token.php getting spammed/hacked?

by Paul Lindgreen -
Number of replies: 0
Our webserver IIS logs indicate we are getting a lot of traffic (20k log entries/day) to '/login/token.php'; half the time a 500 error is returned. The bulk of the traffic is from one IP, which changed to a similar IP the next day.

Is a bot trying to hack into our site?

The log also often mentions 'MoodleMobile'; is that the Moodle mobile app? I thought the Moodle mobile app generated traffic outside of web server logs?

Sample IIS log entry:

2024-01-24 02:32:08 xxx.xxx.xxx.xxx GET /login/token.php - 443 - 129.222.184.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+moodledesktop/3.9.2+Chrome/69.0.3497.128+Electron/4.2.5+Safari/537.36+MoodleMobile - 500 0 0 46
2024-01-24 00:00:03 xxx.xxx.xxx.xxx POST /login/token.php - 443 - 129.222.184.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+moodledesktop/3.9.2+Chrome/69.0.3497.128+Electron/4.2.5+Safari/537.36+MoodleMobile - 500 0 0 15

#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-24 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken


system
moodle 3.11.5
IIS
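One way to triage the traffic described in the post is to break the '/login/token.php' requests down by client IP, error share, method and user agent (added example, not part of the original post). The sample log is constructed in the format of the posted #Fields header, with documentation-range addresses, and the function names are this example's own.

```python
from collections import Counter, defaultdict

# Constructed sample in the W3C format shown in the post; addresses are
# documentation-range placeholders, not values from the original log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-24 00:00:03 10.0.0.5 POST /login/token.php - 443 - 203.0.113.10 Mozilla/5.0+moodledesktop/3.9.2+MoodleMobile - 500 0 0 15
2024-01-24 00:00:09 10.0.0.5 POST /login/token.php - 443 - 203.0.113.10 Mozilla/5.0+moodledesktop/3.9.2+MoodleMobile - 200 0 0 31
2024-01-24 00:00:14 10.0.0.5 GET /login/token.php - 443 - 203.0.113.10 Mozilla/5.0+moodledesktop/3.9.2+MoodleMobile - 500 0 0 46
2024-01-24 00:01:20 10.0.0.5 POST /login/token.php - 443 - 198.51.100.7 Mozilla/5.0+MoodleMobile - 200 0 0 40
2024-01-24 00:02:00 10.0.0.5 GET /login/index.php - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 12
"""

def parse_w3c(lines):
    """Yield one dict per request, using the latest #Fields directive as the schema."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()  # IIS encodes spaces inside a field as '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def summarize(lines, uri="/login/token.php"):
    """Per client IP: request count, 5xx count, methods and user agents for one URI."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0,
                                 "methods": Counter(), "agents": Counter()})
    for row in parse_w3c(lines):
        if row["cs-uri-stem"].lower() != uri:
            continue
        s = stats[row["c-ip"]]
        s["total"] += 1
        s["errors"] += row["sc-status"].startswith("5")
        s["methods"][row["cs-method"]] += 1
        s["agents"][row["cs(User-Agent)"]] += 1
    return dict(stats)

def top_talkers(stats, n=5):
    """Return (ip, total, 5xx share) tuples, busiest client first."""
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["total"], reverse=True)
    return [(ip, s["total"], round(s["errors"] / s["total"], 2)) for ip, s in ranked[:n]]

if __name__ == "__main__":
    for ip, total, share in top_talkers(summarize(SAMPLE_LOG.splitlines())):
        print(f"{ip:15} requests={total:<6} 5xx_share={share}")
```

To run it against a real log, pass the lines of the IIS log file to `summarize` instead of `SAMPLE_LOG.splitlines()`.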