38

A curious question this time. Someone just made the following HTTP requests to my server:

127.0.0.1 - - [02/Jun/2021 15:28:00] "GET //wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:00] "GET //xmlrpc.php?rsd HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:00] "GET / HTTP/1.0" 200 -
127.0.0.1 - - [02/Jun/2021 15:28:00] "GET //blog/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:00] "GET //web/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //wordpress/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //website/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //wp/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //news/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //2018/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //2019/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //shop/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //wp1/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //test/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //media/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //wp2/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:01] "GET //site/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:02] "GET //cms/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -
127.0.0.1 - - [02/Jun/2021 15:28:02] "GET //sito/wp-includes/wlwmanifest.xml HTTP/1.0" 404 -

Anyone any idea why someone would try this. I know it has something to do with WordPress (that I don't use/have installed anyway) But I still wonder why someone would try to make these requests.

Thx a lot, Jules

P.S. The server says it comes from localhost but that is because it goes through Nginx

Jules Hummelink
  • 584
  • 1
  • 6
  • 14
  • 4
    Just standard bot traffic on the internet. One giveaway, besides the known-URLs, is that they are using HTTP/1.0 which is pretty much [bot-only these days](https://stackoverflow.com/a/40076230/231316). Why is someone even [bothering with it](https://security.stackexchange.com/a/189814/86698)? Mostly like script-kiddie bots that just have a list of tests that never get pruned. They have every exploit from the past 25+ years and it doesn't really hurt them to try them all, and they also don't really know what they are doing, so they just try it all. – Chris Haas Jun 03 '21 at 01:25

1 Answers1

19

This is commonplace. Today more than 40% of the world's internet traffic are bots and 25% are malicious bots. They are just bots that are constantly looking for possible security flaws in as many indexed domains as possible in order to compromise the site. There are tools that can help you detect these requests and take action. For example fail2ban.

SEOAlexRamon
  • 316
  • 2
  • 3
  • Could you link to a reference for those numbers please? – Liam Sep 28 '22 at 15:44
  • 2
    @Liam https://www.cpomagazine.com/cyber-security/bad-bot-traffic-report-almost-half-of-all-2021-internet-traffic-was-not-human/ https://www.imperva.com/resources/resource-library/reports/bad-bot-report/ – Fabian Barney Oct 31 '22 at 16:36