
Strange requests from VPS IP address

Tags:

vps

In the Apache logs, I found out that strange requests are coming from the IP address of my VPS, which I did not make. Usually, requests from my VPS that I run through the CRON scheduler are as follows.

domain.ru:443 **.**.**.** - - [20/Sep/2021:19:55:01 +0300] "GET /test.php HTTP/1.0" 200 421 "-" "Wget/1.19.4 (linux-gnu)" 118650

Strange queries look like this

domain.ru:80 **.**.**.** - - [21/Sep/2021:09:06:52 +0300] "GET / HTTP/1.0" 400 0 "-" "-" 48

domain.ru:80 **.**.**.** - - [21/Sep/2021:08:10:59 +0300] "GET / HTTP/1.0" 400 0 "-" "-" 53

domain.ru:80 **.**.**.** - - [21/Sep/2021:07:27:17 +0300] "GET /boaform/admin/formLogin?username=adminisp&psd=adminisp HTTP/1.0" 400 0 "-" "-" 51

domain.ru:80 **.**.**.** - - [21/Sep/2021:06:25:03 +0300] "GET / HTTP/1.0" 400 0 "-" "-" 145

domain.ru:80 **.**.**.** - - [21/Sep/2021:04:11:17 +0300] "GET / HTTP/1.0" 400 0 "-" "-" 41

domain.ru:80 **.**.**.** - - [21/Sep/2021:02:52:44 +0300] "GET / HTTP/1.0" 400 0 "-" "-" 41

domain.ru:80 **.**.**.** - - [21/Sep/2021:02:36:17 +0300] "GET / HTTP/1.0" 400 0 "-" "-" 41

domain.ru:80 **.**.**.** - - [21/Sep/2021:01:51:52 +0300] "GET / HTTP/1.0" 400 0 "-" "Mozilla/5.0" 38

These requests are especially alarming.

domain.ru:80 **.**.**.** - - [21/Sep/2021:07:27:17 +0300] "GET /boaform/admin/formLogin?username=adminisp&psd=adminisp HTTP/1.0" 400 0 "-" "-" 51

domain.ru:80 **.**.**.** - - [21/Sep/2021:01:51:52 +0300] "GET / HTTP/1.0" 400 0 "-" "Mozilla/5.0" 38

domain.ru:80 **.**.**.** - - [20/Sep/2021:19:51:34 +0300] "GET / HTTP/1.0" 400 0 "-" "YahooBot" 54

As you can see, UserAgent YahooBot and Mozilla/5.0 are transmitted, and even a strange request to the page /boaform/admin/formLogin?username=adminisp&psd=adminisp

Tell me what to do. Is it a virus?

asked Oct 21 '25 16:10 by Nalik


1 Answer

These are bots probing for vulnerabilities. I suggest you modify LogFormat to include the client IP in case you want to block those. Here is what I use:

LogFormat "%h %l %u %t \"%r\" %>s %B \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog ${APACHE_LOG_DIR}/access.log combined

Here is the relevant documentation for LogFormat variables. If you want, the next step is to block abuse traffic. I use fail2ban for that. Consider enabling the unique_id module; that way you can log that ID in both the access and error logs.
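A triage sketch for the log lines discussed above, added here as an example and not part of the original question or answer: it parses both the vhost-prefixed lines from the question and the answer's `combined` format, then counts flagged requests per client so there is a concrete list to review or block. The field layout is inferred from the sample lines, the function names and the `min_hits` threshold are hypothetical, and the client addresses are constructed documentation addresses standing in for the masked field.

```python
import re
from collections import Counter

# Assumed layout, inferred from the page's sample lines:
# [vhost:port] client ident user [time] "request" status bytes "referer" "agent" [extra]
LINE_RE = re.compile(
    r'^(?:(?P<vhost>\S+:\d+) )?(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"(?: \d+)?$'
)

# Path prefixes treated as scanner noise; only /boaform/ comes from the page.
PROBE_PREFIXES = ("/boaform/",)


def classify(line):
    """Return (client, reasons) for one access-log line, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    parts = m["request"].split()
    path = parts[1] if len(parts) >= 2 else ""
    if path.startswith(PROBE_PREFIXES):
        reasons.append("probe-path")
    if m["status"] == "400":
        reasons.append("bad-request")
    if m["agent"] in ("", "-"):
        reasons.append("no-user-agent")
    return m["client"], reasons


def suspicious_clients(lines, min_hits=2):
    """Count flagged requests per client; keep clients with at least min_hits."""
    hits = Counter()
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[1]:
            hits[parsed[0]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


# Constructed sample: requests copied from the question, client field replaced
# with documentation addresses (203.0.113.0/24 and 198.51.100.0/24).
SAMPLE = [
    'domain.ru:443 203.0.113.10 - - [20/Sep/2021:19:55:01 +0300] "GET /test.php HTTP/1.0" 200 421 "-" "Wget/1.19.4 (linux-gnu)" 118650',
    'domain.ru:80 198.51.100.7 - - [21/Sep/2021:07:27:17 +0300] "GET /boaform/admin/formLogin?username=adminisp&psd=adminisp HTTP/1.0" 400 0 "-" "-" 51',
    'domain.ru:80 198.51.100.7 - - [21/Sep/2021:09:06:52 +0300] "GET / HTTP/1.0" 400 0 "-" "-" 48',
    'domain.ru:80 198.51.100.9 - - [21/Sep/2021:01:51:52 +0300] "GET / HTTP/1.0" 400 0 "-" "Mozilla/5.0" 38',
]
```

Calling `suspicious_clients(SAMPLE)` returns the clients that crossed the threshold; the cron job's Wget request is not flagged because it has a 200 status and a user agent.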