[gentoo-user] spam - different IP's


the...@sys-concept.com

Feb 4, 2021, 12:30:04 AM
I'm perplexed by this entry in the apache log.
I'm sure it was done by the same person, as the timing is very sequential and it's the same file-name request, but how were they able to launch an attack from different IPs in different geographical locations?
Can they spoof an IP?

173.201.196.206 - - [03/Feb/2021:19:17:47 -0700] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
195.70.43.234 - - [03/Feb/2021:19:18:24 -0700] "GET /wordpress/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
198.38.92.110 - - [03/Feb/2021:19:21:18 -0700] "GET /new/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
50.62.208.141 - - [03/Feb/2021:19:21:20 -0700] "GET /en/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
64.62.206.242 - - [03/Feb/2021:19:21:34 -0700] "GET /web/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
184.168.46.171 - - [03/Feb/2021:19:22:11 -0700] "GET /home/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
50.63.196.23 - - [03/Feb/2021:19:23:41 -0700] "GET /www/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
203.205.21.159 - - [03/Feb/2021:19:23:57 -0700] "GET /staging/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
66.113.226.191 - - [03/Feb/2021:19:25:42 -0700] "GET /news/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
148.72.232.107 - - [03/Feb/2021:19:26:06 -0700] "GET /news/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
35.208.134.190 - - [03/Feb/2021:19:26:22 -0700] "GET /shop/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
160.153.153.30 - - [03/Feb/2021:19:26:50 -0700] "GET /main/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
192.241.230.24 - - [03/Feb/2021:19:27:50 -0700] "GET /v2/wp-includes/wlwmanifest.xml HTTP/1.1" 403 199
66.113.221.43 - - [03/Feb/2021:19:28:37 -0700] "GET /website/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
2.50.180.72 - - [03/Feb/2021:19:28:48 -0700] "GET /portal/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
104.236.82.97 - - [03/Feb/2021:19:29:39 -0700] "GET /2019/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
50.63.197.91 - - [03/Feb/2021:19:30:46 -0700] "GET /1/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
103.27.61.222 - - [03/Feb/2021:19:30:57 -0700] "GET /store/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
184.168.152.18 - - [03/Feb/2021:19:31:14 -0700] "GET /wp2/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
184.168.193.129 - - [03/Feb/2021:19:31:24 -0700] "GET /blogs/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
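Detection logic for the pattern in this log, added here as an example and not part of the thread: it correlates requests by the file name asked for rather than by source address, which is what makes a one-request-per-IP scan like this one visible. The sample lines are constructed from the post above plus one unrelated request; the window and threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: five lines from the post above plus one ordinary,
# unrelated request so the detector has something to leave alone.
SAMPLE_LOG = """\
173.201.196.206 - - [03/Feb/2021:19:17:47 -0700] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
195.70.43.234 - - [03/Feb/2021:19:18:24 -0700] "GET /wordpress/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
198.38.92.110 - - [03/Feb/2021:19:21:18 -0700] "GET /new/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
50.62.208.141 - - [03/Feb/2021:19:21:20 -0700] "GET /en/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196
192.241.230.24 - - [03/Feb/2021:19:27:50 -0700] "GET /v2/wp-includes/wlwmanifest.xml HTTP/1.1" 403 199
203.0.113.7 - - [03/Feb/2021:19:28:00 -0700] "GET /index.html HTTP/1.1" 200 5120
"""

# Apache "common" log format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_clf(line):
    """Return a dict for one CLF line, or None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_distributed_probes(lines, window_s=900, min_ips=3):
    """Group hits by requested file name; report a name when at least
    min_ips distinct addresses asked for it inside a sliding window of
    window_s seconds. A per-IP counter never fires on this log because
    every bot sends a single request from a fresh address."""
    by_name = defaultdict(list)
    for line in lines:
        rec = parse_clf(line)
        if rec:
            name = rec["path"].rsplit("/", 1)[-1]
            by_name[name].append((rec["ts"], rec["ip"]))
    probes = {}
    for name, hits in by_name.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ips = {ip for t, ip in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(ips) >= min_ips:
                probes[name] = {"first_seen": t0.isoformat(), "ips": sorted(ips)}
                break  # one report per probed file name is enough
    return probes
```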

the...@sys-concept.com

Feb 4, 2021, 12:50:03 AM
Correction: should be "launch"

Adam Carter

Feb 4, 2021, 2:10:03 AM
On Thursday, February 4, 2021, <the...@sys-concept.com> wrote:
I'm perplexed by this entry in the apache log.
I'm sure it was done by the same person, as the timing is very sequential and it's the same file-name request, but how were they able to launch an attack from different IPs in different geographical locations?
Can they spoof an IP?


Probably just different instances of the same bot scanning for vulnerabilities. I imagine you will keep seeing that log from many different IPs.

William Kenworthy

Feb 4, 2021, 2:20:04 AM

Check the IPs on https://www.abuseipdb.com/ or similar, or do a hostname and whois lookup.

The 3 IPs I checked all come from the same organisation/location (secureserver.net in the US) ...

BillK

bobwxc

Feb 4, 2021, 4:10:03 AM
On 2021/2/4 1:22 PM, the...@sys-concept.com wrote:
> I'm perplexed by this entry in the apache log.
> I'm sure it was done by the same person, as the timing is very sequential and it's the same file-name request, but how were they able to launch an attack from different IPs in different geographical locations?
> Can they spoof an IP?
This is very common.
If someone attacks intentionally, they usually have an IP pool to avoid
being blocked.
Also, ISPs sometimes give dynamic IPs to users, which causes the IPs of
normal users to change.

And one suggestion: just put part of an IP in the list, using '*' to
replace some fields,
to avoid information leakage.

--
bobwxc
F645 5C7A 08E8 A637 24C6 D59E 36E9 4EAB B53E 516B


Adam Carter

Feb 4, 2021, 8:50:03 PM
On Thu, Feb 4, 2021 at 6:07 PM Adam Carter <adamc...@gmail.com> wrote:
On Thursday, February 4, 2021, <the...@sys-concept.com> wrote:
I'm perplexed by this entry in the apache log.
I'm sure it was done by the same person, as the timing is very sequential and it's the same file-name request, but how were they able to launch an attack from different IPs in different geographical locations?
Can they spoof an IP?


Probably just different instances of the same bot scanning for vulnerabilities. I imagine you will keep seeing that log from many different IPs.

FWIW I'm seeing the same traffic. Here are some numbers:

$ zgrep -ic wlwmanifest.xml access.log*
access.log:16
access.log-20210110.gz:0
access.log-20210117.gz:0
access.log-20210124.gz:34
access.log-20210131.gz:0

Michael

Feb 5, 2021, 5:20:04 AM
Bot herders have acquired many geographically dispersed IP addresses to run
their reconnaissance scripts from. When you block one subnet or ISP block,
they will usually pop up in the logs almost immediately from another ISP in the
same or a different country. Their calls seem to coordinate with evening or
daytime hours in their respective countries of origin.

Script kiddies tend to use mobile IPs, indicating they're using their phone or
SIM as a modem. When you block them they don't come back at least until their
PAYG phone contract runs out.

There may also be state agents, but I would think it unlikely you'll find
their fingerprints on your apache logs. :p

Depending on your server's IP address featuring on some target list, the
volume of calls can become quite high. Trying to manually block the bots is a
tedious and ineffective task, because the professionals will add yet one more
compromised IP address to their herd faster than you can block them. A
scripted honeypot to automatically block typical mass scans, e.g. for
wordpress installations, would be more effective.

William Kenworthy

Feb 5, 2021, 9:00:03 AM

On 5/2/21 6:10 pm, Michael wrote:
> On Friday, 5 February 2021 01:48:09 GMT Adam Carter wrote:
>> On Thu, Feb 4, 2021 at 6:07 PM Adam Carter <adamc...@gmail.com> wrote:
>>> On Thursday, February 4, 2021, <the...@sys-concept.com> wrote:
>>>> I'm perplexed by this entry in the apache log.
>>>> I'm sure it was done by the same person, as the timing is very sequential and
>>>> it's the same file-name request, but how were they able to launch an attack
>>>> from different IPs in different geographical locations?
>>>> Can they spoof an IP?
>>> Probably just different instances of the same bot scanning for
>>> vulnerabilities. I imagine you will keep seeing that log from many
>>> different ips
>> FWIW I'm seeing the same traffic. Here are some numbers:
>>
>> $ zgrep -ic wlwmanifest.xml access.log*
>> access.log:16
>> access.log-20210110.gz:0
>> access.log-20210117.gz:0
>> access.log-20210124.gz:34
>> access.log-20210131.gz:0
> Bot herders have acquired many geographically dispersed IP addresses to run
...
> Depending on your server's IP address featuring on some target list, the
> volume of calls can become quite high. Trying to manually block the bots is a
> tedious and ineffective task, because the professionals will add yet one more
> compromised IP address to their herd faster than you can block them. A
> scripted honeypot to automatically block typical mass scans, e.g. for
> wordpress installations, would be more effective.

Use fail2ban to target active abusers using your logs. (recommended)

Leverage the cloud with something like:
http://iplists.firehol.org/?ipset=firehol_level1 (loaded to shorewall
with ipset:hash) to preemptively ban via blacklists - recommended. 
There are many good blacklists out there - this one is a meta-list and
has fast and responsive updates.

Snort (in IDS mode triggering a fail2ban rule) is a bit heavier
resource-wise but quite useful.  Snort in IPS mode is better, but it can
impact throughput. (if you are commercial, consider a licence to get the
latest rules as soon as they are created/needed.)

or use all of them at the same time :)

BillK

Grant Taylor

Feb 5, 2021, 11:50:03 AM
On 2/5/21 6:57 AM, William Kenworthy wrote:
> Use fail2ban to target active abusers using your logs. (recommended)

I've had extremely good luck using Fail2Ban in a distributed
configuration* such that when one of my servers bans an IP, my other
servers also (almost) immediately ban the same IP.

*I'm using Fail2Ban's (null / reject) "route" option. I have BGP
sessions between my servers synchronizing the banned routes.

> Leverage the cloud with something like:
> http://iplists.firehol.org/?ipset=firehol_level1 (loaded to shorewall
> with ipset:hash) to preemptively ban via blacklists - recommended.
> There are many good blacklists out there - this one is a meta-list
> and has fast and responsive updates.

That's an option.

I personally have some trouble swallowing the pill that is other
people's ban lists. -- It's one thing with adding to a spam score.
It's another when IPs are out and out blocked.

Aside: Make use of Fail2Ban's ignore feature to whitelist (or ignore
problems from) known good IPs.

> Snort (in IDS mode triggering a fail2ban rule) is a bit heavier
> resource-wise but quite useful. Snort in IPS mode is better, but it
> can impact throughput. (if you are commercial, consider a licence to
> get the latest rules as soon as they are created/needed.)

Another option in the same vein is to use the IPTables variants of the
Snort rules.



--
Grant. . . .
unix || die
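An added example (not from the thread, and not fail2ban's own code) that ties together William's fail2ban recommendation, Michael's idea of scripted blocking of the wordpress probe, and Grant's aside about ignoring known good IPs: a fail2ban-style failregex for the wlwmanifest.xml request, evaluated stand-alone with an ignoreip list and a per-IP threshold. The HOST_PATTERN substitution and the 192.0.2.0/24 ignore network are assumptions, and the sample log lines are constructed from the thread.

```python
import re
import ipaddress

# fail2ban-style failregex for the probe seen in this thread. In a
# filter.d file fail2ban expands <HOST> itself; HOST_PATTERN below is a
# simplified stand-in (assumption) so the regex runs outside fail2ban.
# The ".*" after "-" tolerates fail2ban cutting the timestamp out first.
FAILREGEX = r'^<HOST> -.*"(GET|POST|HEAD) \S*/wp-includes/wlwmanifest\.xml HTTP'
HOST_PATTERN = r'(?P<host>[0-9a-fA-F:.]+)'
failregex = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# Counterpart of jail.local "ignoreip": sources that are never banned
# (Grant's "known good IPs"). 192.0.2.0/24 is a constructed example.
IGNOREIP = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

def is_ignored(host):
    """True if host falls inside any IGNOREIP network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in IGNOREIP)

def hosts_to_ban(lines, maxretry=1):
    """Return {host: matches} for hosts that tripped failregex at least
    maxretry times and are outside IGNOREIP. maxretry=1 is deliberate:
    in the thread's log every bot hits once from a fresh address, so a
    conventional maxretry of 3 to 5 would never ban any of them."""
    matches = {}
    for line in lines:
        m = failregex.match(line)
        if m:
            matches[m["host"]] = matches.get(m["host"], 0) + 1
    return {h: n for h, n in matches.items()
            if n >= maxretry and not is_ignored(h)}

# Constructed sample: three lines from the thread, one probe from an
# address inside the ignore list, and one legitimate request.
SAMPLE = [
    '173.201.196.206 - - [03/Feb/2021:19:17:47 -0700] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 404 196',
    '198.38.92.110 - - [03/Feb/2021:19:21:18 -0700] "GET /new/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196',
    '192.241.230.24 - - [03/Feb/2021:19:27:50 -0700] "GET /v2/wp-includes/wlwmanifest.xml HTTP/1.1" 403 199',
    '192.0.2.10 - - [03/Feb/2021:19:30:00 -0700] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 404 196',
    '203.0.113.7 - - [03/Feb/2021:19:31:00 -0700] "GET /index.html HTTP/1.1" 200 5120',
]
```

Raising maxretry to 2 bans nothing on this sample, which is the point: against a one-hit-per-IP scan the pattern has to carry the decision, not the repeat count.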