Project getting random requests

I have a project I use as an “API”. It basically is a gateway for me to use my database with other things. I noticed that I was getting weird requests that weren’t from me.

::ffff:127.0.0.1 - HEAD /wp/ HTTP/1.1 404 143 - 2.818 ms
::ffff:127.0.0.1 - HEAD /wordpress/ HTTP/1.1 404 150 - 1.038 ms
::ffff:127.0.0.1 - HEAD /blog/ HTTP/1.1 404 145 - 2.360 ms
::ffff:127.0.0.1 - GET /flex2gateway/amf HTTP/1.1 404 155 - 0.869 ms
::ffff:127.0.0.1 - GET /robots.txt HTTP/1.1 404 149 - 4.103 ms
::ffff:127.0.0.1 - GET /CFIDE/Administrator/index.cfm HTTP/1.1 404 168 - 0.624 ms
::ffff:127.0.0.1 - HEAD / HTTP/1.1 200 2 - 0.916 ms
::ffff:127.0.0.1 - GET /.hg/hgrc HTTP/1.1 404 147 - 0.692 ms
::ffff:127.0.0.1 - GET /sftp_config.json HTTP/1.1 404 155 - 0.677 ms
::ffff:127.0.0.1 - GET /scripts/cfformhistory.cfm HTTP/1.1 404 164 - 0.564 ms
::ffff:127.0.0.1 - GET /cf_scripts/scripts/cfformhistory.cfm HTTP/1.1 404 175 - 0.600 ms
::ffff:127.0.0.1 - GET /CFIDE/scripts/cfformhistory.cfm HTTP/1.1 404 170 - 0.886 ms
::ffff:127.0.0.1 - GET /wwscripts/cfformhistory.cfm HTTP/1.1 404 166 - 0.613 ms
::ffff:127.0.0.1 - GET /FormScripts/cfformhistory.cfm HTTP/1.1 404 168 - 0.553 ms
::ffff:127.0.0.1 - GET /SSMWeb/login?1 HTTP/1.1 404 151 - 0.582 ms
::ffff:127.0.0.1 - GET /v2/keys/?recursive=true HTTP/1.1 404 147 - 0.597 ms
::ffff:127.0.0.1 - GET /v2/keys/?recursive=true HTTP/1.1 404 147 - 1.605 ms
::ffff:127.0.0.1 - GET /v2/keys/?recursive=true HTTP/1.1 404 147 - 0.579 ms
::ffff:127.0.0.1 - GET /v2/keys/?recursive=true HTTP/1.1 404 147 - 0.595 ms
::ffff:127.0.0.1 - GET /v2/keys/?recursive=true HTTP/1.1 404 147 - 0.555 ms

I don’t know where the requests are coming from, or who got the domain, but this shouldn’t be happening.
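Added example (not code from the original project): a small script that parses log lines in the exact shape quoted above, groups requests by client address, and flags addresses whose traffic looks like a generic scanner, meaning many distinct 404s and several commonly probed paths. The probe list is built only from paths seen in this thread; the thresholds are assumptions to tune.

```javascript
// Added example: summarise scanner-style traffic from log lines in the
// "ip - METHOD path HTTP/x.y status length - time ms" shape quoted above.
// Assumes one request per line; not Express or project code.

const LINE_RE = /^(\S+) - (\S+) (\S+) HTTP\/\d\.\d (\d{3}) (\S+) - ([\d.]+) ms$/;

// Paths that generic scanners probe regardless of what a site runs
// (taken from the log above plus /wp-admin mentioned later in the thread).
const PROBE_PREFIXES = ['/wp/', '/wordpress/', '/wp-admin', '/blog/', '/cfide/',
  '/.hg/', '/sftp_config.json', '/v2/keys/', '/flex2gateway/'];

// Constructed sample: a subset of the lines quoted in the post.
const SAMPLE_LINES = [
  '::ffff:127.0.0.1 - HEAD /wp/ HTTP/1.1 404 143 - 2.818 ms',
  '::ffff:127.0.0.1 - HEAD /wordpress/ HTTP/1.1 404 150 - 1.038 ms',
  '::ffff:127.0.0.1 - HEAD /blog/ HTTP/1.1 404 145 - 2.360 ms',
  '::ffff:127.0.0.1 - GET /flex2gateway/amf HTTP/1.1 404 155 - 0.869 ms',
  '::ffff:127.0.0.1 - GET /robots.txt HTTP/1.1 404 149 - 4.103 ms',
  '::ffff:127.0.0.1 - GET /CFIDE/Administrator/index.cfm HTTP/1.1 404 168 - 0.624 ms',
  '::ffff:127.0.0.1 - HEAD / HTTP/1.1 200 2 - 0.916 ms',
  '::ffff:127.0.0.1 - GET /.hg/hgrc HTTP/1.1 404 147 - 0.692 ms',
  '::ffff:127.0.0.1 - GET /v2/keys/?recursive=true HTTP/1.1 404 147 - 0.597 ms',
];

function parseLogLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return {
    ip: m[1].replace(/^::ffff:/, ''), // strip the IPv4-mapped IPv6 prefix
    method: m[2],
    path: m[3],
    status: Number(m[4]),
    ms: Number(m[6]),
  };
}

function isProbePath(path) {
  const lower = path.toLowerCase();
  return PROBE_PREFIXES.some((p) => lower.startsWith(p));
}

// Per-IP counts; an address is flagged when it hits many distinct missing
// paths or several known probe paths. Thresholds are assumptions.
function summarize(lines, { notFoundThreshold = 5, probeThreshold = 3 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const r = parseLogLine(line);
    if (!r) continue; // skip lines that are not request records
    let s = byIp.get(r.ip);
    if (!s) {
      s = { requests: 0, notFound: 0, distinctNotFound: new Set(), probePaths: new Set() };
      byIp.set(r.ip, s);
    }
    s.requests += 1;
    if (r.status === 404) {
      s.notFound += 1;
      s.distinctNotFound.add(r.path);
    }
    if (isProbePath(r.path)) s.probePaths.add(r.path);
  }
  const out = {};
  for (const [ip, s] of byIp) {
    out[ip] = {
      requests: s.requests,
      notFound: s.notFound,
      distinctNotFound: s.distinctNotFound.size,
      probePaths: [...s.probePaths].sort(),
      flagged: s.distinctNotFound.size >= notFoundThreshold || s.probePaths.size >= probeThreshold,
    };
  }
  return out;
}

// Addresses worth reviewing before any block rule is written.
function banCandidates(summary) {
  return Object.keys(summary).filter((ip) => summary[ip].flagged).sort();
}

console.log(summarize(SAMPLE_LINES));
```

Because every line here shows `::ffff:127.0.0.1`, the app is only seeing its reverse proxy, so the grouping collapses to one address; the real client has to be recovered from the proxy's forwarded headers before this kind of summary is useful for blocking.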

It could be a crawler.

1 Like

Probably, but the question is, how did they get the project name or the domain. All the code I use for this is backend code.

You would be surprised. I’ve looked through my access logs before and I see weird bots in there.

I searched /v2/keys/?recursive=true and it looks like it is a part of this.

Are you coding in ColdFusion? Why all the .cfm requests?

No, the entire project is express and the database.

Hmm, pretty odd. I’m interested, I am going to do some more research on this and tell you if I find anything.

Ok, so I looked into this a little bit more and all of the .cfm files seem to be names of standard ColdFusion files (one was for forms I think). What probably happened was a bot checked your site to see if it was a CF site? Maybe somebody made a typo? It would really help if you got the user agents.

Usually these are attacks that try to identify what you’re running on your server, and attempt to find vulnerabilities within them.

1 Like

If this is the case, I might as well log the IPs and Request to a file or database to block them later.

That would make sense. If you are using CF in 2020, you are asking to get hacked.

A lot of crawlers check many vulnerable endpoints regardless of what your site is actually made in. The most common is /wp-admin.php

3 Likes

But what caught me off-guard was that the first few requests were to /blog or /

Probably for wordpress.

1 Like

Since this is an issue, would it be bad if I logged requests like these to a database to block?

Do what you want with them, but they will come from many IPs and user agents.

What I mean is, to block it, to prevent it from doing further damage. All of this happened within the same minute. And this happened two hours ago. So banning the IP would help other people as well.

It’s not actually doing any damage and if you want to ban the IPs on your site, go ahead.

1 Like

I have maybe 8 banned on my site.

Checked Cloudflare, and it looks like the requests are coming from the US, Netherlands, or France.

Are you sure you can’t get the user agent? That’s the part that really matters.

I don’t have it, nor know how. The staff team may be able to get it. But for now, I added a rule on Cloudflare to block any requests that are outside the US.
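Added example (not the original project's code) showing how an Express-style middleware can record the user agent and the real client address when the app sits behind a reverse proxy, which is what the `::ffff:127.0.0.1` in the log above indicates. It assumes a single trusted proxy on localhost that appends the client address to X-Forwarded-For; the header is only honoured when the socket peer is that proxy, so a client talking to the app directly cannot forge its own address. The sink is an in-memory array standing in for the file or database mentioned in the thread.

```javascript
// Added example: capture client IP and user agent behind a proxy.
// Assumption: exactly one reverse proxy, on loopback, sets X-Forwarded-For.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1']);

function normalizeIp(addr) {
  return (addr || '').replace(/^::ffff:/, ''); // drop IPv4-mapped prefix
}

// Walk X-Forwarded-For from the right, skipping addresses that belong to
// trusted proxies, and return the first address a trusted hop did not add
// itself. If the socket peer is not a trusted proxy, the header is ignored
// entirely and the socket address is used, so the value cannot be spoofed
// by a client connecting directly.
function clientIp(req) {
  const peer = normalizeIp(req.socket && req.socket.remoteAddress);
  if (!TRUSTED_PROXIES.has(peer)) return peer;
  const xff = req.headers && req.headers['x-forwarded-for'];
  if (!xff) return peer;
  const hops = String(xff).split(',').map((s) => normalizeIp(s.trim())).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!TRUSTED_PROXIES.has(hops[i])) return hops[i];
  }
  return peer;
}

function describeRequest(req) {
  const ua = req.headers && req.headers['user-agent'];
  return {
    ip: clientIp(req),
    userAgent: ua && ua.trim() ? ua : '(none)', // empty UA is itself a signal
    method: req.method,
    path: req.url,
  };
}

// Returns Express-compatible middleware that writes one record per request
// to `sink` (any object with push, e.g. an array or a small DB wrapper).
function makeRequestLogger(sink) {
  return function requestLogger(req, res, next) {
    sink.push({ ...describeRequest(req), at: new Date().toISOString() });
    next();
  };
}

// Usage with Express (assumed, not shown running here):
//   const seen = [];
//   app.use(makeRequestLogger(seen));
```

Express also has a built-in equivalent: `app.set('trust proxy', 'loopback')` makes `req.ip` apply the same trusted-hop logic, which is the simpler choice inside a real Express app; the hand-written version above just makes the trust decision visible.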

If you would like to know, I have gotten the IP and user agent from the crawlers. They are coming from France and maybe Sweden (there is no user agent).

France's IPs

195.154.62.232
62.210.5.253

User agent can be helpful at times, but it’s very easy to fake.

Well. I just put my entire domain on lockdown. Nothing with a Linux or Ubuntu, out of the US, greater threat score than 3 or is a known bot.

As long as you don’t use bad passwords or use outdated software, you should be fine.

1 Like

Found the root of some of the crawlers. http://www.google.com/bot.html This is what I found in Cloudflare. Google for some reason spoofed the IPs. I found it when a user agent had “googlebot” in it. And it seemed to be checking for access to it I guess. But the logins and v2/keys stuff is not mentioned. The weird part was that nearly none of the user agents have what Google said the bot’s user agent had.

Also about outdated software, what is the Linux version on the containers?

@chessebuilderman
via terminal:

NAME="Ubuntu"
VERSION="16.04.6 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.6 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

I don’t think I should worry about that, thanks though. It is only 2 versions behind.

Very odd. I should see if I am getting these errors on my website!!