<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div><blockquote type="cite" class=""><div class=""><div class="">178.32.200.116 - - [10/Mar/2018:14:21:23 -0800] "GET /?cmd=die('===!'.'==='); HTTP/1.1" 200 290 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0”</div></div></blockquote><div><br class=""></div><div>Looks like they’re sniffing for web servers that have something set up where /?cmd=x lets you execute x. If they get back a 500, then they know that the command was tried and died. Then they know to sniff around some more because /?cmd is now a portal to executing things remotely on that server.</div><div><br class=""></div><div><br class=""></div><blockquote type="cite" class=""><div class=""><div class="">168.144.187.20 - - [16/Mar/2018:09:17:35 -0700] "POST /?q=die('z!a'.'x');&w=die('z!a'.'x');&e=die('z!a'.'x');&r=die('z!a'.'x');&t=die('z!a'.'x');&y=die('z!a'.'x');&u=die('z!a'.'x');&i=die('z!a'.'x');&o=die('z!a'.'x');&p=die('z!a'.'x');&a=die('z!a'.'x');&s=die('z!a'.'x');&d=die('z!a'.'x');&f=die('z!a'.'x');&g=die('z!a'.'x');&h=die('z!a'.'x');&j=die('z!a'.'x');&k=die('z!a'.'x');&l=die('z!a'.'x');&z=die('z!a'.'x');&x=die('z!a'.'x');&c=die('z!a'.'x');&v=die('z!a'.'x');&b=die('z!a'.'x');&n=die('z!a'.'x');&m=die('z!a'.'x');&eval=die('z!a'.'x');&enter=die('z!a'.'x'); HTTP/1.1" 200 290 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0”</div></div></blockquote></div><br class=""><div class="">Looks like they’re trying the same sort of sniffing around with a bunch of different variables, to see if any of them cause the error that they expected above.</div><div class=""><br class=""></div><div class="">In short, they’re trying the doorknob to see if the house is unlocked. On the plus side, it doesn't look like a focused attack. 
They’re just trying the doorknob at every site they can.</div><div class=""><br class=""></div><div class="">This kind of thing is why the idea of “Why would anyone try to hack my little website? Why do I need to be paranoid about security?” is so wrong-headed. The bad guys don’t care how big or little your website is. They just set bots to run and just sniff anywhere that might have a security hole of some kind. Doesn’t matter to them if they hack <a href="http://microsoft.com" class="">microsoft.com</a> or <a href="http://mypodunklittlewebsite.com" class="">mypodunklittlewebsite.com</a>.</div><div class=""><br class=""></div><div class="">Andy</div></body></html>
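A log check for the probes discussed in this message, added here as an example and not part of the original e-mail. The function names, the two regular expressions and the sample lines (which use documentation IP addresses) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" line: ip ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)'
)
# A parameter whose whole decoded value is a PHP die()/exit() call, as in the quoted probes.
PROBE_RE = re.compile(r"^\s*(?:die|exit)\s*\(.*\)\s*;?\s*$", re.I | re.S)

# Constructed sample lines, modelled on the requests quoted above.
SAMPLE = """\
192.0.2.10 - - [10/Mar/2018:14:21:23 -0800] "GET /?cmd=die('===!'.'==='); HTTP/1.1" 200 290 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Mar/2018:09:17:35 -0700] "POST /?q=die(%27z!a%27.%27x%27);&w=die('z!a'.'x');&eval=die('z!a'.'x'); HTTP/1.1" 200 290 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Mar/2018:09:18:02 -0700] "GET /?q=diet+plans HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()


def probe_params(target):
    """Return the names of query parameters whose decoded value is a die()/exit() call."""
    query = target.partition("?")[2]
    hits = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        # Decode first so %27-style encoding does not hide the call.
        if PROBE_RE.match(unquote_plus(value)):
            hits.append(unquote_plus(name))
    return hits


def scan(lines):
    """Group probe requests by client: {ip: [(status, size, [param names]), ...]}."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line
        names = probe_params(m["target"])
        if names:
            findings.setdefault(m["ip"], []).append((int(m["status"]), int(m["size"]), names))
    return findings


if __name__ == "__main__":
    for ip, hits in scan(SAMPLE).items():
        for status, size, names in hits:
            print(f"{ip}: status={status} bytes={size} probed={','.join(names)}")
```

The status and size are kept so that a probe which drew a different response from the others stands out.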