I've just deployed a barebones Apache server on Digital Ocean, only hosting static files. No PHP et al.

I'm not too bothered to see random exploit attempts, but 99% of the requests are of this similar format and I'd like to know what they are trying to do.

The source IP is always changing, but the GET resource request is the same, as well as the user-agent. My server is under a constant 30kB/s public inbound (sometimes peaking at around 80kB/s) from this type of request.

I have written a .htaccess and I regex the user-agent for 'wget', and direct the request to a 403. Very noob at this but I feel like that was possibly redundant.

180.190.118.26 - - 14/Feb/2021:09:10:07 +1100] "GET /index.php?c=update&a=patchsum&product=BTFLY-A&ver=1.3.0 HTTP/1.1" 403 407 "-" "Wget/BTFLY/\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff

There is no index.php on my server, but I'm still curious nonetheless about how concerned I should be.

Thank you

Corey

1 Answer

1

The request seems to match a butterfly VPN router (OpenWrt BTFLY-A 1.3.0 / LuCI 15.05 Branch), so someone probably used your IP for a VPN service in the past and there is an active endpoint querying it.

https://forum.openwrt.org/t/how-to-flash-openwrt-on-a-butterfly-vpn-router/73652

wireghoul
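To check from the access log whether the traffic is one device family polling an update URL, as the answer suggests, the requests can be grouped by request target and user-agent with the distinct source IPs counted per group. This is an added example, not part of the original question or answer; the sample lines are constructed (documentation IP ranges) and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache combined log format. The "[" before the timestamp and the closing quote
# of the user-agent are optional, because the line quoted in the question lacks both.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[?(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"?\s*$')
# Apache logs non-printable bytes as literal \xNN text; drop a trailing run of them
# so the same client groups together regardless of how much padding it sent.
TRAILING_ESCAPES = re.compile(r'(?:\\x[0-9a-fA-F]{2})+$')

# Constructed sample lines modelled on the question (not real traffic).
SAMPLE_LOG = r'''
192.0.2.10 - - [14/Feb/2021:09:10:07 +1100] "GET /index.php?c=update&a=patchsum&product=BTFLY-A&ver=1.3.0 HTTP/1.1" 403 407 "-" "Wget/BTFLY/\xff\xff\xff\xff"
198.51.100.23 - - 14/Feb/2021:09:10:08 +1100] "GET /index.php?c=update&a=patchsum&product=BTFLY-A&ver=1.3.0 HTTP/1.1" 403 407 "-" "Wget/BTFLY/\xff\xff\xff\xff\xff\xff
203.0.113.5 - - [14/Feb/2021:09:10:09 +1100] "GET /index.php?c=update&a=patchsum&product=BTFLY-A&ver=1.3.0 HTTP/1.1" 403 407 "-" "Wget/BTFLY/\xff\xff"
192.0.2.10 - - [14/Feb/2021:09:15:07 +1100] "GET /index.php?c=update&a=patchsum&product=BTFLY-A&ver=1.3.0 HTTP/1.1" 403 407 "-" "Wget/BTFLY/\xff\xff\xff\xff"
203.0.113.77 - - [14/Feb/2021:09:16:00 +1100] "GET /robots.txt HTTP/1.1" 200 120 "-" "curl/7.68.0"
'''

def summarise(log_text):
    """Return ([(target, agent, hits, distinct_ips, bytes)], unparsed_line_count)."""
    groups = defaultdict(lambda: {"hits": 0, "ips": set(), "bytes": 0})
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if line.strip():
                skipped += 1
            continue
        g = groups[(m["target"], TRAILING_ESCAPES.sub("", m["agent"]))]
        g["hits"] += 1
        g["ips"].add(m["ip"])
        g["bytes"] += 0 if m["size"] == "-" else int(m["size"])
    rows = [(t, a, g["hits"], len(g["ips"]), g["bytes"]) for (t, a), g in groups.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True), skipped

def query_fields(target):
    """Decode the query string of a request target into {name: first value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}

if __name__ == "__main__":
    rows, skipped = summarise(SAMPLE_LOG)
    for target, agent, hits, ips, size in rows:
        print(hits, "hits from", ips, "IPs,", size, "bytes:", agent, query_fields(target))
    print("unparsed lines:", skipped)
```

One group that dominates the hit count, spans many source IPs and always carries the same `product` and `ver` values points to deployed devices checking for updates rather than to scanning for a vulnerable script.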