Unclear attack(?) on web server: GET requests for tar files



  • I am currently looking at the logs of my server and it is currently targeted by an IP address in the Netherlands performing requests to routes such as /X.tar.gz, where they increment X from a to z and 0 to 9. The same happens without the gz extension.

    I don't serve such content and all of these requests are actually responded to with 400/410, as they should. I am reasonably familiar with attacks coming in that try to exploit vulnerabilities in e.g. WordPress and other tools (so far none of them that I could see for the actual software used on the server), but this strikes me as a bit odd, because most attacks that I see either POST, or have query parameters.

    What could the intention here be? Are they trying to scrape my data (how common could it possibly be to store just single character/digit tar files)? Is this some kind of botnet thinking that my server is their server? Something completely different?



  • I doubt this is a targeted attack. Similar to what most people said in the comments, this is a bot probing for tarballs created by a naive webmaster or archiving software. Don't pay these bots much attention as they likely scan the entire IPv4 space.

    If you are still unsure if the attack was targeted, you can use IP reputation tools like GreyNoise and AbuseIPDB to determine if the attack has been seen by others.
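
An added example, not part of the original thread: a log check for the pattern described in the question, which groups single-character `.tar`/`.tar.gz` GET requests by client and flags any that were answered with a 2xx status (the only case that would mean an archive was actually served). It assumes common/combined access-log format; the function names, the `min_paths` threshold and the sample lines (documentation IP ranges) are constructed for illustration.

```python
import re
from collections import defaultdict

# Common/combined log format: ip - - [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# The pattern from the question: /X.tar or /X.tar.gz, X a single letter or digit.
PROBE_RE = re.compile(r'^/[a-z0-9]\.tar(?:\.gz)?$', re.IGNORECASE)


def find_archive_probes(lines, min_paths=5):
    """Return {ip: {"paths": n, "served": [...]}} for clients that requested
    at least min_paths distinct single-character tar paths (assumed threshold)."""
    paths = defaultdict(set)
    served = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]
        if method != "GET" or not PROBE_RE.match(path):
            continue
        paths[ip].add(path.lower())
        if status.startswith("2"):
            served[ip].append(path)  # an archive was actually delivered
    return {ip: {"paths": len(p), "served": sorted(served[ip])}
            for ip, p in paths.items() if len(p) >= min_paths}


def sample_log():
    """Constructed sample: one scanner and one ordinary visitor."""
    ts = "[10/Oct/2023:13:55:36 +0000]"
    lines = []
    for i, name in enumerate("abcdefgh0123"):
        ext = ".tar.gz" if i % 2 == 0 else ".tar"
        lines.append(f'203.0.113.7 - - {ts} "GET /{name}{ext} HTTP/1.1" 410 0 "-" "-"')
    lines.append(f'198.51.100.9 - - {ts} "GET /index.html HTTP/1.1" 200 512 "-" "-"')
    lines.append(f'198.51.100.9 - - {ts} "GET /a.tar.gz HTTP/1.1" 404 0 "-" "-"')
    return lines


if __name__ == "__main__":
    for ip, info in find_archive_probes(sample_log()).items():
        state = "SERVED: " + ", ".join(info["served"]) if info["served"] else "none served"
        print(f"{ip}: {info['paths']} probe paths, {state}")
```

An empty `served` list for a flagged client matches the situation in the question, where every probe got 400/410; a non-empty one means a matching file exists in the web root and should be removed.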

