[BlueOnyx:21560] Attack by a botnet.

Fungal Style wayin at hotmail.com
Mon Dec 4 15:52:06 -05 2017


Hi all,

Just want to get some ideas on anything I can do as they are quite literally filling up log files with spam entries of hits from an IP then rotating to a new IP.

It is a form of brute force attack from what I can tell and it is low bandwidth as they are requesting part of a file (possibly to go undetected as it is 2/10’s of bugger all data).

As I am only using the domain for testing currently I placed a 301 on it and renamed the files it is requesting, but they are still going.

Here is some of the apache log:
www.it-malls.com 112.202.163.181 - - [05/Dec/2017:07:38:58 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 112.202.163.181 - - [05/Dec/2017:07:39:05 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 66.249.79.70 - - [05/Dec/2017:07:39:09 +1100] "GET /ukgb4/trne.php?recipe-for-homemade-window-cleaner HTTP/1.1" 301 265 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
www.it-malls.com 182.181.141.253 - - [05/Dec/2017:07:39:12 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 89.64.36.121 - - [05/Dec/2017:07:39:32 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 89.64.36.121 - - [05/Dec/2017:07:39:33 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 89.64.36.121 - - [05/Dec/2017:07:39:33 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 66.249.79.72 - - [05/Dec/2017:07:39:34 +1100] "GET /ukgb4/trne.php?famous-sun-valley-id-trout-recipes HTTP/1.1" 301 265 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
www.it-malls.com 182.181.141.253 - - [05/Dec/2017:07:39:43 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 88.230.246.176 - - [05/Dec/2017:07:39:44 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 176.240.142.162 - - [05/Dec/2017:07:39:45 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 88.230.246.176 - - [05/Dec/2017:07:39:46 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 88.230.246.176 - - [05/Dec/2017:07:39:47 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 176.240.142.162 - - [05/Dec/2017:07:39:47 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 176.240.142.162 - - [05/Dec/2017:07:39:48 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 182.181.141.253 - - [05/Dec/2017:07:39:52 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 212.237.119.209 - - [05/Dec/2017:07:39:59 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 66.249.79.72 - - [05/Dec/2017:07:40:00 +1100] "GET /vvbni5/td.php?bed-and-breakfast-weston-super-mare HTTP/1.1" 301 266 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
www.it-malls.com 220.245.195.62 - - [05/Dec/2017:07:40:01 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 220.245.195.62 - - [05/Dec/2017:07:40:03 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 220.245.195.62 - - [05/Dec/2017:07:40:04 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 212.237.119.209 - - [05/Dec/2017:07:40:05 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 212.237.119.209 - - [05/Dec/2017:07:40:06 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 66.249.79.70 - - [05/Dec/2017:07:40:26 +1100] "GET /ukgb4/trne.php?diablo-2-lod-horadric-cube-recipes HTTP/1.1" 301 265 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
www.it-malls.com 189.69.67.47 - - [05/Dec/2017:07:40:26 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 189.69.67.47 - - [05/Dec/2017:07:40:27 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 189.69.67.47 - - [05/Dec/2017:07:40:28 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 182.18.238.214 - - [05/Dec/2017:07:40:45 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 182.18.238.214 - - [05/Dec/2017:07:40:47 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 182.18.238.214 - - [05/Dec/2017:07:40:47 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 66.249.79.70 - - [05/Dec/2017:07:40:52 +1100] "GET /ukgb4/trne.php?fried-green-bean-recipe-applebee-s HTTP/1.1" 301 265 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
www.it-malls.com 45.220.247.2 - - [05/Dec/2017:07:41:07 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 45.220.247.2 - - [05/Dec/2017:07:41:16 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 66.249.79.70 - - [05/Dec/2017:07:41:18 +1100] "GET /dpjm6/xsoax.php?quilted-casserole-carrier-patterns HTTP/1.1" 301 265 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
www.it-malls.com 45.220.247.2 - - [05/Dec/2017:07:41:20 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 93.84.30.121 - - [05/Dec/2017:07:41:22 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 197.228.204.125 - - [05/Dec/2017:07:41:23 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 93.84.30.121 - - [05/Dec/2017:07:41:23 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 93.84.30.121 - - [05/Dec/2017:07:41:24 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 197.228.204.125 - - [05/Dec/2017:07:41:25 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 197.228.204.125 - - [05/Dec/2017:07:41:26 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 66.249.79.70 - - [05/Dec/2017:07:41:44 +1100] "GET /ukgb4/trne.php?do-japanesse-people-eat-raw-chicken HTTP/1.1" 301 266 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
www.it-malls.com 185.16.25.76 - - [05/Dec/2017:07:41:58 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 185.16.25.76 - - [05/Dec/2017:07:41:59 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 185.16.25.76 - - [05/Dec/2017:07:42:00 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 120.43.162.255 - - [05/Dec/2017:07:42:10 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
www.it-malls.com 66.249.79.74 - - [05/Dec/2017:07:42:10 +1100] "GET /kdka3/bu.php?turkey-soup-in-pressure-cooker-recipe HTTP/1.1" 301 268 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
www.it-malls.com 201.156.9.61 - - [05/Dec/2017:07:42:17 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"


Prior to the permanent redirect and renaming of files they were getting 302 206 from memory instead of the current 301 230.

Any suggestions would be appreciated if there is anything I can do to get rid of this garbage. It started up just over 24 hours ago and has been constant; fail2ban and other security measures I can't see as doing anything, as it is rotating IPs and does not seem to use the same ones for more than one lot of hits.

Regards
Brian
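A small detection script, added here as an example and not part of Brian's post or of BlueOnyx, that parses log lines in the format above (virtual host, then the combined log fields), counts hits on wp-login.php and xmlrpc.php per source IP, and flags the pattern he describes: many IPs that each stay below a per-IP ban threshold, so a per-IP jail such as fail2ban's never fires. The sample lines, IPs (192.0.2.0/24 documentation range) and the threshold values are constructed assumptions.

```python
import re
from collections import Counter

# Apache access log with a leading vhost field, as in the post's excerpt.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints targeted in the post: WordPress login form and XML-RPC.
TARGETS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample lines mirroring the post's format (not real traffic).
SAMPLE = [
    'www.example.test 192.0.2.10 - - [05/Dec/2017:07:39:32 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0"',
    'www.example.test 192.0.2.10 - - [05/Dec/2017:07:39:33 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0"',
    'www.example.test 192.0.2.10 - - [05/Dec/2017:07:39:33 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0"',
    'www.example.test 192.0.2.20 - - [05/Dec/2017:07:39:34 +1100] "GET /ukgb4/trne.php?some-query HTTP/1.1" 301 265 "-" "Googlebot/2.1"',
    'www.example.test 192.0.2.11 - - [05/Dec/2017:07:39:44 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0"',
    'www.example.test 192.0.2.11 - - [05/Dec/2017:07:39:46 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0"',
    'www.example.test 192.0.2.11 - - [05/Dec/2017:07:39:47 +1100] "POST /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0"',
    'www.example.test 192.0.2.12 - - [05/Dec/2017:07:40:01 +1100] "POST /xmlrpc.php HTTP/1.1" 301 230 "-" "Mozilla/5.0"',
    'www.example.test 192.0.2.12 - - [05/Dec/2017:07:40:03 +1100] "GET /wp-login.php HTTP/1.1" 301 230 "-" "Mozilla/5.0"',
]

def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def login_hits_per_ip(lines):
    """Count requests per source IP that touch the targeted endpoints (query string ignored)."""
    per_ip = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["path"].split("?", 1)[0] in TARGETS:
            per_ip[rec["ip"]] += 1
    return per_ip

def is_distributed_bruteforce(per_ip, per_ip_threshold=5, min_sources=3):
    """True when the aggregate volume is high but no single IP reaches the per-IP ban threshold.

    per_ip_threshold models a fail2ban-style maxretry (assumed value); min_sources is the
    minimum number of distinct IPs that makes the pattern worth alerting on (assumed)."""
    total = sum(per_ip.values())
    busiest = max(per_ip.values(), default=0)
    return len(per_ip) >= min_sources and total >= per_ip_threshold and busiest < per_ip_threshold

if __name__ == "__main__":
    hits = login_hits_per_ip(SAMPLE)
    print(hits, "distributed:", is_distributed_bruteforce(hits))
```

The point of the aggregate check is that a per-IP jail sees at most three hits from any one address here and stays silent, while the total against the two endpoints is what actually signals the campaign; a rule keyed on the endpoint rather than the source (or simply denying those paths at the web server) fits this traffic better.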
