
#1 2016-02-27 1:20 pm

jmaebe
Member
Registered: 2016-02-27
Posts: 3

Requests for 8-character files ending in .txt

Hi,

We run a mediawiki site. Every day, there are hundreds of requests for non-existent pages/files of the form /.{8}\.txt. The name of the file varies, but the same file is often requested tens or hundreds of times in a row by the same IP address.

Does anyone know what they are trying to achieve by this?

E.g.

120.76.72.189 - - [26/Feb/2016:23:25:57 +0100] "GET /mgxonxlq.txt [snip]
[19 more identical requests]
123.57.240.1 - - [26/Feb/2016:23:45:21 +0100] "GET /hiusmmna.txt [snip]
[720 more identical requests]

Thanks,


Jonas

(I had to mangle the Apache log line to get past the spam filter)


#2 2016-02-27 7:07 pm

pedigree
uıɐbɐ ʎɐqǝ ɯoɹɟ pɹɐoqʎǝʞ ɐ buıʎnq ɹǝʌǝu ɯ,ı
From: New Zealand
Registered: 2008-04-16
Posts: 7,056

Re: Requests for 8-character files ending in .txt

The complexity of the random file names points to a couple of things: a disguised HEAD-type request to get details of the server, or a possible spider looking for default (aka index.php?$1) type handling.


#3 2016-02-28 1:06 pm

jmaebe
Member
Registered: 2016-02-27
Posts: 3

Re: Requests for 8-character files ending in .txt

Given that they request the same file from the same IP address hundreds of times in a row, it doesn't look like either spidering or finding out details about the webserver. It definitely does look like bot behaviour though.

I've now checked the log files more thoroughly, and
* those requests actually make up about 5% of our total number of requests (89123 out of 1745642 requests last week)
* all of the involved IP addresses (263 unique ones last week) seem to be from China
* all of the requests always return a 404. While mediawiki uses a 404 redirect handler, the requests from those IP addresses never end up at the redirected page
* those IP addresses don't request any other kind of page from the wiki
* all requests are with a user agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
* sometimes a single IP address interleaves requests for different files. E.g.:

112.124.114.155 - - [23/Feb/2016:05:51:16 +0100] "GET /jhpywseg.txt [snip]
112.124.114.155 - - [23/Feb/2016:05:51:17 +0100] "GET /vgpdcwyj.txt [snip]
112.124.114.155 - - [23/Feb/2016:05:51:21 +0100] "GET /jhpywseg.txt [snip]
112.124.114.155 - - [23/Feb/2016:05:51:22 +0100] "GET /vgpdcwyj.txt [snip]

* very few of the IP addresses are in any blacklist according to www.ipvoid.com (or stopforumspam). Some of them seem to be in blocklist.de, but that's it. I tried to look up a few in the botnet.global.sonicwall.com list too, but didn't get any hits.
* we keep logs up to a year back, and the first such request I can find is (also with a 404 return code)

223.96.158.3 - - [26/May/2015:16:59:00 +0200] "GET /ihsqaros.txt [snip]

It almost seems like our server is supposed to be a C&C host and they're trying to get new instructions or so. The server was compromised once about 10 years ago, I think, but after that the VM was recreated from scratch.

These requests are obviously trivially blocked via .htaccess, but I'm really wondering what it's about, and it's strange I can't find anything about it anywhere (although it's hard to come up with good search terms).


#4 2016-02-28 6:58 pm

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 2,423

Re: Requests for 8-character files ending in .txt

jmaebe wrote:

It almost seems like our server is supposed to be a C&C host and they're trying to get new instructions or so. The server was compromised once about 10 years ago, I think, but after that the VM was recreated from scratch.

I used to see that in the days that I ran a PHP site. Even though they were text files, the sources requested were script files that they were hoping to run. However, you should get a response from your searches, but I cannot get any responses either.

As long as you are sure that your site is clean, block 'em & forget about it.

For the record, and from the SFS point of view, I need to point out that what you are experiencing is abuse and not spam. Therefore, these folks can NOT be reported to SFS.


#5 2016-02-28 7:33 pm

NeoFox
Member
From: WI, USA, Earth
Registered: 2013-09-26
Posts: 830

Re: Requests for 8-character files ending in .txt

I think it's a misconfigured thing in their forum spammer software. Consider this. Every line in their crappy little software is a random text line, right? Maybe they are saying those random URLs are actually a GET statement, by them, to scrape a line of text off your site to include in their crappy little setup.

Just my 2 cents? Are you certain you aren't serving up that text file or anything else to them?

Last edited by NeoFox (2016-02-28 7:34 pm)


#6 2016-03-01 5:06 pm

jmaebe
Member
Registered: 2016-02-27
Posts: 3

Re: Requests for 8-character files ending in .txt

Thanks for all the feedback. I've discovered what it is. That server also runs a public ftp server. Those same IP addresses traverse the entire ftp hierarchy and try to upload a file by that name to every directory. All of those uploads fail with an error code, but afterwards they still check whether they can download the file they uploaded to that directory by accessing it relative to the root of the webserver.

And now it's fail2ban time :)
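
As an added example (not code from anyone in this thread), here is a small Python script that applies the original poster's /.{8}\.txt pattern to Apache access-log lines and reports, per source IP, how many such 404s it sent and whether it asked for anything else, which is the observation from post #3 that separates these probing hosts from ordinary visitors. The sample lines are constructed in the thread's log format, since the quoted originals were cut at "[snip]"; the threshold and the documentation-range IPs are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined-log format. The thread's lines were
# cut at "[snip]", so everything after the request path is made up here.
SAMPLE_LOG = """\
112.124.114.155 - - [23/Feb/2016:05:51:16 +0100] "GET /jhpywseg.txt HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
112.124.114.155 - - [23/Feb/2016:05:51:17 +0100] "GET /vgpdcwyj.txt HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
112.124.114.155 - - [23/Feb/2016:05:51:21 +0100] "GET /jhpywseg.txt HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
112.124.114.155 - - [23/Feb/2016:05:51:22 +0100] "GET /vgpdcwyj.txt HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [23/Feb/2016:05:52:01 +0100] "GET /index.php?title=Main_Page HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Feb/2016:05:52:05 +0100] "GET /readme12.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Feb/2016:05:53:40 +0100] "GET /abcdefgh.txt HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# Common/combined log line: client IP, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# The pattern the original poster gave (/.{8}\.txt), anchored to the whole path.
PROBE_RE = re.compile(r'^/.{8}\.txt$')


def summarize(log_text):
    """Per source IP: count of 404'd eight-character .txt probes, the distinct
    probe names, and the count of every other request."""
    stats = defaultdict(lambda: {"probes": 0, "names": set(), "other": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if m["method"] == "GET" and m["status"] == "404" and PROBE_RE.match(m["path"]):
            stats[m["ip"]]["probes"] += 1
            stats[m["ip"]]["names"].add(m["path"])
        else:
            stats[m["ip"]]["other"] += 1
    return dict(stats)


def suspicious_ips(log_text, min_probes=3):
    """IPs that sent at least min_probes probes and nothing else. The 'nothing
    else' test follows the poster's observation that these hosts never asked
    for a real wiki page, so ordinary visitors who hit one odd 404 are spared."""
    return sorted(ip for ip, s in summarize(log_text).items()
                  if s["probes"] >= min_probes and s["other"] == 0)


if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip}: {s['probes']} probes {sorted(s['names'])}, {s['other']} other")
    print("candidates for blocking:", suspicious_ips(SAMPLE_LOG))
```

The list returned by suspicious_ips is what you would hand to a block list or a fail2ban-style ban action; the mixed host 203.0.113.7 is deliberately left out because it also fetched a real page.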
