NFT News, Updates, Sources, To Buy & Sell, Advice, Disscussions, Tips, Forum, Market, Crypto, & more!

in

I’m getting POST requests from China, a Ukrainian data center, a TOR exit node, and others to my personal project server, any idea what is going on here?

TL;DR

I'm getting POST requests from China, a Ukrainian data center, a TOR exit node, and others to my personal project server, I want to know more and don't know what to do.

For some time now, I've been building a cryptocurrency trading bot, but I've left it aside for some time now, letting it collect data while I do other stuff. It will be there when I get back to it.

Now that I am thinking of getting back to it, I decide to check in. So, I SSH into my home server, connect to the screen instance, and realize that I'm getting frequent (~1/min) POST requests from some IPs I don't recognize. Now, the only HTTP requests this app is supposed to make are GET requests to the exchange (Kraken) every 5 minutes, so something strange is going on here.

In the console, I see multiple lines that look like:

INFO:werkzeug:91.232.30.116 - - [25/Feb/2022 17:47:36] "POST / HTTP/1.1" 200 -

There seem to be 3 different IPs making requests, roughly 50 seconds apart, but not consistently spaced, eventually repeating the addresses.

EDIT: There are more than 3

I pick one of the IPs (91.232.30.116) and find a page on findip-address.com which says it's owned by Omniliance Ltd, which seems to be a data center in Nikolaev, Ukraine. My first thought is that they might be hosting a VPN service which someone is using to send the requests, but still seems unlikely to me.

I check another (185.82.219.109), and find that this one is a TOR exit node (according to abuseipdb). Very strange. I try another (217.12.208.131) and find a lot less obvious information. Again, I find an entry on abuseipdb (it is at this point that I begin to find it strange how an abuse reporting website has shown up for all 3 IPs I've tried). This one seems to be based in the Netherlands, possibly owned by an ISP? The domain listed is itl.ua which seems to be the Russian-language landing page for an ISP. Maybe this is a home IP address then?

Now, it's probably worth pointing out a few technical details:

  • It's a Flask server, not totally sure what version, or how to check without restarting it
  • Running on port 5000, which is forwarded
  • There are testnet NFTs whose metadata exists on and points to (the image as well as .json) my IP address, though the requested path and port is different. Regardless, my IP is still public and advertised in that way, though I'm the only slightly technical person who even knows about these NFTs (to my knowledge).
  • The hardware platform is fairly old now, CPU is a Pentium G3258. Probably with outdated microcode or BIOS or both.
  • OS is Debian 11

-- Side note about the CPU that I find kind of interesting --It's that 20th anniversary edition chip that that released with overclocking unlocked. To my recollection, when people (I have PC gamers in mind) noticed that this $60, cool-running, dual-core Pentium overclocked like a dream, they starting buying them up in lieu of an i3 or an i5 for their low-budget PCs, that is why I have one after all. Perhaps predictably, Intel decided to put an end to the party and released microcode update which disabled overclocking. I don't think I ever got/applied that update though, because last time I checked, I can still overclock it. Plus, I think that there's a message on boot that says something about microcode, I might be making that up though.

Any idea what might be going on here? I realize I should probably close the network port or something, but really, I'm more interested in what this is about.

EDIT: I thought I'd check back in and now I'm noticing some requests from the same, but also a GET request from China (211.149.171.222, abuseipdb) and another making POST requests from Czechia (217.12.208.131, abuseipdb) but alarmingly, according to abuseipdb, this address has been "reported 3,518 times. Confidence of abuse is 100%." Yikes.

EDIT 2: Port 8080, not 5000

What do you think?

Frontend Run Issue thumbnail

Frontend Run Issue

How to mint your JPGs with Loopring.io thumbnail

How to mint your JPGs with Loopring.io