On Friday 2021-12-31 03:39, Bernhard M. Wiedemann wrote:
here are some:
139.180.217.245 - - [30/Dec/2021:23:59:59 +0000] "GET /repositories/./Apache:/Shibboleth/SLE_15/x86_64/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:20473 P:139.180.192.0/19 864 6757 size:- - "-" "-"
139.180.217.245 - - [31/Dec/2021:01:57:36 +0000] "GET /repositories/./Apache:/Modules/Apache_SLE_15_SP1/src/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:20473 P:139.180.192.0/19 869 6757 size:- - "-" "-"
* So indeed just plain curl/libcurl, no zypp.
* Who runs curl-7.54 anyway?
  - there is no curl-7.54 in any openSUSE product and state to be found
  - there is no curl-7.54 in any contemporary, proliferated distro: https://repology.org/project/curl/versions
  - could be your Zyxel systems
one interesting fact is that it seems to do requests with both incorrect suffixes at the same rate of around 84/s
pontifex2 (download.o.o):/var/log/apache2/download.opensuse.org # grep /software.opensuse.org/ access_log|cut -d\  -f1|sort|uniq -c|sort -n|tail -40
   7700 45.63.124.224    JP, office-ten router
   8031 123.59.120.44    CN, office-ten
   8480 172.105.232.137  CN, office-ten
   8926 223.166.174.30   CN, Huawei EchoLife HG8546M, china mobile
   9281 172.104.163.142  US, zyxel mgmt
   9838 180.153.180.97   CN, moxa console mgmt
   9929 172.104.49.212   CN, "bai cells" mgmt
  11108 45.33.42.112     bai cells
  11145 172.104.98.170   Huawei USG6390
  11244 123.59.120.253   HG8546M
  11716 173.230.131.60   US, IIS/"redcamera"
  12162 123.59.120.132   cn, TL-WR842N router
  12202 123.59.120.200   cn, IIS/"redcamera"
  12920 123.59.211.81    cn, "DVR components"
  13032 123.59.120.201   zimbra
  13093 123.59.120.35    cn, ZTE ZXHN H168N
  13132 123.59.120.156
  13489 172.105.17.61    moxa
only 66 of those did more than 100 requests
Interestingly, there are webservers responding on all IPs I checked. All with some login form. Some said P-660R-T1 v2 PMG5317-T20B which is a Zyxel home router, so maybe these are some hacked servers scanning the web for more stuff to hack?
We won't know ultimately. Oh well.
Somewhat unrelated: there are 6% of requests like this:
"HEAD /update/leap/15.3/oss/media.1/media HTTP/2.0" 404 1083 "-" "ZYpp 17.27.0 (curl 7.66.0) "
Guess someone has 15.3 configured with type=yast2 in .repo files from earlier days and never noticed. This scenario _is_ possible. In 15.3, openSUSE-release.rpm started forcing .repo files on us. Having a wrong URL in one of your _own_ (rpm-untracked) .repo files therefore can go unnoticed, especially when a graphic frontend is used (thinking PackageKit here). The behavior of shipping .repo is unique in that 15.2 did not do it, and neither does Tumbleweed.
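The per-IP tallying done in the thread with grep/cut/sort/uniq, as an added Python example that is not part of the thread or of any openSUSE tooling: it parses the log layout quoted above (combined format followed by download.o.o's extra fields), labels the two request shapes under discussion (a second URL glued onto the path, as the curl/7.54.0 client does, and a ZYpp HEAD on media.1/media answered with 404, the stale type=yast2 case), and reports per-IP counts and request rates so that noisy sources stand out. The sample log lines are constructed, and the regex for the bogus suffixes is an assumption built from the two examples quoted here.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the layout of the download.o.o access log quoted
# in the thread: combined log format, then the site's extra "want:/give:/ASN:"
# fields, which this parser simply ignores.
SAMPLE_LOG = """\
139.180.217.245 - - [30/Dec/2021:23:59:59 +0000] "GET /repositories/./Apache:/Shibboleth/SLE_15/x86_64/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:20473 P:139.180.192.0/19 864 6757 size:- - "-" "-"
139.180.217.245 - - [30/Dec/2021:23:59:59 +0000] "GET /repositories/./Apache:/Modules/SLE_15/src/software.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:20473 P:139.180.192.0/19 864 6757 size:- - "-" "-"
139.180.217.245 - - [31/Dec/2021:00:00:00 +0000] "GET /repositories/./Apache:/Modules/SLE_15/src/http://build.opensuse.org/ HTTP/1.1" 404 1083 "-" "curl/7.54.0" want:- give:- r:- - -:- ASN:20473 P:139.180.192.0/19 864 6757 size:- - "-" "-"
203.0.113.7 - - [31/Dec/2021:00:00:00 +0000] "HEAD /update/leap/15.3/oss/media.1/media HTTP/2.0" 404 1083 "-" "ZYpp 17.27.0 (curl 7.66.0) " want:- give:- r:- - -:- ASN:64496 P:203.0.113.0/24 12 0 size:- - "-" "-"
198.51.100.9 - - [31/Dec/2021:00:00:01 +0000] "GET /update/leap/15.3/oss/repodata/repomd.xml HTTP/2.0" 200 2048 "-" "ZYpp 17.27.0 (curl 7.66.0) " want:- give:- r:- - -:- ASN:64496 P:198.51.100.0/24 5 2048 size:- - "-" "-"
"""

# Combined log format; everything after the user agent is left unmatched.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed pattern derived from the two bogus suffixes quoted in the thread:
# a second URL glued onto the path, or the site name appended as a directory.
EMBEDDED_URL_RE = re.compile(r"https?://|/software\.opensuse\.org/")


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["ua"] = rec["ua"].strip()  # ZYpp's UA string carries a trailing space
    return rec


def classify(rec):
    """Return an anomaly label for one request, or None for ordinary traffic."""
    if EMBEDDED_URL_RE.search(rec["path"]):
        return "embedded-url-suffix"  # the curl/7.54.0 scanner pattern
    if (rec["method"] == "HEAD" and rec["path"].endswith("/media.1/media")
            and rec["status"] == 404 and rec["ua"].startswith("ZYpp")):
        return "stale-yast2-repo"  # type=yast2 left in an old .repo file
    return None


def summarize(lines, min_requests=100):
    """Per-IP counts, request rates and anomaly labels; IPs at or above
    min_requests are listed as noisy (the thread used a cutoff of 100)."""
    per_ip = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "anomalies": Counter()})
    user_agents = Counter()
    anomalies = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["count"] += 1
        entry["first"] = min(entry["first"] or rec["ts"], rec["ts"])
        entry["last"] = max(entry["last"] or rec["ts"], rec["ts"])
        user_agents[rec["ua"]] += 1
        label = classify(rec)
        if label:
            entry["anomalies"][label] += 1
            anomalies[label] += 1
    for entry in per_ip.values():
        # Requests per second over the inclusive span of seconds seen.
        span = (entry["last"] - entry["first"]).total_seconds()
        entry["rate"] = entry["count"] / (span + 1)
    noisy = sorted((ip for ip, e in per_ip.items() if e["count"] >= min_requests),
                   key=lambda ip: per_ip[ip]["count"], reverse=True)
    return {"per_ip": dict(per_ip), "user_agents": user_agents,
            "anomalies": anomalies, "noisy_ips": noisy}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines(), min_requests=2)
    for ip in report["noisy_ips"]:
        e = report["per_ip"][ip]
        print(f"{ip}: {e['count']} requests, {e['rate']:.2f}/s, {dict(e['anomalies'])}")
    print("user agents:", dict(report["user_agents"]))
    print("anomaly totals:", dict(report["anomalies"]))
```

Run it against a real access_log with `summarize(open("access_log"), min_requests=100)`; the user-agent counter reproduces the "who runs curl-7.54" question directly, and the stale-yast2-repo counter is the share of ZYpp clients still pointed at a type=yast2 repo.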