On Friday, 5 February 2021 01:48:09 GMT Adam Carter wrote:
> On Thu, Feb 4, 2021 at 6:07 PM Adam Carter <adamcart...@gmail.com> wrote:
> > On Thursday, February 4, 2021, <the...@sys-concept.com> wrote:
> >> I'm perplexed by this entry in the apache log.
> >> I'm sure it was done by the same person as the timing is very sequential and
> >> it is the same file-name request, but how were they able to launch an attack
> >> from different IPs in different geographical locations?
> >> Can they spoof an IP?
> > 
> > Probably just different instances of the same bot scanning for
> > vulnerabilities. I imagine you will keep seeing that log line from many
> > different IPs.
> 
> FWIW I'm seeing the same traffic. Here are some numbers:
> 
> $ zgrep -ic wlwmanifest.xml access.log*
> access.log:16
> access.log-20210110.gz:0
> access.log-20210117.gz:0
> access.log-20210124.gz:34
> access.log-20210131.gz:0

Bot herders have acquired many geographically dispersed IP addresses to run 
their reconnaissance scripts from.  When you block one subnet or ISP block, 
they will usually pop up in the logs almost immediately from another ISP in the 
same or a different country.  Their calls seem to coincide with evening or day 
time hours in their respective countries of origin.

Script kiddies tend to use mobile IPs, indicating they're using their phone or 
SIM as a modem.  When you block them they don't come back at least until their 
PAYG phone contract runs out.

There may also be state agents, but I would think it unlikely you'll find 
their fingerprints on your apache logs. :p

Depending on whether your server's IP address features on some target list, the 
volume of calls can become quite high.  Trying to manually block the bots is a 
tedious and ineffective task, because the professionals will add yet one more 
compromised IP address to their herd faster than you can block them.  A 
scripted honeypot to automatically block typical mass scans, e.g. for 
wordpress installations, would be more effective.

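The log-driven auto-blocker suggested in the last message, as an added example that is not code from the thread or from any of its participants. It parses Apache combined-format lines, treats requests for WordPress-only paths (the wlwmanifest.xml probe counted above, plus xmlrpc.php, wp-login.php and wp-includes/ as assumed companions) as scan hits on a host that does not run WordPress, and emits nft(8) commands for clients that cross a threshold. The sample log lines are constructed with RFC 5737 documentation addresses; the table and set names in the generated commands, and the NEVER_BLOCK ranges, are assumptions to adjust for your own firewall. The point of scripting it, as the message says, is that a manual blocklist cannot keep pace with a distributed herd: the script blocks on behaviour, so a new source IP is handled the moment it shows the same signature.

```python
"""Log-driven auto-blocker for WordPress mass scans (added example, not from the thread)."""
import re
import ipaddress
from collections import Counter

# Apache "combined" LogFormat:  %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths only a WordPress recon script asks for on a host that does not run WordPress.
# wlwmanifest.xml is the probe counted in the thread; the others are assumed companions.
SCAN_PATH_RE = re.compile(
    r'(/wlwmanifest\.xml|/xmlrpc\.php|/wp-login\.php|/wp-includes/)', re.IGNORECASE
)

# Never block these whatever the logs say (loopback, RFC 1918; add your own monitors).
NEVER_BLOCK = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_scan_request(path):
    """True when the request path matches a WordPress recon pattern."""
    # Strip the query string first so "?foo=bar" cannot change the match.
    return SCAN_PATH_RE.search(path.split("?", 1)[0]) is not None


def is_protected(ip):
    """True for addresses we refuse to block, including anything that is not an IP."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable client field: never turn it into a firewall rule
    return any(addr in net for net in NEVER_BLOCK)


def scan_hits(lines):
    """Count scan requests per client IP; unparsable and non-scan lines are ignored."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_scan_request(rec["path"]):
            hits[rec["ip"]] += 1
    return hits


def blocklist(lines, threshold=2):
    """IPs with at least `threshold` scan hits, minus protected ranges, sorted."""
    return sorted(ip for ip, n in scan_hits(lines).items()
                  if n >= threshold and not is_protected(ip))


def nft_commands(ips, table="inet filter", set_name="scanners"):
    """Render nft(8) commands adding each IP to a named set (table/set names assumed)."""
    return [f"nft add element {table} {set_name} {{ {ip} }}" for ip in ips]


# Constructed sample lines (RFC 5737 documentation addresses), not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Feb/2021:09:12:01 +0000] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Feb/2021:09:12:01 +0000] "GET /blog/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Feb/2021:09:12:02 +0000] "GET /web/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Feb/2021:09:13:44 +0000] "GET /xmlrpc.php HTTP/1.1" 404 196 "-" "python-requests/2.25"
198.51.100.23 - - [04/Feb/2021:09:13:45 +0000] "GET /wp-login.php?redirect_to=%2F HTTP/1.1" 404 196 "-" "python-requests/2.25"
192.0.2.88 - - [04/Feb/2021:09:14:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.88 - - [04/Feb/2021:09:14:11 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Feb/2021:09:15:00 +0000] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "uptime-check"
10.0.0.5 - - [04/Feb/2021:09:15:01 +0000] "GET /xmlrpc.php HTTP/1.1" 404 196 "-" "uptime-check"
this line is garbage and must not crash the parser
"""


if __name__ == "__main__":
    # On the sample: 203.0.113.7 (3 hits) and 198.51.100.23 (2 hits) are blocked;
    # 192.0.2.88 stays under the threshold and 10.0.0.5 is in a protected range.
    for cmd in nft_commands(blocklist(SAMPLE_LOG.splitlines())):
        print(cmd)
```

Run it against `tail -F` of the live access log in production rather than a whole file, and give the nft set a timeout so a mobile or CGNAT address that a bot borrowed for an hour does not stay blocked for good; the threshold exists because a single request for wp-login.php can come from a confused crawler, whereas three wlwmanifest.xml probes in two seconds cannot.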