Bot Traffic?

I have regular visitors from geographical areas that I assume are proxies. Every time I see activity I don't like and block the "source", it seems to come up elsewhere. At the moment I've redirected the port to a junk Apache site to see how quickly it stops.

Are these waterfall snapshots using the Kiwiclient? (Each is repeated three times.)

Yes, I should just use the client in various configurations to see the format of the GET request. I do understand I should RTFM; I was just looking to save time as I have to work.

Thanks for any shortcuts. Also, is anyone else seeing these connections?

Stu

Comments

  • So this is still ongoing and the IPs seem related to vultr.com, which offers cloud compute services.

    [27/Jan/2021:09:43:12 +0000] "GET /1611802593/W/F HTTP/1.1"

    Connections from Singapore (45.77.252.20) preface the request with /kiwi/ and have only two repeats, so either the scripts are not the same or it is looking for a different response / layout.

    Some might ask why I don't just turn port forward off completely, but where is the fun in that?

    In the same vein I view passwords on everyday FTP attempts; it is instructive to learn what they are looking for or what exploit has just got out in the wild (default accounts on CCTV, servers, routers, SIP accounts and other IoT items mainly).

    I doubt this is anything to do with Korea or Singapore, but as I do have a lot of addresses elsewhere blocked I guess someone is paying for the virtual host time. I assume a large number of other Web SDRs will be on the scan list (or it would have stopped after days of 404 errors). Many users might not care who is scraping data, but I think we are in unprecedented times of information warfare and I have no wish to assist some foreign actors in profiling the UK airwaves.

    I also see regular port scans from alibaba-inc.com addresses; that is only for ports that I previously ran the PI tests on. Beware those cheap clones, guys: I virtually guarantee they have "undocumented features".
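
Added example, not part of the original thread: a Python sketch that groups Apache access-log entries matching the request shape quoted in the comment above (a numeric path segment followed by /W/F, optionally prefixed with /kiwi) by client address and variant, so repeat counts and responses per source can be compared. The log lines are constructed in Common Log Format using documentation-range addresses, and the names CLF, PROBE, SAMPLE and summarise are assumptions of this example.

```python
import re

# Apache Common Log Format: host ident user [time] "METHOD path proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# Request shape quoted in the thread: optional /kiwi prefix, digits, then /W/F
PROBE = re.compile(r'^(/kiwi)?/(\d+)/W/F$')

# Constructed sample lines (documentation address ranges, not real traffic)
SAMPLE = """\
192.0.2.10 - - [27/Jan/2021:09:43:12 +0000] "GET /1611802593/W/F HTTP/1.1" 404 196
192.0.2.10 - - [27/Jan/2021:09:43:13 +0000] "GET /1611802593/W/F HTTP/1.1" 404 196
192.0.2.10 - - [27/Jan/2021:09:43:14 +0000] "GET /1611802593/W/F HTTP/1.1" 404 196
198.51.100.7 - - [27/Jan/2021:10:02:40 +0000] "GET /kiwi/1611802593/W/F HTTP/1.1" 404 196
198.51.100.7 - - [27/Jan/2021:10:02:41 +0000] "GET /kiwi/1611802593/W/F HTTP/1.1" 404 196
203.0.113.5 - - [27/Jan/2021:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 512
this line is not a log entry
"""


def summarise(lines):
    """Return {(client, variant): {"count": n, "statuses": {...}}} for probe requests."""
    result = {}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip anything that is not a well-formed CLF entry
        host, _when, method, path, status = m.groups()
        p = PROBE.match(path)
        if method != "GET" or not p:
            continue  # ordinary traffic, not the request shape of interest
        variant = "kiwi-prefix" if p.group(1) else "bare"
        entry = result.setdefault((host, variant), {"count": 0, "statuses": set()})
        entry["count"] += 1
        entry["statuses"].add(status)
    return result


if __name__ == "__main__":
    for (host, variant), info in sorted(summarise(SAMPLE.splitlines()).items()):
        print(f"{host:15} {variant:12} x{info['count']} -> {sorted(info['statuses'])}")
```
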
