Weird traffic pattern on HTTPS. Can anyone identify what is going on?
I've recently been tightening up drive-by hacking on my systems, and a legitimate (but relatively technically illiterate) user was banned by a fail2ban rule which detected something a bit weird. The log file looks like -
websitename.nz:443 1.2.3.4 - - [20/Jul/2024:21:39:52 +1200] "GET /wp-login.php HTTP/1.1" 200 5996 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 LikeWise/96.6.6223.59"
websitename.nz:443 1.2.3.4 - - [20/Jul/2024:21:39:53 +1200] "GET /favicon.ico HTTP/1.1" 302 4085 "https://www.websitename.nz/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 LikeWise/96.6.6223.59"
websitename.nz:443 1.2.3.4 - - [20/Jul/2024:21:39:56 +1200] "GET / HTTP/1.1" 200 17370 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 LikeWise/96.6.6223.59"
websitename.nz:443 1.2.3.4 - - [20/Jul/2024:21:39:56 +1200] "GET / HTTP/1.1" 200 20758 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 LikeWise/96.6.6223.59"
websitename.nz:443 1.2.3.4 - - [20/Jul/2024:21:39:57 +1200] "GET /wp-content/uploads/wordpress-popular-posts/afile.jpeg HTTP/1.1" 200 14573 "https://www.websitename.nz/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 LikeWise/96.6.6223.59"
default:443 1.2.3.4 - - [20/Jul/2024:21:40:16 +1200] "-" 408 3362 "-" "-"
It was, of course, the last line which my system was programmed to object to and banned. "default" is the name of the default VirtualHost on the server. Note the lack of a user agent, and that this request happened about 50 seconds after the legitimate requests from the user.
My server uses SNI, and "default" is the default virtualhost - with no legitimate IP address associated with it and a self signed certificate.
I know that the user is using a VPN (1.2.3.4 - which is of course not the actual address, but it is associated with VPN usage, and my client's client has confirmed they are using a VPN - although I don't know the name of the provider, nor why they are using it - especially as the VPN endpoint is, like the user, in New Zealand). I realize that the VPN usage may be coincidental here, and that this could be something local to her system?
Has anyone seen this behaviour/traffic pattern before, and if so, what is the likely explanation?
Subsequent notes -
The user is using Avast AV. Not sure if this is relevant. (My Googling talks about an Avast Web Shield, but it is not clear that this would cause a hit against the raw IP of my server, or why it should if it even does!)
I have now found other users - who were not using a VPN - whose systems behaved similarly. I've been unable to establish if they were using Avast - but I am now hypothesizing this may be to do with Avast Web Shield, as it looks unlikely to be a VPN issue.
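As an added example (not part of the question above and not a fail2ban configuration), the following Python script parses log lines in the format shown in the post, isolates the shape that triggered the ban (default VirtualHost, empty request line, no User-Agent, 408), and then checks whether the same client address had ordinary, user-agent-bearing requests to a named VirtualHost shortly beforehand. That correlation is the check a practitioner would want before banning: a stray no-UA connection from an address that was just browsing the real site is a different signal from the same line arriving from an address that has never requested anything else. The sample input reuses three lines from the post (with its placeholder address 1.2.3.4) plus one constructed line from an invented second address, 5.6.7.8; the 60-second correlation window, the vhost name "default" and the regex for this log layout are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log: three lines copied from the post (placeholder IP 1.2.3.4)
# plus one invented line from 5.6.7.8, which only ever touches the default vhost.
SAMPLE_LOG = """\
websitename.nz:443 1.2.3.4 - - [20/Jul/2024:21:39:52 +1200] "GET /wp-login.php HTTP/1.1" 200 5996 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 LikeWise/96.6.6223.59"
websitename.nz:443 1.2.3.4 - - [20/Jul/2024:21:39:57 +1200] "GET /wp-content/uploads/wordpress-popular-posts/afile.jpeg HTTP/1.1" 200 14573 "https://www.websitename.nz/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 LikeWise/96.6.6223.59"
default:443 1.2.3.4 - - [20/Jul/2024:21:40:16 +1200] "-" 408 3362 "-" "-"
default:443 5.6.7.8 - - [20/Jul/2024:21:41:03 +1200] "-" 408 3362 "-" "-"
"""

# Matches the "vhost:port client ident user [timestamp] "request" status bytes "referer" "ua""
# layout shown in the post (assumed to be the server's combined log format with the vhost prefix).
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<ip>\S+) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Apache-style timestamp, e.g. 20/Jul/2024:21:39:52 +1200
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def parse_log(text):
    """Parse every well-formed line of a log file; silently skip lines that do not match."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def is_default_vhost_probe(entry, default_vhost="default"):
    """The shape that triggered the ban: default vhost, empty request line, no User-Agent, 408."""
    return (
        entry["vhost"] == default_vhost
        and entry["req"] == "-"
        and entry["ua"] == "-"
        and entry["status"] == 408
    )


def classify_probes(entries, default_vhost="default", window=timedelta(seconds=60)):
    """For each default-vhost probe, decide whether the same address was a normal client just before.

    Returns a list of (ip, label) in log order. "stray_from_known_client" means the address
    made at least one user-agent-bearing request to a named vhost within `window` before the
    probe; "unexplained_probe" means it did not. The 60 s window is an assumed threshold.
    """
    results = []
    for e in entries:
        if not is_default_vhost_probe(e, default_vhost):
            continue
        prior_legit = [
            p for p in entries
            if p["ip"] == e["ip"]
            and p["vhost"] != default_vhost
            and p["ua"] != "-"
            and 0 <= (e["ts"] - p["ts"]).total_seconds() <= window.total_seconds()
        ]
        label = "stray_from_known_client" if prior_legit else "unexplained_probe"
        results.append((e["ip"], label))
    return results


if __name__ == "__main__":
    for ip, label in classify_probes(parse_log(SAMPLE_LOG)):
        print(f"{ip}: {label}")
```

Run as-is the script reports 1.2.3.4 as a stray connection from a client that was browsing the named site 19 seconds earlier, and the invented 5.6.7.8 as an unexplained probe. Feeding real log data through the same correlation (rather than banning on the single 408 line) lets you see how many of the "default" hits come from addresses that were legitimate visitors moments before, which is the question the post is really asking.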