For me this posting was really helpful. I checked my Apache log files and found out that some IPs tried out several non-existing URLs (HTTP error 404). Here’s an example:
68.218.114.244 - - [26/Dec/2025:10:54:11 +0100] "GET /wp-content/plugins/hellopress/wp_filemanager.php HTTP/1.1" 404 8933 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:12 +0100] "GET /nc4.php HTTP/1.1" 302 1291 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:13 +0100] "GET /nc4.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:14 +0100] "GET /d4.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:14 +0100] "GET /ad.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:15 +0100] "GET /dlex.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:16 +0100] "GET /classwithtostring.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:16 +0100] "GET /pass.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:18 +0100] "GET /good.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:18 +0100] "GET /ext.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:19 +0100] "GET /class20.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:20 +0100] "GET /css/index.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:20 +0100] "GET /aa.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:21 +0100] "GET /npi.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:22 +0100] "GET /ahax.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:23 +0100] "GET /pop.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:23 +0100] "GET /file17.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:24 +0100] "GET /wp-includes/fonts/themes.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:25 +0100] "GET /about.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:25 +0100] "GET /litanies.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:26 +0100] "GET /g.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:27 +0100] "GET /readme.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:27 +0100] "GET /kwm4.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:28 +0100] "GET /just2.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:29 +0100] "GET /png.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:30 +0100] "GET /geger.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:31 +0100] "GET /let.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:32 +0100] "GET /np.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:33 +0100] "GET /ask.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:33 +0100] "GET /CLA.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:34 +0100] "GET /wp-admin/index.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:35 +0100] "GET /mek.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:36 +0100] "GET /fjpeb.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:36 +0100] "GET /ex.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:37 +0100] "GET /asd67.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:38 +0100] "GET /zwso.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:38 +0100] "GET /alfa.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:39 +0100] "GET /shlo.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:40 +0100] "GET /sec.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:41 +0100] "GET /natural.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:42 +0100] "GET /1.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:43 +0100] "GET /z.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:43 +0100] "GET /law.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:44 +0100] "GET /bluejackets.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:45 +0100] "GET /php.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:45 +0100] "GET /sx21_1.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:46 +0100] "GET /1aa.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:47 +0100] "GET /nx9.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:47 +0100] "GET /file.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:48 +0100] "GET /aw.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:49 +0100] "GET /sfvul.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:49 +0100] "GET /icdwb.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:50 +0100] "GET /ticket.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:51 +0100] "GET /elp.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:52 +0100] "GET /k.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:53 +0100] "GET /amphicyon.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:53 +0100] "GET /wsad.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:54 +0100] "GET /lock1.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:55 +0100] "GET /xp.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:55 +0100] "GET /e.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:56 +0100] "GET /v3.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:57 +0100] "GET /akcc.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:57 +0100] "GET /minik.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:58 +0100] "GET /asasx.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:59 +0100] "GET /nx.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:54:59 +0100] "GET /themes.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:00 +0100] "GET /acp.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:01 +0100] "GET /xpw.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:02 +0100] "GET /lufix.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:03 +0100] "GET /akp.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:03 +0100] "GET /cwsd.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:04 +0100] "GET /tll.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:06 +0100] "GET /Okxob.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:06 +0100] "GET /idea.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:07 +0100] "GET /pepe.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:08 +0100] "GET /v2.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:09 +0100] "GET /yca.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:10 +0100] "GET /lock360.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:10 +0100] "GET /ot.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:11 +0100] "GET /bolt.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:12 +0100] "GET /j.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:13 +0100] "GET /s.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:13 +0100] "GET /ucp.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:14 +0100] "GET /zse.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:15 +0100] "GET /0x.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:15 +0100] "GET /403.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:16 +0100] "GET /gfile.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:19 +0100] "GET /doc.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:20 +0100] "GET /orm.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:20 +0100] "GET /ay.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:21 +0100] "GET /buy.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:22 +0100] "GET /test.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:22 +0100] "GET /wsa.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:23 +0100] "GET /wolv.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:24 +0100] "GET /ea3f.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:24 +0100] "GET /price.php HTTP/1.1" 404 5737 "-" "-"
68.218.114.244 - - [26/Dec/2025:10:55:25 +0100] "GET /gmo.php HTTP/1.1" 404 5737 "-" "-"
I added a fail2ban jail for that (found a definition in the German ubuntuusers wiki) and used maxretry = 5 and findtime = 10 (seconds), since they try several URLs within a short period of time, as one can see in the example above.
EDIT 2026-02-13: This turned out to be a bad idea; I had false positives and banned some of my users…
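An added example, not part of the comment above: a simplified model of a "maxretry 404s within findtime seconds" rule, run over constructed log lines in the same Apache format, to show one way such a rule can also catch an ordinary visitor (a page with several missing assets). The function names, the `strict` filter and the sample IPs (documentation ranges) are assumptions made for illustration, not fail2ban's own code or filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format, as in the excerpt above.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, referer, agent = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status), referer, agent

def banned(lines, maxretry=5, findtime=10, strict=False):
    """Return IPs with >= maxretry matching 404s inside findtime seconds.

    strict=False: every 404 counts (the jail described in the comment).
    strict=True: only 404s for distinct .php paths sent without a Referer
    (an assumed narrowing, chosen from what the scan above looks like).
    """
    hits, out = defaultdict(deque), set()
    for rec in filter(None, map(parse, lines)):
        ip, ts, path, status, referer, _ = rec
        if status != 404:
            continue
        if strict and not (path.split("?")[0].endswith(".php") and referer == "-"):
            continue
        window = hits[ip]
        window.append((ts, path))
        while (ts - window[0][0]).total_seconds() > findtime:
            window.popleft()  # drop hits older than the sliding window
        count = len({p for _, p in window}) if strict else len(window)
        if count >= maxretry:
            out.add(ip)
    return out

def sample():
    """Constructed log lines: a scanner and a visitor hitting a page with broken assets."""
    fmt = '{ip} - - [26/Dec/2025:10:54:{s:02d} +0100] "GET {p} HTTP/1.1" 404 5737 "{r}" "{a}"'
    scan = [fmt.format(ip="203.0.113.7", s=10 + i, p=f"/probe{i}.php", r="-", a="-") for i in range(6)]
    user = [fmt.format(ip="198.51.100.23", s=20 + i // 3, p=f"/img/missing{i}.png",
                       r="https://example.org/gallery", a="Mozilla/5.0") for i in range(6)]
    return scan + user

if __name__ == "__main__":
    print("any 404:", sorted(banned(sample())))
    print("strict: ", sorted(banned(sample(), strict=True)))
```

Running a candidate rule like this over a few days of real access logs before enabling the jail shows which addresses it would have banned.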