Interesting hit from a VPN with python UA

?checkstatus=areyouok

         

SumGuy

3:21 am on Jan 14, 2024 (gmt 0)



Something new just started on Jan 7, second time was today (Jan 13). A hit from 81.181.56.59 asking for some file, maybe my landing page, but because the UA contained "python" the URL was re-written to a generic 4xx.html page which they got instead.

But they appended "?checkstatus=areyouok" to the original request. The UA was "Python/3.11 aiohttp/3.9.1"

The header uri-query was "checkstatus=areyouok"

The hit today had something in the cookie field (the Jan 7 hit did not). The cookie was:

PHPSESSID=(32-character-alpha-numeric)

The IP belongs to Binbox Global Services out of Romania. The whois data contains a Google Docs link to a CSV file that contains some sort of GEO-based data. I downloaded it; it's a list of about 200 /24 CIDRs, each one being a specific locale (City / Country). The IP I'm seeing would therefore map to Vienna based on this. Spur says this IP is operated by CyberGhost VPN.

Binbox has by my count about 50 /24 CIDRs. They might all ultimately be Datacamp IPs (which I generally block), but I see that I'm not currently blocking about 1/3 of these (hence why these hits got through). I'll keep it unblocked for now and see what else comes through.

haramamba

11:53 am on Jan 22, 2024 (gmt 0)



The same thing:
2024-01-09 81.181.56.59 "/?checkstatus=areyouok" "Python/3.11 aiohttp/3.9.1"

tangor

10:38 pm on Jan 22, 2024 (gmt 0)



Not seeing too many of these. Had to check my 403s as "python" anything gets the boot.
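
An added example, not posted by anyone in this thread: a small log scan that flags the `checkstatus=areyouok` probe and "python" user agents discussed above, then groups the hits by /24 so ranges that are not yet blocked stand out. It assumes the four-field line layout shown in the second post; the function names `classify` and `scan` are hypothetical, and every sample line except the first is constructed (documentation addresses, including a mixed-case variant of the parameter).

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Line layout as posted in the thread: date, IP, "request path", "user agent"
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" "([^"]*)"$')

# Constructed sample log. Only the first line is from the thread; the rest
# use documentation addresses (192.0.2.0/24, 198.51.100.0/24).
SAMPLE_LOG = '''\
2024-01-09 81.181.56.59 "/?checkstatus=areyouok" "Python/3.11 aiohttp/3.9.1"
2024-01-10 192.0.2.10 "/index.html" "Mozilla/5.0 (X11; Linux x86_64)"
2024-01-11 192.0.2.44 "/page.php?CheckStatus=areyouok&x=1" "Mozilla/5.0"
2024-01-12 198.51.100.7 "/feed.xml" "python-requests/2.31.0"
not a log line
'''

def classify(path, ua):
    """Return the set of reasons a request matches the probe described above."""
    reasons = set()
    # keep_blank_values so a bare "?checkstatus=" still parses as a parameter
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    params = {k.lower(): [v.lower() for v in vs] for k, vs in query.items()}
    if "areyouok" in params.get("checkstatus", []):
        reasons.add("probe-query")
    if "python" in ua.lower():
        reasons.add("python-ua")
    return reasons

def scan(log_text):
    """Group flagged hits by /24 network."""
    by_net = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not in the expected layout
        date, ip, path, ua = m.groups()
        reasons = classify(path, ua)
        if reasons:
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            by_net[str(net)].append((date, ip, sorted(reasons)))
    return dict(by_net)

if __name__ == "__main__":
    for net, hits in sorted(scan(SAMPLE_LOG).items()):
        print(net, hits)
```

Matching on the query parameter as well as the user agent keeps the probe visible if the client string changes.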