Exploit attempt from Baidu

         

keyplyr

9:32 pm on Mar 22, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



180.76.106.*** - - [21/Mar/2018:22:42:12 -0700] "GET /install.php?finish=1 HTTP/1.1" 403 4500 "http://www.example.com/install.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"

180.76.106.*** - - [21/Mar/2018:22:42:14 -0700] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 4500 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"

I do allow this range without prejudice.

Host: Baidu
180.76.0.0 - 180.76.255.255
180.76.0.0/16

TorontoBoy

1:02 am on Mar 23, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



Not your typical Baidu UA. I get this from Baidu usually:
Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)

deny from 180.76.135.0/24

Huhnm. I have this range recorded, so they must have tried to spam me in the past. This is Beijing Baidu. They have different locations.

keyplyr

1:17 am on Mar 23, 2018 (gmt 0)




What I reported isn't Baiduspider, it's a lone gunman using a Baidu range.

As I said above, I would never block the Baidu /16. I get a lot of valid human traffic from Baidu. Both these attempts were blocked... but it wasn't because of the IP range.

TorontoBoy

1:26 am on Mar 23, 2018 (gmt 0)




I assumed that only someone that works for Baidu can use the Baidu range. Can others use the Baidu range?

keyplyr

1:29 am on Mar 23, 2018 (gmt 0)




As you know, these Chinese tech companies are not very transparent about what they do. Most IP ranges from China RDS to either Chinanet or China Unicom, even though there are hundreds (thousands?) of commercial companies in there, so it's difficult to know who it really is IMO.
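Added example, not part of any post in this thread: a Python check that classifies access-log lines by requested path instead of by source range, so the two probes quoted above are flagged while other traffic from 180.76.0.0/16 is left alone. The function names and the third sample line are constructed for illustration, and a masked `***` octet is treated as 0 for the range test.

```python
import ipaddress
import re

# Apache combined log format, as in the two entries quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
PROBE_PATHS = {  # paths requested in the thread's two log entries
    "/install.php",
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
}
BAIDU_NET = ipaddress.ip_network("180.76.0.0/16")  # range given in the thread
UA = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 "
      "(KHTML, like Gecko) Version/5.1 Safari/534.50")
SAMPLE = [
    # First two: the thread's entries (last octet masked there as ***).
    '180.76.106.*** - - [21/Mar/2018:22:42:12 -0700] "GET /install.php?finish=1 HTTP/1.1" '
    '403 4500 "http://www.example.com/install.php" "' + UA + '"',
    '180.76.106.*** - - [21/Mar/2018:22:42:14 -0700] "GET /vendor/phpunit/phpunit/src/Util/'
    'PHP/eval-stdin.php HTTP/1.1" 403 4500 "-" "' + UA + '"',
    # Constructed for contrast: a crawler-style request from the same /16.
    '180.76.15.*** - - [21/Mar/2018:22:50:00 -0700] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"',
]

def in_baidu_range(ip_text):
    # A /16 membership test does not depend on the masked last octet.
    try:
        return ipaddress.ip_address(ip_text.replace("***", "0")) in BAIDU_NET
    except ValueError:
        return False

def classify(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not a combined-format line
    path = m["target"].split("?", 1)[0]  # ignore the query string
    return {"ip": m["ip"], "path": path, "status": int(m["status"]),
            "probe": path in PROBE_PATHS,
            "baidu_range": in_baidu_range(m["ip"]),
            "claims_baiduspider": "baiduspider" in m["agent"].lower()}

def probes(lines):
    """Requests for probe paths, regardless of which range they came from."""
    return [c for c in map(classify, lines) if c and c["probe"]]

if __name__ == "__main__":
    for hit in probes(SAMPLE):
        print(hit)
```
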