some form of scanning going on
I've returned to the office this morning to find a number of entries that I'm concerned with.
CSF is blocking based on 60 x 404 hits; this I'm fine with.
However, I have entries for a number of IPs (probably proxies), where they've been scouring /usr/local/apache/htdocs.
They are obviously looking for something, but what?
And is there anything I can do to block them earlier in their scanning process, i.e. if they even attempt to look inside /usr?
[Sat Oct 22 05:01:58 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
[Sat Oct 22 05:01:59 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
[Sat Oct 22 05:02:00 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
[Sat Oct 22 05:02:01 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin
[Sat Oct 22 05:02:01 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpMyadmin
[Sat Oct 22 05:02:02 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpMyAdmin
[Sat Oct 22 05:02:03 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyAdmin
[Sat Oct 22 05:02:04 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin2
[Sat Oct 22 05:02:05 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin3
[Sat Oct 22 05:02:05 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin4
[Sat Oct 22 05:02:06 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/2phpmyadmin
[Sat Oct 22 05:02:07 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmy
[Sat Oct 22 05:02:08 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phppma
[Sat Oct 22 05:02:08 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/myadmin
[Sat Oct 22 05:02:09 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/shopdb
[Sat Oct 22 05:02:10 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/MyAdmin
[Sat Oct 22 05:02:10 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
[Sat Oct 22 05:02:10 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/program
[Sat Oct 22 05:02:11 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
[Sat Oct 22 05:02:11 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/PMA
[Sat Oct 22 05:02:11 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
[Sat Oct 22 05:02:12 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/dbadmin
[Sat Oct 22 05:02:12 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin
[Sat Oct 22 05:02:13 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/pma
[Sat Oct 22 05:02:13 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpMyadmin
[Sat Oct 22 05:02:13 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/db
[Sat Oct 22 05:02:13 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpMyAdmin
[Sat Oct 22 05:02:14 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
[Sat Oct 22 05:02:14 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyAdmin
[Sat Oct 22 05:02:15 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
[Sat Oct 22 05:02:15 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin2
[Sat Oct 22 05:02:15 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/database
[Sat Oct 22 05:02:16 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin3
[Sat Oct 22 05:02:16 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/db
[Sat Oct 22 05:02:16 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin4
[Sat Oct 22 05:02:17 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/db
[Sat Oct 22 05:02:17 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/2phpmyadmin
[Sat Oct 22 05:02:18 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/sqlmanager
[Sat Oct 22 05:02:18 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmy
[Sat Oct 22 05:02:18 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysqlmanager
[Sat Oct 22 05:02:18 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phppma
[Sat Oct 22 05:02:19 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/php-myadmin
[Sat Oct 22 05:02:19 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/myadmin
[Sat Oct 22 05:02:20 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmy-admin
[Sat Oct 22 05:02:20 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/shopdb
[Sat Oct 22 05:02:20 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysqladmin
[Sat Oct 22 05:02:21 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/MyAdmin
[Sat Oct 22 05:02:21 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql-admin
[Sat Oct 22 05:02:21 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/program
[Sat Oct 22 05:02:22 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
[Sat Oct 22 05:02:22 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/PMA
[Sat Oct 22 05:02:23 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
[Sat Oct 22 05:02:23 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/dbadmin
[Sat Oct 22 05:02:23 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
[Sat Oct 22 05:02:23 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/pma
[Sat Oct 22 05:02:24 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
[Sat Oct 22 05:02:24 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/db
[Sat Oct 22 05:02:25 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
[Sat Oct 22 05:02:25 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
[Sat Oct 22 05:02:25 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
[Sat Oct 22 05:02:26 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql-
Hello,

Are you using any custom Mod_Security rulesets? I believe OWASP has rules to protect against known scanner software: OWASP ModSecurity CRS - cPanel Knowledge Base - cPanel Documentation

Thank you.

I'm using OWASP and Comodo, but I've no idea what a custom ruleset is, if I'm being honest.

Hello,

I'm referring to your own custom ruleset, or a vendor such as OWASP or Comodo. If OWASP rules don't block this by default, then the best course of action here is to lower the threshold configured with CSF if you'd like to see the IP address blocked sooner in the process. I'll leave this thread open for others to add their feedback or advice.

Thank you.
Hello keat63,

These settings will auto block IPs according to the settings you enter. I use this and it works really well against repeat attacks from an IP. You can check your CSF Firewall Deny IPs each day to see if and what IPs have been blocked after setting these.

whm/plugins/configserver security and firewall/firewall configuration/Login Failure Blocking and Alerts/LF_APACHE_404
whm/plugins/configserver security and firewall/firewall configuration/Login Failure Blocking and Alerts/LF_APACHE_403

Personally I set these at:

LF_APACHE_404 at 3
LF_APACHE_404_PERM at 86,400 (24 hours)
LF_APACHE_403 at 5
LF_APACHE_403_PERM at 84,600 (24 hours)
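As an added example, not code from anyone in this thread: a small Python script that parses error-log lines in the format the original post shows, applies the same per-IP "misses within a time window" threshold that the LF_APACHE_404 setting discussed above implements, and lists which names each client was probing for under the document root. The sample log lines and the 192.0.2.10 / 198.51.100.7 addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache 2.2-style error_log line, in the format shown in the original post.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
                     r"File does not exist: (?P<path>\S+)")
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample log; the addresses are documentation-range, not real clients.
SAMPLE_LOG = [
    "[Sat Oct 22 05:02:01 2016] [error] [client 192.0.2.10] File does not exist: /usr/local/apache/htdocs/phpmyadmin",
    "[Sat Oct 22 05:02:01 2016] [error] [client 192.0.2.10] File does not exist: /usr/local/apache/htdocs/phpMyAdmin",
    "[Sat Oct 22 05:02:02 2016] [error] [client 192.0.2.10] File does not exist: /usr/local/apache/htdocs/pma",
    "[Sat Oct 22 05:02:03 2016] [error] [client 192.0.2.10] File does not exist: /usr/local/apache/htdocs/mysql",
    "[Sat Oct 22 05:09:40 2016] [error] [client 198.51.100.7] File does not exist: /usr/local/apache/htdocs/favicon.ico",
    "[Sat Oct 22 05:09:41 2016] [notice] caught SIGTERM, shutting down",
]

def parse_line(line):
    """Return (timestamp, client_ip, path) for a 'File does not exist' line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), m.group("path")

def offenders(lines, threshold=3, window_seconds=3600):
    """Clients whose misses inside a sliding window reach `threshold` (the LF_APACHE_404 idea)."""
    # Returns {ip: count} recorded at the first hit where each client crosses the threshold.
    recent, flagged = defaultdict(list), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _path = parsed
        # keep only earlier hits still inside the window that ends at this hit
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_seconds] + [ts]
        if len(recent[ip]) >= threshold and ip not in flagged:
            flagged[ip] = len(recent[ip])
    return flagged

def probed_paths(lines, docroot="/usr/local/apache/htdocs/"):
    """Distinct names each client requested under the document root: what the sweep was hunting for."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None and parsed[2].startswith(docroot):
            seen[parsed[1]].add(parsed[2][len(docroot):])
    return {ip: sorted(names) for ip, names in seen.items()}
```

Running `offenders(SAMPLE_LOG)` flags 192.0.2.10 on its third miss while the single favicon miss from 198.51.100.7 stays below the threshold; `probed_paths` shows that the flagged client was cycling through phpMyAdmin-style admin-panel names, which is the same pattern as the log in the original post.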