Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Spam-bots hunting for blogs. How to stop this?

Discussion in 'General Discussion' started by jols, Jan 26, 2006.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    168
    Lately I've been seeing a ton of these in the apache access logs:

    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /file/forms/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.1" 404 -
    70.85.51.20 - - [26/Jan/2006:02:26:43 -0600] "GET /html/xmlrpc.php HTTP/1.1" 404 -


    I take it that the "404" means that the target of the hunt was not found, but I am sure that this spiking bandwidth like crazy. I am wondering if there is a way to tweak, or add a new rule to the BFD package, or maybe PortSentry that would stop this after only a few seeks. Anyone?


    P.S. What the heck are these about:

    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:03 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:03 -0600] "-" 408 -

    These entries sometimes goes on for miles...
     
  2. dball

    dball Member

    Joined:
    Dec 19, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Alabama
    Code:
    P.S. What the heck are these about:
    
    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -
    210.196.127.184 - - [25/Jan/2006:23:25:02 -0600] "-" 408 -

    408 is "Request Time-out"

    210.196.127.184 is apparently in Japan (JPNIC Address Space) and allocated to
    Network Information:
    a. [Network Number] 210.196.127.176/28
    b. [Network Name] YOKOHAMA-SSS
    g. [Organization] Yokohama Sogo Shasin Corporation​

    -- David
     
  3. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    168

    Great. Thanks. That what the heck do you suppose that this is all about? DoS attack?
     
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice