What are they looking for?

server log shows odd activity

cameraman

1:53 am on Jan 21, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I look at my server log almost every day, and I keep seeing activity of someone/thing trying to find, for example, xmlrpc in all kinds of locations - the root, and in subdirectories that I don't have. It seems like the people trying to find this usually live in Amsterdam or an Asian country.
Is there a legitimate cause for this, or am I right that if 'they' were to find it, they'd use it to cause trouble?

I also see people trying to get into phpMyAdmin, phpAuction, executing 'cmd' this or that, and other such suspicious activity.

I set up some criteria for deciding when to start turning them away and add the IP to my deny table. However, a friend commented that if they don't find what they're looking for they likely won't ever be back. Is that reasonable - am I just making my deny unnecessarily long?
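
One way to test the friend's claim against the log itself, as an added example that is not part of the original post: it counts failed (404) requests for the probe targets named above per IP and reports which addresses came back on a later day. The log lines are constructed samples in Apache common log format, and the pattern list and the `min_hits` threshold are assumptions, not the poster's actual criteria.

```python
import re
from collections import defaultdict

# Path fragments named in the post, matched case-insensitively.
# "cmd" is deliberately crude and will also match legitimate paths containing it.
PROBE = re.compile(r"xmlrpc|phpmyadmin|phpauction|cmd", re.I)
# ip, date (without time), request path, status code
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^:]+):[^\]]*\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jan/2007:03:12:01 +0000] "GET /xmlrpc.php HTTP/1.1" 404 208
192.0.2.10 - - [19/Jan/2007:03:12:02 +0000] "GET /blog/xmlrpc.php HTTP/1.1" 404 208
192.0.2.10 - - [19/Jan/2007:03:12:03 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 208
198.51.100.7 - - [19/Jan/2007:08:40:11 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [19/Jan/2007:08:40:15 +0000] "GET /old-page.html HTTP/1.1" 404 208
203.0.113.5 - - [19/Jan/2007:22:01:44 +0000] "GET /phpauction/login.php HTTP/1.1" 404 208
203.0.113.5 - - [20/Jan/2007:22:05:10 +0000] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 208
203.0.113.5 - - [21/Jan/2007:01:17:30 +0000] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 208
"""

def summarize_probes(log_text):
    """Return {ip: {"hits": n, "days": set of date strings}} for failed probe requests."""
    seen = defaultdict(lambda: {"hits": 0, "days": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, day, path, status = m.groups()
        # An ordinary broken link is also a 404, so require a probe pattern too.
        if status == "404" and PROBE.search(path):
            seen[ip]["hits"] += 1
            seen[ip]["days"].add(day)
    return dict(seen)

def deny_candidates(summary, min_hits=3):
    """IPs with at least min_hits failed probes (hypothetical threshold)."""
    return sorted(ip for ip, v in summary.items() if v["hits"] >= min_hits)

def returning_ips(summary):
    """IPs that probed on more than one calendar day, i.e. they did come back."""
    return sorted(ip for ip, v in summary.items() if len(v["days"]) > 1)

if __name__ == "__main__":
    s = summarize_probes(SAMPLE_LOG)
    print("deny candidates:", deny_candidates(s))
    print("came back on a later day:", returning_ips(s))
```

If `returning_ips` stays empty over several weeks of real logs, the deny entries for one-off probers are doing little work.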

FalseDawn

11:10 pm on Jan 21, 2007 (gmt 0)

10+ Year Member



You will go crazy if you try to analyze your logs on a frequent basis. I came to the conclusion a long time ago that it is a complete waste of time. Block one IP, and two more will appear.
It is invariably script kiddies looking for vulnerable software to exploit.

Just make sure that any software you are using is fully up to date and keep abreast of security announcements.