Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Spam-bots hunting for blogs. How to stop this?

Discussion in 'General Discussion' started by jols, Jan 26, 2006.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    168
    Lately I've been seeing a ton of these in the apache access logs:

    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /file/forms/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /html/xmlrpc.php HTTP/1.1" 404 -


    I take it that the "404" means that the target of the hunt was not found, but I am sure that this spiking bandwidth like crazy. I am wondering if there is a way to tweak, or add a new rule to the BFD package, or maybe PortSentry that would stop this after only a few seeks. Anyone?


    P.S. What the heck are these about:

    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:03 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:03 -0600] "-" 408 -

    These entries sometimes goes on for miles...
     
    #1 jols, Jan 26, 2006
  2. dball

    dball Member

    Joined:
    Dec 19, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Alabama
    Code:
    P.S. What the heck are these about:

210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -

    408 is "Request Time-out"

    210.196.127.184 is apparently in Japan (JPNIC Address Space) and allocated to
    Network Information:
    a. [Network Number] 210.196.127.176/28
    b. [Network Name] YOKOHAMA-SSS
    g. [Organization] Yokohama Sogo Shasin Corporation​

    -- David
     
    #2 dball, Jan 26, 2006
  3. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    168

    Great. Thanks. That what the heck do you suppose that this is all about? DoS attack?
     
    #3 jols, Jan 26, 2006
(You must log in or sign up to post here.)
Loading...
Similar Threads - Spam bots hunting
  1. Bashed

    CBL Listing Due to "Spam Trap Servers"

    Bashed, Apr 19, 2018 at 3:30 PM, in forum: E-mail Discussions
    Replies:
    6
    Views:
    43
    cPanelLauren
    Apr 20, 2018 at 7:46 AM
  2. Rajubhai Rathod

    Email Going in Spam

    Rajubhai Rathod, Apr 16, 2018 at 5:18 AM, in forum: E-mail Discussions
    Replies:
    1
    Views:
    46
    cPanelMichael
    Apr 16, 2018 at 10:26 AM
  3. John Manning

    Configure SpamAssassin to block outgoing form mail

    John Manning, Apr 13, 2018, in forum: E-mail Discussions
    Replies:
    11
    Views:
    81
    cPanelLauren
    Apr 13, 2018
  4. Bashed

    Malicious Spam Scripts

    Bashed, Apr 10, 2018, in forum: Security
    Replies:
    2
    Views:
    68
    cPanelMichael
    Apr 11, 2018
  5. Bob Suhaili

    Blacklist disappeared in SpamAssassin?

    Bob Suhaili, Apr 8, 2018, in forum: E-mail Discussions
    Replies:
    1
    Views:
    50
    cPanelMichael
    Apr 9, 2018

Share This Page