mdtaylorlrim
Posted January 6, 2010

I watch my log files daily. In fact, I have them sent to me via email every day. Two logs, the httpd error log and the secure log.

The httpd error log reveals users attempting to access such directories as /phpmyadmin/; /phpMyAdmin/; /pma/; /p/m/a/; and a host of other attempts to phpMyAdmin, mySQL, MSOFFICE, vti_bin, admin and many others.

How many of you do something similar and what is it? Is there anything specific that you do when you see things like this in your logs?

I have the luxury of having my own server and have a bit more flexibility in mitigating actions. I have written a script that automatically bans the IP address, albeit temporarily, so that they only get one shot at hunting for doorways to hack my server.

Share your experiences.

Community Bootstrap Edition, Edge
Avoid the most asked question. See How to Secure My Site and How do I...?

mdtaylorlrim
Posted January 7, 2010

Here is a question for anyone...

In my logs I see requests for pages. They all use the legitimate GET method. When a normal user requests a file, whether it results in a 200 code or 404 code, the method is GET /path/to/page. But when someone attempts to access a resource in an attempt to hack the system, such as requesting the directory phpMyAdmin, or PMA, or php-my-admin or something, the request is ALWAYS a GET //path/to/non-existent/directory. Always with the // after the GET instead of the single /. Protocol is still HTTP/1.0 but I am at a loss as to why they always have double slashes instead of single slashes.

Any ideas anyone?
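
An added example, not part of the original posts and not the poster's own script: one way to pick out the requests described in both posts (the probe paths from the first, the leading `//` from the second) as candidates for a temporary ban. It assumes an access log in Common Log Format; the `_vti_bin` spelling, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Probe targets named in the thread, compared case-insensitively.
# "_vti_bin" is an assumed variant of the thread's "vti_bin".
PROBE_NAMES = {"phpmyadmin", "pma", "php-my-admin", "mysql", "msoffice",
               "vti_bin", "_vti_bin", "admin"}

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) ')

def classify(path):
    """Return the reasons a request path looks like a probe (may be empty)."""
    reasons = []
    if path.startswith("//"):
        reasons.append("double-slash")
    segments = [s for s in path.split("?", 1)[0].lower().split("/") if s]
    # Match on the first segment, or on all segments joined so that
    # /p/m/a/ is recognised as "pma".
    if segments and (segments[0] in PROBE_NAMES
                     or "".join(segments) in PROBE_NAMES):
        reasons.append("probe-path")
    return reasons

def find_probes(lines):
    """Map client IP -> [(path, reasons)] for 404 requests that look like probes."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue  # unparsable line, or the resource actually exists
        reasons = classify(m["path"])
        if reasons:
            hits[m["ip"]].append((m["path"], reasons))
    return dict(hits)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [06/Jan/2010:03:14:07 -0500] "GET //phpMyAdmin/ HTTP/1.0" 404 208',
    '198.51.100.7 - - [06/Jan/2010:03:14:08 -0500] "GET //p/m/a/ HTTP/1.0" 404 208',
    '203.0.113.9 - - [06/Jan/2010:09:00:00 -0500] "GET /images/missing.png HTTP/1.1" 404 208',
    '203.0.113.9 - - [06/Jan/2010:09:00:01 -0500] "GET /admin/ HTTP/1.1" 200 5120',
    '192.0.2.44 - - [06/Jan/2010:11:30:12 -0500] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 208',
]

if __name__ == "__main__":
    for ip, found in find_probes(SAMPLE).items():
        print(ip, found)
```

Only 404 responses are considered, so an ordinary broken link or a real `/admin/` page that returns 200 does not put a visitor on the ban list.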
Archived
This topic is now archived and is closed to further replies.