2

I have a website with Joomla and 404shSEF installed. The component logs all 404 requests and the log is really interesting. The site is getting requests on components and also a file called this: "7c334.php". Here is an example:

wp-admin/admin-ajax.php
wp-content/plugins/contus-video-gallery/hdflvplayer/download.php
wp-content/plugins/document_manager/views/file_download.php
wp-content/themes/antioch/lib/scripts/download.php
wp-content/themes/epic/lib/scripts/download.php
wp-content/themes/trinity/lib/scripts/download.php
ftpchk3.php
image?format=raw&id=30&type=img&view=image
image?format=raw&id=31&type=img&view=image
image?format=raw&id=45&type=img&view=image
images/post.php
images/stories/explore.php
images/stories/petx.php
modules/7c334.php
modules/7c34.php
modules/mod_banners/sysm.php
modules/mod_search/tmpl/index.php
modules/mod_xsystemx/7c334.php
modules/mod_xsystemx/7c34.php

Is this "normal scanning" behaviour or should I be concerned? The passwords are safe, or at least should be strong enough on the site, and the scripts are always up to date. Are these requests made to all websites? I have scanned the site on Sucuri and everything looks normal.

Jens Erat
Owl

2 Answers

3

That is the background noise of the Internet: a bot scanning for commonly used admin interfaces, potentially vulnerable pages and software and well-known PHP backdoors.

In itself, this doesn't give you any indication about the status of your server: it just tells you that a bot scanned it for common PHP entry points. It doesn't indicate if any was found, if any of the (potentially) detected entry points is exploitable, if any (potentially) vulnerable entry point was successfully exploited, nor the extent of any (potential) breach.

Stephane
  • I would want to add that it's not necessarily a bot scanning for PHP vulns, it could also be an enumerator like Dirbuster trying to find unauthorized access to pages where you should have authorization in the hopes of finding a new way into your service. If this is the case it's most likely not an automated search but rather a manual attack. – Voidpaw May 18 '15 at 12:46
0

As you have a website, you will be used to such requests in your log file. The bots or someone manually have scanned for the files on your server, probably on the list of 'compromised' files.

If you had one of those, they would try to inject something or exploit the file.

Is this "normal scanning" behaviour or should I be concerned?

All web admins can surely say it's getting 'normal'. Concerned? A little bit - especially if you don't update.

balex
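As the first answer notes, a 404 log alone cannot show whether any probe found something. The following added example (not part of the question or either answer) reads a full access log and reports only non-404 PHP responses given to clients that behave like scanners. The combined log format, the sample lines, the threshold of three distinct misses and the allowlist of Joomla's own entry points are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/Nginx "combined" format (not the asker's log).
SAMPLE_LOG = """\
203.0.113.7 - - [18/May/2015:12:40:01 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [18/May/2015:12:40:02 +0000] "GET /ftpchk3.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [18/May/2015:12:40:03 +0000] "GET /modules/7c334.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [18/May/2015:12:40:04 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "-"
203.0.113.7 - - [18/May/2015:12:40:05 +0000] "POST /images/stories/x.php HTTP/1.1" 200 31 "-" "-"
203.0.113.99 - - [18/May/2015:12:41:01 +0000] "GET /images/post.php HTTP/1.1" 404 512 "-" "-"
203.0.113.99 - - [18/May/2015:12:41:02 +0000] "GET /modules/7c34.php HTTP/1.1" 404 512 "-" "-"
203.0.113.99 - - [18/May/2015:12:41:03 +0000] "GET /modules/mod_banners/sysm.php HTTP/1.1" 404 512 "-" "-"
198.51.100.20 - - [18/May/2015:12:42:01 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 9120 "-" "-"
198.51.100.20 - - [18/May/2015:12:42:02 +0000] "GET /old-page.html HTTP/1.1" 404 512 "-" "-"
"""

# client, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Assumption: the only PHP files a Joomla site should serve directly.
EXPECTED_PHP = {"/index.php", "/administrator/index.php"}

def triage(log_text, min_misses=3):
    """Map each scanning client to the unexpected PHP paths it got a 2xx for."""
    misses = defaultdict(set)   # client -> distinct paths answered with 404
    hits = defaultdict(list)    # client -> (method, path, status) worth a look
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # skip lines that are not in the assumed format
        client, method, target, status = m.groups()
        path = target.split("?", 1)[0]
        if status == "404":
            misses[client].add(path)
        elif status.startswith("2") and path.endswith(".php") \
                and path not in EXPECTED_PHP:
            hits[client].append((method, path, int(status)))
    # Scanners with no hits are background noise and are left out of the result.
    return {c: h for c, h in hits.items() if len(misses[c]) >= min_misses}

if __name__ == "__main__":
    for client, found in triage(SAMPLE_LOG).items():
        print(client, found)
```

An empty result matches the "background noise" reading; any entry names a file to inspect on disk.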