• Hello and sorry if this is not the right forum for this question.
    I’m working for a webhosting company hosting a lot of wordpress sites for our customers.
    As of last Saturday our servers have been getting a lot of scanning traffic (other than the usual DDOS for xmlrpc and brute forces on wp-login.php) scanning for random files. The thing that stands out in these scans is the name Abdull Karem:

    GET /wp-includes/css/guide.php?php4&root&upl&wphp4&abdullkarem&
    GET /wp-includes/css/log.php?php4&root&upl&wphp4&abdullkarem&45
    GET /wp-includes/wp-class.php?php4&root&upl&wphp4&abdullkarem&4
    GET /wp-content/themes/guide.php?php4&root&upl&wphp4&abdullkare
    GET /wp-admin/log.php?php4&root&upl&wphp4&abdullkarem&450799&wp

    etc etc
    The scans are coming from dozens of different IP addresses, lots of them from cloud servers like Amazon.
    Sometimes I get more than 200 pps for this scan alone per server.
    Has anybody experienced the same in their logs, and what are they looking for?

    Thanks for reading,

    Robert
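One way to pick these probes out of an access log and count them per source and per second, as an added example that is not part of the thread: it assumes Apache combined-format logs, and the sample lines are constructed from the requests quoted above with made-up IPs and timestamps.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache "combined" format: request targets are the ones quoted in
# the post (plus a benign /wp-login.php and a search query); IPs and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Feb/2016:09:15:01 +0000] "GET /wp-includes/css/guide.php?php4&root&upl&wphp4&abdullkarem& HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Feb/2016:09:15:01 +0000] "GET /wp-includes/css/log.php?php4&root&upl&wphp4&abdullkarem&45 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Feb/2016:09:15:01 +0000] "GET /wp-admin/log.php?php4&root&upl&wphp4&abdullkarem&450799&wp HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Feb/2016:09:15:02 +0000] "GET /wp-content/themes/guide.php?php4&root&upl&wphp4&abdullkare HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Feb/2016:09:15:02 +0000] "GET /index.php?abdullkarem=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Feb/2016:09:15:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.45 - - [13/Feb/2016:09:15:03 +0000] "GET /?s=php4 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# The scanner's signature: a fixed bag of bare query keys plus the "abdullkarem" tag.
# Either the tag on its own (as the NinjaFirewall log line in this thread shows) or the
# full key bag counts as a hit, so a truncated or slightly varied tag still matches.
MARKER = "abdullkarem"
KEY_BAG = {"php4", "root", "upl", "wphp4"}

def is_probe(target):
    """True if the request target carries the scanner's query-string signature."""
    keys = {k.lower() for k in parse_qs(urlsplit(target).query, keep_blank_values=True)}
    return any(k.startswith(MARKER) for k in keys) or KEY_BAG <= keys

def scan_report(log_text):
    """Return (probe count per source IP, peak probes in any one second, probed paths)."""
    per_ip, per_second, paths = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "GET" and is_probe(m["target"]):
            per_ip[m["ip"]] += 1
            per_second[m["ts"]] += 1          # log timestamps have one-second resolution
            paths.add(urlsplit(m["target"]).path)
    return per_ip, max(per_second.values(), default=0), sorted(paths)

if __name__ == "__main__":
    per_ip, peak, paths = scan_report(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip:15} {n} probe(s)")
    print(f"peak {peak} probe(s)/s across {len(paths)} paths: {paths}")
```

The per-IP counter gives the list of sources worth rate-limiting or blocking at the edge, and the per-second peak is the number to compare against the 200 pps mentioned in the question.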

Viewing 2 replies - 31 through 32 (of 32 total)
  • dun_edwards

    (@dun_edwards)

    I highly recommend:
    https://www.ads-software.com/plugins/ninjafirewall/

    as the perfect solution for filtering out all of these things (and other types of DDOS attacks). I just installed it 1 day ago (it is free), and that is why I am on this forum, because it blocked about 500 requests that look like this:
    11/Feb/16 22:16:10 #8513631 critical 1417 46.226.45.69 GET /index.php – Suspicious bot – [GET:abdullkarem = 1]

    but also lots of others like:
    12/Feb/16 10:08:38 #6483221 medium 531 188.138.124.52 GET /index.php – Suspicious bots/scanners – [HTTP_USER_AGENT = ADmantX Platform Semantic Analyzer – ADform – ADmantX Inc. – https://www.admantx.com[email protected]]
    12/Feb/16 10:07:18 #3456836 medium 531 163.172.13.119 GET /index.php – Suspicious bots/scanners – [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; https://www.majestic12.co.uk/bot.php?+)]

    Basically, everyone is trying to break your website every minute of every day…

    David Uzelac

    (@daviduzelac)

    This technically isn’t a DDOS attack if packets aren’t being sent over any internet protocol; it’s just scanning for vulnerable websites, and with a little WP security hardening it can be mitigated easily.

    Nonetheless, that’s a great plugin.

  • The topic ‘Whois Abdull Karem and why are they scanning?’ is closed to new replies.