Website vulnerability scanning tips
If you view your server logs, you may occasionally notice hits to obscure pages on sites that don’t exist, for example URLs like:
/phpmyadmin/scripts/setup.php
/PSUser/
/login_outasp
Over a few months I have been gathering these requests to compile a list of the URLs that are typically requested during vulnerability scanning.
These URLs are hit on an automated basis by bots looking for scripts to exploit (in the example above, the bot is looking for phpMyAdmin). If you run a server with any third-party scripts, particularly PHP and ASP ones as these are the most common, you should be aware that most sites receive regular hits looking for exploitable scripts, and you should take measures to prevent this.
In most cases you won't be aware of anything until a script is exploited; this can be prevented by blocking IPs that hit these common URLs.
I've made a simple PHP class that detects whether a requested page is likely to originate from one of these bots. The code is available on GitHub at github.com/joelr/bottrap, which also includes some sample code showing how to implement it.
The repository also includes a text file containing the list of common target URLs.
Using this data, when a 404 error occurs you can check whether the requested page was a common target URL and, if so, take an action.
Actions may include submitting the IP for inclusion in one of the many public DNSBLs or honeypots, emailing or logging it for further investigation, or simply blocking the IP.
If you're using Apache this can simply be achieved by adding lines to a .htaccess or vhost file using the deny directive, for example:
deny from 123.45.6.7
Bots can also be blocked based on the user-agent (wget seems to be the one used most); this can be done with mod_rewrite. For example:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} wget [NC]
# If we just want to return a 403
RewriteRule .* - [F]
# Alternatively, forward the requests to a script for logging if required
#RewriteRule .* log.php [NC,L]
Obviously this method isn't foolproof as the user-agent can be spoofed easily, although in most of the cases I logged, wget was what was shown.
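The same two checks described above (a 404 on a known target URL, and a wget user-agent) can also be run offline over an access log to decide which IPs to deny. The following is an added example written for this post; it is not the bottrap class from the GitHub repository. It assumes Apache's "combined" log format, uses only the three target URLs quoted above in place of bottrap's full list, and the log lines and IP addresses are constructed sample data (RFC 5737 documentation ranges, not real clients). It emits both the `deny from` form shown above and the `Require not ip` form that Apache 2.4's mod_authz_core uses instead.

```python
"""Offline scanner-bot detection from Apache access logs (added example, not bottrap)."""
import re
from collections import defaultdict

# Apache "combined" log format:
# ip ident user [time] "METHOD /path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed target list: just the three URLs quoted in the post.
# A real deployment would load the much longer list shipped with bottrap.
TARGET_PATHS = {
    "/phpmyadmin/scripts/setup.php",
    "/PSUser/",
    "/login_outasp",
}

# User-agent substrings treated as scanner tooling; mirrors the [NC] rewrite rule.
SUSPECT_UA_SUBSTRINGS = ("wget",)


def normalise_path(path):
    """Drop the query string and fold case so /PHPMyAdmin/...?x=1 still matches."""
    return path.split("?", 1)[0].lower()


_TARGETS_NORMALISED = {normalise_path(p) for p in TARGET_PATHS}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_target_path(path):
    return normalise_path(path) in _TARGETS_NORMALISED


def is_suspect_ua(ua):
    ua_lower = ua.lower()
    return any(s in ua_lower for s in SUSPECT_UA_SUBSTRINGS)


def suspicious_ips(lines):
    """Map each client IP to the list of reasons it looks like a scanner.

    Only 404s on *known* target paths count; an ordinary broken link does not,
    so a legitimate visitor who follows a dead link is never banned.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        if rec["status"] == "404" and is_target_path(rec["path"]):
            hits[rec["ip"]].append(f"404 on target path {rec['path']}")
        if is_suspect_ua(rec["ua"]):
            hits[rec["ip"]].append(f"suspect user-agent {rec['ua']!r}")
    return dict(hits)


def deny_directives(ips):
    """Apache 2.2-style lines, as in the post, for a .htaccess or vhost file."""
    return [f"deny from {ip}" for ip in sorted(ips)]


def require_block(ips):
    """Apache 2.4 equivalent: mod_authz_core replaced Allow/Deny with Require."""
    body = "\n".join(f"    Require not ip {ip}" for ip in sorted(ips))
    return f"<RequireAll>\n    Require all granted\n{body}\n</RequireAll>"


# Constructed sample log lines (documentation addresses, not real clients).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2012:13:55:36 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2012:13:55:37 +0000] "GET /PSUser/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2012:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Wget/1.12 (linux-gnu)"',
    '192.0.2.44 - - [10/Oct/2012:13:57:15 +0000] "GET /about/ HTTP/1.1" 200 3021 "http://example.com/" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2012:13:57:20 +0000] "GET /missing-page HTTP/1.1" 404 209 "http://example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    flagged = suspicious_ips(SAMPLE_LOG)
    for ip, reasons in sorted(flagged.items()):
        print(ip, "->", "; ".join(reasons))
    print("\n".join(deny_directives(flagged)))
    print(require_block(flagged))
```

In the sample data 192.0.2.44 also produces a 404, but on an ordinary missing page rather than a listed target URL, so it is not flagged; only the two scanner-like clients end up in the generated deny lines.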
Why do this?
If any domains on your server run third-party scripts, particularly those with known vulnerabilities such as WordPress, phpMyAdmin and osCommerce, it's worth banning malicious IPs preemptively before a potential attack takes place. These IPs are also occasionally used for log poisoning and referrer spam. Generally neither of these is an issue unless your access logs are publicly accessible, but referrer spam can fill up Google Analytics with irrelevant URLs, which are worth blocking before they get logged.
Tags: referrer, spam, apache, security, vulnerability, logs