Single Status Update
I've been fairly busy with my web server, wordpress, mysql and particularly interested in the apache stats as of late. This caught my eye, which has started screwing up my vistor stats:
There are a lot more than that in the logs, this is just an excerpt. To me it looks like some automated software requesting '/~carry/.login.php' from the host with random user agent strings, but it doesn't exist and results in a 404 error. If you open the link in Firefox or Chrome, it gets reported as a phishing site.
As a result of the above, I've taught myself about iptables and blocked the IP addresses. I would like to figure out, when time permits, how to set something up that will automatically ban the IP of any machine that tries to access that particular URL. Though the last thing I want is for them to twig to my blocking them and change the url.
Edit: Wheeej, sidescrolling ftw
This is a normal thing that you will experience when running any kind of server on the Internet. It could be a person attacking your machine but it's almost certainly an automated worm searching for new hosts to infect. They usually go through sequences of IP addresses in turn, trying each until they find a web server, then trying to exploit common security vulnerabilities on the web server to find a way in. If it doesn't work, they give up and try a new IP.
Here's a short extract from my own server for example:
In general the best advice is: if you don't need a server or aren't using it any more, turn it off. If you are using it, apply security patches to keep it up to date.
It's almost certainly a waste of time to bother constructing automated firewall scripts or banning IP addresses: if it is a worm, it isn't interested in your server any more. If your server isn't vulnerable to the exploit, it hasn't done you any harm. Banning that particular URL achieves nothing and there are new exploits being discovered all the time. Just keep your server protected by making sure that security updates are applied regularly.
Absolutely. While Im not new to webhosting, the last month or two I've been getting fairly deep into the backend services - manipulating the OS, tweaking php/mysql/apache to suit a low memory VM, etc. I find it fascinating.
I haven't had any other suspicious behaviour asides from what I posted above and this server has been running for a year or so.
I did check the patch level of the OS, found I was a little out of date, but majority of patches were not for the internet components. Still, thanks for the reminder.