1. Home
  2. Forums Index
  3. General SEO Issues / Crawler, Spider, and User Agent ID 10:57 am May 21, 2026

Forum Moderators: open

Message Too Old, No Replies

A curious set of php file requests today

From an IP that should not have made it...

         

SumGuy

11:18 pm on Jun 12, 2022 (gmt 0)

5+ Year Member Top Contributors Of The Month



I came across a curious set of php file requests today in the logs. Haven't seen this before I don't believe.

Some background: My router is blocking about 29.5% of all allocated IPv4 IP's (my web server is only reachable via IPv4) so this particular set of requests might happen with some substantial frequency that others might see, but for me - this one "got through".

The files requested were:

/abc.php
/popcorn.php
/up.php
/upl.php
/upload.php
/uploader.php
/ups.php
/uvuveve.php

For those that might have such files on their server, I suggest you move them or secure their access.

Each file was requested twice, with the UA changing every time. For those that block on UA, here's what they were:

Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML like Gecko) Version/14.1.1 Mobile/15E148 Safari/604.1"
Mozilla/5.0 (Linux; Android 10; HRY-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Mobile Safari/537.36"
Mozilla/5.0 (Linux; Android 10; Redmi Note 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.127 Mobile Safari/537.36"
Mozilla/5.0 (Linux; Android 7.1.1; Nokia 2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.83 Mobile Safari/537.36"
Mozilla/5.0 (Linux; Android 8.0.0; PRA-TL10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.116 Mobile Safari/537.36"
Mozilla/5.0 (Linux; Android 9.0; Pixel 2 XL Build/PPP4.180612.004; Windows 10 Mobile) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3552.0 Mobile Safari/537.36"
Mozilla/5.0 (Linux; Android 9; FLA-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Mobile Safari/537.36 OPR/59.1.2926.54067"
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36"
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.105 YaBrowser/21.3.3.230 Yowser/2.5 Safari/537.36"
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36"
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36"
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/62.0

Maybe some of those are legit, maybe some are well-known fakes, I don't know.

And the IP where the hits came from?

69.71.169.32 (dev.lis.ncgr.org)

Located in a /19 assigned to Visionary Communications (AS10835). Some of that AS is assigned to CenturyLink, which (aside) continues to baffle me (are they an ISP or hoster or what?).

Unless this was a DDOS (ie unless the IP was spoofed, but I don't see the point of requesting PHP's as part of a dos attack) the requesting IP must be compromised, and in this case the organization behind the IP (ncgr.org) is -> National Center for Genome Resources. So that should trouble some people.

dstiles

8:48 am on Jun 13, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I have a file of about 250 such, at least, abbreviated to a regex lookup. There is little point in blocking the IP as they generally come from hacked IPs. Purpose as far as I know is to look for exploits.

Dimitri

2:26 pm on Jun 13, 2022 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Peace first, then ...

I don't know if "uvuveve" means something, but there are a lot of site with this file.

lucy24

3:51 pm on Jun 13, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I don't see the point of requesting PHP's as part of a dos attack
If the file actually exists, then a .php on average is more work for the server than plain .html. And if your motive is to bring down the server, every little bit helps. Then again they may just be using .php as the generic extension most likely to be used by a CMS, which in turn represents an increasing proportion of web pages. And once there's a CMS involved, even a file that ultimately turns out not to exist is a fair amount of work for the server.

It is an unusual list, though. Not like all those generic wp files that are requested by all malign robots on all sites.

SumGuy

10:58 pm on Jun 13, 2022 (gmt 0)

5+ Year Member Top Contributors Of The Month



Ever see this request?

/web_shell_cmd.gch

I've never until today. From 139.144.18.165 -> Linode. Or, I should say - "linodeusercontent".

Linode has metastasized some new IP's. They are:

139.144.0.0/18
139.144.64.0/20

lucy24

2:06 am on Jun 14, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Not yet. But then, I only run logs three times a week, so who knows what will show up tomorrow.

:: wandering off to learn what on earth .gch is, leading to tentative answer “something you would never expect to find in a publicly accessible location” ::

Linode. Or, I should say - "linodeusercontent"
Somehow, that makes me think of the robots who think they stand a better chance if they claim to be the baiduspider.

SumGuy

12:00 am on Jun 17, 2022 (gmt 0)

5+ Year Member Top Contributors Of The Month



While we're on the topic of naughty requests:

POST/_ignition/execute-solution
GET/index.html
GET/script
GET/login
GET/jenkins/login
GET/manager/html
GET/index.html?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=xcinmgex
GET/users/sign_in

No idea who or what "jenkins" is. Nice touch there with the POST.

All that came from 103.179.57.35 (some cloud-hoster in Indonesia).

dstiles

8:42 am on Jun 17, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I block all posts that do not contain my specific POSTing URLs.

jenkins, script, login etc are amongst the 250 regex entries in my kill-file, which returns a 403 and, ultimately, drops the IP into iptables.

My experiences in this are at [webmasterworld.com...] if you are interestedhttps://www.webmasterworld.com/php/5041968.htm

Dimitri

12:13 pm on Jun 18, 2022 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



This is the opportunity to remind to sanitize, and validate every single parameter a script is receiving ... for those still programming things themselves.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. General SEO Issues / Crawler, Spider, and User Agent ID 10:57 am May 21, 2026