Cable Forum - My webserver security

Cable Forum (https://www.cableforum.uk/board/index.php)

- Internet Discussion (https://www.cableforum.uk/board/forumdisplay.php?f=25)

- - My webserver security (https://www.cableforum.uk/board/showthread.php?t=33667490)

mr_bo

20-07-2010 22:27

My webserver security

I am running a www server and all is well except for Awstats on one of the domains is logging hits on:

Code:

/webmail/src/left_main.php

/webmail/src/right_main.php

/webmail/src/login.php

/webmail/src/webmail.php

/webmail/src/read_body.php

/webmail/src/compose.php

There is only 2 email accounts on this domain for which both have imap disabled and passwords have been changed, robots.txt is also covering these but still receiving 140 hits in 3 days!

Another domin is logging hits on:

Code:

/mysqladmin/scripts/setup.php

/phpmyadmin/scripts/setup.php

/phpMyAdmin/scripts/setup.php

Am I being targeted? Am I safe or should I be worried?

Thanks in advance.

Xaccers

20-07-2010 22:48

Re: My webserver security

My web sites often get brute force attacks, and my ftp site had nothing but attacks.
None got it, and I shunted things around so the ftp was locked down to just the IP address which needed access.

They do a port scan, find a potentially vulnerable service running and start hammering it.

Kymmy

21-07-2010 00:05

Re: My webserver security

Quote:

Originally Posted by mr_bo (Post 35059698)

I am running a www server and all is well except for Awstats on one of the domains is logging hits on:

Code:

/webmail/src/left_main.php

/webmail/src/right_main.php

/webmail/src/login.php

/webmail/src/webmail.php

/webmail/src/read_body.php

/webmail/src/compose.php

Code:

/mysqladmin/scripts/setup.php

/phpmyadmin/scripts/setup.php

/phpMyAdmin/scripts/setup.php

Am I being targeted? Am I safe or should I be worried?

Thanks in advance.

Check the httpd logs and see if they're getting responses back from those hits or just 404 (or similar errors)

mr_bo

21-07-2010 00:20

Re: My webserver security

1 Attachment(s)

Quote:

Originally Posted by Kymmy (Post 35059766)

Check the httpd logs and see if they're getting responses back from those hits or just 404 (or similar errors)

A snip from the logs shows plenty of 404's but also a few 200's which I'll pick the bones out of tomorrow

"morfeus-strikes-again" also shows up and a quick google gives:

Quote:

They are automated attempts to find potential exploits on your system. Bots will probe your webserver for things the owner might be able to exploit like forums, phpmyadmin etc. There's nothing you can do about it, really, just keep the software you do have up to date.

Also looks like fail2ban is not working properly so something else to look at!

ooh so much to do with so little time!

Kymmy

21-07-2010 00:25

Re: My webserver security

Is the PMA install one of your own? If so get rid of the setup.php file and even update to a version 3

mr_bo

21-07-2010 09:32

Re: My webserver security

Quote:

Originally Posted by Kymmy (Post 35059782)

Is the PMA install one of your own? If so get rid of the setup.php file and even update to a version 3

I think I did delete it, do you know the directory where it's stored so I can check?

Kymmy

21-07-2010 09:38

Re: My webserver security

Check the logs, they should all be from the web root. Just that PMA could be installed anywhere on any web folder..

I normally have it on a subfolder of a domain that way it's not in the usual place because if you look at the logs it's probing for default locations of various version 2s of PMA

mr_bo

21-07-2010 09:44

Re: My webserver security

Thanks, I'll look this evening and I also need to look at fail2ban.

mr_bo

23-07-2010 00:28

Re: My webserver security

PMA now on 3.3.4, no setup.php, fail2ban configured ok and tested.
Will need to keep an eye on awstats now but should be ok (fingers crossed)
Thanks
:)

Kymmy

23-07-2010 10:39

Re: My webserver security

:clap:

All times are GMT +1. The time now is 10:19.