HowtoForge Forums > Linux Forums > Server Operation
  #1  
Old 11th November 2012, 19:19
blinky blinky is offline
Member
 
Join Date: Sep 2012
Posts: 34
Thanks: 0
Thanked 0 Times in 0 Posts
Default identifying threats and dealing with them appropriately

I'm very new to Ubuntu, so installing my own home-based web, file and mail server has been a truly, incredibly fascinating experience. I've been amazed at the sheer number of hits my web server gets and I haven't told a soul it's up and running. (Other than my domain name registrar.)

Anyways, while having my tea after lunch today I happened to have a window open that was monitoring Apache's access.log, as I've been trying to eliminate a variety of bots lately.

Anyways, as I'm sitting there sipping my tea the screen is suddenly a flurry of activity and the following spews across the screen until I temporarily shut down the Apache server:
Code:
149.3.152.246 - - [11/Nov/2012:12:34:26 -0500] "GET /index.php HTTP/1.1" 404 392 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:27 -0500] "GET /admin/index.php HTTP/1.1" 401 587 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:27 -0500] "GET /admin/pma/index.php HTTP/1.1" 401 587 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:27 -0500] "GET /admin/phpmyadmin/index.php HTTP/1.1" 401 587 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:28 -0500] "GET /db/index.php HTTP/1.1" 404 394 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:28 -0500] "GET /dbadmin/index.php HTTP/1.1" 404 398 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:28 -0500] "GET /myadmin/index.php HTTP/1.1" 404 398 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:29 -0500] "GET /mysql/index.php HTTP/1.1" 404 397 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:29 -0500] "GET /mysqladmin/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:30 -0500] "GET /typo3/phpmyadmin/index.php HTTP/1.1" 404 404 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:30 -0500] "GET /phpadmin/index.php HTTP/1.1" 404 397 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:30 -0500] "GET /phpMyAdmin/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:31 -0500] "GET /phpmyadmin/index.php HTTP/1.1" 404 399 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:31 -0500] "GET /phpmyadmin1/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:31 -0500] "GET /phpmyadmin2/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:32 -0500] "GET /pma/index.php HTTP/1.1" 404 395 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:32 -0500] "GET /web/phpMyAdmin/index.php HTTP/1.1" 404 403 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:32 -0500] "GET /xampp/phpmyadmin/index.php HTTP/1.1" 404 403 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:33 -0500] "GET /web/index.php HTTP/1.1" 404 395 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:33 -0500] "GET /php-my-admin/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:33 -0500] "GET /websql/index.php HTTP/1.1" 404 397 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:34 -0500] "GET /phpmyadmin/index.php HTTP/1.1" 404 399 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:34 -0500] "GET /phpMyAdmin/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:34 -0500] "GET /phpMyAdmin-2/index.php HTTP/1.1" 404 402 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:35 -0500] "GET /php-my-admin/index.php HTTP/1.1" 404 400 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:35 -0500] "GET /phpMyAdmin-2.2.3/index.php HTTP/1.1" 404 405 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:35 -0500] "GET /phpMyAdmin-2.2.6/index.php HTTP/1.1" 404 406 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:36 -0500] "GET /phpMyAdmin-2.5.1/index.php HTTP/1.1" 404 405 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:36 -0500] "GET /phpMyAdmin-2.5.4/index.php HTTP/1.1" 404 405 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:36 -0500] "GET /phpMyAdmin-2.5.5-rc1/index.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:37 -0500] "GET /phpMyAdmin-2.5.5-rc2/index.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:37 -0500] "GET /phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 405 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:37 -0500] "GET /phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:38 -0500] "GET /phpMyAdmin-2.5.6-rc1/index.php HTTP/1.1" 404 410 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:38 -0500] "GET /phpMyAdmin-2.5.6-rc2/index.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:39 -0500] "GET /phpMyAdmin-2.5.6/index.php HTTP/1.1" 404 406 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:39 -0500] "GET /phpMyAdmin-2.5.7/index.php HTTP/1.1" 404 406 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:39 -0500] "GET /phpMyAdmin-2.5.7-pl1/index.php HTTP/1.1" 404 409 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1"
149.3.152.246 - - [11/Nov/2012:12:34:40 -0500] "GET  HTTP/1.1" 400 226 "-" "-"
Er... um... hello? WTF?

As near as I can figure out, something at 149.3.152.246 is banging away at my server trying to access phpMyAdmin, but my server is configured such that it's at least sending back 404 errors... if I'm reading this right.

I can plop that IP address in a "Deny from" statement in an .htaccess file, I can block it on the router, but I would have thought something like fail2ban would have caught this.

Hmmmm... the fact that someone would try to access this piddly system is more amusing than the fact that I feel compelled to actually do anything about it.

What's the best way to deal with this sort of stuff?
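The log excerpt above is a textbook phpMyAdmin directory scan: one IP walking a wordlist of admin-panel paths in a few seconds, every request a 401 or 404. Whether fail2ban catches it depends entirely on which jails are enabled in jail.local (check with `fail2ban-client status`); a jail that is not enabled watches nothing, and the filter has to be matching access.log entries like these for this pattern to count. The script below is an added example, not code from the post or from fail2ban: it parses Apache combined-format lines, counts the distinct admin-panel paths each client probed with a 401/403/404 response inside a sliding time window, and emits a block command for any client over the threshold. The path list is generalized from the paths in the post, the threshold and window are arbitrary assumptions, the sample log is constructed (six lines adapted from the post plus two benign lines from a documentation-range address), and the iptables output is one possible action, not the only one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" LogFormat, the shape of the access.log lines in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directory names that only a phpMyAdmin / DB-admin scanner probes on a host
# that does not run phpMyAdmin. Generalized from the post's paths (assumption:
# extend this list to match what your own scans look like).
SCAN_PATH_RE = re.compile(
    r'^/(?:[^/]+/)*(?:pma|phpmyadmin[^/]*|phpadmin|myadmin|mysql(?:admin)?|'
    r'db(?:admin)?|websql|php-my-admin)/',
    re.IGNORECASE,
)

# Constructed sample log: six lines adapted from the post's excerpt, one of
# the scanner's malformed requests, and two benign hits from 192.0.2.10.
SAMPLE_LOG = """\
149.3.152.246 - - [11/Nov/2012:12:34:26 -0500] "GET /index.php HTTP/1.1" 404 392 "-" "Mozilla/5.0"
149.3.152.246 - - [11/Nov/2012:12:34:27 -0500] "GET /admin/pma/index.php HTTP/1.1" 401 587 "-" "Mozilla/5.0"
149.3.152.246 - - [11/Nov/2012:12:34:27 -0500] "GET /admin/phpmyadmin/index.php HTTP/1.1" 401 587 "-" "Mozilla/5.0"
149.3.152.246 - - [11/Nov/2012:12:34:28 -0500] "GET /db/index.php HTTP/1.1" 404 394 "-" "Mozilla/5.0"
149.3.152.246 - - [11/Nov/2012:12:34:29 -0500] "GET /mysql/index.php HTTP/1.1" 404 397 "-" "Mozilla/5.0"
149.3.152.246 - - [11/Nov/2012:12:34:31 -0500] "GET /phpmyadmin/index.php HTTP/1.1" 404 399 "-" "Mozilla/5.0"
149.3.152.246 - - [11/Nov/2012:12:34:35 -0500] "GET /phpMyAdmin-2.2.3/index.php HTTP/1.1" 404 405 "-" "Mozilla/5.0"
149.3.152.246 - - [11/Nov/2012:12:34:40 -0500] "GET  HTTP/1.1" 400 226 "-" "-"
192.0.2.10 - - [11/Nov/2012:12:40:01 -0500] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.10 - - [11/Nov/2012:12:40:02 -0500] "GET /favicon.ico HTTP/1.1" 404 388 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # A malformed request line such as 'GET  HTTP/1.1' yields an empty path.
    parts = rec["req"].split(" ")
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec


def scanner_ips(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: total_scan_hits} for clients that probed at least `threshold`
    distinct admin-panel paths, each answered 401/403/404, within `window`."""
    events = defaultdict(list)  # ip -> [(timestamp, path)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] in (401, 403, 404) and SCAN_PATH_RE.match(rec["path"]):
            events[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        # Sliding window over time-ordered hits; count distinct paths so a
        # browser retrying one missing URL never trips the threshold.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {path for _, path in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = len(hits)
                break
    return flagged


def block_commands(flagged):
    """One iptables DROP rule per flagged client (assumed action; an .htaccess
    'Deny from' or a fail2ban ban would be equally valid)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    found = scanner_ips(SAMPLE_LOG.splitlines())
    for ip, n in found.items():
        print(f"{ip}: {n} admin-panel probes")
    for cmd in block_commands(found):
        print(cmd)
```

Run it against a real file with `scanner_ips(open("/var/log/apache2/access.log"))`. Two things the sample also illustrates: the 401s on /admin/... tell the scanner that the directory exists and is password-protected, which the 404s do not, and the trailing `"GET  HTTP/1.1" 400` line is the scanner's own malformed request, not something the server did. The same regex logic, rewritten as a `failregex` on access.log, is what a custom fail2ban filter for this scan would need.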