Access log full of PHPSESSID

Started by dove_g, May 20, 2020, 04:06:37 PM

dove_g

My forum access log is full of IP addresses from "Microsoft"?
I noticed that the server is very slow and there is full access to index.php?PHPSESSION from a few IP addresses.

SMF forum version is smf 2.0.15.

When I rename index.php, the server starts responding normally.
Currently the forum is down, stopped (access denied for all in .htaccess), because it slows down the server so much that nothing works properly.

How to deal with that?
Thank you.



Apache access log; this is the current log. The forum is down, but those IPs are still trying to reach the forum.


13.77.151.8 - - [20/May/2020:22:07:09 +0200] "GET /forum/index.php?PHPSESSID=20bd9c2a5a2ea4ba95df1da1f860bafb&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.191.163.105 - - [20/May/2020:22:07:13 +0200] "GET /forum/index.php?PHPSESSID=0d79e2d414b39efe3db4fdb7662d4f8b&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.183.43.161 - - [20/May/2020:22:07:16 +0200] "GET /forum/index.php?PHPSESSID=1c89c78791862ef01c04b5f56058498a&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.175.237.137 - - [20/May/2020:22:07:16 +0200] "GET /forum/index.php?PHPSESSID=7c0110bbc8c17bdde6651c15a82de4ec&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.175.237.137 - - [20/May/2020:22:07:17 +0200] "GET /forum/index.php?PHPSESSID=3b200cbbda36dc5f21c667e60d9bd093&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
13.77.160.193 - - [20/May/2020:22:07:18 +0200] "GET /forum/index.php?PHPSESSID=50a3999b7931a0ab29ddcdb5bc5847d6&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
13.77.151.8 - - [20/May/2020:22:07:19 +0200] "GET /forum/index.php?PHPSESSID=70b5d0a18ab4117e478f7388a31f30b1&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.191.163.105 - - [20/May/2020:22:07:23 +0200] "GET /forum/index.php?PHPSESSID=48b4a51ef87b73a97ae4443183384c27&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
13.77.160.193 - - [20/May/2020:22:07:26 +0200] "GET /forum/index.php?PHPSESSID=7d32f8fde0f60e6a0b026a8b0b67cbce&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.191.163.105 - - [20/May/2020:22:07:26 +0200] "GET /forum/index.php?PHPSESSID=9a6e1c42cc54f45918e5820bd0f0555e&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.175.223.195 - - [20/May/2020:22:07:27 +0200] "GET /forum/index.php?PHPSESSID=7ee983e4987db6c8cfd088aa6846a591&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
13.77.151.8 - - [20/May/2020:22:07:28 +0200] "GET /forum/index.php?PHPSESSID=59e7114004dbe3b3d3f0f8ca5f4f0afb&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
13.77.151.8 - - [20/May/2020:22:07:29 +0200] "GET /forum/index.php?PHPSESSID=839380f94efed35adaddb85cb38b9127&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.191.163.105 - - [20/May/2020:22:07:34 +0200] "GET /forum/index.php?PHPSESSID=d39bf7435c2c14b4a5ff5226b63a9201&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.175.223.195 - - [20/May/2020:22:07:36 +0200] "GET /forum/index.php?PHPSESSID=a0999dcbeba51cff683a2389e7e6aa5f&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
13.77.151.8 - - [20/May/2020:22:07:36 +0200] "GET /forum/index.php?PHPSESSID=9265e0cf8ab6fe772c21c9675bb38ebb&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
114.119.167.30 - - [20/May/2020:22:07:37 +0200] "GET /forum/index.php?PHPSESSID=14ad21db6c75a82dfa66b5bd1c34aa8a&board=19.0%3Bsort=views HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://aspiegel.com/petalbot)"
52.175.223.195 - - [20/May/2020:22:07:37 +0200] "GET /forum/index.php?PHPSESSID=bf668c54457f684a7bfaa91ee43442c7&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.175.223.195 - - [20/May/2020:22:07:39 +0200] "GET /forum/index.php?PHPSESSID=476a972a0d479e3e68c1e7c10a3c248f&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
51.141.162.107 - - [20/May/2020:22:07:39 +0200] "GET /forum/index.php?PHPSESSID=274163ccd8b3137c92b3c74d7ca612d7&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.191.163.105 - - [20/May/2020:22:07:43 +0200] "GET /forum/index.php?PHPSESSID=b9b9a3c54d9dbf1d918ca4e88719b833&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.191.163.105 - - [20/May/2020:22:07:46 +0200] "GET /forum/index.php?PHPSESSID=f489fdcbd30f95f11db2f79dbdd9cee6&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.175.223.195 - - [20/May/2020:22:07:46 +0200] "GET /forum/index.php?PHPSESSID=01a9d29649b8b01775acaaea1b806b96&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
13.77.160.193 - - [20/May/2020:22:07:47 +0200] "GET /forum/index.php?PHPSESSID=d35bcd0bbe2032779cc4a604f7a96c9e&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.183.43.161 - - [20/May/2020:22:07:48 +0200] "GET /forum/index.php?PHPSESSID=ae4faf6661eaac1c69145e075c9dc95c&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.175.237.137 - - [20/May/2020:22:07:53 +0200] "GET /forum/index.php?PHPSESSID=9ab679c8f9e40729778a350d3e6eee0c&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.175.223.195 - - [20/May/2020:22:07:56 +0200] "GET /forum/index.php?PHPSESSID=8beb6f4fb7e320ef8f7fa61a7d69f466&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.191.163.105 - - [20/May/2020:22:07:56 +0200] "GET /forum/index.php?PHPSESSID=bbcb6c7315780a9cade0ea1b5997c0c7&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.175.223.195 - - [20/May/2020:22:07:57 +0200] "GET /forum/index.php?board=9.100 HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
52.175.223.195 - - [20/May/2020:22:07:57 +0200] "GET /forum/index.php?PHPSESSID=c376f789facc1d9ea0a8af529c65a885&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
114.119.160.223 - - [20/May/2020:22:07:57 +0200] "GET /forum/index.php?PHPSESSID=d1014f03f452d1f2919dff44ab06c440&action=profile%3Bu=24454 HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://aspiegel.com/petalbot)"
52.175.223.195 - - [20/May/2020:22:07:59 +0200] "GET /forum/index.php?PHPSESSID=097bd10397b00e822dff892b15b25ca9&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.175.237.137 - - [20/May/2020:22:08:03 +0200] "GET /forum/index.php?PHPSESSID=ff3b5604e5e3261c4465f63e797550ee&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.183.43.161 - - [20/May/2020:22:08:06 +0200] "GET /forum/index.php?PHPSESSID=9274ac0e721df2051ce49431890cf86f&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.183.43.161 - - [20/May/2020:22:08:06 +0200] "GET /forum/index.php?PHPSESSID=a1583d89ca76c361e8e9fd5413edac49&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.175.223.195 - - [20/May/2020:22:08:06 +0200] "GET /forum/index.php?PHPSESSID=b941e9e9b04ef3f3f3c3f1cff161170e&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.183.43.161 - - [20/May/2020:22:08:07 +0200] "GET /forum/index.php?PHPSESSID=7e576d90ac7c78bbcd2d9bb82f159d60&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.183.43.161 - - [20/May/2020:22:08:09 +0200] "GET /forum/index.php?PHPSESSID=b2034f112d9d3996573dec95cd7cc3c7&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.191.163.105 - - [20/May/2020:22:08:13 +0200] "GET /forum/index.php?PHPSESSID=19453049302dc5726c4fa5015345209b&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
51.141.162.107 - - [20/May/2020:22:08:16 +0200] "GET /forum/index.php?PHPSESSID=31f6a4d42251216909638f0801aa6099&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
114.119.162.65 - - [20/May/2020:22:08:16 +0200] "GET /forum/index.php?PHPSESSID=ef34cbb81711233f59621d30ff6af891&topic=9328.0 HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://aspiegel.com/petalbot)"
52.175.223.195 - - [20/May/2020:22:08:16 +0200] "GET /forum/index.php?PHPSESSID=60191ee88750ed5ec411888ed64b773b&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
13.77.160.193 - - [20/May/2020:22:08:16 +0200] "GET /forum/index.php?PHPSESSID=183aa3a2a50d9b3a0041332e63778a1b&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.191.163.105 - - [20/May/2020:22:08:17 +0200] "GET /forum/index.php?topic=14792.0 HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
52.175.223.195 - - [20/May/2020:22:08:19 +0200] "GET /forum/index.php?board=5.100 HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
31.217.9.150 - - [20/May/2020:22:08:22 +0200] "GET /forum/index.php?topic=22446.0 HTTP/1.1" 403 2073 "android-app://com.google.android.googlequicksearchbox/" "Mozilla/5.0 (Linux; Android 5.1.1; SM-J320F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36"
31.217.9.150 - - [20/May/2020:22:08:22 +0200] "GET /images/logo.png HTTP/1.1" 200 295 "http://www.kerman.hr/forum/index.php?topic=22446.0" "Mozilla/5.0 (Linux; Android 5.1.1; SM-J320F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36"
31.217.9.150 - - [20/May/2020:22:08:22 +0200] "GET /images/kloxo-mr.png HTTP/1.1" 200 7265 "http://www.kerman.hr/forum/index.php?topic=22446.0" "Mozilla/5.0 (Linux; Android 5.1.1; SM-J320F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36"
31.217.9.150 - - [20/May/2020:22:08:22 +0200] "GET /images/abstract.jpg HTTP/1.1" 200 2964 "http://www.kerman.hr/forum/index.php?topic=22446.0" "Mozilla/5.0 (Linux; Android 5.1.1; SM-J320F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36"
31.217.9.150 - - [20/May/2020:22:08:22 +0200] "GET /favicon.ico HTTP/1.1" 200 - "http://www.kerman.hr/forum/index.php?topic=22446.0" "Mozilla/5.0 (Linux; Android 5.1.1; SM-J320F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36"
13.77.151.8 - - [20/May/2020:22:08:24 +0200] "GET /forum/index.php?PHPSESSID=c634dadaf9f980563c72dbd38febdedb&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
13.77.160.193 - - [20/May/2020:22:08:26 +0200] "GET /forum/index.php?PHPSESSID=055709c6fccf374d576c018edc235679&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
13.77.160.193 - - [20/May/2020:22:08:26 +0200] "GET /forum/index.php?PHPSESSID=35f0f74a5408952a0e32709d24a2c250&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
13.77.160.193 - - [20/May/2020:22:08:26 +0200] "GET /forum/index.php?PHPSESSID=eb0e7628045459bf171327c3fc4ad994&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.191.163.105 - - [20/May/2020:22:08:26 +0200] "GET /forum/index.php?PHPSESSID=5fea3fa04c7787c337925893a81b3f66&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
52.175.223.195 - - [20/May/2020:22:08:27 +0200] "GET /forum/index.php?PHPSESSID=0b723d907387100ab790b8f9377df267&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
51.141.162.107 - - [20/May/2020:22:08:29 +0200] "GET /forum/index.php?PHPSESSID=bf6893eca429d56d9e8e45bb61907de3&type=rss;action=.xml HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
114.119.160.59 - - [20/May/2020:22:08:30 +0200] "GET /forum/index.php?PHPSESSID=4652d1fd7132eb1e2553f0c3877c38b0&action=profile%3Bu=30252 HTTP/1.1" 403 2073 "-" "Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; Pet
alBot;+https://aspiegel.com/petalbot)"


dove_g

Done,
I added these "attacks" on PHPSESSID to fail2ban, and fail2ban added these addresses to BAN:

Ban 52.191.163.105
Ban 52.175.237.137
Ban 52.183.43.161
Ban 51.141.162.107
Ban 13.77.160.193
Ban 13.77.151.8
Ban 52.175.223.195

All the mentioned addresses belong to Microsoft Corporation, but after checking on Bing Webmaster, they aren't official Bing IPs.
So fine for now.

Arantor

Yup, that's a common trick we're seeing, attackers hosting their bots on Azure to make it appear like they're coming from Microsoft.
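
The pattern visible in the access log above, where a single client IP sends a different PHPSESSID in the URL on almost every request, can be picked out of an Apache combined-format log with a short script. This is an added example, not part of the original posts and not the fail2ban rule used in the thread; the function name, the threshold and the sample lines (documentation-range IPs, constructed session IDs) are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip, identd, user, [time], "request", status, size, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# SMF separates query parameters with '&' or ';'; the IDs in the log are 32 hex chars.
SESSID_RE = re.compile(r'[?&;]PHPSESSID=([0-9a-f]{32})(?=[&;]|$)')


def find_session_churners(lines, min_sessions=3):
    """Return {ip: distinct_id_count} for clients that present at least
    `min_sessions` different PHPSESSID values in the URL. A client that sends
    a new ID on each request is not keeping a session the way a browser does."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed or line-wrapped entries
        sid = SESSID_RE.search(m.group("url"))
        if sid:
            seen[m.group("ip")].add(sid.group(1))
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) >= min_sessions}


# Constructed sample input (not taken from the log above).
IE11 = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
BING = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"


def _line(ip, query, ua=IE11):
    return (f'{ip} - - [20/May/2020:22:07:09 +0200] '
            f'"GET /forum/index.php?{query} HTTP/1.1" 403 2073 "-" "{ua}"')


SAMPLE = (
    # one IP, five different session IDs, all hitting the RSS action
    [_line("192.0.2.10", f"PHPSESSID={i:032x}&type=rss;action=.xml") for i in range(1, 6)]
    # one IP reusing a single session ID across page views
    + [_line("198.51.100.7", "PHPSESSID=" + "ab" * 16 + "&topic=1.0")] * 4
    # a crawler request with no session ID in the URL
    + [_line("203.0.113.5", "board=9.100", ua=BING)]
)

if __name__ == "__main__":
    for ip, count in sorted(find_session_churners(SAMPLE).items()):
        print(f"{ip}: {count} distinct PHPSESSID values")
```

The flagged addresses are candidates for a ban list; the threshold should be tuned against normal traffic before anything is blocked automatically.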