Webserver background noise

Here are the requests my webserver with no actual traffic gets from automated scripts and bots. These act as a constant background noise in the logs and I just find it interesting what trends are going on.

Open port 80, see what happens

I have my port 80 open (after all, this is a webserver, which can be accessed by HTTP) and I have my trusty logs ready to log the requests I get, so I thought someone might be interested in what kind of requests an empty webserver gets. Here is a (probably not complete) list:

     ~1000 /cgi-bin/common/attr?id=260714&r=0.0024761750734912 # I get tons of these, with different "id" and "r" parameters, all from a single IP "115.230.124.164", even though I put him in my firewall blacklist it doesn't stop him from trying this every day a few dozen times.
     ~100 /search?q=wczasy&num=100&start=100 # I get many of these, with different q= strings, like google, onet.pl, wakacje, I have no idea what these are, and its name makes it hard to make a Google search on it.
     51 /httptest.php  # Proxy tests
     45 /testproxy.php
     39 /_asterisk # Got these from 2 IPs from USA, no idea what these are, maybe the IP?
     36 /user/soapCaller.bs
     32 //phpMyAdmin/scripts/setup.php # Not sure about the "//" at front, makes these easy to spot
     32 /muieblackcat # lovely PHP exploit script
     29 //phpmyadmin/scripts/setup.php # They really like PhpMyAdmin, don't they? Want to install it on my server, how nice of them.
     27 /phpmyadmin/scripts/setup.php
     27 //MyAdmin/scripts/setup.php
     27 //myadmin/scripts/setup.php
     26 //pma/scripts/setup.php
     # There were a few dozen more ways to write PhpMyAdmin, but I removed them to decrease redundancy
     12 /themes/elastixneo/ie.css # Tricky, only tried to download a CSS, but probably want to know if ELASTIX
     11 /x # University of Michigan have fun with their fast network
     10 /websql/
     10 /webdb/
     10 /webadmin/
     10  <title>phpMyAdmin # Ahm, whut?
     10 /sqlweb/
     10 /sqlmanager/
     10 /sql/
     10 proxytest.zmap.io:80 # Students at Michigan are having more fun
     10 /admin/
      8 /wp-login.php    # Everybody likes WordPress
      6 //web/install/
      6 //webc/install/
      6 //WebCalendar/install/
     #Many more ways to write webcalendar
      6 //w6/install/
      6 /util_gw.js    # file in rtl819x firmware
      6 /tmUnblock.cgi # I'm not a router!
      6 //install/
      6 //                    # Can't even get the slash number right
      5 /?author=1
      4 /rom-0    # Buy a rom yourself, I'm not a router BTW
      4 /?q=user
      4 /index.php/admin/
      4 /bitrix/admin/
      4 /admin.php
      4 /administrator/index.php
      3 www.msftncsi.com:443              # even more proxy scan
      3 /w00tw00t.at.blackhats.romanian.anti-sec:) # Hey, nice to meet you
      3 /HNAP1/
      3 /a2billing/customer/iridium_threed.php
      2 /README_FOR_DECRYPT.txt # Whoever wrote this script is such an a$$hole. Read up on this if you haven't heard about it. Though an admin who doesn't make any security copies maybe deserves it.
      2 /mtree.htm
      2 /js/lib/ccard.js
      2 /index.action
      2 /.bash_history
      2 /admin/module-builtin.xml
      2 /admin/config.php
      1 /zmeu/zmeu.jsp
      1 /zecmd/zecmd.jsp
      1 /xmlrpc.php
      1 www.wikipedia.org:443 # Proxy-moxy
      1 /wstats/wstats.jsp
      1 /wp-content/plugins/revslider/
      1 /wml
      1 /webdav/
      1 /web-console
      1 /wap
      1 /upload
      1 /unAuthorizedAccess.action
      1 /tools
      1 /tmp
      1 /test
      1 /temp
      1 /tasktracker.jsp
      1 /system
      1 /.svn/entries
      1 /.svn
      1 /struts2-blank/example/HelloWorld.action
      1 /struts2
      1 /struts
      1 /status.jsp
      1 /.ssh
      1 /src
      1 /.sh_history
      1 /server-status
      1 /server-info
      1 /search
      1 /rs-status
      1 /rpt
      1 /~root
      1 /register.do
      1 /rc
      1 /?qb=94.102.49.210/  # At least you let me know your IP (though I see it in the logs as well)
      1 /plugins
      1 /?PHPSESSID=aab45f4f00143PZ%5BJPH%40OKZZQG # Ohm? Whose session id is this?
      1 /phpinfo.php
      1 /orig
      1 /none
      1 /nagios
      1 /menuBcm.js
      1 /master.jsp
      1 /loginUI.action
      1 /log
      1 /lib
      1 /js/general.js
      1 /jobtracker.jsp
      1 /jmx-console
      1 /invoker/JMXInvokerServlet
      1 /invoker/EJBInvokerServlet
      1 /interfaces
      1 /index.login.action
      1 /.htaccess
      1 /.history
      1 /.hg
      1 /folder
      1 /flumemaster.jsp
      1 /doLogin.do
      1 /doc
      1 /dfshealth.jsp
      1 /deFrgbVgtsFD
      1 /data
      1 /CVS/Entries
      1 /CVS
      1 /css/css
      1 /crossdomain.xml
      1 /corp
      1 /copy
      1 /content
      1 /config
      1 /conf
      1 /cgi-sys/FormMail-clone.cgi # and many other
      1 /cgi-mod/index.cgi
      1 /cgi-mod
      1 /cgi-bin/welcome # and many other under cgi-bin
      1 /cgi-bin
      1 /cgi
      1 /CFIDE/administrator/
      1 /cache
      1 /browseDirectory.jsp
      1 /bak
      1 /backup
      1 /axis2-admin
      1 /axis2
      1 /audio
      1 /ar
      1 /a/pwn.jsp
      1 /administrator/
      1 /admin
      1 /adm
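
A tally like the one above can be produced straight from the access log. The following is an added example, not the author's script: it groups requests so that query-string variants and "//" prefixes collapse into one entry, tags proxy probes, and reports how many distinct source IPs sent each request. The log lines are constructed, the "combined" log format is an assumption, and the category patterns are assumptions modelled on entries in the listing.

```python
import re
from collections import defaultdict

# Constructed sample lines in "combined" log format; documentation-range IPs, not the page's logs.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2015:10:00:01 +0100] "GET /cgi-bin/common/attr?id=260714&r=0.0024 HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [12/Dec/2015:10:05:09 +0100] "GET /cgi-bin/common/attr?id=118822&r=0.9913 HTTP/1.1" 404 162 "-" "-"
198.51.100.4 - - [12/Dec/2015:10:07:42 +0100] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 162 "-" "-"
198.51.100.9 - - [12/Dec/2015:10:07:43 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 162 "-" "-"
192.0.2.55 - - [12/Dec/2015:11:20:00 +0100] "CONNECT www.msftncsi.com:443 HTTP/1.1" 400 0 "-" "-"
192.0.2.55 - - [12/Dec/2015:11:20:02 +0100] "CONNECT proxytest.zmap.io:80 HTTP/1.1" 400 0 "-" "-"
192.0.2.9 - - [12/Dec/2015:12:01:00 +0100] "GET /wp-login.php HTTP/1.1" 404 162 "-" "-"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')

# First match wins. Patterns are assumptions modelled on entries in the listing above.
CATEGORIES = [
    ("proxy-probe", re.compile(r"^[^/]")),
    ("phpmyadmin-setup", re.compile(r"^/(phpmyadmin|myadmin|pma)/scripts/setup\.php$")),
    ("wordpress", re.compile(r"^/(wp-login\.php|xmlrpc\.php|wp-content/)")),
]

def normalize(method, target):
    if method == "CONNECT" or not target.startswith("/"):
        return target.lower()               # proxy probe: key on host:port or absolute URI
    path = target.split("?", 1)[0]          # drop the query so id=/r= variants collapse
    return re.sub(r"/{2,}", "/", path).lower()  # "//phpMyAdmin" -> "/phpmyadmin" (grouping only)

def classify(key):
    return next((name for name, pat in CATEGORIES if pat.search(key)), "other")

def summarize(log_text):
    stats = defaultdict(lambda: {"hits": 0, "ips": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                        # malformed request line, skipped in this sketch
        ip, method, target = m.groups()
        key = normalize(method, target)
        entry = stats[(classify(key), key)]
        entry["hits"] += 1
        entry["ips"].add(ip)
    return {k: (v["hits"], len(v["ips"])) for k, v in stats.items()}

if __name__ == "__main__":
    for (cat, key), (hits, ips) in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0]):
        print(f"{hits:6d} {ips:3d} ip(s)  {cat:18s} {key}")
```

A high hit count from a single IP (like the /cgi-bin/common/attr entry) and a low count spread over many IPs call for different responses, which is why the distinct-IP column is kept next to the hit count.
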
Article was created by helospark (2015-12-12 19:15:22)
helospark (2016-01-09 23:31:22)
First