Suspicious requests in the Apache web server log file

I found the following requests on my Apache web server. Are these hacking attempts? It will depend on the server.

My server often crashes for no reason:

GET /muieblackcat HTTP/1.1" 302 214
GET //index.php HTTP/1.1" 302 214
GET //admin/index.php HTTP/1.1" 302 214
GET //admin/pma/index.php HTTP/1.1" 302 214
GET //admin/phpmyadmin/index.php HTTP/1.1" 302 214

/user/soapCaller.bs HTTP/1.1" 302 214

GET /robots.txt HTTP/1.0" 302 214

We see a lot of requests for nonexistent setup.php files:

GET /phpmyadmin/scripts/setup.php HTTP/1.1" 302 214
GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 302 214
GET /MyAdmin/scripts/setup.php HTTP/1.1" 302 214
GET /myadmin/scripts/setup.php HTTP/1.1" 302 214
GET //typo3/phpmyadmin/index.php HTTP/1.1" 302 214
GET /pma/scripts/setup.php HTTP/1.1" 302 214
GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 302 214

The request below is also present on the server. What is this request?

95.211.124.232 - - [16/Aug/2012:18:14:52 +0800] "CONNECT yandex.ru:80 HTTP/1.1" 302 214

Could someone please help me understand the server crash problem?

+4
3 answers

Yes, these are probably attempts to hack your server. A hacker makes URL calls for files with known flaws. However, you are safe as long as these files do not exist on your server.

What you need to worry about is if you have a file with a known weakness.

One temporary solution would be to block the IP address from which these calls are made. You should also check whether any calls from this particular IP address have found an existing page.

The only permanent solution is to update all your software so that you are not vulnerable to known weak security systems.

These HTTP calls cannot explain the cause of your server failure.

PS: /robots.txt is not a hack attempt. It is the file where search engines such as Google look for instructions on how to index your site. This is normal.

+4
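The question asks how to tell scanner traffic apart from normal requests, and the first answer says to check whether any probe from such an IP actually found an existing page. The script below is an added example, not code from the original thread: it parses Apache "combined" log lines, tags the two probe patterns visible above (guessing admin/phpMyAdmin paths, and CONNECT requests that test for an open proxy), groups them by client IP, and lists any probe that was answered with a 2xx status. The sample log is constructed; the 203.0.113.0/24 and 192.0.2.0/24 addresses are documentation ranges, and the paths are the ones quoted in the question.

```python
"""Triage Apache access-log lines for web-scanner activity.

Added example, not from the original thread. Assumes Apache's "combined"
LogFormat (client IP, timestamp, request line, status, size). The sample
lines below are constructed for illustration; the probed paths mirror the
ones quoted in the question.
"""
import re
from collections import defaultdict

# One "combined" log line: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Path fragments typical of mass scanners; all of these appear in the question.
PROBE_MARKERS = ("muieblackcat", "/scripts/setup.php", "phpmyadmin",
                 "/pma/", "/admin/", "soapcaller.bs")


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["status"] = int(req["status"])
    req["path"] = req["path"].lower()   # scanners vary case: /phpMyAdmin vs /phpmyadmin
    return req


def classify(req):
    """Tag a request as a known probe type, or return None for ordinary traffic."""
    if req["method"] == "CONNECT":
        return "proxy-probe"            # checks whether the server relays to other hosts
    if any(marker in req["path"] for marker in PROBE_MARKERS):
        return "admin-panel-probe"      # guessing well-known admin / phpMyAdmin paths
    return None


def triage(lines, min_probes=3):
    """Group probes by client IP and keep IPs with at least min_probes hits.

    Returns {ip: {"probes": n, "tags": set, "served": [paths answered 2xx]}}.
    'served' is the check the first answer recommends: a 302 or 404 means the
    probe found nothing, a 200 means that file really exists on this server.
    """
    per_ip = defaultdict(lambda: {"probes": 0, "tags": set(), "served": []})
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue                    # truncated or non-combined line, skip it
        tag = classify(req)
        if tag is None:
            continue
        entry = per_ip[req["ip"]]
        entry["probes"] += 1
        entry["tags"].add(tag)
        if 200 <= req["status"] < 300:
            entry["served"].append(req["path"])
    return {ip: e for ip, e in per_ip.items() if e["probes"] >= min_probes}


# Constructed sample log (documentation-range IPs; one IP from the question).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Aug/2012:18:10:01 +0800] "GET /muieblackcat HTTP/1.1" 302 214
203.0.113.7 - - [16/Aug/2012:18:10:01 +0800] "GET //admin/pma/index.php HTTP/1.1" 302 214
203.0.113.7 - - [16/Aug/2012:18:10:02 +0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 302 214
203.0.113.7 - - [16/Aug/2012:18:10:02 +0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 1833
95.211.124.232 - - [16/Aug/2012:18:14:52 +0800] "CONNECT yandex.ru:80 HTTP/1.1" 302 214
192.0.2.9 - - [16/Aug/2012:18:20:13 +0800] "GET /robots.txt HTTP/1.0" 200 68
192.0.2.9 - - [16/Aug/2012:18:20:14 +0800] "GET /index.html HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG.splitlines(), min_probes=1).items():
        print(ip, entry["probes"], sorted(entry["tags"]), entry["served"])
```

Run it against a real file with `triage(open("/var/log/apache2/access.log"))`. The lines pasted in the question are missing the client IP and timestamp, so they will not match the regex as-is; the full log entries are needed. A non-empty `served` list for a scanning IP is the case worth investigating, since it means the guessed file is really present on the server.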

I would like to ask whether you use PHP at all. Most web hosting packages enable many features; if you do not use PHP, CGI, SSI, etc., you can disable them. It might also be an idea to watch your system messages (Linux? tail -f /var/log/messages), where you can see activity live. Another idea would be to move SSH and other daemon ports (other than HTTP) from their well-known numbers to unusual ports above 1024, or, if you have your own public IP address from which you access the Internet, configure the firewall to allow connections to those ports only from your own IP.

0

A good solution, if you use Apache / WHM, would be to install mod_security and CSF (ConfigServer Firewall). mod_security will monitor for malicious activity and block IPs on the firewall if they repeatedly trigger the same security rule.

Another solution, which is quite extreme, would be to block all IP traffic in the firewall based on country code. For example, if you notice that most of your attacks come from Ukraine, and 99% of your user base is in the United States, then block the entire offending country. As I said, it's extreme.

Also note that running mod_security and CSF can slow down the server, as every incoming connection must be checked against the firewall's database.

0

Source: https://habr.com/ru/post/1434543/
