My mail server sends spam from localhost[127.0.0.1] client with helo=mega.nz

Discussion in 'General' started by Alexcho, Dec 27, 2021.

  1. Alexcho

    Alexcho New Member

    Hello everyone and merry Christmas! I wish you all the best!
    My mail server is sending spam from client=localhost[127.0.0.1] with helo=mega.nz
    Please help me to stop this...

    Mail log

    Dec 27 10:04:06 panel postfix/smtpd[187414]: warning: empty macro name: "REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.arpa$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6."
    Dec 27 10:04:06 panel postfix/smtpd[187414]: warning: regexp map /etc/postfix/blacklist_helo, line 26: bad replacement syntax: skipping this rule
    panel postfix/smtpd[187414]: connect from localhost[127.0.0.1]
    Dec 27 10:04:07 panel postfix/smtpd[187414]: CFEC2340F8C: client=localhost[127.0.0.1]
    Dec 27 10:04:08 panel postfix/cleanup[187417]: CFEC2340F8C: message-id=<BIEUKJTQTKSRPNYZFPEIHFOI@mega.nz>
    Dec 27 10:04:08 panel postfix/cleanup[187417]: CFEC2340F8C: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 5.7.1 Spam message rejected; from=<anmdtwvg@mega.nz> to=<[email protected]> proto=ESMTP helo=<mega.nz>
    Dec 27 10:04:09 panel postfix/smtpd[187414]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=0/1 commands=3/4

    My IP is in many blacklists because of this.
    I have 2 email accounts. I tried to change the passwords with the ISPConfig password generator, but no success. I tried to set up blacklist_helo, but maybe I'm doing something wrong. I'm trying to change the DNS provider to clouddns. At the moment I have no MX, SPF and DMARC records because of the DNS change. I have a single server and my MX was my FQDN panel.ivald.eu, not mail.ivald.eu.
    What am I doing wrong? Thank you!
    My IP is 78.83.83.26
    My 2 emails are:
    admin@ivald.eu
    alexcho@ivald.eu
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If your server is sending spam, maybe you have a malware infection that sends the spam.
    Stop email system:
    Code:
    systemctl stop postfix
    Now no mails are being sent.
    Then examine what you have in mailq, as root:
    Code:
    mailq
    
    Search posts on this forum on how to remove e-mails from the queue so they are not sent.
    For example ISPProtect can scan your server for malware; it may not always find it.
     
    Alexcho likes this.
  3. Alexcho

    Alexcho New Member

    I examined 'mailq' and have 1 unsent mail.

    Next I ran ISPProtect on the /var folder and it found 61 malware files:

    ==============================
    Starting WP plugin version scan. This could take a while ...
    Scan Level 4 (SQL) skipped.
    ================================
    Found 61 malware file(s)
    ================================
    Malware {ISPP}suspect.selfdelete in /var/softaculous/bbpress/_index.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/bbpress/sign_on.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/classicpress/_index.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/classicpress/sign_on.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/joomla30/sign_on.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/joomla310/sign_on.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/openb/_index.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/ossn/_index.php
    Malware {ISPP}suspect.globals.eval in /var/softaculous/phplist/_index.php
    Malware {ISPP}suspect.globals.eval in /var/softaculous/phplist/index.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/razor/softaculous_install.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp/_index.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp/add_user.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp/plugin_activate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp/plugin_deactivate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp/sign_on.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp49/_index.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp49/add_user.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp49/plugin_activate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp49/plugin_deactivate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp49/sign_on.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp50/_index.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp50/add_user.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp50/plugin_activate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp50/plugin_deactivate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp50/sign_on.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp51/_index.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp51/add_user.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp51/plugin_activate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp51/plugin_deactivate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp51/sign_on.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp52/_index.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp52/add_user.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp52/plugin_activate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp52/plugin_deactivate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp52/sign_on.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp53/_index.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp53/add_user.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp53/plugin_activate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp53/plugin_deactivate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp53/sign_on.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp54/_index.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp54/add_user.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp54/plugin_activate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp54/plugin_deactivate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp54/sign_on.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp55/_index.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp55/add_user.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp55/plugin_activate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp55/plugin_deactivate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp55/sign_on.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp56/_index.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp56/add_user.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp56/plugin_activate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp56/plugin_deactivate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp56/sign_on.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp57/_index.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp57/add_user.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp57/plugin_activate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp57/plugin_deactivate.php
    Malware {ISPP}suspect.selfdelete in /var/softaculous/wp57/sign_on.php

    Now do I have to run it for all folders manually, one by one?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Check the content of these files to see if they are really malware; the signature just says it's a self-deleting file, which makes them suspicious as that's often used by malware, but it is not a definite indication, especially as it seems to affect Softaculous files only, so maybe it's something from Softaculous.
     
    Alexcho likes this.
  5. Alexcho

    Alexcho New Member

    I checked all the files and didn't notice anything suspicious.
    Next I scanned with rkhunter and this is the log.

    alexcho@panel:~$ sudo cat /var/log/rkhunter.log | grep -i warning
    [16:12:08] Info: No mail-on-warning address configured
    [16:12:09] Info: Using syslog for some logging - facility/priority level is 'authpriv.warning'.
    [16:12:50] /usr/bin/lwp-request [ Warning ]
    [16:12:50] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable
    [16:14:43] Checking for suspicious (large) shared memory segments [ Warning ]
    [16:14:43] Warning: The following suspicious (large) shared memory segments have been found:
    [16:15:20] Checking for passwd file changes [ Warning ]
    [16:15:20] Warning: User 'web5' has been removed from the passwd file.
    [16:15:20] Warning: User 'web6' has been removed from the passwd file.
    [16:15:21] Checking for group file changes [ Warning ]
    [16:15:21] Warning: Changes found in the group file for group 'sshusers':
    [16:15:21] Checking if SSH root access is allowed [ Warning ]

    Web5 and Web6 I deleted from the panel because I had to try. I can delete the softaculous folder and check, but I want to know where this problem came from. Thanks again.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    As to this, your log reports an error at line 26:
     
    Alexcho likes this.
  8. Alexcho

    Alexcho New Member

    Yes, I fixed this.
     
  9. Alexcho

    Alexcho New Member

    I tried to get the ID of the message, but how? No mail in the queue.... I rejected ports 25, 465 and 587 in UFW and in the panel, and the messages from localhost continue. My rspamd stats for the last week are:

    reject 720
    soft reject 0
    rewrite subject 5
    add header 0
    greylist 0
    no action 279

    Total messages: 1004
     
  10. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    You can get a message ID from your mail log, but you can't examine the message if it's no longer in the queue. I've not tried this, but you could likely set 'default_transport = defer' to get a few messages to examine (they should sit in the deferred queue).
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Use:

    postqueue -p

    to get a list of messages in the mail queue.
     
  12. Alexcho

    Alexcho New Member

    Latest auth.log:

    Dec 27 17:45:04 panel sshd[309991]: error: connect_to 216.211.21.221 port 25: faile>
    Dec 27 17:45:08 panel sshd[309991]: error: connect_to 67.195.204.80 port 25: failed.
    Dec 27 17:45:08 panel sshd[309991]: error: connect_to 67.195.204.74 port 25: failed.
    Dec 27 17:45:09 panel sshd[417292]: error: kex_exchange_identification: Connection >
    Dec 27 17:45:16 panel sshd[417293]: Unable to negotiate with 128.199.42.55 port 575>
    Dec 27 17:45:47 panel sshd[309991]: error: connect_to 67.195.204.74 port 25: failed.
    Dec 27 17:45:55 panel sshd[309991]: error: connect_to 203.183.218.23 port 25: faile>
    Dec 27 17:46:01 panel CRON[417295]: pam_unix(cron:session): session opened for user>
    Dec 27 17:46:01 panel CRON[417296]: pam_unix(cron:session): session opened for user>
    Dec 27 17:46:01 panel CRON[417295]: pam_unix(cron:session): session closed for user>
    Dec 27 17:46:01 panel CRON[417296]: pam_unix(cron:session): session closed for user>
    Dec 27 17:46:28 panel sshd[416203]: pam_unix(sshd:session): session closed for user>
    Dec 27 17:46:28 panel systemd-logind[787]: Session 1018 logged out. Waiting for pro>
    Dec 27 17:46:28 panel systemd-logind[787]: Removed session 1018.
    Dec 27 17:46:40 panel sshd[309991]: error: connect_to 98.136.96.76 port 25: failed.
    Dec 27 17:46:44 panel sshd[417342]: Unable to negotiate with 140.246.36.47 port 357>
    Dec 27 17:46:50 panel sshd[309991]: error: connect_to 185.132.182.190 port 25: fail>
    Dec 27 17:47:01 panel CRON[417344]: pam_unix(cron:session): session opened for user>
    Dec 27 17:47:01 panel CRON[417345]: pam_unix(cron:session): session opened for user>
    Dec 27 17:47:01 panel CRON[417344]: pam_unix(cron:session): session closed for user>
    Dec 27 17:47:01 panel CRON[417345]: pam_unix(cron:session): session closed for user>
    Dec 27 17:47:25 panel sshd[309991]: error: connect_to 204.50.231.189 port 25: faile>
    Dec 27 17:47:25 panel sshd[309991]: error: connect_to 102.129.78.43 port 25: failed.
    Dec 27 17:47:48 panel sshd[309991]: error: connect_to 108.166.43.2 port 25: failed.
    Dec 27 17:47:54 panel sshd[31522]: pam_unix(sshd:session): session closed for user >
    Dec 27 17:47:54 panel systemd-logind[787]: Session 744 logged out. Waiting for proc>
    Dec 27 17:47:54 panel systemd-logind[787]: Removed session 744.
    Dec 27 17:48:01 panel CRON[417383]: pam_unix(cron:session): session opened for user>
    Dec 27 17:48:01 panel CRON[417384]: pam_unix(cron:session): session opened for user>
    Dec 27 17:48:01 panel CRON[417383]: pam_unix(cron:session): session closed for user>
    Dec 27 17:48:01 panel CRON[417384]: pam_unix(cron:session): session closed for user>
    Dec 27 17:48:02 panel sshd[417381]: Accepted keyboard-interactive/pam for uucp from>
    Dec 27 17:48:02 panel sshd[417381]: pam_unix(sshd:session): session opened for user>
    Dec 27 17:48:02 panel systemd-logind[787]: New session 1062 of user uucp.


    Latest mail.log:
    Dec 27 17:45:02 panel postfix/smtpd[417281]: connect from localhost[127.0.0.1]
    Dec 27 17:45:02 panel postfix/smtpd[417281]: lost connection after CONNECT from loc>
    Dec 27 17:45:02 panel postfix/smtpd[417281]: disconnect from localhost[127.0.0.1] c>
    Dec 27 17:45:02 panel dovecot: pop3-login: Disconnected (no auth attempts in 1 secs>
    Dec 27 17:45:02 panel dovecot: pop3-login: Disconnected (no auth attempts in 0 secs>
    Dec 27 17:45:02 panel dovecot: pop3-login: Disconnected (no auth attempts in 0 secs>
    Dec 27 17:45:03 panel dovecot: pop3-login: Disconnected (no auth attempts in 0 secs>
    Dec 27 17:45:03 panel dovecot: pop3-login: Disconnected (no auth attempts in 0 secs>
    Dec 27 17:45:04 panel dovecot: pop3-login: Disconnected (no auth attempts in 0 secs>
    Dec 27 17:45:04 panel dovecot: pop3-login: Disconnected (no auth attempts in 0 secs>
    Dec 27 17:47:03 panel postfix/smtpd[417360]: connect from localhost[127.0.0.1]
    Dec 27 17:47:04 panel postfix/smtpd[417360]: 56494341125: client=localhost[127.0.0.>
    Dec 27 17:47:04 panel postfix/cleanup[417363]: 56494341125: message-id=<OFQWOUIPHOH>
    Dec 27 17:47:05 panel postfix/cleanup[417363]: 56494341125: milter-reject: END-OF-M>
    Dec 27 17:47:05 panel postfix/smtpd[417360]: disconnect from localhost[127.0.0.1] e>
    Dec 27 17:50:02 panel dovecot: imap-login: Disconnected (disconnected before auth w>
    Dec 27 17:50:02 panel dovecot: pop3-login: Disconnected (no auth attempts in 0 secs>
    Dec 27 17:50:02 panel postfix/smtpd[417656]: connect from localhost[127.0.0.1]
    Dec 27 17:50:02 panel postfix/smtpd[417656]: lost connection after CONNECT from loc>
    Dec 27 17:50:02 panel postfix/smtpd[417656]: disconnect from localhost[127.0.0.1] c>

    till, I have no mail in the queue...

    I'll try the defer mode as a test.
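The auth.log posted above shows one sshd process, sshd[309991], repeatedly logging `connect_to <ip> port 25: failed`: that message comes from OpenSSH's TCP forwarding code, so an SSH client is asking that session to open connections to port 25 on its behalf, and the same log shows a login as the `uucp` system account. As an added example (not code from the thread or from ISPConfig), the script below parses such lines, groups them by sshd PID, attributes each session to the logged-in user and flags sessions tunnelling SMTP; its log lines are constructed, and correlating the `Accepted` line with later forwarding errors by PID is an assumption stated in the comments.

```python
"""Flag SSH sessions that are being used to tunnel SMTP (port 25) traffic.

Added example, not code from the forum thread or from ISPConfig. OpenSSH logs
`error: connect_to HOST port PORT: failed` when an SSH client asks the
per-connection sshd to open a forwarded TCP connection (direct-tcpip, i.e. the
server side of `ssh -L`/`-D`) and that connection fails. Forwards that succeed,
such as one to 127.0.0.1:25, are not logged at the default log level, so the
blocked remote attempts are the visible trace of a session that can also be
feeding Postfix from localhost. Assumption: the PID in `sshd[PID]` is shared by
the `Accepted` line and the forwarding errors of the same connection (true for
a privilege-separated sshd, whose child logs through the monitor).
"""
import re
from collections import defaultdict

# Constructed sample log: PIDs and the uucp login echo the thread, addresses
# are from documentation ranges.
SAMPLE_AUTH_LOG = """\
Dec 27 17:44:30 panel sshd[309991]: Accepted keyboard-interactive/pam for uucp from 198.51.100.7 port 40210 ssh2
Dec 27 17:45:04 panel sshd[309991]: error: connect_to 216.211.21.221 port 25: failed.
Dec 27 17:45:08 panel sshd[309991]: error: connect_to 67.195.204.80 port 25: failed.
Dec 27 17:45:16 panel sshd[417293]: Unable to negotiate with 128.199.42.55 port 57512: no matching host key type found
Dec 27 17:46:28 panel sshd[416203]: pam_unix(sshd:session): session closed for user alexcho
Dec 27 17:48:02 panel sshd[417381]: Accepted keyboard-interactive/pam for uucp from 198.51.100.7 port 40388 ssh2
Dec 27 17:48:30 panel sshd[417381]: error: connect_to 203.0.113.9 port 443: failed.
Dec 27 17:49:00 panel sshd[417400]: Accepted publickey for alexcho from 192.0.2.10 port 50001 ssh2
"""

ACCEPT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
FORWARD_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: error: connect_to (?P<dst>\S+) port (?P<port>\d+)")

SMTP_PORTS = {25, 465, 587}
# Service accounts that should never log in interactively; uucp is the one abused here.
SYSTEM_ACCOUNTS = {"uucp", "daemon", "bin", "sys", "games", "lp", "mail", "news", "www-data"}


def parse_auth_log(lines):
    """Group sshd events by connection PID.

    Returns {pid: {"user", "src", "method", "forwards": [(dst, port), ...]}}.
    A PID that only produced forwarding errors (its login line already rotated
    away) is still kept, with user/src/method set to None.
    """
    sessions = defaultdict(lambda: {"user": None, "src": None, "method": None, "forwards": []})
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            s = sessions[int(m["pid"])]
            s["user"], s["src"], s["method"] = m["user"], m["src"], m["method"]
            continue
        m = FORWARD_RE.search(line)
        if m:
            sessions[int(m["pid"])]["forwards"].append((m["dst"], int(m["port"])))
    return dict(sessions)


def find_smtp_tunnels(lines):
    """Sessions with at least one forwarding attempt to an SMTP port.

    Each finding carries the number of attempts and the distinct targets in
    first-seen order, which is what an abuse report or a firewall log review
    needs.
    """
    findings = []
    for pid, s in sorted(parse_auth_log(lines).items()):
        smtp = [(dst, port) for dst, port in s["forwards"] if port in SMTP_PORTS]
        if not smtp:
            continue
        targets = list(dict.fromkeys(dst for dst, _ in smtp))
        findings.append({"pid": pid, "user": s["user"], "src": s["src"],
                         "attempts": len(smtp), "targets": targets})
    return findings


def system_account_logins(sessions):
    """(pid, user) pairs for successful logins to accounts that should be nologin."""
    return sorted((pid, s["user"]) for pid, s in sessions.items()
                  if s["user"] in SYSTEM_ACCOUNTS)


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    for f in find_smtp_tunnels(lines):
        print(f"sshd[{f['pid']}] user={f['user']} from={f['src']} "
              f"smtp_forward_attempts={f['attempts']} targets={','.join(f['targets'])}")
    for pid, user in system_account_logins(parse_auth_log(lines)):
        print(f"sshd[{pid}]: interactive login to system account {user!r}")
```

Setting `AllowTcpForwarding no` in sshd_config (globally or in a `Match` block) stops this tunnelling; the flagged session still has to be terminated and the account it used locked.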
     
  13. Alexcho

    Alexcho New Member

    I made the rule! Only authenticated users stay in deferred... This spam passes the rule... I'll learn to fly from the 4th floor... :D


    PS: Okay, finally I did it! I stopped rspamd and the message came to deferred. I took the ID and this is from postcat:

    *** ENVELOPE RECORDS deferred/5/585E33413CE ***
    message_size: 985 679 1 0 985 0
    message_arrival_time: Mon Dec 27 19:01:49 2021
    create_time: Mon Dec 27 19:01:49 2021
    named_attribute: log_ident=585E33413CE
    named_attribute: rewrite_context=local
    sender: [email protected]
    named_attribute: log_client_name=localhost
    named_attribute: log_client_address=127.0.0.1
    named_attribute: log_client_port=48726
    named_attribute: log_message_origin=localhost[127.0.0.1]
    named_attribute: log_helo_name=mega.nz
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=localhost
    named_attribute: reverse_client_name=localhost
    named_attribute: client_address=127.0.0.1
    named_attribute: client_port=48726
    named_attribute: server_address=127.0.0.1
    named_attribute: server_port=25
    named_attribute: helo_name=mega.nz
    named_attribute: protocol_name=ESMTP
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    *** MESSAGE CONTENTS deferred/5/585E33413CE ***
    Received: from mega.nz (localhost [127.0.0.1])
    by panel.ivald.eu (Postfix) with ESMTP id 585E33413CE
    for <[email protected]>; Mon, 27 Dec 2021 19:01:49 +0000 (UTC)
    Message-ID: <[email protected]>
    From: "CANADA-DRUGSTORE" <[email protected]>
    Reply-To: "VIA... SHOP" <[email protected]>
    To: <[email protected]>
    Subject: Drugs Online
    Date: Mon, 27 Dec 2021 11:01:47 -0800
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="--2453414445602334"
    X-Priority: 1
    X-MSMail-Priority: #PRIORITY_STRING

    ----2453414445602334
    Content-Type: text/plain;;
    Content-Transfer-Encoding: quoted-printable

    Check our new offers and save HUGE on the best medications!

    Via- $0.86
    Cia`lis- $1.59
    Pink Female Via- $0.72

    Limited period offer till stocks last

    http://www.curingsafesupply.ru?50hSze

    (If url blocked copy this link to browser)





    70MDte10cEwe
    10IVje30XHye

    ----2453414445602334--
    *** HEADER EXTRACTED deferred/5/585E33413CE ***
    *** MESSAGE FILE END deferred/5/585E33413CE ***
     
    Last edited: Dec 27, 2021
  14. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I don't see anything there to help determine the source, other than correlating the time of the spam with web server access logs might (or might not) indicate the source. You might check that you have 'mail.add_x_header = On' in all your php.ini files. And if you can catch an ongoing smtp connection you could see what process is connected to localhost port 25 (e.g. see what userid it is running as, or show what files it has open with lsof).
     
    Alexcho likes this.
  15. Alexcho

    Alexcho New Member

    Now I see the login client port is 48726... Every message comes with a different port...
    I didn't open those ports... I'll check the router settings... Maybe I have put the server in the DMZ... I'll go and see what's happening...

    PS: I'm adding this rule to all my php.ini files.
     
  16. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    If you catch an ongoing smtp connection, use 'lsof -i :48726' to see what process is using port 48726 (obviously change to whatever ephemeral port number you find in use at the moment).
     
  17. Alexcho

    Alexcho New Member

    Ok, for now I found a solution but I don't know if it is a good solution. I didn't catch any SMTP connections all night...
    I just removed permit_mynetworks, added some rules to /etc/postfix/main.cf and now all connections from localhost[127.0.0.1] are blocked with relay access denied.

    Added -
    smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination

    Deleted -
    From smtpd_sender_restrictions - deleted permit_mynetworks

    Dec 28 11:46:08 panel postfix/smtpd[667906]: connect from localhost[127.0.0.1]
    Dec 28 11:46:09 panel postfix/smtpd[667906]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mega.nz>
    Dec 28 11:46:09 panel postfix/smtpd[667906]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4

    Please write if someone finds a better solution.
    I tested sending from Roundcube and the mail was sent with no problem.
     
  18. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    That can work to stop the immediate flood, and even remain long term if that policy works for you, but you still have a compromised site/server that you need to clean up. All the spammers have to do is switch from smtp to the localhost addr to direct smtp to the receiving server and you're right back to spamming (and there are many other ways a compromised site will abuse your resources and external systems).
     
    Alexcho likes this.
  19. Alexcho

    Alexcho New Member

    Ok, I'm hacked!
    I tried many things.. so many that my ISPConfig is no longer as functional as before. My SMTP server is down, I can't connect to it from mxtoolbox for example, and so on.
    I rejected all ports in UFW and the panel. The sending of messages continues. I rejected port 25 on the router.. no effect...
    The last thing I did was check the port 22 traffic. I have traffic on all ports, by the way... I saw that there were at least 13 users with established SSH connections. I checked the sessions and what did I see... user UUCP, which I suspected earlier. All these connections were from the UUCP user as root. I decided to limit the SSH connections. The traffic stopped on all ports. Next I made a new domain for an old client, clicked on the Statistics tab in Sites->Client ID and voila... an error appeared:
    [INTERFACE]: PHP IDS Alert. Total impact: 45 | Affected tags: xss, csrf, id, rfe, lfi | Variable: POST.ssl_key | Value: (PEM private key omitted) | Impact: 12 | Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID 25 | Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID 67 | Variable: POST.ssl_request | Value: (PEM certificate request omitted) | Impact: 12 | ID 25 | ID 67 | Variable: POST.ssl_cert | Value: (PEM certificate omitted) | Impact: 21 | Description: Detects JavaScript with(), ternary operators and XML predicate attacks | Tags: xss, csrf | ID 7 | ID 25 | Description: Detects common XSS concatenation patterns 2/2 | Tags: xss, csrf, id, rfe | ID 31 | ID 67

    Then I decided to check some logs in more detail.

    Many of the document logs have more entries like this one: 78.83.89.173 - - [29/Dec/2021:20:45:11 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
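The post above ends with established SSH sessions owned by the `uucp` service account, which on a standard install has a locked password and no login shell, so a password login as uucp means the account itself was altered. The following added example (not code from the thread or from ISPConfig) audits passwd and shadow contents for system accounts that can log in and produces the usermod commands to lock them; the file contents are constructed and the hash strings are placeholders.

```python
"""Audit /etc/passwd and /etc/shadow for system accounts that can still log in.

Added example, not code from the forum thread or from ISPConfig. Service
accounts such as uucp ship with a locked password ("*" or "!" in the shadow
hash field) and a non-interactive shell; an attacker who gives one of them a
password and a shell gets an SSH login that does not show up as a new user.
The sample files below are constructed and the "$6$..." values are
placeholders, not real hashes.
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
SYSTEM_UID_MAX = 1000  # Debian/Ubuntu convention: regular users start at UID 1000

# Constructed /etc/passwd: uucp has been given a real shell; everything else
# is as shipped.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alexcho:x:1000:1000:Alexcho:/home/alexcho:/bin/bash
web5:x:5004:5004::/var/www/clients/client1/web5:/usr/sbin/nologin
"""

# Constructed /etc/shadow: uucp has a usable hash, games has an empty
# password field (no password needed), the rest are locked or regular users.
SAMPLE_SHADOW = """\
root:$6$placeholderroot:18988:0:99999:7:::
daemon:*:18988:0:99999:7:::
games::18988:0:99999:7:::
uucp:$6$placeholderuucp:19000:0:99999:7:::
www-data:*:18988:0:99999:7:::
alexcho:$6$placeholderalex:18988:0:99999:7:::
"""


def parse_passwd(text):
    """{user: (uid, shell)} from passwd-format text; malformed lines are skipped."""
    out = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[2].isdigit():
            out[f[0]] = (int(f[2]), f[6])
    return out


def parse_shadow(text):
    """{user: hash_field} from shadow-format text."""
    out = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 2:
            out[f[0]] = f[1]
    return out


def audit_system_accounts(passwd_text, shadow_text, uid_max=SYSTEM_UID_MAX):
    """Return sorted (user, issue) pairs for system accounts that can log in.

    root is skipped: a root password is expected, and SSH access for it is
    governed by PermitRootLogin rather than by this check.
    """
    shadow = parse_shadow(shadow_text)
    findings = []
    for user, (uid, shell) in parse_passwd(passwd_text).items():
        if uid == 0 or uid >= uid_max:
            continue
        if shell not in NOLOGIN_SHELLS:
            findings.append((user, f"interactive shell: {shell}"))
        h = shadow.get(user)
        if h is None:
            continue  # no shadow entry: no password login possible
        if h == "":
            findings.append((user, "empty password field"))
        elif not h.startswith(("!", "*")):
            findings.append((user, "usable password hash"))
    return sorted(findings)


def remediation_commands(findings):
    """One usermod per affected account: lock the password and drop the shell."""
    users = sorted({user for user, _ in findings})
    return [f"usermod -L -s /usr/sbin/nologin {u}" for u in users]


if __name__ == "__main__":
    found = audit_system_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for user, issue in found:
        print(f"{user}: {issue}")
    print("\n".join(remediation_commands(found)))
```

Locking an account does not end sessions that are already open, and it says nothing about authorized_keys files planted in the account's home directory; both need a separate check.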
     
  20. Alexcho

    Alexcho New Member

    But this document log has much more:
    /var/log/ispconfig/httpd/localhost.localdomain/20211229-access.log
    78.83.89.173 - - [29/Dec/2021:20:45:11 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    78.83.89.173 - - [29/Dec/2021:20:45:11 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    78.83.89.173 - - [29/Dec/2021:20:45:11 +0000] "GET / HTTP/1.1" 302 5503 "-" "Mozilla/5.0 (Windows NT >
    78.83.89.173 - - [29/Dec/2021:20:45:12 +0000] "GET /login/ HTTP/1.1" 200 9080 "-" "Mozilla/5.0 (Windo>
    78.83.89.173 - - [29/Dec/2021:20:45:12 +0000] "GET /HNAP1/ HTTP/1.1" 404 5066 "http://78.83.83.26:808>
    78.83.89.173 - - [29/Dec/2021:20:45:12 +0000] "GET /hudson/script HTTP/1.1" 404 5066 "http://78.83.83>
    78.83.89.173 - - [29/Dec/2021:20:45:12 +0000] "GET /script HTTP/1.1" 404 5066 "http://78.83.83.26:808>
    78.83.89.173 - - [29/Dec/2021:20:45:12 +0000] "GET /sqlite/main.php HTTP/1.1" 404 5066 "http://78.83.>
    78.83.89.173 - - [29/Dec/2021:20:45:12 +0000] "GET /sqlitemanager/main.php HTTP/1.1" 404 5066 "http:/>
    78.83.89.173 - - [29/Dec/2021:20:45:15 +0000] "GET /SQLiteManager/main.php HTTP/1.1" 404 5066 "http:/>
    78.83.89.173 - - [29/Dec/2021:20:45:15 +0000] "GET /SQLite/main.php HTTP/1.1" 404 5066 "http://78.83.>
    78.83.89.173 - - [29/Dec/2021:20:45:15 +0000] "GET /SQlite/main.php HTTP/1.1" 404 5066 "http://78.83.>
    78.83.89.173 - - [29/Dec/2021:20:45:15 +0000] "GET /main.php HTTP/1.1" 404 5066 "http://78.83.83.26:8>
    78.83.89.173 - - [29/Dec/2021:20:45:15 +0000] "GET /test/sqlite/SQLiteManager-1.2.0/SQLiteManager-1.2>
    91.148.152.235 - - [29/Dec/2021:20:45:15 +0000] "GET /datalogstatus.php HTTP/2.0" 200 540 "https://pa>
    78.83.89.173 - - [29/Dec/2021:20:45:15 +0000] "GET /SQLiteManager-1.2.4/main.php HTTP/1.1" 404 5066 ">
    78.83.89.173 - - [29/Dec/2021:20:45:16 +0000] "GET /agSearch/SQlite/main.php HTTP/1.1" 404 5066 "http>
    78.83.89.173 - - [29/Dec/2021:20:45:16 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 10333 "http://78.83.83.>
    78.83.89.173 - - [29/Dec/2021:20:45:16 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 5066 ">
    195.54.160.149 - - [29/Dec/2021:22:15:02 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    46.174.191.30 - - [29/Dec/2021:22:30:32 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    92.118.234.202 - - [29/Dec/2021:22:39:13 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    185.204.1.186 - - [29/Dec/2021:22:50:18 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    185.204.1.186 - - [29/Dec/2021:22:50:18 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    185.204.1.186 - - [29/Dec/2021:22:50:18 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    185.204.1.186 - - [29/Dec/2021:22:50:19 +0000] "GET / HTTP/1.1" 302 5503 "-" "Mozilla/5.0 (Windows NT>
    185.204.1.186 - - [29/Dec/2021:22:50:19 +0000] "GET /login/ HTTP/1.1" 200 9080 "-" "Mozilla/5.0 (Wind>
    92.118.234.202 - - [29/Dec/2021:22:59:06 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    192.241.207.54 - - [29/Dec/2021:23:02:05 +0000] "GET / HTTP/1.1" 200 5844 "-" "Mozilla/5.0 zgrab/0.x"
    196.196.41.68 - - [29/Dec/2021:23:09:41 +0000] "GET / HTTP/1.0" 400 528 "-" "-"

    This is from client1:
    Var/log/ispconfig/httpd/client1/accesslog

    185.180.143.79 - - [27/Dec/2021:15:30:14 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    109.237.103.118 - - [27/Dec/2021:15:43:41 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    109.237.103.118 - - [27/Dec/2021:15:43:42 +0000] "GET /.git/config HTTP/1.1" 404 5531 "-" "Mozilla/5.>
    92.118.234.202 - - [27/Dec/2021:15:54:32 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    80.82.78.39 - - [27/Dec/2021:16:09:49 +0000] "GET / HTTP/1.1" 403 363 "-" "Mozilla/5.0"
    80.82.78.39 - - [27/Dec/2021:16:09:51 +0000] "\x16\x03\x01" 400 392 "-" "-"
    91.90.123.71 - - [27/Dec/2021:16:14:15 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    5.8.10.202 - - [27/Dec/2021:16:18:29 +0000] "GET /server-status HTTP/1.1" 403 363 "-" "Go-http-client>

    34.86.35.17 - - [27/Dec/2021:19:11:44 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    179.8.105.90 - - [27/Dec/2021:19:14:18 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    146.88.240.17 - - [27/Dec/2021:19:19:12 +0000] "\x16\x03\x01" 400 392 "-" "-"
    FROM HERE START WITH MY SERVER IP
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET / HTTP/2.0" 302 634 "-" "Mozilla/5.0 (Windows NT 10>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /login/ HTTP/2.0" 200 4134 "-" "Mozilla/5.0 (Window>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /themes/default/assets/stylesheets/fonts.min.css HT>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /themes/default/assets/stylesheets/pushy.min.css HT>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /themes/default/assets/stylesheets/ispconfig.css?ve>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /themes/default/assets/stylesheets/bootstrap-dateti>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /themes/default/assets/stylesheets/responsive.min.c>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /themes/default/assets/stylesheets/themes/default/t>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /themes/default/assets/stylesheets/select2.css HTTP>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /themes/default/assets/stylesheets/select2-bootstra>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /themes/default/assets/stylesheets/bootstrap.min.cs>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /themes/default/assets/stylesheets/login.css HTTP/2>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /themes/default/assets/javascripts/bootstrap.min.js>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /themes/default/assets/javascripts/bootstrap-dateti>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /js/jquery.min.js HTTP/2.0" 200 30029 "https://pane>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /themes/default/assets/javascripts/modernizr.custom>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /themes/default/assets/javascripts/pushy.min.js HTT>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /themes/default/assets/javascripts/responsive.min.j>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /themes/default/assets/javascripts/ispconfig.js HTT>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /js/jquery.ispconfigsearch.js HTTP/2.0" 200 3118 "h>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /js/jquery.tipsy.js HTTP/2.0" 200 3215 "https://pan>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /js/select2/select2.min.js HTTP/2.0" 200 18989 "htt>
    78.83.83.26 - - [27/Dec/2021:19:27:38 +0000] "GET /js/scrigo.js.php HTTP/2.0" 200 2182 "https://panel>
    78.83.83.26 - - [27/Dec/2021:19:27:39 +0000] "GET /themes/default/assets/favicon/site.webmanifest HTT>
    78.83.83.26 - - [27/Dec/2021:19:27:40 +0000] "GET / HTTP/2.0" 302 531 "-" "Mozilla/5.0 (Windows NT 10>
    78.83.83.26 - - [27/Dec/2021:19:28:23 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:28:23 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:28:23 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:28:23 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:28:24 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:28:24 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:28:24 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:28:24 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:28:24 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:28:24 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:28:27 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:28:27 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:28:27 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:28:27 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:28:27 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:28:27 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:28:58 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:28:58 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:29:02 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:29:02 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:29:02 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:29:02 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:29:02 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:29:02 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:29:12 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:29:12 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:29:12 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:29:12 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:29:14 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:29:14 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:29:14 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:29:14 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
    78.83.83.26 - - [27/Dec/2021:19:29:18 +0000] "GET / HTTP/2.0" 302 531 "-" "Mozilla/5.0 (Windows NT 10>
    78.83.83.26 - - [27/Dec/2021:19:29:18 +0000] "GET /login/ HTTP/2.0" 200 4134 "-" "Mozilla/5.0 (Window>
    78.83.83.26 - - [27/Dec/2021:19:29:18 +0000] "GET /js/scrigo.js.php HTTP/2.0" 200 2182 "https://panel>
    TO HERE
    192.241.204.237 - - [27/Dec/2021:21:00:50 +0000] "\x16\x03\x01" 400 392 "-" "-"
    192.241.214.213 - - [27/Dec/2021:21:01:56 +0000] "\x16\x03\x01" 400 392 "-" "-"
    192.241.207.18 - - [27/Dec/2021:21:02:56 +0000] "\x16\x03\x01" 400 392 "-" "-"
    195.54.160.149 - - [27/Dec/2021:21:21:54 +0000] "\x16\x03\x01" 400 392 "-" "-"
    103.206.100.93 - - [27/Dec/2021:21:26:19 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    198.98.49.124 - - [27/Dec/2021:21:41:51 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    177.91.19.244 - - [27/Dec/2021:21:42:09 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    71.6.232.4 - - [27/Dec/2021:21:52:06 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
    109.237.103.38 - - [27/Dec/2021:21:52:21 +0000] "GET /.env HTTP/1.1" 404 397 "-" "Mozilla/5.0 (X11; L>
    109.237.103.38 - - [27/Dec/2021:21:52:21 +0000] "\x16\x03\x01\x01C\x01" 400 392 "-" "-"
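The access logs posted above mix three kinds of traffic: bulk scanners sending a bare "GET / HTTP/1.0" and getting a 400, probes for well-known admin tools and secrets (/.git/config, /.env, /server-status, SQLiteManager and phpMyAdmin paths), and clients that sent a TLS handshake to the plaintext HTTP port (Apache escapes the raw bytes as \x16\x03\x01, the start of a TLS ClientHello record, and answers 400). The block below is an added triage script, not something from this thread or from ISPConfig: it parses combined-format lines, labels each entry, totals them per client IP and counts how many entries came from the server's own public address, which is the part the poster marked "FROM HERE" / "TO HERE". The probe-path list is an assumption built from paths visible in the thread, and the sample log lines are constructed with TEST-NET addresses.

```python
import re
from collections import Counter, defaultdict

# Combined log format as written by Apache/nginx (ISPConfig keeps one such
# file per site under /var/log/ispconfig/httpd/<site>/).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths mass scanners request while hunting for exposed admin tools or secrets.
# Assumption: a short list built from paths seen in this thread, not a complete one.
PROBE_PATHS = {
    "/.git/config", "/.env", "/server-status", "/HNAP1/",
    "/phpmyadmin/scripts/setup.php", "/hudson/script", "/script",
}
PROBE_PATH_MARKERS = ("sqlite", "phpmyadmin/scripts")
SCANNER_UA_MARKERS = ("zgrab", "Go-http-client")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse
    (for example a line truncated by the terminal, as several in the thread are)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Label one parsed entry with the kind of traffic it most likely represents."""
    req, ua, status = entry["req"], entry["ua"], entry["status"]
    # 0x16 0x03 0x01 opens a TLS handshake record (ClientHello). Apache writes the
    # escaped text \x16\x03\x01 into the log, so the check is on the literal string:
    # a client spoke TLS to a plaintext HTTP listener and was answered with 400.
    if req.startswith("\\x16\\x03\\x01"):
        return "tls-on-plaintext-port"
    parts = req.split(" ")
    if len(parts) != 3:
        return "malformed-request"
    method, path, proto = parts
    low = path.lower()
    if path in PROBE_PATHS or any(mk in low for mk in PROBE_PATH_MARKERS):
        return "recon-probe"
    if any(mk in ua for mk in SCANNER_UA_MARKERS):
        return "scanner-user-agent"
    # "GET / HTTP/1.0" with no User-Agent, answered 400, is what bulk port
    # scanners leave behind when checking whether anything HTTP-like listens.
    if proto == "HTTP/1.0" and ua == "-" and status == 400:
        return "bare-http10-probe"
    return "normal"


def triage(lines, server_ip):
    """Group labels per client IP and count entries whose client is the server itself."""
    per_ip = defaultdict(Counter)
    unparsed = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed.append(line)
            continue
        per_ip[entry["ip"]][classify(entry)] += 1
    self_traffic = sum(per_ip[server_ip].values()) if server_ip in per_ip else 0
    return {"per_ip": dict(per_ip), "unparsed": unparsed, "self_traffic": self_traffic}


# Constructed sample in the same format as the thread's logs; 203.0.113.5 plays
# the role of the server's own public IP, the other addresses are scanners.
SAMPLE_LOG = r'''
198.51.100.7 - - [27/Dec/2021:15:30:14 +0000] "GET / HTTP/1.0" 400 528 "-" "-"
198.51.100.7 - - [27/Dec/2021:15:30:15 +0000] "GET /.git/config HTTP/1.1" 404 5531 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Dec/2021:16:09:51 +0000] "\x16\x03\x01" 400 392 "-" "-"
198.51.100.9 - - [27/Dec/2021:16:18:29 +0000] "GET /server-status HTTP/1.1" 403 363 "-" "Go-http-client/1.1"
192.0.2.44 - - [29/Dec/2021:23:02:05 +0000] "GET / HTTP/1.1" 200 5844 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.5 - - [27/Dec/2021:19:27:38 +0000] "GET /login/ HTTP/2.0" 200 4134 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.5 - - [27/Dec/2021:19:28:23 +0000] "\x16\x03\x01\x02" 400 392 "-" "-"
198.51.100.7 - - [27/Dec/2021:20:45:15 +0000] "GET /SQLiteManager/main.php HTTP/1.1" 404 5066 "http://203.0.113.5:8080/" "Mozilla/5.0"
198.51.100.7 - - [27/Dec/2021:20:45:16 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 5066 "http://203.0.113>
'''

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines(), server_ip="203.0.113.5")
    for ip, counts in sorted(result["per_ip"].items()):
        print(ip, dict(counts))
    print("entries from the server's own IP:", result["self_traffic"])
    print("unparsed (truncated) lines:", len(result["unparsed"]))
```

Run it against the real file with `triage(open(path).readlines(), "<server ip>")`. Entries labelled "recon-probe" and "bare-http10-probe" from outside addresses are background noise every Internet-facing host receives and are not evidence of a compromise; what deserves a closer look is the "self_traffic" bucket, because a client address equal to the server's own public IP means either an admin behind the same NAT or a process on the host itself, and only the second would relate to mail leaving from localhost.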