odd webserver probe

Nov 08, 2017 12:47

Wed Nov 8 12:47:21 EST 2017

From my webserver log, someone was looking really hard for a "guestbook" on my website. But it wasn't looking like visiting the site and wandering around (i.e. didn't ever go to the home page), it was poking at "expected" locations:

12:40:28 "GET / HTTP/1.1" 200 9088
12:40:29 "GET /index.php?option=com_user&task=register HTTP/1.1" 404 564
12:40:29 "GET /index.php/component/users/?view=registration HTTP/1.1" 404 564
12:40:30 "GET /modules.php?name=Your_Account HTTP/1.1" 404 564
12:40:30 "GET /member/ HTTP/1.1" 404 564
12:40:30 "GET /index.php?act=dispMemberLoginForm HTTP/1.1" 404 564
12:40:31 "GET /home.php HTTP/1.1" 404 564
12:40:31 "GET /yabb.pl HTTP/1.1" 404 564
12:40:31 "GET /YaBB.cgi HTTP/1.1" 404 564
12:40:32 "GET /guestbook.php HTTP/1.1" 404 564
12:40:32 "GET /bbs.cgi HTTP/1.1" 404 564
12:40:32 "GET /gastenboek.php HTTP/1.1" 404 564
12:40:33 "GET /light.cgi HTTP/1.1" 404 564
12:40:33 "GET /CGI/guestbook?page=1 HTTP/1.1" 404 564
12:40:33 "GET /Guestbook.php HTTP/1.1" 404 564
12:40:34 "GET /seo-joy.cgi HTTP/1.1" 404 564
12:40:34 "GET /yybbs.cgi HTTP/1.1" 404 564
12:40:34 "GET /guestbook HTTP/1.1" 404 564
12:40:35 "GET /aska.cgi HTTP/1.1" 404 564
12:40:35 "GET /jax_guestbook.php HTTP/1.1" 404 564
12:40:35 "GET /sbb.cgi HTTP/1.1" 404 564
12:40:36 "GET /default.asp HTTP/1.1" 404 564
12:40:36 "GET /sunbbs.cgi?mode=form HTTP/1.1" 404 564
12:40:36 "GET /yapgb.php HTTP/1.1" 404 564
12:40:37 "GET /book.php HTTP/1.1" 404 564
12:40:37 "GET /album.cgi HTTP/1.1" 404 564
12:40:37 "GET /guestbook.php HTTP/1.1" 404 564
12:40:38 "GET /scarbook.php HTTP/1.1" 404 564
12:40:38 "GET /guestbook.html HTTP/1.1" 404 564
12:40:38 "GET /gaestebuch.php HTTP/1.1" 404 564
12:40:39 "GET /apps/guestbook HTTP/1.1" 404 564
12:40:39 "GET /g_book.cgi HTTP/1.1" 404 564
12:40:39 "GET /gb.php HTTP/1.1" 404 564
12:40:40 "GET /site_changes.html/ HTTP/1.1" 404 564

All from 89.70.217.98, using "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"

(Hmmm, I do have a site_changes.html page; I wonder why that last entry failed?)

If you've visited my site, you haven't seen anyplace to enter anything. I don't collect any data about visitors (besides the server logs), and I certainly don't have members. I wonder what this hacker wanted to know about my "guests"? (All I know about them is date/time, IP address, and what page(s) they requested.) [I guess from a guest book you might harvest email addresses for spamming?]

The attempts I see most often are trying for WordPress admin logins, presumably hoping they'll take default passwords. I'm not using WordPress, and I don't provide for remote admin; there's no logins through the website. There's no pages with input forms. I'm not selling anything. I don't want information from anyone. All I'm doing is serving static pages. There's minimal attack surface here.
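One way to flag the kind of burst shown in the log above: a single client requesting many distinct missing paths within a few seconds. This is an added example, not part of the original post; the line layout (client address prepended to the time/request/status/size fields), the thresholds, and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque

# Assumed layout: the post's excerpt (time, request, status, size) with the
# client address prepended; lines are in time order within a single day.
LINE = re.compile(
    r'^(?P<ip>\S+) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)

def find_probers(lines, window=15, min_paths=8):
    """Return {ip: peak count} for clients that requested at least
    `min_paths` distinct missing (404) paths within `window` seconds."""
    recent = defaultdict(deque)   # ip -> (seconds, path) of recent 404s
    peak = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["status"] != "404":
            continue              # skip unparsable lines and non-404 responses
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        path = m["path"].split("?", 1)[0]   # ignore the query string
        q = recent[m["ip"]]
        q.append((t, path))
        while q and t - q[0][0] > window:   # drop entries outside the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= min_paths:
            peak[m["ip"]] = max(peak.get(m["ip"], 0), distinct)
    return peak

# Constructed sample: documentation addresses, paths taken from the excerpt.
SAMPLE = """\
192.0.2.10 12:40:28 "GET / HTTP/1.1" 200 9088
192.0.2.10 12:40:29 "GET /index.php?option=com_user&task=register HTTP/1.1" 404 564
192.0.2.10 12:40:30 "GET /modules.php?name=Your_Account HTTP/1.1" 404 564
192.0.2.10 12:40:30 "GET /member/ HTTP/1.1" 404 564
198.51.100.7 12:40:30 "GET /site_changes.html HTTP/1.1" 200 4210
192.0.2.10 12:40:31 "GET /yabb.pl HTTP/1.1" 404 564
192.0.2.10 12:40:31 "GET /YaBB.cgi HTTP/1.1" 404 564
192.0.2.10 12:40:32 "GET /guestbook.php HTTP/1.1" 404 564
192.0.2.10 12:40:32 "GET /bbs.cgi HTTP/1.1" 404 564
192.0.2.10 12:40:32 "GET /gastenboek.php HTTP/1.1" 404 564
198.51.100.7 12:40:33 "GET /favicon.ico HTTP/1.1" 404 564
192.0.2.10 12:40:33 "GET /light.cgi HTTP/1.1" 404 564
""".splitlines()

if __name__ == "__main__":
    for ip, n in find_probers(SAMPLE).items():
        print(f"{ip}: {n} distinct missing paths within the window")
```

A visitor who trips over one broken link stays far below the threshold, while a path-guessing scan crosses it within seconds.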

[This entry was originally posted as https://syntonic-comma.dreamwidth.org/933038.html on Dreamwidth (where there are comments).]

internet, webhosting, website
