
I recently noticed some strange traffic in my nginx access logs. I'm not sure if these indicate an attack, a mistake, or something else. I've started sending these to HTTP 444, so these logs will indicate that.

1) I noticed an increase in traffic, and in checking the logs I saw request after request like this:

121.32.149.215 - - [28/Nov/2015:06:27:00 +0000] "GET / HTTP/1.1" 444 0 "http://vp.f8bet.com/wf360.html" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36" "-"

They come from different IPs and different user agents. Lots of them. The weird part is that the referring page has my TLD as the src for a script tag. My site isn't returning any JS from that URL, so it just hits the site's index. If I was less nice I could start returning some mean JS there. I think this may just be referrer spam, but am not sure.

2) I'm also getting a lot of requests like this:

190.137.153.244 - - [28/Nov/2015:06:07:16 +0000] "GET / HTTP/1.1" 302 97 "-" "WhatsApp" "-"

They also come from various IPs and have WhatsApp as the user agent. The interesting part here is that they're various subdomains (seemingly random Spanish words), which resolve because of a wildcard. I removed the wildcard to kill some of these, and ended up just blocking all WhatsApp user agent traffic as well.

I'm getting some under a Spanish subdomain with "MJ12bot" as the referer as well. "MJ12bot" appears semi-legit, but if it's a real crawler, the subdomain is never something that existed specifically.

Like anyone I get random attacks all day, but the first one is very specific, and I find the second one interesting due to the subdomains. Both have been hitting me continuously over the last week or so.

Does anyone have thoughts on the purpose of these requests and if I should do anything more than just send them to 444 and be on my way?

HBruijn
user153775
  • Is your site q.me then? – Michael Hampton Nov 28 '15 at 06:47
  • [Welcome to the internet](http://serverfault.com/search?q=welcome+to+the+internet) – user9517 Nov 28 '15 at 06:57
  • That's correct Michael. It just seems odd that they would specifically add my domain to their script tag, though it would be a way to do referrer spam. They might just think my single letter domain is worth spamming. – user153775 Nov 28 '15 at 16:27
  • The solution depends on how professional your site is. Mine is a hobby site, so when hotlinked, I first try to mail the admin, when that fails, I insert something annoying to force them to remove the link. It once took the infamous tubgirl to get rid of a pervasive hotlink. – Zdenek Apr 05 '18 at 20:10

1 Answer

There are two questions here. I'll answer the second one: it's not an attack; it's because of the way people type, and things that look like domain names get treated as links automatically.

I noticed a lot of requests for http://kak.be/ from the "WhatsApp" user agent. Mine almost always come from Malaysia. I had a better look at the logs, and like you, they were requests for various (non-existing) subdomains. My guess is the WhatsApp users type using dots/periods instead of spaces, which in turn leads to valid-looking domain names. WhatsApp then seemingly prefetches that link, maybe to check it for dangerous content?

Examples:

Original request: ah.kakak.ini.ndak.percaya.gimana.ak.mau.tidur.di.mana.bingung.ak.kak.be
Google Translate: This sister ah not believe how I want to sleep where kak be confused ak

Original request: kak.maafkan.adik.pliz.kak.be
Google Translate: kak kak be forgiven sister pliz

According to the English Wiktionary, "kak"/"kakak" denote an (older) sister or brother. Heh.

So yeah, nothing to worry about. That is, if.you.ask.me.

janmoesen
  • I've decided the first one is just referrer spam, as that's pretty common for all of the sites I run. This one was a bit more traffic, but still not enough to be an effective attack if it was one. Thanks for the good idea on the second one... I'm going to go with that! – user153775 Jan 23 '16 at 16:23
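As an added illustration (not code from the question or the answer), here is a small Python script that parses access-log lines in the nginx format shown above and labels the two patterns discussed: a foreign referrer pointing at the site index (referrer spam) and the "WhatsApp" user agent fetching links typed in chat. The hostnames in OWN_HOSTS and the third sample line are placeholders I constructed, not the asker's real domain or traffic.

```python
import re
from urllib.parse import urlparse

# Matches the log format visible in the question:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent" "$http_x_forwarded_for"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

# Placeholder hostnames standing in for the site's own domain (assumption, not from the page).
OWN_HOSTS = {"example.com", "www.example.com"}
# User agents that fetch links found in chat messages, per the answer's explanation of item 2.
LINK_PREFETCHERS = {"WhatsApp"}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Label a parsed record as link-prefetch, referrer-spam, or normal."""
    if rec["ua"] in LINK_PREFETCHERS:
        return "link-prefetch"
    referer = rec["referer"]
    if referer not in ("", "-"):
        host = urlparse(referer).hostname or ""
        # A page on a foreign host claiming to link to our index is the referrer-spam shape.
        if host not in OWN_HOSTS and rec["request"].startswith("GET / "):
            return "referrer-spam"
    return "normal"


def summarize(lines):
    """Count labels over a list of raw log lines; unparsable lines are counted as 'unparsed'."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        label = classify(rec) if rec else "unparsed"
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample: the two lines quoted in the question plus one ordinary visit.
SAMPLE = [
    '121.32.149.215 - - [28/Nov/2015:06:27:00 +0000] "GET / HTTP/1.1" 444 0 "http://vp.f8bet.com/wf360.html" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36" "-"',
    '190.137.153.244 - - [28/Nov/2015:06:07:16 +0000] "GET / HTTP/1.1" 302 97 "-" "WhatsApp" "-"',
    '203.0.113.5 - - [28/Nov/2015:07:00:00 +0000] "GET /about HTTP/1.1" 200 1234 "http://www.example.com/" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Because the log format here does not record the Host header, the random-subdomain part of item 2 is not visible to this script; adding $host to the nginx log_format would let the same parser flag requests for names that were never configured.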