Background data article. Very high levels of boring.

I pulled a recent list of HTTP 404s from the access log at work. These are not links on our servers, and they are not links advertised anywhere. As far as these are deep links to tech assets, not web pages, they are step 1 of an attack bot. I would advise that no one makes these links public on any server.

HTTP OPTIONS requests

  • / (33 times)
  • /IPC$ (1 time)
  • /compiled/2.3.5-b23/ (72 times) ~ this is a valid base URL, but it doesn't make sense. Why would you support HATEOAS for static script assets?
  • I would have expected the attacks to come from random client IPs, as that is more efficient, and therefore in JS; therefore many more OPTIONS.

HTTP CONNECT

  • We aren't a proxy, so we don't allow these
  • All for port 443, all Chinese-language domain names or IP addresses
  • Total: 230 times
  • Attempting to proxy past some security layer?

HTTP GET

  • There are no GETs listed here, as GETs are likely to GET a page, even if it's an error page asking for better-formed params. The software has good levels of defaulting, so you can just walk up without knowing what you are doing.

HTTP POST

  • There are many of these; I have grouped them a bit.
  • Unless you think *all* users of your site are stupid and ignorant, URLs should be considered “typable”, and are part of your user interface. I don't understand why I would put the current implementation tech in the URL; it's like showing my cheap gone-grey mid-week underwear.
  • Attack URLs that look like shells in some fashion
    • /command.php (20 times)
    • /hndUnblock.cgi (18 times)
    • /CGI/Execute (2 times)
    • /RPC2 (11 times)
    • /cgi-sys/php5 (11 times)
    • /jbossmq-httpil/HTTPServerILServlet? (1 times)
    • /_vti_bin/_vti_aut/author.dll (2 times)
    • /command.php (1 times)
    • /cmd.php (205 times)
    • /system.php (205 times)
    • /dns-query (1 times)
    • /web_shell_cmd.gch (9 times)
    • /wshell.php (215 times)
    • /xshell.php (214 times)
    • /tomcat.php (149 times)
  • URLs that look like blog + extra “smart” bits, like WP RPC.
    • /RPC2 (3 times)
    • /xmlrpc.php (2 times)
    • /zabbix/jsrpc.php (4 times)
    • /zabbix/api_jsonrpc.php (1 times)
    • /blog/xmlrpc.php (2 times)
    • /wp-admins.php (198 times)
    • /HNAP1/ (1 times)
    • /ws/v1/cluster/apps/new-application (23 times)
    • /client/en/community/supportcli.php (1 times)
  • My PUBLIC PHP/DB config, obviously?
    • /phpini.php (15 times)
    • /conf1g.php (137 times)
    • /conflg.php (283 times)
    • /confg.php (505 times)
    • /conf.php (132 times)
    • /db.init.php (238 times)
    • /db_session.init.php (235 times)
    • /db__.init.php (217 times)
    • /getcfg.php (42 times)
    • /db.php (87 times)
    • /mysql.php (21 times)
    • /db_dataml.php (198 times)
    • /db_desql.php (196 times)
  • The default page that you see will be a login page, due to security architecture; so you try to make an account?
    • /login/login.jsp (12 times)
    • /login/indexAction.action (12 times)
    • /indexAction.action (12 times)
    • /index.action (14 times)
    • /login.action (14 times)
    • /login.do (12 times)
    • /login.jsp (12 times)
    • /user/register (4 times)
    • /register.jsp (12 times)
    • /admin/newuser.php (1 times)
  • You think the server is already cracked, so you try a POST to the “special access door”
    • /picture/yts166.jpeg (1 times)
    • /getimage/151580.gif (1 times)
    • /connectors/system/phpthumb.php (1 times)
  • other URLS
    • These are random, and mostly look hand-typed. The numbers of attempts tend to cluster adjacently, which seems to reinforce the “hand-typed” feel. There is an above-average density of number sequences that match gambling sequences, e.g. 666, and a very low density of people's names.
    • They add up to a scary 30171 attempts.
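The grouping above was done by hand. As an added example (my own script, not the author's tooling, and not anything from the server in question), here is how the same pull can be automated: parse combined-format access log lines, keep only the 404s, count targets per HTTP method, and drop the POST targets into the post's buckets (shell, RPC, config, login, other). The log lines are constructed for the demo, and the bucket regexes are my approximation of the author's hand grouping, not a published signature set.

```python
"""Group HTTP 404s from an access log by method and target.

Added example, not the original post's code.  SAMPLE_LOG is constructed
for the demo; the BUCKETS patterns are a guess at the post's grouping.
"""
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format.  The request field is split into
# method, target and protocol; note that CONNECT targets are host:port,
# not paths, so "target" is kept as an opaque string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample, not real traffic.  IPs are from RFC 5737 ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /qq.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /confg.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2024:10:00:03 +0000] "POST /wshell.php HTTP/1.1" 404 196 "-" "-"
198.51.100.4 - - [01/Jan/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" "-"
198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "CONNECT example.cn:443 HTTP/1.1" 404 0 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "OPTIONS / HTTP/1.1" 404 0 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:08 +0000] "POST /login.jsp HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "POST /qq.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Buckets mirror the post's hand grouping.  First match wins, so the
# order matters (e.g. api_jsonrpc.php is "rpc", not "config").
BUCKETS = [
    ("shell",  re.compile(r'(?:^|/)(?:\w*shell\w*|cmd|command|system|tomcat)\.(?:php|gch)$'
                          r'|/hndUnblock\.cgi$|/CGI/Execute$')),
    ("rpc",    re.compile(r'rpc|/RPC2$|/HNAP1/|/ws/v1/')),
    ("config", re.compile(r'(?:^|/)(?:conf\w*|db[\w.]*|mysql|getcfg|phpini)\.php$')),
    ("login",  re.compile(r'login|register|index\w*\.(?:action|do|jsp)$|newuser')),
]


def parse(line):
    """Return a dict of the combined-log fields, or None if the line is not parseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def not_found_counts(log_text):
    """Return {method: Counter(target)} over 404 responses only."""
    by_method = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["status"] == 404:
            by_method[rec["method"]][rec["target"]] += 1
    return by_method


def bucket(path):
    """Name the post's bucket a POST target falls into, or 'other'."""
    for name, rx in BUCKETS:
        if rx.search(path):
            return name
    return "other"


def grouped_posts(by_method):
    """Collapse POST 404 targets into buckets: {bucket: {target: count}}."""
    groups = defaultdict(dict)
    for target, n in by_method.get("POST", {}).items():
        groups[bucket(target)][target] = n
    return groups


def report(log_text):
    """Print the per-method lists in the same '(N times)' shape as the post."""
    by_method = not_found_counts(log_text)
    for method in sorted(by_method):
        print(f"HTTP {method}")
        for target, n in by_method[method].most_common():
            print(f"  {target} ({n} times)")
    totals = {k: sum(v.values()) for k, v in grouped_posts(by_method).items()}
    print("POST buckets:", totals)


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against a real log with `report(open("access.log").read())`; anything in the "other" bucket with a high count is a candidate for a new bucket, which is exactly the eyeballing the post describes.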
Full List of URLs
  • /phppath/php (1 times)
  • / (32 times)
  • /invoker/readonly (10 times)
  • /wls-wsat/CoordinatorPortType? (120 times)
  • /GponForm/diag_Form (6 times)
  • /sdk (34 times)
  • /asdfi23piuypiuh.php (3 times)
  • /3r1ep1lgqypc440u.php (3 times)
  • /ubus (1 times)
  • /wls-wsat/CoordinatorPortType (3 times)
  • /wuwu11.php (240 times)
  • /xw.php (243 times)
  • /xx.php (446 times)
  • /s.php (409 times)
  • /w.php (245 times)
  • /sheep.php (241 times)
  • /wc.php (222 times)
  • /xw1.php (215 times)
  • /9678.php (219 times)
  • /mx.php (213 times)
  • /7788.php (4 times)
  • /8899.php (4 times)
  • /qq.php (814 times)
  • /lindex.php (216 times)
  • /phpstudy.php (406 times)
  • /weixiao.php (216 times)
  • /feixiang.php (217 times)
  • /ak47.php (216 times)
  • /xiaoma.php (200 times)
  • /xiao.php (210 times)
  • /defect.php (209 times)
  • /webslee.php (211 times)
  • /pe.php (213 times)
  • /hm.php (213 times)
  • /data.php (196 times)
  • /log.php (195 times)
  • /fack.php (194 times)
  • /angge.php (194 times)
  • /yao.php (210 times)
  • /q.php (433 times)
  • /cainiao.php (202 times)
  • /zuoshou.php (206 times)
  • /aotu.php (202 times)
  • /l7.php (201 times)
  • /l8.php (202 times)
  • /qaq.php (264 times)
  • /56.php (201 times)
  • /mz.php (201 times)
  • /yumo.php (202 times)
  • /min.php (199 times)
  • /wanan.php (199 times)
  • /ssaa.php (199 times)
  • /aw.php (193 times)
  • /12.php (196 times)
  • /hh.php (194 times)
  • /m.php (329 times)
  • /zuo.php (194 times)
  • /bak.php (196 times)
  • /wan.php (194 times)
  • /ak.php (190 times)
  • /ip.php (191 times)
  • /infoo.php (189 times)
  • /qwe.php (190 times)
  • /1213.php (189 times)
  • /h1.php (189 times)
  • /test.php (429 times)
  • /3.php (189 times)
  • /xiaomar.php (177 times)
  • /ak48.php (195 times)
  • /post.php (188 times)
  • /phpinfi.php (186 times)
  • /xiaomae.php (176 times)
  • /aaaa.php (183 times)
  • /9510.php (181 times)
  • /index.do (12 times)
  • /index.jsp (12 times)
  • /main.jsp (12 times)
  • /default.jsp (12 times)
  • /logidfsf (1 times)
  • /python.php (174 times)
  • /default.php (174 times)
  • /sean.php (170 times)
  • /help.php (170 times)
  • /tiandi.php (169 times)
  • /xz.php (167 times)
  • /linuxse.php (169 times)
  • /zuoindex.php (169 times)
  • /zshmindex.php (169 times)
  • /ceshi.php (170 times)
  • /l6.php (170 times)
  • /miao.php (163 times)
  • /boots.php (164 times)
  • /she.php (163 times)
  • /qw.php (160 times)
  • /caonma.php (160 times)
  • /ss.php (300 times)
  • /wcp.php (159 times)
  • /1hou.php (149 times)
  • /uuu.php (148 times)
  • /1.php (589 times)
  • /2.php (280 times)
  • /qaz.php (147 times)
  • /sss.php (160 times)
  • /sha.php (142 times)
  • /ver.php (141 times)
  • /hack.php (139 times)
  • /qa.php (141 times)
  • /xxx.php (139 times)
  • /92.php (140 times)
  • /z.php (233 times)
  • /core.php (139 times)
  • /ppx.php (137 times)
  • /nuoxi.php (136 times)
  • /godkey.php (136 times)
  • /okokok.php (135 times)
  • /erwa.php (137 times)
  • /pma.php (137 times)
  • /ruyi.php (136 times)
  • /51314.php (137 times)
  • /5201314.php (137 times)
  • /fusheng.php (137 times)
  • /general.php (136 times)
  • /repeat.php (136 times)
  • /ldw.php (136 times)
  • /api.php (187 times)
  • /s1.php (134 times)
  • /xiaodai.php (134 times)
  • /ou2.php (138 times)
  • /zuos.php (138 times)
  • /zuoss.php (137 times)
  • /u.php (138 times)
  • /x.php (321 times)
  • /hello.php (233 times)
  • /xp.php (133 times)
  • /p.php (133 times)
  • /a.php (132 times)
  • /123.php (132 times)
  • /HX.php (133 times)
  • /diy.php (132 times)
  • /666.php (131 times)
  • /777.php (132 times)
  • /qwq.php (132 times)
  • /zuoshss.php (136 times)
  • /.php (130 times)
  • /dexgp.php (123 times)
  • /infos.php (121 times)
  • /htfr.php (119 times)
  • /zzk.php (120 times)
  • /10 (2 times)
  • /toor.php (113 times)
  • /alexa (1 times)
  • /uu.php (102 times)
  • /aa.php (97 times)
  • /wb.php (96 times)
  • /yj.php (95 times)
  • /7.php (95 times)
  • /hacly.php (89 times)
  • /xiaohei.php (89 times)
  • /cadre.php (86 times)
  • /xiaomo.php (87 times)
  • /admn.php (87 times)
  • /hell.php (87 times)
  • /cxfm666.php (84 times)
  • /xiaoyu.php (84 times)
  • /j.php (83 times)
  • /qq5262.php (82 times)
  • /MCLi.php (164 times)
  • /51.php (84 times)
  • /mm.php (83 times)
  • /1q.php (81 times)
  • /zxc1.php (121 times)
  • /zxc0.php (61 times)
  • /zxc2.php (61 times)
  • /indexa.php (61 times)
  • /qwqw.php (54 times)
  • /lucky.php (75 times)
  • /lx.php (53 times)
  • /index1.php (52 times)
  • /info.php (52 times)
  • /info1.php (52 times)
  • /aaaaaa1.php (51 times)
  • /up.php (52 times)
  • /test123.php (81 times)
  • /fb.php (53 times)
  • /1111.php (52 times)
  • /aotu7.php (52 times)
  • /lost.php (48 times)
  • /php.php (48 times)
  • /errors.php (47 times)
  • /win.php (44 times)
  • /win1.php (43 times)
  • /linux.php (44 times)
  • /linux1.php (44 times)
  • /paylog.php (78 times)
  • /cc.php (34 times)
  • /cn.php (33 times)
  • /cnm.php (28 times)
  • /lanke.php (20 times)
  • /neko.php (21 times)
  • /super.php (21 times)
  • /cere.php (21 times)
  • /aaa.php (21 times)
  • /Administrator.php (21 times)
  • /liangchen.php (21 times)
  • /meng.php (21 times)
  • /no.php (21 times)
  • /Updata.php (21 times)
  • /xxxx.php (21 times)
  • /coon.php (21 times)
  • /099.php (17 times)
  • /_404.php (17 times)
  • /Alarg53.php (17 times)
  • /lapan.php (17 times)
  • /p34ky1337.php (17 times)
  • /pk1914.php (17 times)
  • /sllolx.php (16 times)
  • /Skri.php (17 times)
  • /mazi.php (16 times)
  • /guai.php (15 times)
  • /ljb.php (15 times)
  • /www.php (15 times)
  • /chaoda.php (15 times)
  • /vuln1.php (14 times)
  • /orange.php (14 times)
  • /d.php (14 times)
  • /1ndex.php (14 times)
  • /lanyecn.php (15 times)
  • /mybestloves.php (14 times)
  • /erba.php (3 times)
  • /link.php (3 times)
  • /xiaobin.php (1 times)
  • /ppp.php (1 times)