
Just set up my first Linode server this last Wednesday, and today I tried to take a look at the nginx access logs and found these suspicious entries.

```
47.96.15.13 - - [28/Jul/2018:14:54:05 +0800] "GET /webdav/ HTTP/1.1" 404 6303 "-" "-" "-"
47.96.15.13 - - [28/Jul/2018:14:54:06 +0800] "PROPFIND / HTTP/1.1" 404 6303 "-" "-" "-"
47.96.15.13 - - [28/Jul/2018:14:54:09 +0800] "POST /wuwu11.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:09 +0800] "POST /xw.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:10 +0800] "POST /xw1.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:10 +0800] "POST /9678.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:23 +0800] "POST /xx.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:25 +0800] "POST /wc.php HTTP/1.1" 499 0 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:27 +0800] "POST /w.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:30 +0800] "POST /sheep.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:30 +0800] "POST /db.init.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:31 +0800] "POST /db_session.init.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:32 +0800] "POST /db__.init.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:33 +0800] "POST /mx.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:33 +0800] "POST /wshell.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:39 +0800] "POST /xshell.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:40 +0800] "POST /qq.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:40 +0800] "POST /lindex.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:40 +0800] "POST /conflg.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:41 +0800] "POST /phpstudy.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:51 +0800] "POST /ak47.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:51 +0800] "POST /xiao.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:55 +0800] "POST /defect.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:55 +0800] "POST /webslee.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:02 +0800] "POST /hm.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:10 +0800] "POST /zuoshou.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:22 +0800] "POST /system.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:22 +0800] "POST /l7.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:27 +0800] "POST /q.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:27 +0800] "POST /qaq.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
```

I call it suspicious because the app hosted there is not even written in PHP. I was thinking of blocking the IP address, but I am hesitant because it could be a dynamic IP that will be reassigned to a legitimate user, and they will be blocked.

Any advice on how to deal with this would be greatly appreciated.

Daxeto
zer09
  • If you're unable to block the IP, could you not just block all URLs with php? – geco17 Jul 28 '18 at 09:49
  • All the attempts are registering a `404`, so there was no success. If you're really stressed about it you could just block the IP. – jonroethke Jul 28 '18 at 14:59
  • If it's an external web server you'd expect some form of probing such as this. My only concern, given the URLs, would be if these didn't return a 404. Also, I assume that particular IP has since stopped and it was just part of some broader scan not targeted at you specifically? If this IP keeps coming back or you see it repeatedly cropping up, maybe in other logs, say firewall and any other external services, I'd go for a block, as maybe then it is more of a targeted attack. Is this service expecting many genuine requests from China? If not, a block would be pretty safe. – HelpingHand Jul 29 '18 at 07:32
  • @HelpingHand so far that IP didn't show up today, but I got another two different IPs: one is trying to log in using the `wordpress url`, the other is something like this: `HEAD http://139.162.126.80:80/phpmyadmin/ HTTP/1.1" 404 0`. Actually I am not expecting any requests other than those coming from my home country (not China), and at the moment the service is not live; we are still doing tests on it. – zer09 Jul 29 '18 at 11:56
  • You might find [this](https://security.stackexchange.com/questions/35773/how-can-i-block-an-ip-if-im-getting-many-http-requests-in-a-second) useful. – user8675309 Jan 16 '19 at 17:03
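As an added example (not code from the question, the comments or the answer), this is the detection logic a practitioner would run over log lines like the ones in the question, in Python: it parses nginx's combined format, flags 404/499 responses for PHP-style paths, WebDAV verbs and admin-tool paths on a server that serves none of them, and applies a fail2ban-style sliding window so an address is blocked only after repeated probes and only for a limited time. The scanner lines are trimmed from the question; the benign visitor 203.0.113.7, the malformed request from 198.51.100.9 and the thresholds (5 probes in 60 seconds, a 1 hour ban) are constructed assumptions for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: the 47.96.15.13 lines are trimmed from the question,
# 203.0.113.7 is an invented benign visitor, 198.51.100.9 is an invented
# malformed request (a TLS handshake sent to the plaintext port).
SAMPLE_LINES = r"""
47.96.15.13 - - [28/Jul/2018:14:54:05 +0800] "GET /webdav/ HTTP/1.1" 404 6303 "-" "-" "-"
47.96.15.13 - - [28/Jul/2018:14:54:06 +0800] "PROPFIND / HTTP/1.1" 404 6303 "-" "-" "-"
47.96.15.13 - - [28/Jul/2018:14:54:09 +0800] "POST /wuwu11.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:09 +0800] "POST /xw.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:10 +0800] "POST /xw1.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:25 +0800] "POST /wc.php HTTP/1.1" 499 0 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:33 +0800] "POST /wshell.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [28/Jul/2018:14:54:40 +0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [28/Jul/2018:14:54:41 +0800] "GET /favicon.ico HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
198.51.100.9 - - [28/Jul/2018:14:56:00 +0800] "\x16\x03\x01\x00\xA5\x01" 400 157 "-" "-" "-"
""".strip().splitlines()

# nginx "combined" format up to $body_bytes_sent; the question's log_format
# appends extra "-" fields, which this regex simply does not anchor on.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[^"\s]+) (?P<path>[^"\s]+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The asker's app serves no PHP, so a 404 for any of these is almost certainly
# a scanner guessing webshell names; same for WebDAV verbs and admin-tool paths.
PROBE_EXTENSIONS = (".php", ".asp", ".aspx", ".jsp", ".cgi")
PROBE_PATHS = ("/webdav", "/phpmyadmin", "/wp-login", "/wp-admin")
PROBE_METHODS = {"PROPFIND"}


def parse_time(text):
    """Parse the bracketed nginx timestamp into an aware datetime."""
    return datetime.strptime(text, TIME_FMT)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = parse_time(rec["time"])
    rec["status"] = int(rec["status"])
    return rec


def is_probe(rec):
    """True for a request that looks like automated vulnerability probing.
    499 is nginx's "client closed request", which scanners that fire off
    POSTs without waiting for the reply produce regularly."""
    if rec["status"] not in (404, 499):
        return False
    path = rec["path"].split("?", 1)[0].lower()
    return (path.endswith(PROBE_EXTENSIONS)
            or path.startswith(PROBE_PATHS)
            or rec["method"].upper() in PROBE_METHODS)


def find_scanners(lines, max_probes=5, window=timedelta(seconds=60),
                  ban_for=timedelta(hours=1)):
    """fail2ban-style sliding window: an IP that sends max_probes probes within
    `window` gets a ban starting at that probe and lapsing after `ban_for`.
    The expiry addresses the question's dynamic-IP worry: a block that ages out
    cannot permanently lock out whoever inherits the address later."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent probes
    banned_until = {}             # ip -> datetime when the current ban lapses
    bans = []                     # (ip, start, end) in the order they fire
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec):
            continue
        ip, t = rec["ip"], rec["time"]
        if ip in banned_until and t < banned_until[ip]:
            continue              # still banned; do not recount these hits
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:  # drop probes that fell out of the window
            q.popleft()
        if len(q) >= max_probes:
            banned_until[ip] = t + ban_for
            bans.append((ip, t, t + ban_for))
            q.clear()
    return bans


def active_bans(bans, now):
    """IPs whose temporary ban is still in force at `now`."""
    return sorted({ip for ip, start, end in bans if start <= now < end})


if __name__ == "__main__":
    bans = find_scanners(SAMPLE_LINES)
    for ip, start, end in bans:
        print(f"{ip}: banned {start.isoformat()} until {end.isoformat()}")
    # Render whatever is active as nginx deny directives for an included file.
    now = parse_time("28/Jul/2018:15:30:00 +0800")
    for ip in active_bans(bans, now):
        print(f"deny {ip};")
```

The time-limited ban is what makes blocking safe against the dynamic-IP concern in the question; fail2ban's `nginx-botsearch` jail implements the same findtime/maxretry/bantime logic against the real log file. An nginx `deny` directive still costs the server a request and a 403 response, so a firewall rule is cheaper; and for the specific case of a server that serves no PHP at all, nginx can close the connection without replying via `location ~ \.php$ { return 444; }`, which is the "block all URLs with php" suggestion from the comments in nginx terms.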

1 Answer

This looks like a generic bot. They scan the internet and probably randomly found your server, then probed around to see if they could find any gaping security holes. Nothing to worry about; your server is not at risk if they did not find anything.

Private_GER