Sunday, March 5, 2017

What are these strange POST requests trying to do?

I have a website, and I get some strange POST requests every day. The request IP is different every day.

The interval between two requests is two minutes, and these last for several hours.

Here are some of today's Nginx logs; the last field of every line is the request body.

68.2.122.219 - - [05/Mar/2017:02:47:14 +0800] "POST / HTTP/1.1" 200 2597 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" "F6BalN/BMT7wx1mr2qUHw6NKNerhd48AR/SfLoWpA9qneyTE4erO5DpSkeRutrJMpDjm1MRCpMinEhQ8W3kpsHJMqQ9TW+lTxAXyLslIV1N51/DVUygQRlvd3fAvREo1DalJlbEKbTItNb1EhbjLb7cYL631QfCwk9jkUUywb9oVmwuldzDrwgOycH4xzTeXnYesvLLKqQj7tioqGcPKk0q/u9otCVoQQCkNXuRd3oZvYRRwgEjvJaaTAyHeb5Zim1j2DOR1DAHi767jPLpVZV5dZC18/gB8wsztnJOB1r3U/pY1Eb8EYk6Yns/fIN3H2W2eARr4PZnCnYm4sZEKDW7vNajyyi6FRMLtBvz3kTGRiN1S5oSd1Whw"
68.2.122.219 - - [05/Mar/2017:02:49:14 +0800] "POST / HTTP/1.1" 200 2597 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" "SqZZk4nKZxnLVbk3N638kNB7jLTgdJqowSIB3DAvf1qFEhUPI8b4BnJzP/arzARH/FG7kCqpkozJl3ma//L1lk2rIFlpFz3iIv14FNkHqCLhAOdznDTM2328MGAyFY+Y7esrYwNOur4jvt6i8IOYDg9U7p8VI2VspTkP2TpjLB+gsbjevgxrVAys02yWvmSOhzFxmDTAOCQjEQUuW859RmzpezIHIro4G32wtRXCknm42xzFX++E2ADmd+G74LV2uc6HcHqLJVJgzIh5j45C17xYt25WRNlswCbWuswTZTapd0BbwF5nEWjSg9PHz2k65MBJ6GLu+6MTlUfk1wdODVEyKnlrEyMLOeu96n+mvFglcarFAv9nITMkqxhCGHEsRXCc6nKMJ4DeiqpFYjllnLV1/0ctBLPtX+3xePEguA=="
68.2.122.219 - - [05/Mar/2017:02:51:14 +0800] "POST / HTTP/1.1" 200 2597 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" "RqJYxt6ZZVFh811Tel5cH8ip4w+zl1fuJ0PJTM6Mdghbfh2yihGMo7H1/pKC57Yw6nRVQsphJxSYsjJDjA5xONOmTcqrAIilupI9Odqhg2rNbJ4MrgMLSnjjmUji72mT0CKav/bzubbk7ZhYor944yyji+oF8kNBIV5Ti+K/0T/Tjl1Aev0tAHH13QbFf5ARFTC19k5lojJZbFyhGXq+jRDFKLAPDulLCFYl1Zovuew7bcbAhf6CFAiFnxu/yutLNdwl2mRws5Lj7jtxA/yhkcoGTo27gXBvuRxgDN+vQ3jvUVqqbyzQh0aWyq0Du4OU3KPFN6DA76NhoD59F+NHrz3pO/3nmR5XKVE8QErsIgV4LsGgr/EiWQ=="
68.2.122.219 - - [05/Mar/2017:02:53:15 +0800] "POST / HTTP/1.1" 200 2597 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" "E6JawtybNX9sCC6lSod2Qam8J/uZAjuSzI9YAhnDIAnhmaxqXWV1XnMz+AdzqFuRreARv1F5fTLa+J2Jmcet+SUxWTQ8WLbNUemscrO3/9kKpTw4BdPj7HD1Q/VouM8Yfh71sTNd9CBKZeF1ysqyZY9LGsE1/GzXTkv92zR7L4EeYp1qyNJs/nDAUClfI80+/uRRRKQNcWX/avwif7LYuGntqdtmnVSIepJGJgyCWIjBGAKmcgGIVz5HVN5lVcWbWRLKxAo7rTn7o1R4I2TSBLpb59o7xE4xLz4Aj4c3IQp6t6EoIuB4OmfZLB3pzR6D9imt2e7gX3LWCgYTYgKHS/G6psVRelPqq8Nl76llGb4UischUHPhMY+a7Tdnp713Qvmn3NqNOA=="
68.2.122.219 - - [05/Mar/2017:02:55:15 +0800] "POST / HTTP/1.1" 200 2597 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" "FPMPx9/OYex0jPlrLAbHN6HpbERjBv9lTy17LvSkX1QB2VDUj5COMN4YXSdCkLz0sJCCVbaQbKGVKQd8arBE24NraKtu1HSg2WLyqJGm06I8sfUQvYLJSWMoh2H8m1TmWan3TlqU7Ay62PBIVKBiRv3wYTf/LYcGhms2mYcayjHbOn5CffTNYA+cgc6Difpcul83a33b7njHWgTK8Yi+yACHkqhSu40xVUFF0UORDR8vkUa1FUpDBC1IMjL/2ZjOO+chV2W44ZwmB9KrMZ7e9pm/ox8X6obVFdUE/slJrdFxIo+pzpT+zbEWmkfQ7TdQy7pyEaslaIhmA345kzItn/2+lgY3swMZOFc7AN0qkKFTMPOIBswOi+w="
68.2.122.219 - - [05/Mar/2017:02:57:16 +0800] "POST / HTTP/1.1" 200 2597 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" "QaZYxYjNYaJxZAcHMtK5FpjVT7U0wMMuQVRk8lCqpq4OMSwNnhSzws3IVGQU5flmBBBowd4zS66jRuRpil3kf0IjbKk3VstjNyvlarNoh2Cy5jv1q5gefcqEnVDgbiZjkjlucorQWdNeMtovXsRU9Daau0vxA2rj2ih6O3wlskCbAwhPh3wUV7gvuKwAtKgSs+lqCHtn2+SAO+pj+Vsmt7lTmOGc067/CUdH8d1aYUPJZyWVxXKJGn2MazuWHbbv6x2k/P3QCvYJqBkvvriLUpNFwtUbLw45qc/IF5DrQCGAUsFNwyaU6wSt0o/pF/GbS2b93laNBcsyiFwb1aQc0M6xGr1TpbWSGWgr"
......
68.2.122.219 - - [05/Mar/2017:03:23:21 +0800] "POST / HTTP/1.1" 200 2597 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" "FKZcl4ydbeNCQ+nct2+wosy3Z5BMNOVDY5OHfyJUeKN0E9Cscfo9HcxRi6OQAOWULQNK9DQOLjrJP8iA3Pk54IJcO8f9wAyubDdYX4aerbmASZ6pYyfTe8v8a9t/Al+AGVP2Nw1PcCfQVlrDEDIq7jjs3Ul3qvvfr8F8FB4kmVRwVrMEpDnRHbEUgn2WPGdmRzVXJeY3L/cOU2Ys+2bdo/dRwpU0rimpH3iXFa0lpHP29YH0jAekSXx/kjDm+d2QlfLHVQihThsXIw+tmd+CZbiQo5CdCjgW9C1JaqMXVSp9QQBkjwjBWxPs9DNQM6lLgSybZw0GnGcGxFoIhVEL1GDLj7WPsDD4g7fEa73M/mc="

I've tried to decode the request body using base64, but I can't find anything human-readable.

What are these requests trying to do? Are they harmful?
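The two things worth measuring before guessing at intent are the cadence the poster describes (one request every two minutes from a single IP) and what the bodies actually decode to. The script below is an added triage example, not code from the question or its author: it parses the Nginx lines, computes the gap between consecutive requests per source IP, and scores each base64 body by Shannon entropy and printable-ASCII ratio so that "decodes to random-looking bytes" can be stated as a number rather than as "nothing readable". The log-format regex, the 0.95 printable threshold and the "text"/"opaque" labels are assumptions made for this example; the first three request bodies are copied from the excerpt above, and the contrast line from 192.0.2.10 is constructed. The script says nothing about what the payload is; an opaque body only tells you that plain base64 decoding was never going to reveal it.

```python
"""Triage repeating POSTs with opaque bodies from an nginx access log.
Added example (not the question author's code); see lead-in for assumptions."""
import base64
import binascii
import math
import re
import string
from collections import defaultdict
from datetime import datetime

# Combined log format followed by the request body as a final quoted field,
# which is the layout of the lines quoted in the question (assumption).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d+) '
    r'(?P<size>\d+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<body>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
LINE = '{ip} - - [{ts}] "POST / HTTP/1.1" 200 2597 "-" "{ua}" "{body}"'

# First three request bodies copied verbatim from the question's log excerpt.
PAGE_BODIES = [
    "F6BalN/BMT7wx1mr2qUHw6NKNerhd48AR/SfLoWpA9qneyTE4erO5DpSkeRutrJMpDjm1MRCpMinEhQ8W3kpsHJMqQ9TW+lTxAXyLslIV1N51/DVUygQRlvd3fAvREo1DalJlbEKbTItNb1EhbjLb7cYL631QfCwk9jkUUywb9oVmwuldzDrwgOycH4xzTeXnYesvLLKqQj7tioqGcPKk0q/u9otCVoQQCkNXuRd3oZvYRRwgEjvJaaTAyHeb5Zim1j2DOR1DAHi767jPLpVZV5dZC18/gB8wsztnJOB1r3U/pY1Eb8EYk6Yns/fIN3H2W2eARr4PZnCnYm4sZEKDW7vNajyyi6FRMLtBvz3kTGRiN1S5oSd1Whw",
    "SqZZk4nKZxnLVbk3N638kNB7jLTgdJqowSIB3DAvf1qFEhUPI8b4BnJzP/arzARH/FG7kCqpkozJl3ma//L1lk2rIFlpFz3iIv14FNkHqCLhAOdznDTM2328MGAyFY+Y7esrYwNOur4jvt6i8IOYDg9U7p8VI2VspTkP2TpjLB+gsbjevgxrVAys02yWvmSOhzFxmDTAOCQjEQUuW859RmzpezIHIro4G32wtRXCknm42xzFX++E2ADmd+G74LV2uc6HcHqLJVJgzIh5j45C17xYt25WRNlswCbWuswTZTapd0BbwF5nEWjSg9PHz2k65MBJ6GLu+6MTlUfk1wdODVEyKnlrEyMLOeu96n+mvFglcarFAv9nITMkqxhCGHEsRXCc6nKMJ4DeiqpFYjllnLV1/0ctBLPtX+3xePEguA==",
    "RqJYxt6ZZVFh811Tel5cH8ip4w+zl1fuJ0PJTM6Mdghbfh2yihGMo7H1/pKC57Yw6nRVQsphJxSYsjJDjA5xONOmTcqrAIilupI9Odqhg2rNbJ4MrgMLSnjjmUji72mT0CKav/bzubbk7ZhYor944yyji+oF8kNBIV5Ti+K/0T/Tjl1Aev0tAHH13QbFf5ARFTC19k5lojJZbFyhGXq+jRDFKLAPDulLCFYl1Zovuew7bcbAhf6CFAiFnxu/yutLNdwl2mRws5Lj7jtxA/yhkcoGTo27gXBvuRxgDN+vQ3jvUVqqbyzQh0aWyq0Du4OU3KPFN6DA76NhoD59F+NHrz3pO/3nmR5XKVE8QErsIgV4LsGgr/EiWQ==",
]
# Constructed contrast case: a body that really is base64 of plain text.
TEXT_BODY = base64.b64encode(b"user=guest&action=ping").decode()

SAMPLE_LOG = [
    LINE.format(ip="68.2.122.219", ts="05/Mar/2017:02:47:14 +0800", ua=UA, body=PAGE_BODIES[0]),
    LINE.format(ip="68.2.122.219", ts="05/Mar/2017:02:49:14 +0800", ua=UA, body=PAGE_BODIES[1]),
    LINE.format(ip="68.2.122.219", ts="05/Mar/2017:02:51:14 +0800", ua=UA, body=PAGE_BODIES[2]),
    # Constructed line from a documentation-range IP, not from the question.
    LINE.format(ip="192.0.2.10", ts="05/Mar/2017:02:52:00 +0800", ua=UA, body=TEXT_BODY),
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def decode_body(body):
    """Base64-decode leniently (restore missing '=' padding); None if invalid."""
    body = body.strip()
    if len(body) % 4 == 1:          # no base64 string has this length
        return None
    try:
        return base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def shannon_entropy(data):
    """Bits per byte: random or encrypted data approaches 8, text sits near 4 to 5."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII (whitespace included)."""
    if not data:
        return 0.0
    printable = set(string.printable.encode())
    return sum(b in printable for b in data) / len(data)


def classify_body(body):
    """Describe a request body: decoded length, entropy, printable ratio, verdict."""
    raw = decode_body(body)
    if raw is None:
        return {"valid_base64": False, "length": 0, "entropy": 0.0,
                "printable_ratio": 0.0, "verdict": "not-base64"}
    ratio = printable_ratio(raw)
    return {"valid_base64": True, "length": len(raw),
            "entropy": round(shannon_entropy(raw), 2),
            "printable_ratio": round(ratio, 2),
            # 0.95 is an assumed threshold: real text stays almost fully printable.
            "verdict": "text" if ratio >= 0.95 else "opaque"}


def intervals_by_ip(entries):
    """Seconds between consecutive requests from each IP, in log order."""
    times = defaultdict(list)
    for e in entries:
        times[e["ip"]].append(e["time"])
    return {ip: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for ip, ts in times.items()}


def triage(lines):
    """Parse the lines, then report cadence per IP and a verdict per body."""
    entries = [e for e in map(parse_line, lines) if e]
    return {"intervals": intervals_by_ip(entries),
            "bodies": [(e["ip"], classify_body(e["body"])) for e in entries]}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, gaps in report["intervals"].items():
        print(ip, "gaps in seconds:", gaps)
    for ip, info in report["bodies"]:
        print(ip, info)
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a fixed 120-second gap from one IP combined with bodies that score far below the printable threshold is the pattern the question describes, and it is the evidence to attach if the source IP is reported or blocked.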



