28 Jul
Help on what to do with these suspicious logs
Just set up my first Linode server this last Wednesday, and today I tried to take a look at the nginx
access logs, and found these suspicious logs.
47.96.15.13 - - [28/Jul/2018:14:54:05 +0800] "GET /webdav/ HTTP/1.1" 404 6303 "-" "-" "-"
47.96.15.13 - - [28/Jul/2018:14:54:06 +0800] "PROPFIND / HTTP/1.1" 404 6303 "-" "-" "-"
47.96.15.13 - - [28/Jul/2018:14:54:09 +0800] "POST /wuwu11.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:09 +0800] "POST /xw.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:10 +0800] "POST /xw1.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:10 +0800] "POST /9678.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:23 +0800] "POST /xx.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:25 +0800] "POST /wc.php HTTP/1.1" 499 0 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:27 +0800] "POST /w.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:30 +0800] "POST /sheep.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:30 +0800] "POST /db.init.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:31 +0800] "POST /db_session.init.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:32 +0800] "POST /db__.init.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:33 +0800] "POST /mx.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:33 +0800] "POST /wshell.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:39 +0800] "POST /xshell.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:40 +0800] "POST /qq.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:40 +0800] "POST /lindex.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:40 +0800] "POST /conflg.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:41 +0800] "POST /phpstudy.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:51 +0800] "POST /ak47.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:51 +0800] "POST /xiao.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:55 +0800] "POST /defect.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:54:55 +0800] "POST /webslee.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:02 +0800] "POST /hm.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:10 +0800] "POST /zuoshou.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:22 +0800] "POST /system.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:22 +0800] "POST /l7.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:27 +0800] "POST /q.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
47.96.15.13 - - [28/Jul/2018:14:55:27 +0800] "POST /qaq.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
I call it suspicious because the app hosted there is not even written in PHP.
What I was thinking is to block the IP address, but I am hesitant because it could be a dynamic IP and will be reassigned to a legit user, and they will be blocked.
Any advice on how to deal with this, I will appreciate it greatly.
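
One way to approach the dilemma raised in the post, as an added example that is not part of the original post: flag a client that requests many distinct nonexistent paths in a short window, and give the block an expiry so a reassigned dynamic address is not shut out for good. The function name `find_probers`, the threshold, window and ban duration are assumptions, and the sample lines are constructed in the post's log format using documentation-range addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log format as shown in the post: nginx combined format plus one trailing quoted field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Constructed sample (not the poster's data); addresses are RFC 5737 documentation ranges.
SAMPLE = """\
203.0.113.7 - - [28/Jul/2018:14:54:05 +0800] "GET /webdav/ HTTP/1.1" 404 6303 "-" "-" "-"
203.0.113.7 - - [28/Jul/2018:14:54:06 +0800] "PROPFIND / HTTP/1.1" 404 6303 "-" "-" "-"
198.51.100.20 - - [28/Jul/2018:14:54:07 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
198.51.100.20 - - [28/Jul/2018:14:54:08 +0800] "GET /favicon.ico HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [28/Jul/2018:14:54:09 +0800] "POST /wuwu11.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [28/Jul/2018:14:54:09 +0800] "POST /xw.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [28/Jul/2018:14:54:10 +0800] "POST /xw1.php HTTP/1.1" 404 6303 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [28/Jul/2018:14:54:25 +0800] "POST /wc.php HTTP/1.1" 499 0 "-" "Mozilla/5.0" "-"
"""

def find_probers(lines, threshold=5, window=timedelta(seconds=60),
                 ban=timedelta(hours=1)):
    """Return {ip: ban_expiry} for clients that hit at least `threshold`
    distinct missing paths (status 404) within `window`."""
    recent = defaultdict(deque)  # ip -> (timestamp, path) of recent 404 responses
    bans = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue  # unparsable line, or not a "file not found" response
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append((ts, m["path"]))
        while ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        if len({path for _, path in q}) >= threshold:
            # Temporary block: it expires, so a later holder of a
            # reassigned dynamic address is not blocked indefinitely.
            bans[m["ip"]] = ts + ban
    return bans

if __name__ == "__main__":
    for ip, expiry in find_probers(SAMPLE.splitlines()).items():
        print(f"block {ip} until {expiry.isoformat()}")
```

The visitor with a single missing `/favicon.ico` is not flagged; only the client that walks through a list of nonexistent paths crosses the threshold.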