching holes they are in in no time 🙁
Yes, on my ToDo list is to add myself to mailing lists for Nginx and Gunicorn, to keep up to date with patches....
GitHub's free security code scanning tools are pretty cool; it has found several weaknesses in my source code and recommended fixes. It supposedly also watches any packages you use and alerts you to vulnerabilities found in them.
why am i reading this post! 😅
Looks like the sort of thing my cat's arse would type.
Had an even better one yesterday
Not found for '/e3e7e71a0b28b5e96cc492e636722f73/4sVKAOvu3D/BDyot0NxyG.php'
Some sort of Red Army secret activation code for sleeper agents would be my guess...
Not found for ‘/e3e7e71a0b28b5e96cc492e636722f73/4sVKAOvu3D/BDyot0NxyG.php’
That’s the sort of thing my forehead would type after I slumped onto the keyboard trying to parse what all of this stuff is about!
That’s the sort of thing my forehead would type after I slumped onto the keyboard trying to parse what all of this stuff is about!
I refer you to my previous post. 😁
GET /aaaaaaaaaaaaaaaaaaaaaaaaaqr
It'll be all names beginning with aaaaaaaaaaaaaaaaaqr on the electoral roll.
Not found for ‘/e3e7e71a0b28b5e96cc492e636722f73/4sVKAOvu3D/BDyot0NxyG.php’
I've seen that sort of thing before as a test to see if any of my sites had been infected with a particular virus 🙁
I'm too scared to look at logs any more, it's horrible.