Martin <New...@avisoft.f9.co.uk> wrote:
> In the last couple of days my website has had an increase in traffic,
> from about 30 different IP addresses, all with a User-Agent of
> "Go-http-client/1.1".
>
> Each starts with a "GET / HTTP/1.1" request, with various User-Agents,
> including Windows, Linux & MacOS. If that works (as it will) it then
> issues GETs for about 30 varied files, then stops.
>
> It seems that Go-http-client is a package which "provides HTTP client
> and server implementations" but it is suddenly being used by lots of
> IPs in a suspicious way.
>
> Anyone else seen this?
Looking at the riscos.info logs, there's a variety of entries matching that.
Since the start of December there have been 1632 requests.
Some examples (I have redacted part of the IPs, but they're all with
completely different prefixes):
Testing if the site will proxy for another:
106.2.x.x - - [19/Jan/2024:11:14:23 +0000] "CONNECT www.whitehouse.gov:443 HTTP/1.1" 302 292 "-" "Go-http-client/1.1"
80.91.x.x - - [20/Jan/2024:11:30:17 +0000] "CONNECT google.com:443 HTTP/1.1" 302 284 "-" "Go-http-client/1.1"
Testing for vulnerable pages:
91.92.x.x - - [14/Dec/2023:08:14:25 +0000] "GET //alfa.php HTTP/1.1" 404 287 "-" "Go-http-client/1.1"
91.92.x.x - - [14/Dec/2023:08:14:25 +0000] "GET //doc.php HTTP/1.1" 404 286 "-" "Go-http-client/1.1"
91.92.x.x - - [14/Dec/2023:08:14:25 +0000] "GET //marijuana.php HTTP/1.1" 404 292 "-" "Go-http-client/1.1"
91.92.x.x - - [14/Dec/2023:08:14:25 +0000] "GET //mini.php HTTP/1.1" 404 287 "-" "Go-http-client/1.1"
91.92.x.x - - [14/Dec/2023:08:14:25 +0000] "GET //shell.php HTTP/1.1" 404 288 "-" "Go-http-client/1.1"
91.92.x.x - - [14/Dec/2023:08:14:25 +0000] "GET //small.php HTTP/1.1" 404 288 "-" "Go-http-client/1.1"
91.92.x.x - - [14/Dec/2023:08:14:25 +0000] "GET //wso.php HTTP/1.1" 404 286 "-" "Go-http-client/1.1"
91.92.x.x - - [14/Dec/2023:08:14:25 +0000] "GET //wp-info.php HTTP/1.1" 404 290 "-" "Go-http-client/1.1"
A legit access followed by some probing:
195.20.x.x - - [06/Dec/2023:05:14:05 +0000] "GET / HTTP/1.1" 302 287 "-" "Go-http-client/1.1"
195.20.x.x - - [06/Dec/2023:05:14:16 +0000] "GET / HTTP/1.1" 301 26 "-" "Go-http-client/1.1"
195.20.x.x - - [06/Dec/2023:05:14:17 +0000] "GET /index.php/RISC_OS HTTP/1.1" 200 7210 "http://www.riscos.info/" "Go-http-client/1.1"
195.20.x.x - - [06/Dec/2023:05:14:19 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 302 305 "-" "Go-http-client/1.1"
195.20.x.x - - [06/Dec/2023:05:14:50 +0000] "GET /global-protect/login.esp HTTP/1.1" 302 311 "-" "Go-http-client/1.1"
195.20.x.x - - [06/Dec/2023:05:14:50 +0000] "GET /global-protect/login.esp HTTP/1.1" 404 303 "-" "Go-http-client/1.1"
The ownership of some of those prefixes is:
netname: Netease-Network
descr: Guangzhou NetEase Computer System Co.,Ltd
country: CN
organisation: ORG-FZTA3-RIPE
org-name: Ferdinand Zink trading as Tube-Hosting
country: DE
organisation: ORG-LA1853-RIPE
org-name: Limenet
org-type: OTHER
address: 84 W Broadway, Ste 200
address: 03038 Derry
address: United States of America
organisation: ORG-GL496-RIPE
org-name: Shelter LLC
country: RU
so not a geographic pattern.
> They obviously do not abide by robots.txt (or even read it), so the
> only way I know to block them is to add them to .htaccess as deny
> froms - some have the same top two numbers.
>
> Are there any better ways?
> One way is just to ignore them, I know, but I would not want a trickle
> to turn into a flood.
They appear to just be probing for vulnerable sites. I don't think anything
you do will affect the rate; they are just picking targets at random. I'd
guess it's just coming from a malware toolkit of some kind that happens to
be programmed in Go, possibly running through a botnet.
I doubt any kind of IP filtering is going to work. So it boils down to
how they're bothering you - filling up the log (something that's been
happening to riscos.info a few times of late), eating your bandwidth or CPU.
There are too many IPs to block in firewall rules. You could block accesses
from Go-http-client, but I think it would still log as blocked. Mostly from
the above they aren't actually interacting with real content on the site so
the CPU is not doing much serving real pages, and the 302/404 traffic is
minimal (~300 bytes per request). Maybe some kind of adaptive
firewalling/rate limiting, but that would probably block genuine traffic.
Unless you have scripts on your site that are actually vulnerable (in which
case you should fix them) I'm not sure there's much to be done. If you
provide a site on the internet, people (or bots) on the internet connect to
it. That's the deal.
Theo
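As an added illustration (not part of the thread, and not code from either poster), the following Python script does the kind of triage Theo describes by hand above: it parses Apache "combined" log lines, profiles each client, and flags hosts that show the three patterns in the quoted excerpts (a Go-http-client User-Agent, CONNECT requests to third-party hosts, and a burst of 404s against files the site never had). The sample log is constructed from the redacted lines quoted in the thread plus one ordinary browser visit from a documentation address; the `min_probe_404` threshold and the `peak_per_minute` measure are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, as in the riscos.info excerpts quoted above.
# The host field is \S+ so the redacted "91.92.x.x" form used in the post parses too.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: lines quoted in the thread plus one normal browser hit (203.0.113.7 is a documentation address).
SAMPLE_LOG = """\
106.2.x.x - - [19/Jan/2024:11:14:23 +0000] "CONNECT www.whitehouse.gov:443 HTTP/1.1" 302 292 "-" "Go-http-client/1.1"
91.92.x.x - - [14/Dec/2023:08:14:25 +0000] "GET //alfa.php HTTP/1.1" 404 287 "-" "Go-http-client/1.1"
91.92.x.x - - [14/Dec/2023:08:14:25 +0000] "GET //shell.php HTTP/1.1" 404 288 "-" "Go-http-client/1.1"
91.92.x.x - - [14/Dec/2023:08:14:25 +0000] "GET //wso.php HTTP/1.1" 404 286 "-" "Go-http-client/1.1"
195.20.x.x - - [06/Dec/2023:05:14:05 +0000] "GET / HTTP/1.1" 302 287 "-" "Go-http-client/1.1"
195.20.x.x - - [06/Dec/2023:05:14:17 +0000] "GET /index.php/RISC_OS HTTP/1.1" 200 7210 "http://www.riscos.info/" "Go-http-client/1.1"
195.20.x.x - - [06/Dec/2023:05:14:19 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 302 305 "-" "Go-http-client/1.1"
195.20.x.x - - [06/Dec/2023:05:14:50 +0000] "GET /global-protect/login.esp HTTP/1.1" 404 303 "-" "Go-http-client/1.1"
203.0.113.7 - - [06/Dec/2023:05:20:00 +0000] "GET /index.php/RISC_OS HTTP/1.1" 200 7210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
"""


def parse(lines):
    """Yield one dict per well-formed log line; lines that don't match are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["when"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def peak_per_minute(times):
    """Largest number of requests from one host inside any 60-second window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > 60:
            start += 1
        best = max(best, end - start + 1)
    return best


def profile_hosts(log_text):
    """Aggregate per-client counters that matter for deciding what the traffic is."""
    hosts = defaultdict(lambda: {"requests": 0, "connect": 0, "not_found": 0,
                                 "paths": set(), "ua": set(), "times": []})
    for rec in parse(log_text.splitlines()):
        h = hosts[rec["host"]]
        h["requests"] += 1
        h["ua"].add(rec["ua"])
        h["paths"].add(rec["target"])
        h["times"].append(rec["when"])
        if rec["method"] == "CONNECT":
            h["connect"] += 1          # CONNECT to someone else's host = open-proxy test
        if rec["status"] == "404":
            h["not_found"] += 1        # misses on files the site never served
    for h in hosts.values():
        h["peak_per_minute"] = peak_per_minute(h["times"])
    return hosts


def classify(profile, min_probe_404=3):
    """Return the reasons (possibly none) a host looks like the scanner in the thread."""
    reasons = []
    if any(ua.startswith("Go-http-client/") for ua in profile["ua"]):
        reasons.append("go-http-client")
    if profile["connect"]:
        reasons.append("proxy-probe")
    if profile["not_found"] >= min_probe_404:
        reasons.append("path-probe")
    return reasons


def suspicious_hosts(log_text):
    """Map each flagged client to the list of reasons it was flagged."""
    return {host: r for host, p in profile_hosts(log_text).items() if (r := classify(p))}


if __name__ == "__main__":
    for host, reasons in suspicious_hosts(SAMPLE_LOG).items():
        print(f"{host:14} {', '.join(reasons)}")
```

Run against a real access log (`suspicious_hosts(open("access.log").read())`) the output is a short per-client summary rather than a block list; as Theo notes, blocked requests still get logged, so the useful outcome is knowing whether any probed path actually exists on your site (a 200 rather than a 404 next to a `*.php` probe) and whether `peak_per_minute` is high enough to justify rate limiting at all.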