Unique string at end of UA

wilderness

6:48 am on Aug 29, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



These began in my raw logs about mid-day yesterday.
Each string a different number, and following the closing quote of the last UA field.
EX: (opening and closing asterisks are part of string)
**0/156098**

Is this unique to my host?

jmccormac

8:56 am on Aug 29, 2020 (gmt 0)

Scraper botnet? Check for CSS/images not being grabbed. Possibly using ISPs (compromised routers) from countries that don't usually send much traffic.

Regards...jmcc

wilderness

3:46 pm on Aug 29, 2020 (gmt 0)

jmcc,
thanks.
These strings are added to each and every log entry. Regardless of IP, file type, or UA.
On a full page request (html and all accompanying files, each request has a different unique string).

lucy24

4:04 pm on Aug 29, 2020 (gmt 0)

Is this unique to my host?
Probably. Poring over Apache docs [httpd.apache.org] suggests there's nothing to stop them from adding a section with literal asterisks, and there are all kinds of things that might have a numerical value. They're just not included in default log configurations.

I don't know how communicative your host is--mine has grown less helpful over the years--but it can't hurt to ask. It might even be something they put in to track a server tweak, and then forgot to take out again.

jmccormac

4:10 pm on Aug 29, 2020 (gmt 0)

Is there any pattern to the IP ranges? I've seen botnet activity where a unique string was being used in the UA but this looks slightly different. Is the traffic coming from ISPs or data centres? (Digitalocean, OVH, Leaseweb, Nobis etc)?

Also, has there been any change to the webserver's configuration?

Regards...jmcc

lucy24

4:12 pm on Aug 29, 2020 (gmt 0)

I've seen botnet activity where a unique string was being used in the UA but this looks slightly different.
That was my first thought, but then I reread OP and saw that he's describing something appended after the UA string.

wilderness

4:22 pm on Aug 29, 2020 (gmt 0)

Once again, a different string to the end of each and every log entry. (lucy, I was unable to locate anything on google).

Another EX.
112.x.x.x - - [29/Aug/2020:03:49:14 -0700] "HEAD /houtai/login.php HTTP/1.1" 403 - "-" "-" **0/23637**
112.x.x.x - - [29/Aug/2020:03:49:14 -0700] "HEAD /admin/login.php HTTP/1.1" 403 - "-" "-" **0/22443**
112.x.x.x - - [29/Aug/2020:03:49:14 -0700] "HEAD /wang/login.php HTTP/1.1" 403 - "-" "-" **0/26660**
112.x.x.x - - [29/Aug/2020:03:49:14 -0700] "HEAD /jian/login.php HTTP/1.1" 403 - "-" "-" **0/39580**
112.x.x.x - - [29/Aug/2020:03:49:14 -0700] "HEAD /dede/login.php HTTP/1.1" 403 - "-" "-" **0/16846**
112.x.x.x - - [29/Aug/2020:03:49:14 -0700] "HEAD /dedea/login.php HTTP/1.1" 403 - "-" "-" **0/32524**
112.x.x.x - - [29/Aug/2020:03:49:14 -0700] "HEAD /chen/login.php HTTP/1.1" 403 - "-" "-" **0/34054**
112.x.x.x - - [29/Aug/2020:03:49:14 -0700] "HEAD /caiyuan/login.php HTTP/1.1" 403 - "-" "-" **0/45859**
112.x.x.x - - [29/Aug/2020:03:49:14 -0700] "HEAD /guanli/login.php HTTP/1.1" 403 - "-" "-" **0/42047**
112.x.x.x - - [29/Aug/2020:03:49:16 -0700] "HEAD /dede123/login.php HTTP/1.1" 403 - "-" "-" **0/30708**

jmccormac

4:28 pm on Aug 29, 2020 (gmt 0)

Those seem to be Chinese probes for Chinese market CMSes. They might be coming from Chinese ISPs or from Alibaba ranges. The appended numerical strings look odd. They are being 403ed though.

Regards...jmcc

wilderness

4:33 pm on Aug 29, 2020 (gmt 0)

jmcc,
The IP, file types (and/or requests) and even UA are all irrelevant.

The focus is ONLY the string appended to end.

jmccormac

4:48 pm on Aug 29, 2020 (gmt 0)

Are all the requests 403s or are there any 200s? It is possible to append a compression ratio/size with mod_deflate (Apache) and it could be something to do with the webserver configuration file in the logging format section. The asterisks are odd though.

Regards...jmcc

lucy24

7:06 pm on Aug 29, 2020 (gmt 0)

compression ratio
Huh. I couldn’t think what would fit the pattern of:
non-sequential
each number different
overall variation by a factor of 2-3, all the same order of magnitude

I thought it might be %I which is the size in bytes of the request, not the response, but unless I'm overlooking something, all those values are off by two orders of magnitude (should be in the hundreds, not in the tens of thousands).

Don, the reason we're asking about UA is just for reassurance that the UA is present in logs in other cases, whenever one is sent. (Malign robots of the cheapest kind don't bother to send a UA string, which makes them easy to block.)

My hunch is that the asterisks are delimiters supplied by the config file, not part of the string being logged. In fact it's something you might choose to do if you wanted to draw attention to a less-standard aspect of logs. (I was going to say “non-standard”, but there's a finite list of things that can be logged at all.)

wilderness

7:59 pm on Aug 29, 2020 (gmt 0)

lucy,
here's two requests from Google this morning.

66.249.73.39 - - [29/Aug/2020:05:06:29 -0700] "GET /MySub/Sub-sub/MyPage.html HTTP/1.1" 200 15395 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.92 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" **0/35617**
66.249.73.39 - - [29/Aug/2020:05:07:00 -0700] "GET /MySub/Sub-sub/MyPage.html.html HTTP/1.1" 200 15395 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" **0/11271**

lucy24

9:29 pm on Aug 29, 2020 (gmt 0)

Definitely mystifying. So in this specific case, the mobile Googlebot's request involved three ... something ... as much/many as the vanilla Googlebot for the identical page. But this seems to be a red herring, based on other log entries.

Could it be time? either
%D
%{us}T
where "us" (I assume that's an ASCII approximation of mu) in the %T form is microseconds.

Numbers in five figures would mean something in the tens of milliseconds. Is that a reasonable server processing time? (I have no idea, so I hope someone else does.)

wilderness

5:54 pm on Sep 13, 2020 (gmt 0)

17th day and strings continue.

robzilla

12:48 am on Nov 28, 2020 (gmt 0)

Could be a bunch of things. Process ID, port number, bytes in/out, time taken to serve the request... check your httpd.conf for the LogFormat and you'll know. Or, as previously noted, ask your hosting provider if the Apache configuration is not under your control.

Seems harmless though, just some diagnostic probably. Maybe someone forgot to remove it.
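Added example (not code from any poster in this thread): a small Python script that does the two things suggested above, namely parse log lines carrying the **a/b** trailer and summarise the second number (in milliseconds, on lucy24's guess that it is %D, microseconds to serve the request), and pull LogFormat lines out of an httpd.conf to find any format string that contains literal asterisks. The log lines are the ones quoted in the thread; the httpd.conf fragment is constructed, and its "combined_timed" format with "**%k/%D**" is only an assumption about what such a config could look like, not the poster's host's actual configuration.

```python
import re
from statistics import mean

# Constructed sample (lines quoted in the thread, IPs masked as in the posts),
# each ending in the **a/b** trailer the thread is asking about.
SAMPLE_LOG = """\
112.x.x.x - - [29/Aug/2020:03:49:14 -0700] "HEAD /houtai/login.php HTTP/1.1" 403 - "-" "-" **0/23637**
112.x.x.x - - [29/Aug/2020:03:49:14 -0700] "HEAD /admin/login.php HTTP/1.1" 403 - "-" "-" **0/22443**
66.249.73.39 - - [29/Aug/2020:05:06:29 -0700] "GET /MySub/Sub-sub/MyPage.html HTTP/1.1" 200 15395 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" **0/35617**
66.249.73.39 - - [29/Aug/2020:05:07:00 -0700] "GET /MySub/Sub-sub/MyPage.html.html HTTP/1.1" 200 15395 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" **0/11271**
"""

# Constructed httpd.conf fragment. "combined_timed" is a hypothetical way to
# produce the trailer: literal asterisks in the format string around two
# %-directives (%k = keepalive request count on the connection, %D = microseconds
# taken to serve the request). An assumption, not the host's real config.
SAMPLE_HTTPD_CONF = r'''
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" **%k/%D**" combined_timed
CustomLog "logs/access_log" combined_timed
'''

# Apache "combined" format followed by an optional **a/b** trailer. Quoted fields
# are matched up to the next double quote; Apache writes embedded quotes as \",
# so a UA containing one would need a fancier pattern than this.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: \*\*(?P<trailer_a>\d+)/(?P<trailer_b>\d+)\*\*)?\s*$'
)

# LogFormat "<format with \" escapes>" <nickname>
LOGFORMAT_RE = re.compile(r'^\s*LogFormat\s+"((?:[^"\\]|\\.)*)"\s+(\S+)', re.M)


def parse_line(line):
    """Parse one access-log line; returns a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    for key in ("trailer_a", "trailer_b"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_log(text):
    """Parse every non-empty line, skipping lines that do not match the format."""
    recs = [parse_line(l) for l in text.splitlines() if l.strip()]
    return [r for r in recs if r is not None]


def trailer_stats(records):
    """Summarise the second trailer number; also show it as ms if it were %D (microseconds)."""
    vals = [r["trailer_b"] for r in records if r["trailer_b"] is not None]
    if not vals:
        return {"count": 0}
    avg = mean(vals)
    return {
        "count": len(vals),
        "min": min(vals),
        "max": max(vals),
        "mean": avg,
        "first_field_values": sorted({r["trailer_a"] for r in records if r["trailer_a"] is not None}),
        "mean_ms_if_microseconds": avg / 1000.0,
    }


def strip_trailer(line):
    """Drop the **a/b** trailer so standard combined-log tools can parse the line."""
    return re.sub(r' \*\*\d+/\d+\*\*\s*$', '', line)


def find_logformats(conf_text):
    """Map LogFormat nickname -> format string from an httpd.conf fragment."""
    return {nick: fmt for fmt, nick in LOGFORMAT_RE.findall(conf_text)}


def formats_with_asterisk_trailer(conf_text):
    """Nicknames whose format string contains a literal '**' (the suspect trailer)."""
    return [nick for nick, fmt in find_logformats(conf_text).items() if "**" in fmt]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(trailer_stats(recs))
    print(formats_with_asterisk_trailer(SAMPLE_HTTPD_CONF))
    print(strip_trailer(SAMPLE_LOG.splitlines()[0]))
```

If the hosting control panel only exposes the raw logs and not httpd.conf, the stats half still works on its own: feed it a day of lines and see whether the second number tracks response size, status or request type; if it does not correlate with anything in the line, a timing directive like %D is the natural fit. On a shared host, the LogFormat search has to be done by the provider, which is the "ask your host" step above.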

tangor

6:03 am on Dec 1, 2020 (gmt 0)

Just curious ... is this still happening?

Or has it gone away?