I hosted my Rails application last week. Today I was going through our log file and noticed lots of request like this.
I, [2016-03-14T00:42:18.501703 #21223] INFO -- : Started GET "/testproxy.php" for 185.49.14.190 at 2016-03-14 00:42:18 -0400
F, [2016-03-14T00:42:18.510616 #21223] FATAL -- :
ActionController::RoutingError (No route matches [GET] "/testproxy.php"):
Someone is trying to go to testproxy.php
from different ip address. Some ip are from poland and others from hongkong. Am I getting attacked by someone. What are my options to protect myself.
Here are other outputs from log file:
I, [2016-03-14T03:09:24.945467 #15399] INFO -- : Started GET "/clientaccesspolicy.xml" for 107.22.223.242 at 2016-03-14 03:09:24 -0400
F, [2016-03-14T03:09:24.949328 #15399] FATAL -- :
ActionController::RoutingError (No route matches [GET] "/clientaccesspolicy.xml"):
Different ip address:
I, [2016-03-14T16:03:47.793731 #15399] INFO -- : Started GET "/testproxy.php" for 178.216.200.48 at 2016-03-14 16:03:47 -0400
F, [2016-03-14T16:03:47.818519 #15399] FATAL -- :
ActionController::RoutingError (No route matches [GET] "/testproxy.php"):
search.php
I, [2016-03-14T19:41:14.261843 #15399] INFO -- : Started GET "/forum/search.php" for 164.132.161.67 at 2016-03-14 19:41:14 -0400
F, [2016-03-14T19:41:14.266563 #15399] FATAL -- :
ActionController::RoutingError (No route matches [GET] "/forum/search.php"):
forum/index.php
I, [2016-03-15T10:54:55.254785 #26469] INFO -- : Started GET "/forum/index.php" for 164.132.161.56 at 2016-03-15 10:54:55 -0400
F, [2016-03-15T10:54:55.266456 #26469] FATAL -- :
ActionController::RoutingError (No route matches [GET] "/forum/index.php"):
phpmyadim/scripts/setup.php
I, [2016-03-15T13:21:36.862918 #26469] INFO -- : Started GET "/phpMyAdmin/scripts/setup.php" for 103.25.73.234 at 2016-03-15 13:21:36 -0400
F, [2016-03-15T13:21:36.867050 #26469] FATAL -- :
ActionController::RoutingError (No route matches [GET] "/phpMyAdmin/scripts/setup.php"):
another setup.php
I, [2016-03-15T13:21:37.452097 #26469] INFO -- : Started GET "/pma/scripts/setup.php" for 103.25.73.234 at 2016-03-15 13:21:37 -0400
F, [2016-03-15T13:21:37.453647 #26469] FATAL -- :
ActionController::RoutingError (No route matches [GET] "/pma/scripts/setup.php"):
myadmin/scripts/setup.php
I, [2016-03-15T13:21:38.034283 #26469] INFO -- : Started GET "/myadmin/scripts/setup.php" for 103.25.73.234 at 2016-03-15 13:21:38 -0400
F, [2016-03-15T13:21:38.041563 #26469] FATAL -- :
ActionController::RoutingError (No route matches [GET] "/myadmin/scripts/setup.php"):
and lots of other stuff. Please tell me how can I protect myself from those attacks.
There are several negative outcomes that can arise from having a server compromise take place. First, if your server is compromised not only is your company at risk and any of its employees if their private information is stored on the server, but the same is also true for the personal information of your clients.
An exploited or hacked server is one that is no longer fully under your control. Someone else is now partially controlling your server and using it for their own purposes. Here are some common reasons to exploit a server: Send out spam email. Launch attacks against other servers.
This is commonplace when you are running a public server. Here is an excerpt of my home server's auth.log:
Mar 14 19:22:36 hotdog sshd[65937]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:22:37 hotdog sshd[65939]: Invalid user ubnt from 181.214.92.11
Mar 14 19:22:37 hotdog sshd[65939]: input_userauth_request: invalid user ubnt [preauth]
Mar 14 19:22:37 hotdog sshd[65939]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:22:38 hotdog sshd[65941]: Invalid user support from 181.214.92.11
Mar 14 19:22:38 hotdog sshd[65941]: input_userauth_request: invalid user support [preauth]
Mar 14 19:22:38 hotdog sshd[65941]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:22:39 hotdog sshd[65943]: Invalid user oracle from 181.214.92.11
Mar 14 19:22:39 hotdog sshd[65943]: input_userauth_request: invalid user oracle [preauth]
Mar 14 19:22:39 hotdog sshd[65943]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:22:40 hotdog sshd[65945]: Received disconnect from 181.214.92.11: 11: Bye Bye [preauth]
Mar 14 19:24:04 hotdog sshd[65947]: fatal: Read from socket failed: Operation timed out [preauth]
Mar 14 20:01:19 hotdog sshd[66032]: Received disconnect from 183.3.202.102: 11: [preauth]
Mar 14 20:40:17 hotdog sshd[66092]: Invalid user cacti from 199.217.117.71
Mar 14 20:40:17 hotdog sshd[66092]: input_userauth_request: invalid user cacti [preauth]
Mar 14 20:40:17 hotdog sshd[66092]: Connection closed by 199.217.117.71 [preauth]
Mar 14 21:32:09 hotdog sshd[66188]: Received disconnect from 183.3.202.102: 11: [preauth]
Mar 14 22:01:59 hotdog sshd[66256]: Invalid user user1 from 199.217.117.71
Mar 14 22:01:59 hotdog sshd[66256]: input_userauth_request: invalid user user1 [preauth]
Mar 14 22:02:00 hotdog sshd[66256]: Connection closed by 199.217.117.71 [preauth]
Mar 14 22:17:57 hotdog sshd[66280]: Did not receive identification string from 14.182.117.161
As you can see people are constantly trying to break into my server, by guessing a username. Since the server only accepts publickey login, not password, I believe myself to be fairly secure from these particular attacks.
The same applies to your PHP files. They are trying to find a php endpoint which they can run some canned exploit on. You can use tools like fail2ban which help with rate-limiting. But really these attacks will always be present on a public server. The only way is to ensure your software can resist attacks.
Some general common-sense tips:
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With