Hi Everyone,
We see a continuous flow of requests like those shown below. We are fairly
certain it is a botnet probing for weaknesses or vulnerabilities. The
source IP address slowly moves around. It looks like there was a bug
in load.php some time ago [1].
I don't have time to manually monitor this. We are looking for one of
those wiki plugins to handle it at the application layer.
How do we ban the host for making these probes for a day or a week?
Thanks in advance.
[1] https://www.mediawiki.org/wiki/Topic:Sl0d755pv10sjxl0
92.32.245.123 - - [19/Apr/2020:14:41:12 -0400] "GET /w/load.php?lang=en&modules=mediawiki.helplink%2Cspecial%2Cui%7Cmediawiki.legacy.commonPrint%2Cshared%7Cmediawiki.skinning.interface%7Cmediawiki.special.search.styles%7Cmediawiki.ui.button%2Cinput%7Cmediawiki.widgets.SearchInputWidget.styles%7Cmediawiki.widgets.styles%7Coojs-ui-core.styles%7Coojs-ui.styles.icons-alerts%2Cicons-content%2Cicons-interactions%2Cindicators%2Ctextures%7Cskins.vector.styles&only=styles&skin=vector HTTP/1.1" 200 28580
92.32.245.123 - - [19/Apr/2020:14:41:13 -0400] "GET /w/load.php?debug=false&lang=en&modules=ext.SmjCDN%7Cjquery%2Coojs%2Coojs-ui-core%2Coojs-ui-widgets%2Csite%7Cjquery.accessKeyLabel%2CcheckboxShiftClick%2Cclient%2CgetAttrs%2ChighlightText%2Csuggestions%2CtabIndex%2Cthrottle-debounce%7Cmediawiki.RegExp%2CString%2CTitle%2Capi%2Cbase%2Ccldr%2Clanguage%2CsearchSuggest%2Cutil%2Cwidgets%7Cmediawiki.libs.pluralruleparser%7Cmediawiki.page.ready%2Cstartup%7Cmediawiki.special.search%7Cmediawiki.widgets.SearchInputWidget%7Coojs-ui.styles.icons-editing-advanced%2Cicons-moderation%2Cicons-movement%7Cskins.vector.js%7Cuser.defaults&skin=vector&version=1rf1ap1 HTTP/1.1" 200 144182
92.32.245.123 - - [19/Apr/2020:14:41:15 -0400] "GET /wiki/Debug_Symbols HTTP/1.1" 200 7733
92.32.245.123 - - [19/Apr/2020:14:41:16 -0400] "GET /w/load.php?lang=en&modules=mediawiki.legacy.commonPrint%2Cshared%7Cmediawiki.skinning.interface%7Cmediawiki.toc.styles%7Cskins.vector.styles&only=styles&skin=vector HTTP/1.1" 200 8880
92.32.245.123 - - [19/Apr/2020:14:41:16 -0400] "GET /w/load.php?debug=false&lang=en&modules=ext.SmjCDN%7Cjquery%2Csite%7Cjquery.accessKeyLabel%2CcheckboxShiftClick%2Cclient%2Ccookie%2CgetAttrs%2ChighlightText%2Csuggestions%2CtabIndex%2Cthrottle-debounce%7Cmediawiki.RegExp%2CString%2CTitle%2Capi%2Cbase%2Ccookie%2CsearchSuggest%2Ctoc%2Cutil%7Cmediawiki.page.ready%2Cstartup%7Cskins.vector.js%7Cuser.defaults&skin=vector&version=1j07wt1 HTTP/1.1" 200 68744
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
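
Added example, not part of the original message or of MediaWiki: a log-side triage sketch for the question above. It expands the packed "modules" parameter of load.php requests (ResourceLoader's "prefix.a,b|c" batch format) so they can be compared with what the wiki's own pages request, and it lists source IPs whose load.php request rate exceeds a threshold, each with a ban expiry. The function names, thresholds, addresses and sample log lines are constructed for illustration, and the parser assumes one log entry per line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Combined-log prefix: client IP, timestamp, method, URL, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def expand_modules(packed):
    """Expand the packed list: 'a.b,c|d' -> ['a.b', 'a.c', 'd']."""
    names = []
    for group in packed.split("|"):        # '|' separates groups
        prefix, dot, tail = group.rpartition(".")
        names.extend(prefix + dot + s for s in tail.split(","))
    return names

def requested_modules(line):
    """Module names asked for by one load.php log entry ([] if none)."""
    m = LINE.match(line)
    query = parse_qs(urlsplit(m.group(4)).query) if m else {}
    return expand_modules(query["modules"][0]) if "modules" in query else []

def ban_candidates(lines, limit=20, window=timedelta(minutes=1), ban_for=timedelta(days=1)):
    """Map each IP with more than `limit` load.php hits per `window` to a ban expiry."""
    recent, bans = defaultdict(deque), {}
    for line in lines:
        m = LINE.match(line)
        if not m or urlsplit(m.group(4)).path != "/w/load.php":
            continue
        ip = m.group(1)
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:     # drop hits outside the window
            hits.popleft()
        if len(hits) > limit:
            bans[ip] = when + ban_for      # latest offence sets the expiry
    return bans

# Constructed sample (documentation addresses), one log entry per line.
SAMPLE = [
    '203.0.113.7 - - [19/Apr/2020:14:41:%02d -0400] "GET /w/load.php?lang=en'
    '&modules=jquery%%2Csite%%7Cmediawiki.api%%2Cutil&skin=vector HTTP/1.1" 200 512' % s
    for s in range(5)
] + ['198.51.100.9 - - [19/Apr/2020:14:41:03 -0400] "GET /w/load.php?lang=en'
     '&modules=skins.vector.styles&only=styles HTTP/1.1" 200 8880']

if __name__ == "__main__":
    print(ban_candidates(SAMPLE, limit=3), requested_modules(SAMPLE[0]))
```

A single page view issues several load.php requests within a second or two, so "limit" has to sit well above that burst before the resulting list is fed to a firewall or block list.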