Should I bother to block these rather lame attempts at hacking my server?

security hacking apache-2.2

I'm running a LAMP stack, with no phpMyAdmin (yes) installed. While poking through my Apache server logs I noticed things like:

66.184.178.58 - - [16/Mar/2010:13:27:59 +0800] "GET / HTTP/1.1" 200 1170 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
200.78.247.148 - - [16/Mar/2010:15:26:05 +0800] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 506 "-" "-"
206.47.160.224 - - [16/Mar/2010:17:27:57 +0800] "GET / HTTP/1.1" 200 1170 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
190.220.14.195 - - [17/Mar/2010:01:28:02 +0800] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 480 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
190.220.14.195 - - [17/Mar/2010:01:28:03 +0800] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 476 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
190.220.14.195 - - [17/Mar/2010:01:28:04 +0800] "GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
190.220.14.195 - - [17/Mar/2010:01:28:05 +0800] "GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 479 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
190.220.14.195 - - [17/Mar/2010:01:28:05 +0800] "GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 479 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
190.220.14.195 - - [17/Mar/2010:01:28:06 +0800] "GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 482 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

What exactly is happening? Is it a really lame attempt at hacking in? Should I bother blocking the IP addresses these are from, or just leave it?

Edit: they apparently tried SSH as well. Amusingly they got nowhere near getting my name right. ;p


Solution 1:

I wouldn't expend the effort to try and deal with things like that manually, but I would be tempted to setup something like fail2ban if you haven't already.

Solution 2:

yes, its script kiddies running standard "off-the-shelf" hacking scripts looking for servers that are vulnerable. If you're patched and firewalled and have all the usual things locked down, then I'd not worry too much about it - you'll get hack attempt all the time.

Of course, worry about not being patched, properly firewalled and having exploitable scripts/pages/apps running on your server. Keep an eye out for anything out of the ordinary and make sure you're notified of security updates and install them.

Solution 3:

It is just background noise of the internet. It is not woth your time or energy to deal with it. If you have not setup fail2ban then you should do that but anything else is not needed. I have seen 10,000+ attempts like this in a just a day or two of logs.

Solution 4:

I see very similar stuff in my logs all the time in my logs. My bet is that it's just a scanner that probably trawls much of the Internet looking for known holes to attack.

In other words, don't worry about it. Just make sure your system is up to date on its patches.

Related

Is it possible to SSH access a server with a misconfigured subnet?
I cannot connect to my local SQL Server 2008?
Nginx verifying client certs only on a particular location
Who actually "recurses" in a recursive DNS lookup?
How to add user with SFTP/ FTP access to '/var/www/html/website_abc' folder on Amazon EC2 Centos?
How do I configure PostFix to allow other machines to send out email through it?
SSH: DH_GEX group out of range
Postfix aliases and duplicate e-mails, how to fix?
Why OpenVPN use network 0.0.0.0 netmask 128.0.0.0 as a default route?
Out of resources for mysqldump
kill a screen (but not all screens)
OpenVPN: How to mitigate path MTU issues on a per-client basis?