So this site has been up for a few hours now and already there have been multiple scans on it. To be honest I was actually wondering how little time it would take for the first scans to arrive. It took merely 15 minutes for my little web server to be found by some script that is already trying to get in through Basic HTTP authentication on it.
Just some example snippets from my log:
185.107.83.26 - admin [29/Jan/2018:01:21:55 +0200] "GET / HTTP/1.1" 401 2138 "https://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - cisco [29/Jan/2018:01:21:45 +0200] "GET / HTTP/1.1" 401 682 "http://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - root [29/Jan/2018:01:21:47 +0200] "GET / HTTP/1.1" 401 682 "http://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - user [29/Jan/2018:01:21:47 +0200] "GET / HTTP/1.1" 401 682 "http://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - supervisor [29/Jan/2018:01:21:59 +0200] "GET / HTTP/1.1" 401 2138 "https://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - Cisco [29/Jan/2018:01:22:10 +0200] "GET / HTTP/1.1" 401 2138 "https://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - enable [29/Jan/2018:01:22:13 +0200] "GET / HTTP/1.1" 401 2138 "https://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - pnadmin [29/Jan/2018:01:22:13 +0200] "GET / HTTP/1.1" 401 2138 "https://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
It seems to be trying out all sorts of different default user name and password combinations.
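To pick this pattern out of an access log automatically, the sketch below flags clients that get 401 responses for several different Basic-auth user names in a short time. It is an added example, not part of the original post: the sample lines are constructed in the same log format using documentation-range addresses, and the function name, the threshold of 4 user names and the 5-minute window are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"[^"]*" (?P<status>\d{3}) \S+'
)

def find_credential_guessing(lines, min_users=4, window=timedelta(minutes=5)):
    """Return {ip: sorted user names tried} for clients that received 401 for
    at least `min_users` distinct Basic-auth user names within `window`."""
    attempts = defaultdict(list)              # ip -> [(timestamp, user)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "401" or m["user"] == "-":
            continue                          # unparsable, not a failure, or no user sent
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts[m["ip"]].append((ts, m["user"]))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()                         # log lines are not always in time order
        start = 0
        for end in range(len(events)):        # sliding window over this client's failures
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                flagged[ip] = sorted({u for _, u in events})  # report every name it tried
                break
    return flagged

# Constructed sample lines (not from the original log).
SAMPLE = [
    '203.0.113.7 - admin [29/Jan/2018:01:21:55 +0200] "GET / HTTP/1.1" 401 2138 "-" "Mozilla/5.0"',
    '203.0.113.7 - cisco [29/Jan/2018:01:21:45 +0200] "GET / HTTP/1.1" 401 682 "-" "Mozilla/5.0"',
    '203.0.113.7 - root [29/Jan/2018:01:21:47 +0200] "GET / HTTP/1.1" 401 682 "-" "Mozilla/5.0"',
    '203.0.113.7 - Cisco [29/Jan/2018:01:22:10 +0200] "GET / HTTP/1.1" 401 2138 "-" "Mozilla/5.0"',
    '198.51.100.20 - alice [29/Jan/2018:01:30:00 +0200] "GET / HTTP/1.1" 401 682 "-" "Mozilla/5.0"',
    '198.51.100.20 - alice [29/Jan/2018:01:30:05 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Jan/2018:01:31:00 +0200] "GET / HTTP/1.1" 401 682 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_credential_guessing(SAMPLE))
```

A user who mistypes a password once and then logs in (the `alice` lines) stays below the threshold, and the initial unauthenticated 401 that every browser triggers is ignored because no user name was sent.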