Bad 404 HTTP Requests

Looking through my web server access log for errors, I noticed the following entries:

85.92.85.75 - - [13/Mar/2011:04:10:12 -0400] "GET //admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 389 "-" "libwww-perl/6.00"
93.190.48.203 - - [13/Mar/2011:04:10:49 -0400] "GET //admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 389 "-" "libwww-perl/5.805"
93.190.48.203 - - [13/Mar/2011:04:10:49 -0400] "GET //admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 389 "-" "libwww-perl/5.805"

The above means that someone is using a Perl script to locate a vulnerable osCommerce installation, hoping to compromise my site. If you come upon similar 404 errors in your access log, make sure that you are not running a vulnerable (outdated) osCommerce. If you are, seek website security services fast.

Here are some other funny logs:

188.138.84.178 - - [07/Mar/2011:21:06:34 -0500] "GET /user/soapCaller.bs HTTP/1.1" 404 389 "-" "Morfeus F***ing Scanner"
123.232.108.195 - - [08/Mar/2011:16:03:38 -0500] "GET //phpmyadmin/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
123.232.108.195 - - [08/Mar/2011:16:03:38 -0500] "GET //phpmyadmin/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
123.232.108.195 - - [08/Mar/2011:16:03:38 -0500] "GET //phpMyAdmin/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
123.232.108.195 - - [08/Mar/2011:16:03:39 -0500] "GET //pma/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
123.232.108.195 - - [08/Mar/2011:16:03:39 -0500] "GET //dbadmin/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
123.232.108.195 - - [08/Mar/2011:16:03:40 -0500] "GET //myadmin/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
123.232.108.195 - - [08/Mar/2011:16:03:41 -0500] "GET //phppgadmin/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
123.232.108.195 - - [08/Mar/2011:16:03:41 -0500] "GET //PMA/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
123.232.108.195 - - [08/Mar/2011:16:03:42 -0500] "GET //admin/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
123.232.108.195 - - [08/Mar/2011:16:03:42 -0500] "GET //MyAdmin/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
62.193.224.144 - - [09/Mar/2011:02:43:48 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.0" 404 389 "-" "-"

It seems that attackers also look for phpMyAdmin. So if you have it installed, make sure to protect it properly and to set a password for your MySQL root user.

It is essential for your website security to check your access logs frequently. First, make sure that everything the bots target is secure. Then you may consider blocking some bad robots, such as Morfeus or Made by..., according to your logs:

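# mod_rewrite must be switched on before any RewriteCond/RewriteRule takes effect
RewriteEngine On
# Match the scanner user agents seen in the logs above
RewriteCond %{HTTP_USER_AGENT} "^Morfeus.*" [OR]
RewriteCond %{HTTP_USER_AGENT} "Made by.*"
RewriteRule ^.*$ index.php [L]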

The above rules can be put in an .htaccess file on a web server supporting rewrite rules (Apache, LiteSpeed).
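
One way to automate the log review described above, as an added example that is not part of the original post: it parses combined-format access log lines, flags requests by the paths and user agents quoted here, and lists any probed path that did not return 404. The watch lists, the function names and the two sample lines marked as constructed are assumptions.

```python
import re
from collections import defaultdict

# Combined log format as quoted in the post (closing quote after the agent is optional)
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"?$')
# Watch lists built from the probes quoted in the post (assumed; extend from your own logs)
PROBE_PATH = re.compile(r'^/(phpmyadmin|pma|myadmin|dbadmin|phppgadmin|admin)(/|$)', re.I)
SCANNER_AGENT = re.compile(r'^Morfeus|^libwww-perl/|Made by ZmEu')

def classify(line):
    """Return (ip, path, status, reasons) for a suspicious request, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = re.sub(r'/{2,}', '/', m['path'].split('?', 1)[0])  # drop query, "//pma/" -> "/pma/"
    reasons = set()
    if PROBE_PATH.search(path):
        reasons.add('probe-path')
    if SCANNER_AGENT.search(m['agent']):
        reasons.add('scanner-agent')
    return (m['ip'], path, int(m['status']), reasons) if reasons else None

def review(lines):
    """Group suspicious requests per client; 'exposed' holds probes that did not 404."""
    report = defaultdict(lambda: {'hits': 0, 'reasons': set(), 'exposed': []})
    for line in lines:
        hit = classify(line)
        if hit:
            ip, path, status, reasons = hit
            entry = report[ip]
            entry['hits'] += 1
            entry['reasons'] |= reasons
            if status != 404:
                entry['exposed'].append((path, status))
    return dict(report)

# First four lines are quoted from the post; the last two are constructed for the example
SAMPLE = [
    '85.92.85.75 - - [13/Mar/2011:04:10:12 -0400] "GET //admin/categories.php/login.php?cPath=&action=new_product_preview HTTP/1.1" 404 389 "-" "libwww-perl/6.00"',
    '188.138.84.178 - - [07/Mar/2011:21:06:34 -0500] "GET /user/soapCaller.bs HTTP/1.1" 404 389 "-" "Morfeus F***ing Scanner"',
    '123.232.108.195 - - [08/Mar/2011:16:03:38 -0500] "GET //phpmyadmin/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"',
    '123.232.108.195 - - [08/Mar/2011:16:03:39 -0500] "GET //pma/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"',
    '203.0.113.9 - - [09/Mar/2011:02:43:48 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.0" 200 1024 "-" "-"',
    '198.51.100.7 - - [09/Mar/2011:03:00:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
if __name__ == '__main__':
    for ip, entry in sorted(review(SAMPLE).items()):
        print(ip, entry['hits'], sorted(entry['reasons']), entry['exposed'])
```

A non-empty `exposed` list is the part to act on first, since it means a scanned path actually exists on the server.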
