Add notes for 2019-02-09

content/posts/2019-02.md

@@ -400,4 +400,43 @@ Error sending email:
 
 - I tried to log into Outlook 365 with the credentials but I think the ones I have must be wrong, so I will ask ICT to reset the password
 
+## 2019-02-09
+
+- Linode sent alerts about CPU load yesterday morning, yesterday night, and this morning! All over 300% CPU load!
+- This is just for this morning:
+
+```
+# zcat --force /var/log/nginx/{access,error,library-access}.log /var/log/nginx/{access,error,library-access}.log.1 | grep -E "09/Feb/2019:(07|08|09|10|11)" | awk '{print $1}' | sort | uniq -c | sort -n | tail -n 10
+    289 35.237.175.180
+    290 66.249.66.221
+    296 18.195.78.144
+    312 207.46.13.201
+    393 207.46.13.64
+    526 2a01:4f8:140:3192::2
+    580 151.80.203.180
+    742 5.143.231.38
+   1046 5.9.6.51
+   1331 66.249.66.219
+# zcat --force /var/log/nginx/{oai,rest,statistics}.log /var/log/nginx/{oai,rest,statistics}.log.1 | grep -E "09/Feb/2019:(07|08|09|10|11)" | awk '{print $1}' | sort | uniq -c | sort -n | tail -n 10
+      4 66.249.83.30
+      5 49.149.10.16
+      8 207.46.13.64
+      9 207.46.13.201
+     11 105.63.86.154
+     11 66.249.66.221
+     31 66.249.66.219
+    297 2001:41d0:d:1990::
+    908 34.218.226.147
+   1947 50.116.102.77
+```
+
+- I know 66.249.66.219 is Google, 5.9.6.51 is MegaIndex, and 5.143.231.38 is SputnikBot
+- Ooh, but 151.80.203.180 is some malicious bot making requests for `/etc/passwd` like this:
+
+```
+/bitstream/handle/10568/68981/Identifying%20benefit%20flows%20studies%20on%20the%20potential%20monetary%20and%20non%20monetary%20benefits%20arising%20from%20the%20International%20Treaty%20on%20Plant%20Genetic_1671.pdf?sequence=1&isAllowed=../etc/passwd
+```
+
+- 151.80.203.180 is on OVH so I sent a message to their abuse email...
+
 <!-- vim: set sw=2 ts=2: -->