some form of scanning going on

Discussion in 'Security' started by keat63, Oct 24, 2016.

  1. keat63

    keat63 Well-Known Member

    I've returned to the office this morning to find a number of entries that I'm concerned with.

    CSF is blocking based on 60 x 404 hits, this I'm fine with.

    However, I have entries for a number of IPs (probably proxies), where they've been scouring /usr/local/apache/htdocs.

    They are obviously looking for something, but what?
    And is there anything I can do to block them earlier in their scanning process, i.e. if they even attempt to look inside /usr?

    Code:
    [Sat Oct 22 05:01:58 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
    [Sat Oct 22 05:01:59 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
    [Sat Oct 22 05:02:00 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
    [Sat Oct 22 05:02:01 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin
    [Sat Oct 22 05:02:01 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpMyadmin
    [Sat Oct 22 05:02:02 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpMyAdmin
    [Sat Oct 22 05:02:03 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyAdmin
    [Sat Oct 22 05:02:04 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin2
    [Sat Oct 22 05:02:05 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin3
    [Sat Oct 22 05:02:05 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin4
    [Sat Oct 22 05:02:06 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/2phpmyadmin
    [Sat Oct 22 05:02:07 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmy
    [Sat Oct 22 05:02:08 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phppma
    [Sat Oct 22 05:02:08 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/myadmin
    [Sat Oct 22 05:02:09 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/shopdb
    [Sat Oct 22 05:02:10 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/MyAdmin
    [Sat Oct 22 05:02:10 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
    [Sat Oct 22 05:02:10 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/program
    [Sat Oct 22 05:02:11 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
    [Sat Oct 22 05:02:11 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/PMA
    [Sat Oct 22 05:02:11 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
    [Sat Oct 22 05:02:12 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/dbadmin
    [Sat Oct 22 05:02:12 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin
    [Sat Oct 22 05:02:13 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/pma
    [Sat Oct 22 05:02:13 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpMyadmin
    [Sat Oct 22 05:02:13 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/db
    [Sat Oct 22 05:02:13 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpMyAdmin
    [Sat Oct 22 05:02:14 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
    [Sat Oct 22 05:02:14 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyAdmin
    [Sat Oct 22 05:02:15 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
    [Sat Oct 22 05:02:15 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin2
    [Sat Oct 22 05:02:15 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/database
    [Sat Oct 22 05:02:16 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin3
    [Sat Oct 22 05:02:16 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/db
    [Sat Oct 22 05:02:16 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin4
    [Sat Oct 22 05:02:17 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/db
    [Sat Oct 22 05:02:17 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/2phpmyadmin
    [Sat Oct 22 05:02:18 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/sqlmanager
    [Sat Oct 22 05:02:18 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmy
    [Sat Oct 22 05:02:18 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysqlmanager
    [Sat Oct 22 05:02:18 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phppma
    [Sat Oct 22 05:02:19 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/php-myadmin
    [Sat Oct 22 05:02:19 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/myadmin
    [Sat Oct 22 05:02:20 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmy-admin
    [Sat Oct 22 05:02:20 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/shopdb
    [Sat Oct 22 05:02:20 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysqladmin
    [Sat Oct 22 05:02:21 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/MyAdmin
    [Sat Oct 22 05:02:21 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql-admin
    [Sat Oct 22 05:02:21 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/program
    [Sat Oct 22 05:02:22 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
    [Sat Oct 22 05:02:22 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/PMA
    [Sat Oct 22 05:02:23 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
    [Sat Oct 22 05:02:23 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/dbadmin
    [Sat Oct 22 05:02:23 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
    [Sat Oct 22 05:02:23 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/pma
    [Sat Oct 22 05:02:24 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
    [Sat Oct 22 05:02:24 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/db
    [Sat Oct 22 05:02:25 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
    [Sat Oct 22 05:02:25 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
    [Sat Oct 22 05:02:25 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
    [Sat Oct 22 05:02:26 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  3. keat63

    keat63 Well-Known Member

    I'm using OWASP and Comodo, but I've no idea what a custom ruleset is if I'm being honest.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I'm referring to your own custom ruleset, or a vendor such as OWASP or Comodo. If OWASP rules don't block this by default, then the best course of action here is to lower the threshold configured with CSF if you'd like to see the IP address blocked sooner in the process. I'll leave this thread open for others to add their feedback or advice.

    Thank you.
     
  5. danielpmc

    danielpmc Well-Known Member

    Hello keat63,

    These settings will auto block IPs according to the settings you enter. I use this and it works really well against repeat attacks from an IP. You can check your CSF Firewall Deny IPs each day to see if and what IPs have been blocked after setting these.

    whm/plugins/configserver security and firewall/firewall configuration/Login Failure Blocking and Alerts/LF_APACHE_404

    whm/plugins/configserver security and firewall/firewall configuration/Login Failure Blocking and Alerts/LF_APACHE_403

    Personally I set these at:

    Alerts/LF_APACHE_404 at 3
    LF_APACHE_404_PERM at 86,400 (24 hours)

    LF_APACHE_403 at 5
    LF_APACHE_403_PERM at 84,600 (24 hours)
     
    cPanelMichael likes this.
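
Added example, not part of any post in this thread and not CSF's own code: a replay of "File does not exist" entries in the error_log format quoted above, showing for each client IP when a block would fire at a given hit threshold. The sample log lines, the `evaluate` function and the one-hour counting window are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache 2.2-style error_log line, as in the log excerpt quoted in the thread.
LINE_RE = re.compile(
    r"^\[([^\]]+)\] \[error\] \[client ([^\]]+)\] File does not exist: (\S+)")

# Constructed sample input (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
[Sat Oct 22 05:01:58 2016] [error] [client 203.0.113.7] File does not exist: /usr/local/apache/htdocs/mysql
[Sat Oct 22 05:01:59 2016] [error] [client 203.0.113.7] File does not exist: /usr/local/apache/htdocs/phpmyadmin
[Sat Oct 22 05:02:00 2016] [error] [client 198.51.100.20] File does not exist: /usr/local/apache/htdocs/favicon.ico
[Sat Oct 22 05:02:01 2016] [error] [client 203.0.113.7] File does not exist: /usr/local/apache/htdocs/pma
[Sat Oct 22 05:02:02 2016] [error] [client 203.0.113.7] File does not exist: /usr/local/apache/htdocs/dbadmin
[Sat Oct 22 05:02:03 2016] [error] [client 203.0.113.7] File does not exist: /usr/local/apache/htdocs/admin
[Sat Oct 22 06:30:00 2016] [error] [client 198.51.100.20] File does not exist: /usr/local/apache/htdocs/robots.txt
[Sat Oct 22 08:00:00 2016] [error] [client 198.51.100.20] File does not exist: /usr/local/apache/htdocs/favicon.ico
"""

def evaluate(lines, threshold, window_seconds=3600):
    """Replay not-found errors and report, per client IP, when a block at
    `threshold` hits per `window_seconds` (assumed window) would fire.
    Returns {ip: {"blocked_at": datetime or None, "total": n, "after_block": n}}."""
    recent = defaultdict(deque)          # ip -> timestamps still inside the window
    report = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # ignore unrelated error_log entries
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        entry = report.setdefault(
            m.group(2), {"blocked_at": None, "total": 0, "after_block": 0})
        entry["total"] += 1
        if entry["blocked_at"] is not None:
            entry["after_block"] += 1    # a firewall block would have dropped this hit
            continue
        window = recent[m.group(2)]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()             # forget hits older than the window
        if len(window) >= threshold:
            entry["blocked_at"] = ts
    return report

if __name__ == "__main__":
    for threshold in (3, 60):
        print(threshold, evaluate(SAMPLE_LOG.splitlines(), threshold))
```

Run against a real error_log with candidate thresholds, the `after_block` count shows how many probes a lower threshold would have cut off, and the clients that stay unblocked show how much headroom ordinary visitors with a few broken links still have.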