<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:595.0pt 842.0pt;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt'>Wp-login.php and xmlrpc.php both look like dictionary attacks trying to guess Wordpress passwords<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt'><o:p> </o:p></span></a></p><span style='mso-bookmark:_MailEndCompose'></span><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Blueonyx [mailto:blueonyx-bounces@mail.blueonyx.it] <b>On Behalf Of </b>Fungal Style<br><b>Sent:</b> Monday, December 4, 2017 2:52 PM<br><b>To:</b> BlueOnyx General Mailing List <blueonyx@mail.blueonyx.it><br><b>Subject:</b> [BlueOnyx:21560] Attack by a botnet.<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=EN-AU style='font-size:11.0pt'>Hi all,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-AU style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-AU style='font-size:11.0pt'>Just want to get some ideas on anything I can do as they are quite literally filling up log files with spam entries of hits from an IP then rotating to a new IP.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-AU style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-AU style='font-size:11.0pt'>It is a form of brute force attack from what I can tell and it is low bandwidth as they are requesting part of a file (possibly to go undetected as it is 2/10’s of bugger all data).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-AU style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-AU style='font-size:11.0pt'>As I am only using the domain for testing currently I placed a 301 on it and renamed the files it is requesting, but they are still going. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-AU style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-AU style='font-size:11.0pt'>Here is some of the apache log:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 112.202.163.181 - - [05/Dec/2017:07:38:58 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 112.202.163.181 - - [05/Dec/2017:07:39:05 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 66.249.79.70 - - [05/Dec/2017:07:39:09 +1100] "GET /ukgb4/trne.php?recipe-for-homemade-window-cleaner HTTP/1.1" 301 265 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 182.181.141.253 - - [05/Dec/2017:07:39:12 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 89.64.36.121 - - [05/Dec/2017:07:39:32 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 89.64.36.121 - - [05/Dec/2017:07:39:33 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 89.64.36.121 - - [05/Dec/2017:07:39:33 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 66.249.79.72 - - [05/Dec/2017:07:39:34 +1100] "GET /ukgb4/trne.php?famous-sun-valley-id-trout-recipes HTTP/1.1" 301 265 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 182.181.141.253 - - [05/Dec/2017:07:39:43 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 88.230.246.176 - - [05/Dec/2017:07:39:44 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 176.240.142.162 - - [05/Dec/2017:07:39:45 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 88.230.246.176 - - [05/Dec/2017:07:39:46 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 88.230.246.176 - - [05/Dec/2017:07:39:47 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 176.240.142.162 - - [05/Dec/2017:07:39:47 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 176.240.142.162 - - [05/Dec/2017:07:39:48 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 182.181.141.253 - - [05/Dec/2017:07:39:52 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 212.237.119.209 - - [05/Dec/2017:07:39:59 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 66.249.79.72 - - [05/Dec/2017:07:40:00 +1100] "GET /vvbni5/td.php?bed-and-breakfast-weston-super-mare HTTP/1.1" 301 266 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 220.245.195.62 - - [05/Dec/2017:07:40:01 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 220.245.195.62 - - [05/Dec/2017:07:40:03 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 220.245.195.62 - - [05/Dec/2017:07:40:04 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 212.237.119.209 - - [05/Dec/2017:07:40:05 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 212.237.119.209 - - [05/Dec/2017:07:40:06 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 66.249.79.70 - - [05/Dec/2017:07:40:26 +1100] "GET /ukgb4/trne.php?diablo-2-lod-horadric-cube-recipes HTTP/1.1" 301 265 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 189.69.67.47 - - [05/Dec/2017:07:40:26 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 189.69.67.47 - - [05/Dec/2017:07:40:27 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 189.69.67.47 - - [05/Dec/2017:07:40:28 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 182.18.238.214 - - [05/Dec/2017:07:40:45 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 182.18.238.214 - - [05/Dec/2017:07:40:47 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 182.18.238.214 - - [05/Dec/2017:07:40:47 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 66.249.79.70 - - [05/Dec/2017:07:40:52 +1100] "GET /ukgb4/trne.php?fried-green-bean-recipe-applebee-s HTTP/1.1" 301 265 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 45.220.247.2 - - [05/Dec/2017:07:41:07 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 45.220.247.2 - - [05/Dec/2017:07:41:16 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 66.249.79.70 - - [05/Dec/2017:07:41:18 +1100] "GET /dpjm6/xsoax.php?quilted-casserole-carrier-patterns HTTP/1.1" 301 265 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 45.220.247.2 - - [05/Dec/2017:07:41:20 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 93.84.30.121 - - [05/Dec/2017:07:41:22 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 197.228.204.125 - - [05/Dec/2017:07:41:23 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 93.84.30.121 - - [05/Dec/2017:07:41:23 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 93.84.30.121 - - [05/Dec/2017:07:41:24 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 197.228.204.125 - - [05/Dec/2017:07:41:25 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 197.228.204.125 - - [05/Dec/2017:07:41:26 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 66.249.79.70 - - [05/Dec/2017:07:41:44 +1100] "GET /ukgb4/trne.php?do-japanesse-people-eat-raw-chicken HTTP/1.1" 301 266 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 185.16.25.76 - - [05/Dec/2017:07:41:58 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 185.16.25.76 - - [05/Dec/2017:07:41:59 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 185.16.25.76 - - [05/Dec/2017:07:42:00 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 120.43.162.255 - - [05/Dec/2017:07:42:10 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 66.249.79.74 - - [05/Dec/2017:07:42:10 +1100] "GET /kdka3/bu.php?turkey-soup-in-pressure-cooker-recipe HTTP/1.1" 301 268 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><a href="http://www.it-malls.com">www.it-malls.com</a> 201.156.9.61 - - [05/Dec/2017:07:42:17 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'>Prior to the perminant redirect and renaming of files they were getting 302 206 from memory instead of the current 301 230.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'>Any suggestions would be appreciated if there is anything I can do to get rid of this garbage as it started up just over 24 hours ago and has been constant as fail2ban and other security measures I can’t see as doing anything as it is rotating IPs and does not seem to use the same ones for more than one lot of hits.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'>Regards<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'>Brian<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-AU style='font-size:11.0pt'><o:p> </o:p></span></p></div></body></html>