What are Malicious Visitors Looking For

You may have noticed that some visitors to your website are looking for something other than your content. The following sample is excerpted from /var/log/httpd/error_log on an Apache server:

[Fri May 16 09:27:40 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/jmx-console
[Fri May 16 09:27:42 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/manager
[Fri May 16 09:27:50 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/administrator
[Fri May 16 09:27:52 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/joomla
[Fri May 16 09:27:55 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/cms
[Fri May 16 09:27:57 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/Joomla
[Fri May 16 09:28:00 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/phpmyadmin
[Fri May 16 09:28:03 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin
[Fri May 16 09:28:06 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/mysql
[Fri May 16 09:28:09 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/sql
[Fri May 16 09:28:12 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/myadmin
[Fri May 16 09:28:19 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/sqlite
[Fri May 16 09:28:22 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/SQLite
[Fri May 16 09:28:24 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/SQLiteManager-1.2.4
[Fri May 16 09:28:26 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/sqlitemanager
[Fri May 16 09:28:29 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/SQlite
[Fri May 16 09:28:31 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/SQLiteManager
[Fri May 16 09:28:35 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/webdav

The directories this client scanned share one feature: every one is the default web path of an administration tool (a JBoss JMX console, a Tomcat manager, a Joomla back end, phpMyAdmin, SQLiteManager, WebDAV). On this server every attempt ended in "404 Not Found", which is the only reason it shows up in error_log at all. On a server where one of those tools is installed, the same request would return "401 Unauthorized" (the tool exists and is now a password-guessing target) or, worse, "200 OK" (the tool is exposed without any authentication): that is the security hole this visitor is looking for. Successful requests do not appear in error_log, so check the access log for 200 and 401 responses to these same paths.

Another sample log of the same kind of scan comes from the post [Report] Test de failles sur mon serveur (in French: "Vulnerability testing on my server").

A normal user never asks for jmx-console, SQLiteManager or phpMyAdmin; those paths are of no interest to someone reading the site. So who wants to know whether /jmx-console exists? Someone enumerating the server for exploitable administration interfaces. This visitor was scanning for vulnerabilities, and the pacing gives it away: eighteen different paths from one address in under a minute, one request roughly every two to three seconds, is an automated scanner working through a wordlist, not a person typing URLs.
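To turn that observation into detection logic, here is an added example (my own code, not part of the original post) that parses Apache 2.2-style error_log lines like the ones above, extracts the client address and the requested path, and flags any client that probes several distinct administration-tool paths within a short window. The regular expression, the document root, the list of probe names and the "five distinct probes within five minutes" threshold are assumptions chosen to fit this excerpt; the sample log lines embedded in the block are constructed copies of the excerpt plus a few constructed benign requests.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.2-style error_log line for a missing file, as in the excerpt above (assumed format).
ERROR_LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)

# Document root of the vhost in the excerpt; stripped so we are left with the URL path.
DOCROOT = "/var/www/vhosts/default/htdocs"

# Web entry points of administration tools that ordinary visitors never request.
# Matching is case-insensitive, so "phpmyadmin" and "phpMyAdmin" both hit.
ADMIN_PROBES = {
    "jmx-console", "manager", "administrator", "joomla", "cms",
    "phpmyadmin", "mysql", "sql", "myadmin", "sqlite", "sqlitemanager", "webdav",
}

# Constructed sample: copies of the excerpt (the scanner at 37.59.41.169) plus benign noise.
SAMPLE_LOG = [
    "[Fri May 16 09:27:40 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/jmx-console",
    "[Fri May 16 09:27:42 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/manager",
    "[Fri May 16 09:27:50 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/administrator",
    "[Fri May 16 09:28:00 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/phpmyadmin",
    "[Fri May 16 09:28:03 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin",
    "[Fri May 16 09:28:24 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/SQLiteManager-1.2.4",
    "[Fri May 16 09:28:35 2014] [error] [client 37.59.41.169] File does not exist: /var/www/vhosts/default/htdocs/webdav",
    # a missing favicon, a single stray /manager hit, and a line in another error format
    "[Fri May 16 09:30:01 2014] [error] [client 192.0.2.10] File does not exist: /var/www/vhosts/default/htdocs/favicon.ico",
    "[Fri May 16 09:31:12 2014] [error] [client 198.51.100.7] File does not exist: /var/www/vhosts/default/htdocs/manager",
    "[Fri May 16 09:31:13 2014] [error] [client 198.51.100.7] client denied by server configuration: /var/www/vhosts/default/htdocs/private",
]


def parse_line(line):
    """Return (timestamp, client_ip, url_path) for a 'File does not exist' line, else None."""
    m = ERROR_LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    path = m.group("path")
    if path.startswith(DOCROOT):
        path = path[len(DOCROOT):]
    return ts, m.group("ip"), path


def is_admin_probe(path):
    """True if the first path segment names a known admin tool, ignoring case
    and a trailing version suffix such as 'SQLiteManager-1.2.4'."""
    first = path.strip("/").split("/")[0].lower()
    first = re.sub(r"-[\d.]+$", "", first)
    return first in ADMIN_PROBES


def find_scanners(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: sorted list of all admin paths it probed} for every client that
    requested at least `threshold` distinct admin-tool paths inside any `window`."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, path = parsed
        if is_admin_probe(path):
            events[ip].append((ts, path))

    scanners = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over the time-ordered probes of this client.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {p for _, p in evs[start:end + 1]}
            if len(distinct) >= threshold:
                scanners[ip] = sorted({p for _, p in evs})
                break
    return scanners


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print("%s probed %d admin paths: %s" % (ip, len(paths), ", ".join(paths)))
```

Run against the constructed sample, only 37.59.41.169 is reported; the single /manager request from 198.51.100.7 stays below the threshold, and the missing favicon is ignored because it is not an admin path. In production you would feed the output to whatever maintains your block list, and tune the wordlist to the admin tools you actually run, since a 404 for a tool you do not have is noise, while a 401 or 200 for one you do have is the event that matters.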

The only information we have about this visitor is the source IP address, so let's look that address up in Spamhaus. The answer:

IP Address 37.59.41.169 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2014-05-23 10:00 GMT (+/- 30 minutes), approximately 11 days, 20 hours ago.
This IP is infected with, or is NATting for a machine infected with s_patcher

Now we know that the machine behind that address is infected, or is a NAT gateway in front of an infected machine; its owner is almost certainly unaware that it is scanning other people's servers. It is time to add the IP address to our block list so it cannot reach the server at all. Keep in mind that blocking one address stops only this one bot. The lasting fix is to make sure none of the probed administration interfaces is reachable from the Internet, or at least that each one sits behind authentication and is restricted to trusted source addresses.

Note that Spamhaus listings are dynamic: the information above may no longer be current when you read this post, and the address may be delisted at any time. The reverse also holds: an address that is not listed can still be scanning you, so your own logs remain the primary evidence.
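Because listings change, the lookup is worth scripting so it can be repeated whenever a scanner shows up. The following added example (not from the original post) performs the Spamhaus check programmatically through the public DNSBL interface: it reverses the octets of the address, looks the name up under the zen.spamhaus.org zone (the combined zone, which serves the CBL data via the XBL), and maps the 127.0.0.x answer to the list that matched. The zone name, the return-code table and the 127.255.255.x error codes are taken from my reading of Spamhaus' documentation and should be treated as assumptions to re-check against the current docs. The resolver is injectable so the logic can be exercised offline; the lookup table used for that is constructed.

```python
import socket

# Spamhaus' combined zone. Assumption: the CBL listing shown above is served via the
# XBL component of ZEN, so a CBL-listed address answers with 127.0.0.4 through 127.0.0.7.
ZEN_ZONE = "zen.spamhaus.org"

# Last octet of the 127.0.0.x answer -> which Spamhaus list matched (assumed from the docs).
ZEN_CODES = {
    2: "SBL", 3: "SBL CSS",
    4: "XBL (CBL)", 5: "XBL (CBL)", 6: "XBL (CBL)", 7: "XBL (CBL)",
    9: "SBL DROP",
    10: "PBL", 11: "PBL",
}


def dnsbl_query_name(ip, zone=ZEN_ZONE):
    """Build the reversed-octet name a DNSBL expects:
    37.59.41.169 -> 169.41.59.37.zen.spamhaus.org"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("IPv4 address expected: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def classify_zen_answer(answer):
    """Map the A record returned by ZEN to a verdict string."""
    if answer.startswith("127.255.255."):
        # Assumed error range: .252 typo in zone name, .254 query sent through an
        # open/public resolver (Spamhaus refuses those), .255 query volume exceeded.
        return "error: %s" % answer
    if answer.startswith("127.0.0."):
        code = int(answer.rsplit(".", 1)[1])
        return "listed: %s" % ZEN_CODES.get(code, "unknown code %d" % code)
    return "unexpected answer: %s" % answer


def check_dnsbl(ip, zone=ZEN_ZONE, resolve=socket.gethostbyname):
    """Return 'not listed', 'listed: <list>' or 'error: <code>' for `ip`.
    `resolve` takes a hostname and returns an IPv4 string, or raises socket.gaierror
    for NXDOMAIN; it defaults to the system resolver and can be swapped for testing."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        # NXDOMAIN: the address is not in the zone.
        return "not listed"
    return classify_zen_answer(answer)


def offline_resolver(table):
    """Stand-in for socket.gethostbyname built from a {name: answer} table; raises
    gaierror for any other name. Used only to exercise the logic without network access."""
    def resolve(name):
        if name in table:
            return table[name]
        raise socket.gaierror("NXDOMAIN: %s" % name)
    return resolve


if __name__ == "__main__":
    # Live lookup of the scanner's address through the system resolver.
    print("37.59.41.169:", check_dnsbl("37.59.41.169"))
```

A live run needs a resolver that Spamhaus will answer; queries relayed through large public resolvers come back in the 127.255.255.x error range rather than as a listing, which is why the code reports those separately instead of treating them as "listed". Do not turn this into an automatic block rule on its own: a listing tells you the address has been seen misbehaving recently, while your log evidence tells you it is misbehaving against you now.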
