Site under attack?


#1

In the last half hour I have been receiving hundreds of very strange notifications, e.g.

A user tried to go to http://www.soccerwidow.com/dbadmin//scripts/setup.php and received a 404 (page not found) error.

A user tried to go to http://www.soccerwidow.com/mysqladmin//scripts/setup.php and received a 404 (page not found) error.

A user tried to go to http://www.soccerwidow.com/mysql//scripts/setup.php and received a 404 (page not found) error.

A user tried to go to http://www.soccerwidow.com/phpMyAdmin-2.7.0//scripts/setup.php and received a 404 (page not found) error.

It goes on and on and on… as if somebody is automatically trying to figure out where to find scripts/setup.php and then ??? What for?

I’m using WordPress and probably an option would be to ban the IP where these attacks are coming from. Unfortunately, I’m not a programming guru and I don’t even know where to find the log to find the IP and then how to ban the IP.

Please could somebody help?


#2

Your logs can be found in

~/logs/www.soccerwidow.com/http

The current day’s log is named access.log; prior days are named access.log.YYYY-MM-DD and may be compressed with gzip.

Change into the logs directory and from the command prompt type:

grep '//scripts/setup.php' access.log | awk '{print $1}' | sort

This will give you a list of the IP addresses generating that error.
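
An added example, not part of the original posts: the same lookup extended to count requests per IP and to read gzip-compressed rotated logs as well. It assumes the Apache combined log format (client IP in field 1, request path in field 7); the function names and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: count setup.php probe requests per client IP across the
# current log and rotated, optionally gzip-compressed, logs.

# Print "<count> <ip>" for every client that requested a path containing
# //scripts/setup.php, busiest first. Arguments: one or more log files.
probe_sources() {
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc -- "$f" ;;   # rotated logs may be compressed
            *)    cat -- "$f" ;;
        esac
    done |
    awk '
        # Assumed combined log format: $1 = client IP, $7 = request path.
        index($7, "//scripts/setup.php") { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample data (documentation-range IPs), written to directory $1.
make_sample_logs() {
    cat > "$1/access.log" <<'EOF'
203.0.113.7 - - [10/Oct/2012:13:55:36 -0700] "GET /dbadmin//scripts/setup.php HTTP/1.1" 404 345 "-" "-"
203.0.113.7 - - [10/Oct/2012:13:55:37 -0700] "GET /mysql//scripts/setup.php HTTP/1.1" 404 345 "-" "-"
198.51.100.23 - - [10/Oct/2012:13:56:01 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
    printf '%s\n' \
        '192.0.2.44 - - [09/Oct/2012:02:11:09 -0700] "GET /phpMyAdmin-2.7.0//scripts/setup.php HTTP/1.1" 404 345 "-" "-"' \
        '203.0.113.7 - - [09/Oct/2012:02:11:10 -0700] "GET /mysqladmin//scripts/setup.php HTTP/1.1" 404 345 "-" "-"' \
        | gzip -c > "$1/access.log.2012-10-09.gz"
}

# Demo run on the constructed logs; the normal page view is not counted.
tmp=$(mktemp -d)
make_sample_logs "$tmp"
probe_sources "$tmp"/access.log*
rm -rf "$tmp"
```

On the real server the call would be probe_sources access.log* from inside the logs directory.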


#3

Yeah, basically, it’s a script looking for database-related weaknesses. I see those in my logs at least once per month, which is one reason why I asked DH to disable phpMyAdmin access to my databases.