March 22, 2013

Being attacked – What's that?

Question by Ariel

Seems like my website is being attacked.
I looked at the Apache logs and I saw thousands of lines like these;
Some random folders which don’t even exist. Looks like some brute force for websites…
Any ideas on what it is?

84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /files/console HTTP/1.1" 404 211
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /account/Admin/config.php HTTP/1.1" 404 222
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /Images/ini HTTP/1.1" 404 208
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /etc/wp-includes HTTP/1.1" 404 213
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/test.php" 200 58
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /Images/readme.txt HTTP/1.1" 404 215
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/logs//..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/win.ini HTTP/1.1" 404 269
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /jscripts/tiny_mce HTTP/1.1" 404 215
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /files/addons HTTP/1.1" 404 210
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "POST /account/logs/logs_process.php?adm=1&JsygZ81Q=1 HTTP/1.1" 302 23349
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /etc/iishelp HTTP/1.1" 404 209
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /Images/_include HTTP/1.1" 404 213
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /account/Admin/config.inc.php HTTP/1.1" 404 226
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/test.php%2f HTTP/1.1" 404 217
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /Images/README HTTP/1.1" 404 211
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/logs//%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 280
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "OPTIONS / HTTP/1.1" 200 3405
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /Images/pass HTTP/1.1" 404 209
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /jscripts/tinymce HTTP/1.1" 404 214
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /files/invoker HTTP/1.1" 404 211
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /etc/iisadmin HTTP/1.1" 404 210
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/test.php%5c HTTP/1.1" 404 217
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /Images/config.php HTTP/1.1" 404 215
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/logs//%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/windows/win.ini HTTP/1.1" 404 285
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /account/Admin/localconfig.php HTTP/1.1" 404 227
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /etc/tsweb HTTP/1.1" 404 207
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /files/cp HTTP/1.1" 404 206

Answer by Starx

Those are requests made on your domains to access resources. They may or may not be related to threats.

But looking at it briefly, it seems like vulnerability scanning to find loopholes in your application.

Author: Nabin Nepal (Starx)
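To check the scanning hypothesis from the defender's side, the following added example (not code from the question or the answer) summarizes an access log per client: 404 ratio, path-traversal probes hidden behind double percent-encoding, and the requests that did not return 404 and so deserve a manual look. The sample log is constructed from lines like those in the question, and the thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Apache common log format, modelled on the lines in the question.
SAMPLE = """\
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /files/console HTTP/1.1" 404 211
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/test.php" 200 58
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/logs//..%252f..%252f..%252fwindows/win.ini HTTP/1.1" 404 269
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /changelog/logs//%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 280
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "POST /account/logs/logs_process.php?adm=1&JsygZ81Q=1 HTTP/1.1" 302 23349
84.220.206.177 - - [22/Mar/2013:19:45:28 +0100] "GET /Images/config.php HTTP/1.1" 404 215
192.0.2.10 - - [22/Mar/2013:19:46:02 +0100] "GET /index.html HTTP/1.1" 200 5120
"""
# The protocol token is optional: some scanner requests omit "HTTP/1.1".
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) ([^\s"]+)(?: [^"]*)?" (\d{3}) \S+')

def fully_decode(path, rounds=5):
    """Percent-decode repeatedly so double encoding (%252e -> %2e -> .) is exposed."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(path):
    return re.search(r'\.\.[/\\]', fully_decode(path)) is not None

# min_requests and min_404_ratio are hypothetical thresholds, not values from the page.
def summarize(lines, min_requests=5, min_404_ratio=0.5):
    """Per client: totals, 404 ratio, traversal probes, and probes that did not 404."""
    stats = defaultdict(lambda: {"total": 0, "404": 0, "traversal": 0, "answered": []})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        s = stats[ip]
        s["total"] += 1
        s["404"] += status == "404"
        s["traversal"] += is_traversal(path)
        if status != "404":
            s["answered"].append((method, path, status))  # review these by hand
    report = {}
    for ip, s in stats.items():
        ratio = s["404"] / s["total"]
        scanner = s["traversal"] > 0 or (s["total"] >= min_requests and ratio >= min_404_ratio)
        report[ip] = dict(s, ratio=round(ratio, 2), scanner=scanner)
    return report
```

Call `summarize(open("access.log"))` on a real log; the `answered` list is the part to act on, since those are probed paths the server actually responded to.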
