Spam-bots hunting for blogs. How to stop this?

J

jols

Well-Known Member
Mar 13, 2004
1,107
3
168
Lately I've been seeing a ton of these in the apache access logs:

70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /file/forms/xmlrpc.php HTTP/1.1" 404 -
70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /html/xmlrpc.php HTTP/1.1" 404 -


I take it that the "404" means that the target of the hunt was not found, but I am sure that this spiking bandwidth like crazy. I am wondering if there is a way to tweak, or add a new rule to the BFD package, or maybe PortSentry that would stop this after only a few seeks. Anyone?


P.S. What the heck are these about:

210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
210.196.127.184 - - [25/Jan/2006:23:25:03 -0600] "-" 408 -
210.196.127.184 - - [25/Jan/2006:23:25:03 -0600] "-" 408 -

These entries sometimes goes on for miles...
 
D

dball

Member
Dec 19, 2003
6
0
151
Alabama
Code: 
P.S. What the heck are these about:

210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -

408 is "Request Time-out"

210.196.127.184 is apparently in Japan (JPNIC Address Space) and allocated to
Network Information:
a. [Network Number] 210.196.127.176/28
b. [Network Name] YOKOHAMA-SSS
g. [Organization] Yokohama Sogo Shasin Corporation​

-- David
 
J

jols

Well-Known Member
Mar 13, 2004
1,107
3
168
dball said:
Code: 
P.S. What the heck are these about:

210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -

408 is "Request Time-out"

210.196.127.184 is apparently in Japan (JPNIC Address Space) and allocated to
Network Information:
a. [Network Number] 210.196.127.176/28
b. [Network Name] YOKOHAMA-SSS
g. [Organization] Yokohama Sogo Shasin Corporation​

-- David
Click to expand...

Great. Thanks. That what the heck do you suppose that this is all about? DoS attack?
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
S Disabling spam-bots Email 4
J A good countermeasure to bot harvesters and spam comment bots Email 1
M How to block spam bots? Email 3
J DoSed by spam-bots, jeeeze I am getting tired of this! Email 23
C spam bots Email 9
Similar threads
Disabling spam-bots
A good countermeasure to bot harvesters and spam comment bots
How to block spam bots?
DoSed by spam-bots, jeeeze I am getting tired of this!
spam bots
Top Bottom