I have a project I use as an “API”. It basically is a gateway for me to use my database with other things. I noticed that I was getting weird requests that weren’t from me.
::ffff:127.0.0.1 - HEAD /wp/ HTTP/1.1 404 143 - 2.818 ms
::ffff:127.0.0.1 - HEAD /wordpress/ HTTP/1.1 404 150 - 1.038 ms
::ffff:127.0.0.1 - HEAD /blog/ HTTP/1.1 404 145 - 2.360 ms
::ffff:127.0.0.1 - GET /flex2gateway/amf HTTP/1.1 404 155 - 0.869 ms
::ffff:127.0.0.1 - GET /robots.txt HTTP/1.1 404 149 - 4.103 ms
::ffff:127.0.0.1 - GET /CFIDE/Administrator/index.cfm HTTP/1.1 404 168 - 0.624 ms
::ffff:127.0.0.1 - HEAD / HTTP/1.1 200 2 - 0.916 ms
::ffff:127.0.0.1 - GET /.hg/hgrc HTTP/1.1 404 147 - 0.692 ms
::ffff:127.0.0.1 - GET /sftp_config.json HTTP/1.1 404 155 - 0.677 ms
::ffff:127.0.0.1 - GET /scripts/cfformhistory.cfm HTTP/1.1 404 164 - 0.564 ms
::ffff:127.0.0.1 - GET /cf_scripts/scripts/cfformhistory.cfm HTTP/1.1 404 175 - 0.600 ms
::ffff:127.0.0.1 - GET /CFIDE/scripts/cfformhistory.cfm HTTP/1.1 404 170 - 0.886 ms
::ffff:127.0.0.1 - GET /wwscripts/cfformhistory.cfm HTTP/1.1 404 166 - 0.613 ms
::ffff:127.0.0.1 - GET /FormScripts/cfformhistory.cfm HTTP/1.1 404 168 - 0.553 ms
::ffff:127.0.0.1 - GET /SSMWeb/login?1 HTTP/1.1 404 151 - 0.582 ms
::ffff:127.0.0.1 - GET /v2/keys/?recursive=true HTTP/1.1 404 147 - 0.597 ms
::ffff:127.0.0.1 - GET /v2/keys/?recursive=true HTTP/1.1 404 147 - 1.605 ms
::ffff:127.0.0.1 - GET /v2/keys/?recursive=true HTTP/1.1 404 147 - 0.579 ms
::ffff:127.0.0.1 - GET /v2/keys/?recursive=true HTTP/1.1 404 147 - 0.595 ms
::ffff:127.0.0.1 - GET /v2/keys/?recursive=true HTTP/1.1 404 147 - 0.555 ms
I don’t know where the requests are coming from, or who got the domain, but this shouldn’t be happening.
Probably, but the question is, how did they get the project name or the domain? All the code I use for this is backend code.
You would be surprised. I’ve looked through my access logs before and I see weird bots in there.
/v2/keys/?recursive=true and it looks like it is a part of this.
Are you coding in ColdFusion? Why all the .cfm requests?
No, the entire project is express and the database.
Hmm, pretty odd. I’m interested, I am going to do some more research on this and tell you if I find anything.
Ok, so I looked into this a little bit more and all of the .cfm files seem to be names of standard ColdFusion files (one was for forms, I think). What probably happened was a bot checked your site to see if it was a CF site? Maybe somebody made a typo? It would really help if you got the user agents.
Usually these are attacks that try to identify what you're running on your server, and attempt to find vulnerabilities within them.
If this is the case, I might as well log the IPs and requests to a file or database to block them later.
That would make sense. If you are using CF in 2020, you are asking to get hacked.
A lot of crawlers check many vulnerable endpoints regardless of what your site is actually made in. The most common is /wp-admin.php.
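One way to pull those probe hits out of the access-log format posted above and count them per client and path before deciding what to record or block, as an added example (not code from anyone in this thread); the probe path list is taken from the requests posted here, and the log line format is an assumption read off those lines:

```javascript
// Added example, not code from the thread: parse access-log lines in the
// format shown above and flag the paths scanners typically probe, so hits can
// be written to a file or database for later review or blocking.
// Assumed log format: "<ip> - <METHOD> <path> HTTP/x.y <status> <bytes> - <ms> ms".
const LOG_RE = /^(\S+) - (\S+) (\S+) HTTP\/[\d.]+ (\d{3}) (\S+) - ([\d.]+) ms$/;
// Probe paths taken from the thread (WordPress, ColdFusion, etcd, SCM/config leaks).
const PROBE_PREFIXES = ['/wp', '/wp-admin.php', '/wordpress', '/blog', '/CFIDE',
  '/cf_scripts', '/flex2gateway', '/.hg', '/sftp_config.json', '/v2/keys', '/SSMWeb'];
const PROBE_FILES = ['cfformhistory.cfm'];

function parseLogLine(line) {
  const m = LOG_RE.exec(line.trim());
  if (!m) return null; // unknown format: skip rather than guess
  return {
    ip: m[1].replace(/^::ffff:/, ''), // strip the IPv4-mapped IPv6 prefix
    method: m[2], path: m[3], status: Number(m[4]), ms: Number(m[6]),
  };
}

function isProbePath(path) {
  const bare = path.split('?')[0]; // ignore the query string
  return PROBE_PREFIXES.some((p) => bare === p || bare.startsWith(p + '/')) ||
    PROBE_FILES.some((f) => bare.endsWith('/' + f));
}

// Count probe hits per client IP and per path. Every address in the thread is
// 127.0.0.1: behind a reverse proxy the logged IP is the proxy's, so set
// Express's 'trust proxy' option before blocking by IP, or everyone gets banned.
function summarizeProbes(lines) {
  const byIp = {}, byPath = {};
  let total = 0, probes = 0;
  for (const line of lines) {
    const r = parseLogLine(line);
    if (!r) continue;
    total += 1;
    if (!isProbePath(r.path)) continue;
    probes += 1;
    byIp[r.ip] = (byIp[r.ip] || 0) + 1;
    byPath[r.path] = (byPath[r.path] || 0) + 1;
  }
  return { total, probes, byIp, byPath };
}

// Constructed sample: a few of the lines posted in the thread.
const SAMPLE_LOG = [
  '::ffff:127.0.0.1 - HEAD /wp/ HTTP/1.1 404 143 - 2.818 ms',
  '::ffff:127.0.0.1 - GET /robots.txt HTTP/1.1 404 149 - 4.103 ms',
  '::ffff:127.0.0.1 - GET /CFIDE/Administrator/index.cfm HTTP/1.1 404 168 - 0.624 ms',
  '::ffff:127.0.0.1 - GET /scripts/cfformhistory.cfm HTTP/1.1 404 164 - 0.564 ms',
  '::ffff:127.0.0.1 - GET /v2/keys/?recursive=true HTTP/1.1 404 147 - 0.597 ms',
];
console.log(summarizeProbes(SAMPLE_LOG));
```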
But what caught me off-guard was that the first few requests were to
Since this is an issue, would it be bad if I logged requests like these to a database to block?
Do what you want with them, but they will come from many IPs and user agents.
What I mean is, to block it, to prevent it from doing further damage. All of this happened within the same minute. And this happened two hours ago. So banning the IP would help other people as well.
It's not actually doing any damage, and if you want to ban the IPs on your site, go ahead.
I have maybe 8 banned on my site.