How do I react when somebody tries to guess admin directiories on my website?

Tags: apache, admin

I've been getting these messages in apache error.log for quite a while:

[client 217.197.152.228] File does not exist: /var/www/phpmyadmin
[client 217.197.152.228] File does not exist: /var/www/pma
[client 217.197.152.228] File does not exist: /var/www/admin
[client 217.197.152.228] File does not exist: /var/www/dbadmin
[client 217.197.152.228] File does not exist: /var/www/myadmin
[client 217.197.152.228] File does not exist: /var/www/PHPMYADMIN
[client 217.197.152.228] File does not exist: /var/www/phpMyAdmin

And many more different addresses. Looks like somebody is trying to guess where my admin applications are located. What should I fear in this situation, and what a knowledge of my admin addresses can give to attacker, if everything is password protected?

Silver Light asked Mar 19 '10 12:03

6 Answers

If everything is locked down well, fear nothing. These are just automated attacks that happen to every URL in existence. Same thing happens to me, and I don't even run PHP on my server.

If you don't have the latest patches (like on say, WordPress), then yes this is a big problem, but one that's relatively easy to fix.

swilliams answered Nov 16 '22 19:11

If you have admin or restricted folders, you could configure it in htaccess to restrict access only to your IP or IP range, like this:

# This block belongs in the main server config (httpd.conf / a vhost file):
# <Directory> is not permitted inside a .htaccess file. In a .htaccess placed in
# the admin folder itself, use only the Order/Deny/Allow lines below.
# On Apache 2.4 the three access lines are replaced by: Require ip 128.98.2.4
<Directory /var/www/AdminFolder/>
    Options FollowSymLinks
    Order Deny,Allow
    Deny from all
    # your ip only (Apache does not accept a comment on the same line as a directive)
    Allow from 128.98.2.4
</Directory>

It will only be a good solution if you have a static IP, but then you will be completely sure that you'll be the only one to get inside the admin folder.

markcial answered Nov 16 '22 19:11

If they find a login page they could try to do a brute force attack or other password cracking approach.

In these cases if there is an IP that is consistently displaying such behaviour we block it with denyhosts and ModSecurity.

DanSingerman answered Nov 16 '22 18:11
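A small log-triage script in the spirit of this answer, added here as an example (it is not code from the original post, nor from denyhosts or ModSecurity): it parses error.log lines like the ones in the question, counts how many distinct admin locations each client guessed, and emits Apache 2.2 "Deny from" lines for the persistent ones. The guess list, the threshold of three distinct names and the sample log are assumptions.

```python
import re
from collections import defaultdict

# Directory names the question's scanner tried; compared lower-cased so that
# "PHPMYADMIN" and "phpMyAdmin" count as one guess, not two.
ADMIN_GUESSES = {"phpmyadmin", "pma", "admin", "dbadmin", "myadmin"}
DOCROOT = "/var/www/"

# Matches the 2.2 form "[client 1.2.3.4]" and the 2.4 form "[client 1.2.3.4:54321]".
LINE_RE = re.compile(r"\[client ([\d.]+)(?::\d+)?\] File does not exist: (\S+)")


def admin_probes_by_ip(log_lines):
    """Map each client IP to the set of distinct admin-path names it guessed."""
    probes = defaultdict(set)
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue                      # unrelated error line
        ip, path = m.groups()
        if not path.startswith(DOCROOT):
            continue
        name = path[len(DOCROOT):].split("/")[0].lower()
        if name in ADMIN_GUESSES:
            probes[ip].add(name)
    return probes


def scanners(log_lines, min_distinct=3):
    """IPs that guessed at least min_distinct different admin locations."""
    probes = admin_probes_by_ip(log_lines)
    return sorted(ip for ip, names in probes.items() if len(names) >= min_distinct)


def deny_directives(ips):
    """Apache 2.2 access lines for the scanners (Apache 2.4: 'Require not ip')."""
    return [f"Deny from {ip}" for ip in ips]


# Constructed sample: the question's scanner, an ordinary 404, and a host that
# only tried two spellings of the same directory (not enough to block).
SAMPLE_LOG = [
    "[client 217.197.152.228] File does not exist: /var/www/phpmyadmin",
    "[client 217.197.152.228] File does not exist: /var/www/pma",
    "[client 217.197.152.228] File does not exist: /var/www/admin",
    "[client 217.197.152.228] File does not exist: /var/www/dbadmin",
    "[client 10.0.0.7] File does not exist: /var/www/favicon.ico",
    "[client 10.0.0.9:51234] File does not exist: /var/www/phpMyAdmin",
    "[client 10.0.0.9:51240] File does not exist: /var/www/PHPMYADMIN",
]

if __name__ == "__main__":
    print("\n".join(deny_directives(scanners(SAMPLE_LOG))))
```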

Firstly... Never install in a default folder.

Secondly... If you "Must" use a prefab program, rename the admin folders to something less tasty, like, "homework". No-one will ever look there for anything important. (Due to many poor coding techniques of prefab programs, they do not operate willingly when you relocate and rename folders. You would think security would be their primary goal, but, having an admin-folder at www/home level, and no ability to select the location or name, is your first sign of poor programming.)

Thirdly... Move all your INCLUDES above www/home. (Move above = move back one level, to the folder that contains the www/home folder.) Again, expect to get your hands wet with code, as the programmers most-likely did not follow that simple security commonplace with code. You will have to tell your code to look in the new includes path, which is now above the www/home folder.

Fourthly... Where possible, set up a LOCK-OUT on your admin folder. Use your FTP or C_Panel to unlock the folder only when it is needed. You should not be logged in daily, or as a common login. For all you know, you have a virus on your computer and it is watching you type in your password every time, or capturing your cookies, or injecting worms on your server once you have logged in. The better alternative is to find programs with external admin controls. EG, no software on the server. The software stays on your PC, and it only accesses your server to update changes, briefly.

Fifthly... Get a blacklist plugin for your server, or request one. Your HOST should be blocking those types of obvious scans at the router level, sending repeated requests to a black hole. Hosts that don't provide the lowest level of security should not be used. That is what the hackers use, since they don't block them when they attack. (Expect that your NETWORK NEIGHBORS are potentially hackers on a shared server. They will be fishing inside your shared temp files for sessions, cookie data, backup code, SQL RAM data, etc... Looking for anything important. Usually your clients' e-mails and passwords, CC info, PayPal info, telephone numbers, addresses, and anything else not nailed down, to sell.)

Sixthly... Find a host which does not have prefab programs available. Why? Because they are all poor security, free-ware yester-years versions, unpatchable, poorly configured, and your neighbors are using them too. If you have no neighbors, great... but that does not make you any safer. The installers have decreased your server security so they can gain access to install the programs, even if you never install one of them. Hackers exploit that also, installing things they know they can hack that exist in your c-panel or server control, and then they hack in through those exploited installed programs.

LOL, just print books... J/K, that is hackable too!

You know what is not hackable... Pure HTML, on a server without PHP, ASP, MySQL, FTP, e-mailers, and all the other things we all love to play with so much. Oh, but the HTML has to be on a CD, or a hard-drive with the erase-heads unwired. Hehe...

JasonD answered Nov 16 '22 20:11

It seems he's looking for PHPMySQLAdmin installations, probably to automatically try and use known exploits on old versions.

If you're not using PHPMyAdmin you should be fine. If you do, make sure it's updated to the latest version, and maybe move it to a non-guessable URL.

Michał Tatarynowicz answered Nov 16 '22 20:11

If you have protected everything it's no real big deal. http://217.197.152.228/phpmyadmin/ <- that's where your phpmyadmin is running. Seems it's pass protected etc so don't worry too much!

There are some exploits that will reveal info. In fact, your phpmyadmin is vulnerable to some attacks:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0204

Maybe you should check for exploit docs on your phpmyadmin version.

Younes answered Nov 16 '22 20:11