
I've noticed sometimes that I'd receive very random requests coming to a live server that I'd be hosting in real time through my log. It would usually look something like:

[14/Mar/2019 02:05:36] "GET /php/admin HTTP/1.1" 200 2090
[14/Mar/2019 02:05:36] "GET /wordpress/admin HTTP/1.1" 200 8072
[14/Mar/2019 02:05:36] "GET /myphpadmin/login HTTP/1.1" 200 289535

Thankfully, I wouldn't touch PHP with a ten-foot pole, so I don't have to worry about any kind of injection attacks or brute force login attempts.

But whenever I track the IPs of these bots/hackers, they seem to be coming from very random places, one I can recall was a German IP address. This incident happened at around 3AM Eastern Time.

The press has been yammering on about this for over two years now, but I'm very confused. If my hackers could easily just assault my servers through a VPN to fake their attack positions, then how exactly would an investigator conclude that their assailants are coming from the cyber red army???

schroeder
  • Your title seems to have nothing to do with the question. And your tags are also not applicable. I changed both to reflect what you asked. – schroeder Mar 14 '19 at 12:23
  • The press has been yammering on about what for two years? – schroeder Mar 14 '19 at 12:24
  • "I don't have to worry about any kind of injection attacks or brute force login attempts" - yes you do. Just because you do not use PHP does not mean that you are protected from these things. I also notice that your webserver is responding to these probes with a `200`. You might get fewer probes if you stopped telling the probes that you have PHP installed. – schroeder Mar 14 '19 at 12:28
  • I think what you are asking for can be found in the answers here: https://security.stackexchange.com/questions/81215/how-are-attacks-and-apts-attributed – schroeder Mar 14 '19 at 12:30
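The comment above points at something the question's own log lines show: every admin-panel probe was answered with a `200`. Below is an added example (not code from the question or from either poster) that parses lines in that log format, flags the admin-panel probes, and lists the ones the server served with a 200 so they can be fixed to return 404. It assumes the format is the Django development server's (which the quoted lines match) and uses a hypothetical starter list of probe path fragments seeded from the paths in the question.

```python
import re
from collections import Counter

# Constructed sample: the three lines quoted in the question plus three
# ordinary requests, in the Django development server's log format.
SAMPLE_LOG = """\
[14/Mar/2019 02:05:36] "GET /php/admin HTTP/1.1" 200 2090
[14/Mar/2019 02:05:36] "GET /wordpress/admin HTTP/1.1" 200 8072
[14/Mar/2019 02:05:36] "GET /myphpadmin/login HTTP/1.1" 200 289535
[14/Mar/2019 02:07:01] "GET / HTTP/1.1" 200 5120
[14/Mar/2019 02:07:02] "GET /static/app.css HTTP/1.1" 200 812
[14/Mar/2019 02:09:44] "GET /phpmyadmin/ HTTP/1.1" 404 2014
"""

# One runserver-style access line: [timestamp] "METHOD path HTTP/x.y" status size
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)

# Path fragments typical of mass admin-panel probing. Hypothetical starter
# list seeded from the paths in the question; extend it from your own logs.
PROBE_RE = re.compile(r'(?:admin|login|wp-login|phpmyadmin|myphpadmin)', re.I)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec


def find_probes(log_text):
    """Return the parsed records whose path looks like an admin-panel probe."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and PROBE_RE.search(rec["path"]):
            probes.append(rec)
    return probes


def summarize(log_text):
    """Count probes and single out those the server answered with 200.

    A 200 for a path the application does not actually serve usually means a
    catch-all route is returning a real page. That tells the scanner something
    is listening and costs bandwidth (note the 289535-byte response in the
    sample); such paths should return 404.
    """
    probes = find_probes(log_text)
    served = [p["path"] for p in probes if p["status"] == 200]
    return {
        "probes": len(probes),
        "by_status": dict(Counter(p["status"] for p in probes)),
        "served_200": served,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['probes']} probe requests, status breakdown {report['by_status']}")
    for path in report["served_200"]:
        print(f"  answered with 200 (should be 404): {path}")
```

This log format carries no client address, so the script classifies by path and status only; behind a production web server the combined access log would also let you group the same probes by source IP, which is what the firewall blocking suggested in the answer needs.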

1 Answer

It is not an attack, it's probing. Just like e-mail servers are probed to be later used as relays in an attack, this is just recon. Some types of attacks (about 5000 known ones) require the HTTP Response option to be enabled on target servers so the attacks can proceed. Since you don't even use PHP, if all requests are PHP-related, there's no danger of them getting anything.

Usually, as a good practice, I block these IPs in the firewall anyway, even if they do not pose a direct threat.

Overmind
  • But I'll notice that these types of bots never target any home page at all. Every attack that takes place will specifically go through a list of default `HOSTNAME/administration` URLs. Almost as if a bot is deployed to go through a list of registered domain names and see if any of them had forgotten to change the default URL to the admin panel. I use Django which has something similar, but it's usually a moderate security risk to have the URL to the admin panel login known to the public. The IP address of the request looks as if it doesn't want to be traceable. – Matt Andrzejczuk Mar 14 '19 at 22:55