Error Log shows nosy visitors trying to access various admin pages

This is unlikely to be "visitors" (real people) but is likely to be automated software testing for vulnerabilities in the software run by your website. I've seen these types of requests for years. The most common on my servers are requests for WordPress administration pages and Microsoft FrontPage extensions.

If you are not running the software, these requests should have very little impact or risk for your website.

The standard advice for keeping your software secure applies to web software as well: Keep the software up to date. Security vulnerabilities in content management systems are discovered often. My web host even offers to automatically upgrade WordPress for me when new versions come out.


Unfortunately, general website security is too broad for this "Pro Webmasters Stack Exchange" format. How you handle this depends entirely on the size of your company and what you're trying to secure.

If it's a simple website without confidential data, just ignore them and make sure any control panels are hard to find / IP-restricted.

Example:

  1. Change the admin panel from website.com/admin to website.com/schwpzhashkey
  2. Put IP restrictions in the web server configuration to only allow control panel access from certain IP addresses.

There is likely nothing you have done. Welcome to the world of hackers.

This is something I research.

There are many software packages designed to landscape and hack websites. The accesses for admin, WordPress, and so on are at the very least landscaping attempts to figure out what systems you are using and what vulnerabilities exist for your site. Some accesses may be actual hack attempts.

Looking at the log snippets you provided, these are landscaping attempts. They are attempting to access various possibly vulnerable PHP software. I say possibly, because at this point they are trying to figure out what is installed. That is step 1. Step 2 is to then probe any software you have installed for its version, which is then compared to a vulnerability database to determine what vulnerabilities they can attempt next. Step 3 is actual hack attempts, whether successful or not.

Most of the time, this is Trojan horse software running on systems that have been compromised. The hacker is working through an anonymous proxy to give hack commands/code to these Trojan systems.

I would highly advise you to keep an eye on your log files and begin blocking any domain names and IP addresses immediately.

Update: I had to run away earlier; one of my contractors showed up early.

There are some security tools out there, but for web servers the best seems to be mod_security found at https://www.modsecurity.org/. I will get back to this in just a second.

The advice to update your software often is not always a good one. New installs can open new vulnerabilities. Ironically, the safer installs can be older ones. Case in point: the Heartbleed vulnerability was due to a recent update; however, if you had not updated right away, there was no vulnerability. Another example is older installs of RedHat 6.2 with Apache 1.2, which do not seem to be compromised like newer installs. You have to take this on a case-by-case basis. A blanket "update your software" has the potential to be dangerous advice. Hackers are almost always looking for recent vulnerabilities, or vulnerabilities that are likely still installed. There is a moving-window style view of security. As newer versions of software come out, older ones are less likely to be hacked.

Still, all in all, it is a good idea to keep in mind any update for software and check to see if a vulnerability exists on your system before installing an update. It is often wise to defer an update if there is nothing to fix from a security or feature perspective. Make it a habit to check for updates and vulnerabilities. The best way to do this is to check http://web.nvd.nist.gov/view/vuln/search?execution=e2s1 from time to time (actually frequently) to see if there are issues. There is an e-mail list somewhere that I am trying to find. The e-mail list keeps you up to date immediately. With the web address you can find all the known details there are. Again, only install updates that are vulnerable or needed.

Back to mod_security. mod_security is like a WWW firewall. It can block most if not all hack attempts, but you do have to maintain it. It is wise to install software like this to prevent the attack attempts from reaching your web server. You can also use an HTTP filter in your firewall if you have one. If you are familiar with regular expressions, this is a very powerful option for you. The point is, the hack should not reach your web server, PHP, or PHP application. mod_security is a far more powerful option than updating several PHP applications, or PHP itself, as new versions come out; PHP is the most frequently hacked platform there is by a huge margin. In fact, PHP is a textbook example of what not to do when writing a secure software platform.

Remember, this is what I do for a living and have for a long time for all of the major telecoms, as well as research on security protocols for the nation's infrastructure. Pay attention to security, if not each day, then several times a week, and set up alerts for announcements where you can.
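As an added example (not code from any of the answers above), the following script shows one way to act on the advice to watch the error log and block the source addresses of these landscaping probes. It assumes Apache 2.2-style `error_log` "File does not exist" lines, a constructed sample log with documentation-range IPs, and an assumed probe-path list and blocking threshold that you would tune for your own site.

```python
import re
from collections import Counter, defaultdict

# Paths that scanners typically probe for (assumed list; extend for your site).
PROBE_RE = re.compile(
    r"/wp-admin|/wp-login\.php|/administrator|/phpmyadmin|/_vti_bin|/admin",
    re.IGNORECASE,
)

# Apache 2.2-style error_log lines (constructed sample, documentation IPs).
SAMPLE_LOG = """\
[Tue Mar 04 10:01:12 2014] [error] [client 203.0.113.5] File does not exist: /var/www/html/wp-admin
[Tue Mar 04 10:01:13 2014] [error] [client 203.0.113.5] File does not exist: /var/www/html/wp-login.php
[Tue Mar 04 10:01:15 2014] [error] [client 203.0.113.5] File does not exist: /var/www/html/phpmyadmin
[Tue Mar 04 10:02:40 2014] [error] [client 198.51.100.9] File does not exist: /var/www/html/favicon.ico
[Tue Mar 04 10:03:02 2014] [error] [client 198.51.100.23] File does not exist: /var/www/html/_vti_bin/shtml.exe
[Tue Mar 04 10:03:30 2014] [error] [client 203.0.113.5] File does not exist: /var/www/html/administrator/index.php
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)"
)

def parse_line(line):
    """Return (client_ip, absolute_path) or None for lines we don't recognise."""
    m = LINE_RE.match(line)
    return (m.group("ip"), m.group("path")) if m else None

def triage(log_text, docroot="/var/www/html", threshold=3):
    """Count probe hits per source IP; return (counts, paths per IP, IPs to block).

    A 404 for favicon.ico is ordinary noise, so only paths matching PROBE_RE count.
    An IP reaches the blocklist once it hits `threshold` probe paths (assumed value).
    """
    probes, hits = Counter(), defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path = parsed
        rel = path[len(docroot):] if path.startswith(docroot) else path
        if PROBE_RE.search(rel):
            probes[ip] += 1
            hits[ip].append(rel)
    block = {ip for ip, n in probes.items() if n >= threshold}
    return probes, hits, block

def htaccess_deny_lines(block):
    """Render the blocklist as Apache 2.2 'Deny from' directives, sorted for stable output."""
    return [f"Deny from {ip}" for ip in sorted(block)]

if __name__ == "__main__":
    counts, paths, to_block = triage(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} probe(s) -> {paths[ip]}")
    print("\n".join(htaccess_deny_lines(to_block)))
```

Feed it your real error_log instead of `SAMPLE_LOG` and review the output before adding anything to a deny list, since a single stray 404 from a legitimate user should not be enough to block them.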

Tags: Spam, 404, Error