0

In my Apache error log I am getting these errors (there are 100s of these lines); most of these IPs are from China.

I guess some bots are trying to find vulnerable files. Is there any way to protect the server against such attacks?

```
script '/var/www/public_html/bbr.php' not found or unable to stat
script '/var/www/public_html/ioi.php' not found or unable to stat
script '/var/www/public_html/uuu.php' not found or unable to stat
script '/var/www/public_html/qiqi.php' not found or unable to stat
script '/var/www/public_html/qiqi1.php' not found or unable to stat
script '/var/www/public_html/config.php' not found or unable to stat
script '/var/www/public_html/db_session.init.php' not found or unable to stat
script '/var/www/public_html/wp-admins.php' not found or unable to stat
```
schroeder
Hashu
  • 3
    What "attack" do you want to prevent? You cannot prevent external sources from accessing your webserver. Your webserver exists to be accessed. The list you showed are PHP pages that would potentially give an attacker access to your webserver, which means that you protect yourself by not exposing admin pages to the world. So, what is your question? – schroeder Jul 15 '19 at 12:07
  • This is normal. It is how the various botnets of the world say "Welcome to the internet!" I'm sure there is a question about this somewhere on this site... – Conor Mancone Jul 15 '19 at 12:20
  • 2
    Possible duplicate of [Script Kiddies - how do they find my server IP?](https://security.stackexchange.com/questions/113456/script-kiddies-how-do-they-find-my-server-ip) – multithr3at3d Jul 15 '19 at 16:16
  • 1
    There are plenty of other questions on the site similar to this. – multithr3at3d Jul 15 '19 at 16:17

2 Answers

3

That is just normal background traffic. All domains are crawled all the time in order to find common vulnerabilities:

  • Unsecured or default passworded admin areas (like the wp-admins.php in your listing)
  • Files containing credentials (config.php)
  • Files or directories that are publicly available but not linked on the page (resulting in some people thinking that makes them somewhat private)

There is nothing you can do to prevent such probes.

If there is a huge influx from a specific IP range, and you don't expect any 'legit' traffic from that range, you can blacklist it. But a lot of these scans might come from botnets, so will have a huge variety of originating IP ranges.

fleitner
2

There are tools like Fail2Ban that temporarily restrict access from IPs that have tried for non-existing files in a short time range too often (it is configurable what "too often" means exactly). This will reduce the scanning traffic on your site, but as @fleitner already wrote, you cannot exclude it completely.

jk - Reinstate Monica
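The rate-based temporary ban described in the answer above comes down to counting "not found" hits per client inside a sliding time window. The following is an added example, not code from the answers and not Fail2Ban's own implementation; the parameter names `maxretry` and `findtime` are borrowed from Fail2Ban's settings, and the log lines are constructed in Apache 2.4 error-log format with documentation-range IPv4 addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 2.4 error-log entry for a request to a missing script (IPv4 clients only).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid [^\]]*\] "
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] "
    r"script '[^']*' not found or unable to stat"
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"

def find_offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: timestamp of the hit that reached maxretry within findtime}."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # unrelated error-log entry
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > findtime:
            hits.popleft()        # forget hits older than the window
        if len(hits) >= maxretry and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders

def _line(ts, ip, path):
    # Helper that builds one constructed log line.
    return (f"[{ts}] [php7:error] [pid 1234] [client {ip}:51234] "
            f"script '/var/www/public_html/{path}' not found or unable to stat")

PATHS = ["bbr.php", "ioi.php", "uuu.php", "qiqi.php", "qiqi1.php", "config.php"]
# Constructed sample: a burst from one client, one unrelated notice,
# and a slow client whose five hits are 11 minutes apart.
SAMPLE = [_line(f"Mon Jul 15 12:00:{i:02d}.000000 2019", "203.0.113.5", p)
          for i, p in enumerate(PATHS)]
SAMPLE.append("[Mon Jul 15 12:00:06.000000 2019] [mpm_prefork:notice] [pid 1] "
              "AH00163: Apache configured -- resuming normal operations")
SAMPLE += [_line(f"Mon Jul 15 12:{11 * i:02d}:30.000000 2019", "198.51.100.7", p)
           for i, p in enumerate(PATHS[:5])]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE).items():
        print(f"{ip} reached the threshold at {when}")
```

With the default window only the burst client is flagged; widening `findtime` to an hour also catches the slow client, which shows why the "too often" threshold has to be tuned against how patient the scanners are.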