My webserver security

mr_bo · 20-07-2010, 22:27

I am running a www server and all is well except for Awstats on one of the domains is logging hits on:

Code:

/webmail/src/left_main.php
/webmail/src/right_main.php
/webmail/src/login.php
/webmail/src/webmail.php
/webmail/src/read_body.php
/webmail/src/compose.php

There is only 2 email accounts on this domain for which both have imap disabled and passwords have been changed, robots.txt is also covering these but still receiving 140 hits in 3 days!

Another domin is logging hits on:

Code:

/mysqladmin/scripts/setup.php
/phpmyadmin/scripts/setup.php
/phpMyAdmin/scripts/setup.php

Am I being targeted? Am I safe or should I be worried?

Thanks in advance.

Xaccers · 20-07-2010, 22:48

My web sites often get brute force attacks, and my ftp site had nothing but attacks.
None got it, and I shunted things around so the ftp was locked down to just the IP address which needed access.

They do a port scan, find a potentially vulnerable service running and start hammering it.

Kymmy · 21-07-2010, 00:05

Quote:

Originally Posted by mr_bo

I am running a www server and all is well except for Awstats on one of the domains is logging hits on:

Code:

/webmail/src/left_main.php
/webmail/src/right_main.php
/webmail/src/login.php
/webmail/src/webmail.php
/webmail/src/read_body.php
/webmail/src/compose.php

There is only 2 email accounts on this domain for which both have imap disabled and passwords have been changed, robots.txt is also covering these but still receiving 140 hits in 3 days!

Another domin is logging hits on:

Code:

/mysqladmin/scripts/setup.php
/phpmyadmin/scripts/setup.php
/phpMyAdmin/scripts/setup.php

Am I being targeted? Am I safe or should I be worried?

Thanks in advance.

Check the httpd logs and see if they're getting responses back from those hits or just 404 (or similar errors)

mr_bo · 21-07-2010, 00:20

Quote:

Originally Posted by Kymmy

Check the httpd logs and see if they're getting responses back from those hits or just 404 (or similar errors)

A snip from the logs shows plenty of 404's but also a few 200's which I'll pick the bones out of tomorrow

"morfeus-strikes-again" also shows up and a quick google gives:

Quote:

They are automated attempts to find potential exploits on your system. Bots will probe your webserver for things the owner might be able to exploit like forums, phpmyadmin etc. There's nothing you can do about it, really, just keep the software you do have up to date.

Also looks like fail2ban is not working properly so something else to look at!

ooh so much to do with so little time!

Kymmy · 21-07-2010, 00:25

Is the PMA install one of your own? If so get rid of the setup.php file and even update to a version 3

mr_bo · 21-07-2010, 09:32

Quote:

Originally Posted by Kymmy

Is the PMA install one of your own? If so get rid of the setup.php file and even update to a version 3

I think I did delete it, do you know the directory where it's stored so I can check?

Kymmy · 21-07-2010, 09:38

Check the logs, they should all be from the web root. Just that PMA could be installed anywhere on any web folder..

I normally have it on a subfolder of a domain that way it's not in the usual place because if you look at the logs it's probing for default locations of various version 2s of PMA

mr_bo · 21-07-2010, 09:44

Thanks, I'll look this evening and I also need to look at fail2ban.

mr_bo · 23-07-2010, 00:28

PMA now on 3.3.4, no setup.php, fail2ban configured ok and tested.
Will need to keep an eye on awstats now but should be ok (fingers crossed)
Thanks

Kymmy · 23-07-2010, 10:39