0

Does anyone know what that means? I found those today in Apache's access logs. Thanks!

XX.82.64.68 - - [18/Jan/2016:14:30:45 -0800] "GET /wp-content/themes/Akhbar24/images/alemarah.jpg HTTP/1.0" 404 500 "-" "-"
XX.162.245.205 - - [18/Jan/2016:17:29:56 -0800] "GET / HTTP/1.1" 200 2460 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
XX.130.5.246 - - [18/Jan/2016:18:25:34 -0800] "GET /muieblackcat HTTP/1.1" 404 469 "-" "-"
XX.130.5.246 - - [18/Jan/2016:18:25:35 -0800] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 485 "-" "-"
XX.130.5.246 - - [18/Jan/2016:18:25:35 -0800] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 485 "-" "-"
XX.130.5.246 - - [18/Jan/2016:18:25:35 -0800] "GET //pma/scripts/setup.php HTTP/1.1" 404 478 "-" "-"
XX.130.5.246 - - [18/Jan/2016:18:25:35 -0800] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 482 "-" "-"
XX.130.5.246 - - [18/Jan/2016:18:25:35 -0800] "GET //MyAdmin/scripts/setup.php HTTP/1.1" 404 482 "-" "-"
::1 - - [18/Jan/2016:18:25:37 -0800] "OPTIONS * HTTP/1.0" 200 125 "-" "Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.14 (internal dummy connection)"

2 Answers

2

"muieblackcat" is a vulnerability scanner which searches for misconfigured webservers. It tried different common install paths for phpMyAdmin; all of them returned a 404, meaning you're safe.

The last log entry comes from Apache, which sometimes polls its own child processes to check if they're still working correctly.

The first and second log entries seem like normal traffic to me.

Benoit Esnard
  • I understand the second one seems normal, but I don't have WordPress installed. Kinda got me suspicious. – EndenDragon Jan 19 '16 at 04:12
  • Most bad bots check every website for WordPress or another CMS and try exploits without knowing whether that CMS is installed. Just dumb bots, nothing to worry about. Also, the bot accessed an image which does not exist, so this request is harmless so far. – Daniel Ruf Jan 19 '16 at 08:38
0

Consider this the background noise of the internet. You'll get scanned a lot, and they'll try every conceivable path to the various software you could have exposed on your webserver. Secure software that only you should use by other means (HTTP Authentication), and keep up to date with patches on software that's supposed to be publicly accessible.

Expect that if you use certain software, and one of those scripts finds it, that your IP address will be recorded somewhere, so that once a security issue becomes known on said software, your IP address will be one of the first ones to be scanned again.

If a script hammers your server too much, or over too long of a period of time, stuff like fail2ban can get rid of them - other than that, just expect that you'll keep getting scanned every so often.

Michael
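The burst of 404s in the question's log is the kind of pattern a tool like fail2ban acts on. As an added example (not code from either answer, and not fail2ban's own), this Python script parses the log lines from the question and flags hosts that produce several 404s within a short window; the function names and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines copied from the question (addresses were already masked as XX.*).
SAMPLE_LOG = '''
XX.82.64.68 - - [18/Jan/2016:14:30:45 -0800] "GET /wp-content/themes/Akhbar24/images/alemarah.jpg HTTP/1.0" 404 500 "-" "-"
XX.162.245.205 - - [18/Jan/2016:17:29:56 -0800] "GET / HTTP/1.1" 200 2460 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
XX.130.5.246 - - [18/Jan/2016:18:25:34 -0800] "GET /muieblackcat HTTP/1.1" 404 469 "-" "-"
XX.130.5.246 - - [18/Jan/2016:18:25:35 -0800] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 485 "-" "-"
XX.130.5.246 - - [18/Jan/2016:18:25:35 -0800] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 485 "-" "-"
XX.130.5.246 - - [18/Jan/2016:18:25:35 -0800] "GET //pma/scripts/setup.php HTTP/1.1" 404 478 "-" "-"
XX.130.5.246 - - [18/Jan/2016:18:25:35 -0800] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 482 "-" "-"
XX.130.5.246 - - [18/Jan/2016:18:25:35 -0800] "GET //MyAdmin/scripts/setup.php HTTP/1.1" 404 482 "-" "-"
::1 - - [18/Jan/2016:18:25:37 -0800] "OPTIONS * HTTP/1.0" 200 125 "-" "Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.14 (internal dummy connection)"
'''

# Apache combined log format: host, ident, user, [time], "request", status, size.
LINE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse(line):
    """Return (host, timestamp, path, status), or None if the line does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['host'], ts, m['path'], int(m['status'])

def find_scanners(lines, max_404=3, window=timedelta(seconds=60)):
    """Map host -> probed paths for hosts with >= max_404 404s inside `window`.
    Comparable in spirit to fail2ban's maxretry/findtime; thresholds are assumptions."""
    misses = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        host, ts, path, status = rec
        if status == 404:
            misses[host].append((ts, path))
    flagged = {}
    for host, events in misses.items():
        events.sort(key=lambda e: e[0])          # stable: keeps log order on ties
        for start, _ in events:
            burst = [p for t, p in events if timedelta(0) <= t - start <= window]
            if len(burst) >= max_404:
                flagged[host] = burst
                break
    return flagged

if __name__ == '__main__':
    for host, paths in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(host, len(paths), 'probes:', ', '.join(paths))
```

The single 404 for the missing WordPress image, the normal page load and Apache's internal dummy connection stay below the threshold, so only the phpMyAdmin probe burst is reported.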