Join Log in
Score:1
John Dalsgaard avatar Server

Is someone trying to hack into our system?

cn flag
John Dalsgaard

I have a CentOS 6 server that has misbehaved over the last couple of weeks. I have tried to trace network, adjust settings, and asked a lot of clever people about it (see more in this question: Something is closing connections in my CentOS VMs - how to best troubleshoot?)

The issue has not been there the last 3-4 days so I was getting closer to perhaps believing that some of the adjustments had made a difference. But now it just happened twice within an hour. I started looking in logs. And I stumbled over this in the /var/log/nginx/access.log:

:
34.78.120.99 - - [13/Aug/2021:15:18:34 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
34.78.120.99 - - [13/Aug/2021:15:18:34 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
34.78.120.99 - - [13/Aug/2021:15:18:34 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
34.78.120.99 - - [13/Aug/2021:15:18:34 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
34.78.120.99 - - [13/Aug/2021:15:18:34 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
34.78.120.99 - - [13/Aug/2021:15:18:34 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
34.78.120.99 - - [13/Aug/2021:15:18:34 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
34.78.120.99 - - [13/Aug/2021:15:18:34 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
34.78.120.99 - - [13/Aug/2021:15:18:34 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
34.78.120.99 - - [13/Aug/2021:15:18:34 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
34.78.120.99 - - [13/Aug/2021:15:18:34 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
34.78.120.99 - - [13/Aug/2021:15:18:34 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
34.78.120.99 - - [13/Aug/2021:15:18:34 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
34.78.120.99 - - [13/Aug/2021:15:18:34 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
34.78.120.99 - - [13/Aug/2021:15:18:34 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
34.78.120.99 - - [13/Aug/2021:15:18:34 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
34.78.120.99 - - [13/Aug/2021:15:18:34 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
:

... and many more of them!

This occurred around both of the times that I saw the issue. Does anyone know if this is Ok - or if not, what is the best way forward to block it?

Thanks!

/John

Edit

I reported it as suggested - and then blocked that IP address in my Nginx.

So today I checked again - and now I have a bunch of similar requests - just from another IP.

104.155.101.3 - - [18/Aug/2021:13:54:36 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:02:45 +0200] "GET / HTTP/1.1" 200 26314 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:02:45 +0200] "GET / HTTP/1.1" 200 26313 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:02:46 +0200] "GET / HTTP/1.1" 200 26348 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:02:46 +0200] "GET / HTTP/1.1" 200 26325 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:02:46 +0200] "GET / HTTP/1.1" 200 26280 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:02:48 +0200] "GET / HTTP/1.1" 200 26325 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:02:49 +0200] "GET / HTTP/1.1" 200 26280 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:02:49 +0200] "GET / HTTP/1.1" 200 26299 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:06:25 +0200] "GET / HTTP/1.1" 200 26298 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:06:25 +0200] "GET / HTTP/1.1" 200 26349 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:06:27 +0200] "GET / HTTP/1.1" 200 2379 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:06:27 +0200] "GET / HTTP/1.1" 200 26279 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:06:28 +0200] "GET / HTTP/1.1" 200 26349 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:06:29 +0200] "GET / HTTP/1.1" 200 26318 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:06:30 +0200] "GET / HTTP/1.1" 200 26348 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:06:30 +0200] "GET / HTTP/1.1" 200 26319 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:06:32 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:06:32 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:06:32 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"
104.155.101.3 - - [18/Aug/2021:16:06:32 +0200] "GET / HTTP/1.1" 499 0 "-" "python-requests/2.26.0" "-"

Should I be concerned about some of the new ones (with code 200)???

219
0 + 1
ph flag
Gordon Davisson
34.78.120.99 reverse-resolves to 99.120.78.34.bc.googleusercontent.com. Apparently, that means it's something on Google Cloud Platform; others have had similar problems ([1](https://support.google.com/webmasters/forum/AAAA2Jdx3sUSM9lJTs7mF8/?hl=en&gpf=%23!topic%2Fwebmasters%2FSM9lJTs7mF8), [2](https://support.google.com/webmasters/thread/8947965/i-need-to-know-definitively-what-these-visitors-with-xxx-xxx-xx-bc-googleusercontent-com-are?hl=en)), but don't seem to have been able to get much info. You could [report it](https://support.google.com/code/contact/cloud_platform_report?hl=en)...
1
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.