
I am running a web server and watching what people request. I have been getting frequent traffic like:

GET /phph/php/ph.php HTTP/1.1

or

GET /mrmr/mrm/mr.php HTTP/1.1

Are these scans? Are the clients checking if my server is already compromised or are they checking if I am vulnerable?

As far as I can tell, since I don't host such directories, such traffic is a scan for compromised machines; I do not know for sure because I think it unsafe to click the links Google provides when I search such things.

Xander
user2738698
  • Another non-malicious explanation for requests like these might just be that the previous owner of that IP address used to host the requested file, and somewhere on the internet there's a device/software that's been forgotten and left there, desperately trying to access that file. – Feb 27 '15 at 05:51
  • Another malicious explanation for requests like these might be that the URLs are the standard ones used by some webshell. – Kartoch Mar 03 '15 at 20:30

4 Answers


These types of spurious requests are very, very common. They are either looking to see if you are already compromised, or looking to get your server to throw an error to gather info about your server (from error messages).

You aren't the only one:

http://shadow.wolvesincalifornia.org/awstats/data/awstats092014.shadow.wolvesincalifornia.org.txt

# URL with 404 errors - Hits - Last URL referer
BEGIN_SIDER_404 193
/admin.php 1 -
/root/back.css 1 -
/drdr/drd/dr.php 2 -
/hkhk/hkh/hk.php 1 -
/wp/2011/07/19/&amp 6 -
/ahah/aha/ah.php 1 -
/andro/back.css 1 -
/wp/comments/feed/ 1 -
/wjwj/wjw/wj.php 1 -

We all get spammed by these requests.

schroeder
  • How shall we prevent them? Do they deserve a notice? I get these calls on my nodejs server. I'm not sure how to prevent them. Moreover, the IP gets changed after some time, so I cannot block them at all – Tarun Gupta Sep 19 '19 at 05:42
  • They cannot be prevented – schroeder Sep 19 '19 at 06:30

The attacker tries to find out if you have certain premade web software installed by requesting files which are typical for them.

When they find out you use, say, WordPress or phpBB or MediaWiki, they can then try to use exploits specific to these applications to take over your site.

The best countermeasure against this is to avoid installing too much software on your webserver and keep the software you have installed always up-to-date.

Philipp

Yes, those are scans.

If you Google those strings you will see that they show up in the web logs of numerous sites throughout the Internet, usually cheap webhost sites which put their logs up where Google can see them. This is sufficient indication that some tool is trolling for that URL.

There is not enough information to indicate what the scan is meant to do - probably simply to help determine if PHP is supported and if so how the server deals with an invalid URL for PHP.

These scans can probably be safely ignored as background noise.

gowenfawr

These look like the results of an automated scan such as one offered by Nikto or a directory brute-force discovery tool such as DirBuster. This is an attempt to identify/discover files and directories on your server and possibly provide a better fingerprint of the application or reveal sensitive files. This reveals information about what modules you might be using and might be used to leverage a more advanced attack later, or sensitive information depending on what files are found. If the request logs include further requests such as:

/../../etc/passwd

../../../../blah/etc/passwd

this would be an attempt to look for Path Traversal vulnerabilities.

More about Path Traversal at: https://www.owasp.org/index.php/Path_Traversal
Nikto: http://sectools.org/tool/nikto/
DirBuster: https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project

racec0ndition
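A small detection pass over access logs, added here as an illustration and not code from any of the answers above: it flags the two-letter probe shape from the question and schroeder's awstats excerpt (/xyxy/xyx/xy.php) and the ../ traversal attempts racec0ndition mentions, then counts hits per client IP so the noise can be reviewed rather than eyeballed line by line. The log lines and IP addresses are constructed, and the format is assumed to be Apache/nginx "combined" format.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" format: client, ident, user, [time], "METHOD path HTTP/x", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The probe shape seen in the question: /xyxy/xyx/xy.php (phph/php/ph.php, drdr/drd/dr.php, ...)
PROBE_RE = re.compile(r'^/([a-z])([a-z])\1\2/\1\2\1/\1\2\.php$')

# Constructed sample lines (not taken from any real server); the request paths mirror the
# ones quoted in the question, the awstats excerpt and the path-traversal examples above.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Feb/2015:05:40:01 +0000] "GET /phph/php/ph.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [27/Feb/2015:05:40:02 +0000] "GET /mrmr/mrm/mr.php HTTP/1.1" 404 209 "-" "-"
198.51.100.9 - - [27/Feb/2015:05:41:10 +0000] "GET /../../etc/passwd HTTP/1.1" 400 226 "-" "-"
198.51.100.9 - - [27/Feb/2015:05:41:11 +0000] "GET /img/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 209 "-" "-"
192.0.2.5 - - [27/Feb/2015:05:42:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.5 - - [27/Feb/2015:05:42:01 +0000] "GET /wp/comments/feed/ HTTP/1.1" 404 209 "-" "-"
"""


def classify(path):
    """Return a label for a request path, or None for unremarkable traffic."""
    if PROBE_RE.match(path):
        return "webshell-probe"
    # Decode twice so single- and double-encoded "../" are both caught before checking segments.
    decoded = unquote(unquote(path.split("?", 1)[0]))
    if any(seg == ".." for seg in decoded.split("/")):
        return "path-traversal"
    return None


def scan_log(text):
    """Count flagged requests per (client IP, label); lines that do not parse are skipped."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m.group("path"))
        if label:
            hits[(m.group("ip"), label)] += 1
    return hits


if __name__ == "__main__":
    for (ip, label), n in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"{ip:15} {label:15} {n}")
```

The probe regex is deliberately narrow, so expect to extend it with other fixed paths from your own 404 list (admin.php, back.css and the like) rather than rely on it alone.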