Suspicious bot Cpanel-HTTP-Client hitting our server
Hello,
Recently I have noticed a suspicious bot with user-agent "Cpanel-HTTP-Client" is hitting random sites on my server.
Bot has random IP, one IP that i tracked down was -188.165.1.62its ovh.com IP from France.
Here are few domlog entries for this -
Is this a cpanel bot that is crawling the sites or some other fake bot? Thanks
192.151.150.194 - - [04/Mar/2017:15:20:22 +0530] "GET /58A810076709351BB352D5A0F7A263A9.txt HTTP/1.1" 404 - "-" "Cpanel-HTTP-Client/1.0"
192.151.150.194 - - [04/Mar/2017:15:20:22 +0530] "GET /4BD8B306C063E8DB7E48005F1390263A.txt HTTP/1.1" 404 - "-" "Cpanel-HTTP-Client/1.0"
192.151.150.194 - - [04/Mar/2017:15:20:22 +0530] "GET /DF2BD665D1FB1672BDF4899ADB78D068.txt HTTP/1.1" 404 - "-" "Cpanel-HTTP-Client/1.0"
188.165.1.62 - - [04/Mar/2017:15:28:25 +0530] "GET /CCCBFFF482A7B1141E29B334DED8B533.txt HTTP/1.1" 404 - "-" "Cpanel-HTTP-Client/1.0"
188.165.1.62 - - [04/Mar/2017:15:28:25 +0530] "GET /7C87B9F2240EAC4147670392155C21BE.txt HTTP/1.1" 404 - "-" "Cpanel-HTTP-Client/1.0"
188.165.1.62 - - [04/Mar/2017:15:28:25 +0530] "GET /AD5E703D0406C3522A145EEACCD8BB28.txt HTTP/1.1" 404 - "-" "Cpanel-HTTP-Client/1.0"
Is this a cpanel bot that is crawling the sites or some other fake bot? Thanks
-
So what I think is happening is, those are servers where the domain USED to reside on, and their AutoSSL checker is still running on the domains as they most likely still exist on that server, but since the DNS is pointing to your server they are now hitting your server. If you go to each IP: - Removed - You can see they are cPanel servers as well. Its safe to ignore them, they are not doing anything malicious, once the domains are removed from the old server, they will stop. 0 -
@Jcats dont think so coz some domains are hosted with us since long time and never used OVH server. Random domains random bot IPs give me feel of a fake bot pretending to be from cpanel. 0 -
Not sure what else it could be, I don't see the significance behind what they are trying to do. They are trying to find locations of scripts that are used to simply verify the ownership of a domain, even if they did hit on one of the files, it contains no information at all that can be used in anyway. Try grepping those IP's through all your domlogs and see if they are doing anything else, if it seems malicious just block the IPs. # grep -r '192.151.150.194\|188.165.1.62' /usr/local/apache/domlogs/0 -
Hello @caisc, Could you open a support ticket using the link in my signature so we can take a closer look at the log files to see what's happening? Please post the ticket number here so we can update this thread with the outcome. Thank you. 0
Please sign in to leave a comment.
Comments
4 comments