some form of scanning going on

Discussion in 'Security' started by keat63, Oct 24, 2016.

  1. keat63

    keat63 Well-Known Member

    I've returned to the office this morning to find a number of entries that I'm concerned with.

    CSF is blocking based on 60 x 404 hits, this I'm fine with.

    However, I have entries for a number of IPs (probably proxies), where they've been scouring /usr/local/apache/htdocs.

    They are obviously looking for something, but what?
    And is there anything I can do to block them earlier in their scanning process, i.e. if they even attempt to look inside /usr?

    Code:
    [Sat Oct 22 05:01:58 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
    [Sat Oct 22 05:01:59 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
    [Sat Oct 22 05:02:00 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
    [Sat Oct 22 05:02:01 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin
    [Sat Oct 22 05:02:01 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpMyadmin
    [Sat Oct 22 05:02:02 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpMyAdmin
    [Sat Oct 22 05:02:03 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyAdmin
    [Sat Oct 22 05:02:04 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin2
    [Sat Oct 22 05:02:05 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin3
    [Sat Oct 22 05:02:05 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin4
    [Sat Oct 22 05:02:06 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/2phpmyadmin
    [Sat Oct 22 05:02:07 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmy
    [Sat Oct 22 05:02:08 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phppma
    [Sat Oct 22 05:02:08 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/myadmin
    [Sat Oct 22 05:02:09 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/shopdb
    [Sat Oct 22 05:02:10 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/MyAdmin
    [Sat Oct 22 05:02:10 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
    [Sat Oct 22 05:02:10 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/program
    [Sat Oct 22 05:02:11 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
    [Sat Oct 22 05:02:11 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/PMA
    [Sat Oct 22 05:02:11 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
    [Sat Oct 22 05:02:12 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/dbadmin
    [Sat Oct 22 05:02:12 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin
    [Sat Oct 22 05:02:13 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/pma
    [Sat Oct 22 05:02:13 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpMyadmin
    [Sat Oct 22 05:02:13 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/db
    [Sat Oct 22 05:02:13 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpMyAdmin
    [Sat Oct 22 05:02:14 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
    [Sat Oct 22 05:02:14 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyAdmin
    [Sat Oct 22 05:02:15 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
    [Sat Oct 22 05:02:15 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin2
    [Sat Oct 22 05:02:15 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/database
    [Sat Oct 22 05:02:16 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin3
    [Sat Oct 22 05:02:16 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/db
    [Sat Oct 22 05:02:16 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin4
    [Sat Oct 22 05:02:17 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/db
    [Sat Oct 22 05:02:17 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/2phpmyadmin
    [Sat Oct 22 05:02:18 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/sqlmanager
    [Sat Oct 22 05:02:18 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmy
    [Sat Oct 22 05:02:18 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysqlmanager
    [Sat Oct 22 05:02:18 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phppma
    [Sat Oct 22 05:02:19 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/php-myadmin
    [Sat Oct 22 05:02:19 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/myadmin
    [Sat Oct 22 05:02:20 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmy-admin
    [Sat Oct 22 05:02:20 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/shopdb
    [Sat Oct 22 05:02:20 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysqladmin
    [Sat Oct 22 05:02:21 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/MyAdmin
    [Sat Oct 22 05:02:21 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql-admin
    [Sat Oct 22 05:02:21 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/program
    [Sat Oct 22 05:02:22 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
    [Sat Oct 22 05:02:22 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/PMA
    [Sat Oct 22 05:02:23 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
    [Sat Oct 22 05:02:23 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/dbadmin
    [Sat Oct 22 05:02:23 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
    [Sat Oct 22 05:02:23 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/pma
    [Sat Oct 22 05:02:24 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
    [Sat Oct 22 05:02:24 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/db
    [Sat Oct 22 05:02:25 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
    [Sat Oct 22 05:02:25 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
    [Sat Oct 22 05:02:25 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
    [Sat Oct 22 05:02:26 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

  3. keat63

    keat63 Well-Known Member

    I'm using OWASP and Comodo, but I've no idea what a custom ruleset is if I'm being honest.
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    I'm referring to your own custom ruleset, or a vendor such as OWASP or Comodo. If OWASP rules don't block this by default, then the best course of action here is to lower the threshold configured with CSF if you'd like to see the IP address blocked sooner in the process. I'll leave this thread open for others to add their feedback or advice.

    Thank you.
     
  5. danielpmc

    danielpmc Well-Known Member

    Hello keat63,

    These settings will auto block IPs according to the settings you enter. I use this and it works really well against repeat attacks from an IP. You can check your CSF Firewall Deny IPs each day to see if and what IPs have been blocked after setting these.

    whm/plugins/configserver security and firewall/firewall configuration/Login Failure Blocking and Alerts/LF_APACHE_404

    whm/plugins/configserver security and firewall/firewall configuration/Login Failure Blocking and Alerts/LF_APACHE_403

    Personally I set these at:

    Alerts/LF_APACHE_404 at 3
    LF_APACHE_404_PERM at 86,400 (24 hours)

    LF_APACHE_403 at 5
    LF_APACHE_403_PERM at 84,600 (24 hours)
     
    cPanelMichael likes this.
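
A simplified model of the threshold blocking discussed in this thread, as an added example that is not part of any post and is not CSF's own code: it parses error_log lines in the format posted above and reports the request at which each client would first reach a given 404 threshold. The sliding window, the names `first_trigger` and `window_seconds`, and the sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 2.2-style error_log line, as in the excerpt posted in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]\s]+)\] "
    r"File does not exist: (?P<path>\S+)"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample lines (203.0.113.7 and 198.51.100.9 are documentation addresses).
SAMPLE = """\
[Sat Oct 22 05:01:58 2016] [error] [client 203.0.113.7] File does not exist: /usr/local/apache/htdocs/mysql
[Sat Oct 22 05:01:59 2016] [error] [client 203.0.113.7] File does not exist: /usr/local/apache/htdocs/phpmyadmin
[Sat Oct 22 05:02:00 2016] [error] [client 198.51.100.9] File does not exist: /usr/local/apache/htdocs/favicon.ico
[Sat Oct 22 05:02:01 2016] [error] [client 203.0.113.7] File does not exist: /usr/local/apache/htdocs/pma
[Sat Oct 22 05:02:02 2016] [error] [client 203.0.113.7] File does not exist: /usr/local/apache/htdocs/dbadmin
[Sat Oct 22 07:30:00 2016] [error] [client 198.51.100.9] File does not exist: /usr/local/apache/htdocs/robots.txt
[Sat Oct 22 09:45:00 2016] [error] [client 198.51.100.9] File does not exist: /usr/local/apache/htdocs/old-page.html
""".splitlines()

# first_trigger and window_seconds are hypothetical names; this is not lfd's logic.
def first_trigger(lines, threshold, window_seconds=3600):
    """Return {ip: (hit_number, timestamp, path)} for the first line at which
    each client reaches `threshold` misses inside a sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    total = defaultdict(int)      # ip -> misses seen so far
    triggered = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # not a "File does not exist" entry
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        total[ip] += 1
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()        # expire misses older than the window
        if ip not in triggered and len(hits) >= threshold:
            triggered[ip] = (total[ip], ts, m["path"])
    return triggered

if __name__ == "__main__":
    for threshold in (3, 60):
        print(threshold, first_trigger(SAMPLE, threshold))
```

Run over the real error_log with the threshold under consideration, it shows how many requests a scanning client makes before a block would apply, and whether any ordinary visitor with a few stale links would cross the same line.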