Should I bother to block these rather lame attempts at hacking my server?

I'm running a LAMP stack, with no phpMyAdmin (yes) installed. While poking through my Apache server logs I noticed things like:

66.184.178.58 - - [16/Mar/2010:13:27:59 +0800] "GET / HTTP/1.1" 200 1170 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
200.78.247.148 - - [16/Mar/2010:15:26:05 +0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 506 "-" "-"
206.47.160.224 - - [16/Mar/2010:17:27:57 +0800] "GET / HTTP/1.1" 200 1170 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
190.220.14.195 - - [17/Mar/2010:01:28:02 +0800] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 480 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
190.220.14.195 - - [17/Mar/2010:01:28:03 +0800] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 476 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
190.220.14.195 - - [17/Mar/2010:01:28:04 +0800] "GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
190.220.14.195 - - [17/Mar/2010:01:28:05 +0800] "GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 479 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
190.220.14.195 - - [17/Mar/2010:01:28:05 +0800] "GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 479 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
190.220.14.195 - - [17/Mar/2010:01:28:06 +0800] "GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 482 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

What exactly is happening? Is it a really lame attempt at hacking in? Should I bother blocking the IP addresses these are from, or just leave it?

Edit: they apparently tried SSH as well. Amusingly they got nowhere near getting my name right. ;p


Solution 1:

I wouldn't expend the effort to try and deal with things like that manually, but I would be tempted to setup something like fail2ban if you haven't already.

Solution 2:

yes, its script kiddies running standard "off-the-shelf" hacking scripts looking for servers that are vulnerable. If you're patched and firewalled and have all the usual things locked down, then I'd not worry too much about it - you'll get hack attempt all the time.

Of course, worry about not being patched, properly firewalled and having exploitable scripts/pages/apps running on your server. Keep an eye out for anything out of the ordinary and make sure you're notified of security updates and install them.

Solution 3:

It is just background noise of the internet. It is not woth your time or energy to deal with it. If you have not setup fail2ban then you should do that but anything else is not needed. I have seen 10,000+ attempts like this in a just a day or two of logs.

Solution 4:

I see very similar stuff in my logs all the time in my logs. My bet is that it's just a scanner that probably trawls much of the Internet looking for known holes to attack.

In other words, don't worry about it. Just make sure your system is up to date on its patches.