"We attempted connections to the entire public IPv4 space (excluding private/reserved ranges and other blocks excluded in the default masscan exclude list), meaning that we reached out to almost 4 billion servers (though many of these packets may have been filtered by a firewall before reaching their intended destination)," Masspoem4u said.
The actual number of systems reached would be lower. "There appear to be approximately 55 million servers open to connections on port 80 (the standard port for HTTP)," the group continued -- these servers could have recognised the communication being sent. Of those, around 30 million returned "non-empty responses" and therefore "would be likely to have logged our poem."
I got two of them, but only on home.mcom.com and mosaic.mcom.com: they didn't probe jwz.org or dnalounge.com or any of my other domains. Should I feel snubbed?
151.217.177.200 - - [29/Dec/2015:17:28:51 -0800] "DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0" 400 2593 "-" "masspoem4u/1.0"
151.217.177.200 - - [29/Dec/2015:22:05:04 -0800] [...same...]
Well they seem to like burlesque...
hubbarevue.com-access.log.1:151.217.177.200 - - [30/Dec/2015:02:54:11 +0000] "DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0" 400 166 "-" "-" "-" 0.255
Well, if you have multiple domains on one ip, only the default will log the probe, right?
Most of my sites are on .20; no hits there, but .23 and .24 were hit. So that's not why.
https://www.jwz.org/blog/2015/01/the-great-firehose-of-china-is-aimed-at-me-again/ looks like you've got a bunch of special case stuff for .20 when no vhosts are invoked.
I thought maybe you'd done that for all of them, but of course 23 and 24 rather unavoidably can't do that, can they?
Not my job to teach Grandmother Jamie to suck eggs, but, you didn't by any chance redirect the logs for that special case to /dev/null did you?
The non-vhost host also has an access_log.
I got it!
/var/log/httpd/access_log-20160103:151.217.177.200 - - [29/Dec/2015:22:20:22 -0500] "DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0" 400 317 "-" "masspoem4u/1.0"
Evidently my server helpfully trims all that extra cruft from the request:
151.217.177.200 - - [29/Dec/2015:19:27:28 -0800] "DELETE y" 400 147 "-" "-" -