
Error Log shows nosy visitors trying to access various admin pages

@LarsenBagley505

Posted in: #Error #Spam

After experiencing a very high amount of hits on my 404 page, I've started monitoring my website's Error Log. There I've found that throughout the day, there are several attempts at accessing admin folders and editors on my website that do not exist. For instance, there are attempts at accessing WordPress and FCKeditor's admin folders, but I don't have either.

Any thoughts as to what I should do about these attempts, and if they should be a cause of worry or not?

Examples from my Error Log:

[Mon Jun 23 16:17:17 2014] [error] [client 120.37.236.236] File does not exist: /home/[snipped]/public_html/admin, referer: [snipped].com/admin/editors/fckeditor/editor/filemanager/upload/test.html
[Mon Jun 23 16:16:39 2014] [error] [client 178.158.214.36] File does not exist: /home/[snipped]/public_html/administrator
[Mon Jun 23 16:16:39 2014] [error] [client 178.158.214.36] File does not exist: /home/[snipped]/public_html/wp-login.php
[Mon Jun 23 10:39:13 2014] [error] [client 120.37.236.217] File does not exist: /home/[snipped]/public_html/admin
[Mon Jun 23 08:31:49 2014] [error] [client 27.153.217.87] File does not exist: /home/[snipped]/public_html/fckeditor
[Mon Jun 23 05:34:19 2014] [error] [client 115.29.14.241] File does not exist: /home/[snipped]/public_html/editor
[Mon Jun 23 05:34:17 2014] [error] [client 115.29.14.241] File does not exist: /home/[snipped]/public_html/admin
[Mon Jun 23 05:34:16 2014] [error] [client 115.29.14.241] File does not exist: /home/[snipped]/public_html/FCKeditor
[Mon Jun 23 05:34:12 2014] [error] [client 115.29.14.241] File does not exist: /home/[snipped]/public_html/editor
[Mon Jun 23 05:34:10 2014] [error] [client 115.29.14.241] File does not exist: /home/[snipped]/public_html/admin
[Mon Jun 23 05:34:06 2014] [error] [client 115.29.14.241] File does not exist: /home/[snipped]/public_html/Fckeditor

Lastly, does anyone know where I can get more information about some of the errors reported in cPanel X's Error Log? For instance, I have lots of entries for

File does not exist: 405.shtml

but I have no idea what page or link has generated them, so I don't know where to go to fix the source of the problem.


5 Comments


@Samaraweera270

I redirect those attack pages like "wp-login.php" to our security page.


@Berryessa370

I have the same problem, so I wrote a custom 404 page that parses the requested URL, then based on patterns I choose (from my log files), either displays the standard 404 page, or adds their IP address to a file that's checked before any of my pages are displayed. The very next time they try to access ANY page in my site they're just redirected back to their own IP. It's a quick and dirty fix but it keeps them from seeing any further into my system after just one or two tries instead of thousands.

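The approach Berryessa370 describes (inspect the requested path, count probe hits per client, block after one or two tries) can also be run over the Apache error log itself. This is an added example, not code from the post; the sample log lines, the /home/site path and the list of probe patterns are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Apache error-log lines quoted in the question.
# 203.0.113.9 is a documentation address standing in for an ordinary visitor.
SAMPLE_LOG = """\
[Mon Jun 23 16:17:17 2014] [error] [client 120.37.236.236] File does not exist: /home/site/public_html/admin, referer: http://example.com/admin/editors/fckeditor/editor/filemanager/upload/test.html
[Mon Jun 23 16:16:39 2014] [error] [client 178.158.214.36] File does not exist: /home/site/public_html/administrator
[Mon Jun 23 16:16:39 2014] [error] [client 178.158.214.36] File does not exist: /home/site/public_html/wp-login.php
[Mon Jun 23 05:34:19 2014] [error] [client 115.29.14.241] File does not exist: /home/site/public_html/editor
[Mon Jun 23 05:34:17 2014] [error] [client 115.29.14.241] File does not exist: /home/site/public_html/admin
[Mon Jun 23 05:34:16 2014] [error] [client 115.29.14.241] File does not exist: /home/site/public_html/FCKeditor
[Mon Jun 23 05:33:00 2014] [error] [client 203.0.113.9] File does not exist: /home/site/public_html/images/logo.png
[Mon Jun 23 05:33:01 2014] [error] [client 203.0.113.9] File does not exist: /home/site/public_html/favicon.ico
"""

# Path stops at whitespace or the comma that precedes an optional ", referer: ..." suffix.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
                     r"File does not exist: (?P<path>[^\s,]+)")

# Paths that only make sense for software this site does not run (assumed list).
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"/admin(istrator)?$", r"/wp-login\.php$", r"/wp-admin", r"/fckeditor", r"/editor$",
)]

def parse_line(line):
    """Return {'ts', 'ip', 'path'} for a 'File does not exist' line, else None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_probe(path):
    return any(p.search(path) for p in PROBE_PATTERNS)

def probing_clients(log_text, threshold=2):
    """Map client IP -> probed paths (relative to public_html) for clients
    with at least `threshold` probe hits; ordinary 404s are ignored."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            hits[rec["ip"]].append(rec["path"].split("/public_html", 1)[-1])
    return {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}

if __name__ == "__main__":
    for ip, paths in probing_clients(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(paths))
```

The returned IPs are candidates for a deny list or for feeding into whatever blocking mechanism the server already has; the threshold keeps a single mistyped URL from a real visitor from being flagged.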

@BetL925

This is unlikely to be "visitors" (real people) but is likely to be automated software testing for vulnerabilities in the software run by your website. I've seen these types of requests for years. The most common for my servers is requests for WordPress administration pages and Microsoft FrontPage extensions.

If you are not running the software, these requests should have very little impact or risk for your website.

The standard advice for keeping your software secure applies to web software as well: Keep the software up to date. Security vulnerabilities in content management systems are discovered often. My web host even offers to automatically upgrade WordPress for me when new versions come out.


@Alves908

There is likely nothing you have done. Welcome to the world of hackers.

This is something I research.

There are many software packages designed to landscape and hack websites. The access for admin, wordpress, and so on are at the very least landscaping attempts to figure out what systems you are using and what vulnerabilities exist for your site. Some accesses may be actual hack attempts.

Looking at the log snippets you provided, these are landscaping attempts. They are attempting to access various possibly vulnerable PHP software. I say possibly, because at this point, they are trying to figure out what is installed. That is step 1. Step 2 is to then probe any software you have installed for its version, which is then compared to a vulnerability database to determine what vulnerabilities they can attempt next. Step 3 is actual hack attempts, whether successful or not.

Most of the time, these are Trojan horse software from systems that are compromised. The hacker is working through an anonymous proxy to give hack commands/code to these Trojan systems.

I would highly advise you to keep an eye on your log files and begin blocking any domain names and IP addresses immediately.

Update: I had to run away earlier- one of my contractors showed up early.

There are some security tools out there, but for web servers the best seems to be mod_security found at www.modsecurity.org/. I will get back to this in just a second.

The advice to update your software often is not always a good one. New installs can open new vulnerabilities. Ironically, the safer installs can be older ones. Case in point: the Heartbleed vulnerability was due to a recent update; however, if you had not updated right away, there was no vulnerability. Another example is older installs of RedHat 6.2 with Apache 1.2, which do not seem to be compromised like newer installs. You have to take this on a case by case basis. A blanket "update your software" has the potential to be dangerous advice. Hackers are almost always looking for recent vulnerabilities, or vulnerabilities that are likely still installed. There is a moving-window style view of security. As newer versions of software come out, older ones are less likely to be hacked.

Still, all in all, it is a good idea to keep in mind any update for software and check to see if a vulnerability exists on your system before installing an update. It is often wise to defer an update if there is nothing to fix from a security or feature perspective. Make it a habit to check for updates and vulnerabilities. The best way to do this is to check web.nvd.nist.gov/view/vuln/search?execution=e2s1 from time to time (actually frequently) to see if there are issues. There is an e-mail list somewhere that I am trying to find. The e-mail list keeps you up to date immediately. With the web address you can find all the known details there are. Again, only install updates that are vulnerable or needed.

Back to mod_security. Mod_security is like a WWW firewall. It can block most if not all hack attempts, but you do have to maintain it. It is wise to install software like this to prevent the attack attempts from reaching your web server. You can also use an HTTP filter in your firewall if you have one. If you are familiar with regular expressions, this is a very powerful option for you. The point is, the hack should not reach your web server, PHP, or PHP application. Mod_security is a far more powerful option than updating several PHP applications and PHP as they come out, which is the most frequently hacked platform there is by a huge margin. In fact, PHP is textbook what not to do when writing a secure software platform.

Remember, this is what I do for a living and have for a long time for all of the major telecoms, and I research security protocols for the nation's infrastructure. Pay attention to security if not each day, several times a week, and set up alerts for announcements where you can.


@Murray432

Unfortunately general website security is too broad for this "Pro Webmasters Stackexchange" format. How you handle this depends entirely on the size of your company and what you're trying to secure.

If it's a simple website without confidential data, just ignore them and make sure any control panels are hard to find / IP restricted.

Example:

- Change the admin panel from website.com/admin to website.com/schwpzhashkey
- Put IP restrictions in the web server configuration to only allow control panel access to certain IP addresses.
