New Node server install, almost immediate hacking attempts
1. Installed a new server today
2. Fired up the node instance
3. Added an iptables entry to redirect tcp/80 to the node app's port
4. Watching the log, I'm seeing this within moments of the site coming up:
HEAD http://instance-ip:80/mysql/admin/ 404 1ms
HEAD http://instance-ip:80/mysql/dbadmin/ 404 1ms
HEAD http://instance-ip:80/mysql/sqlmanager/ 404 0ms
HEAD http://instance-ip:80/mysql/mysqlmanager/ 404 1ms
HEAD http://instance-ip:80/phpmyadmin/ 404 0ms
HEAD http://instance-ip:80/phpMyadmin/ 404 5ms
HEAD http://instance-ip:80/phpMyAdmin/ 404 0ms
HEAD http://instance-ip:80/phpmyAdmin/ 404 0ms
HEAD http://instance-ip:80/phpmyadmin2/ 404 1ms
HEAD http://instance-ip:80/phpmyadmin3/ 404 1ms
HEAD http://instance-ip:80/phpmyadmin4/ 404 4ms
HEAD http://instance-ip:80/2phpmyadmin/ 404 1ms
HEAD http://instance-ip:80/phpmy/ 404 0ms
HEAD http://instance-ip:80/phppma/ 404 1ms
HEAD http://instance-ip:80/myadmin/ 404 1ms
HEAD http://instance-ip:80/shopdb/ 404 1ms
HEAD http://instance-ip:80/MyAdmin/ 404 0ms
HEAD http://instance-ip:80/program/ 404 0ms
HEAD http://instance-ip:80/PMA/ 404 0ms
HEAD http://instance-ip:80/dbadmin/ 404 1ms
HEAD http://instance-ip:80/pma/ 404 0ms
HEAD http://instance-ip:80/db/ 404 1ms
HEAD http://instance-ip:80/admin/ 404 0ms
HEAD http://instance-ip:80/mysql/ 404 1ms
HEAD http://instance-ip:80/database/ 404 1ms
HEAD http://instance-ip:80/db/phpmyadmin/ 404 1ms
HEAD http://instance-ip:80/db/phpMyAdmin/ 404 2ms
HEAD http://instance-ip:80/sqlmanager/ 404 1ms
HEAD http://instance-ip:80/mysqlmanager/ 404 0ms
HEAD http://instance-ip:80/php-myadmin/ 404 0ms
HEAD http://instance-ip:80/phpmy-admin/ 404 1ms
HEAD http://instance-ip:80/mysqladmin/ 404 0ms
HEAD http://instance-ip:80/mysql-admin/ 404 1ms
HEAD http://instance-ip:80/admin/phpmyadmin/ 404 3ms
HEAD http://instance-ip:80/admin/phpMyAdmin/ 404 0ms
HEAD http://instance-ip:80/admin/sysadmin/ 404 1ms
HEAD http://instance-ip:80/admin/sqladmin/ 404 0ms
HEAD http://instance-ip:80/admin/db/ 404 1ms
HEAD http://instance-ip:80/admin/web/ 404 0ms
HEAD http://instance-ip:80/admin/pMA/ 404 1ms
HEAD http://instance-ip:80/mysql/pma/ 404 1ms
HEAD http://instance-ip:80/mysql/db/ 404 0ms
HEAD http://instance-ip:80/mysql/web/ 404 1ms
HEAD http://instance-ip:80/mysql/pMA/ 404 1ms
HEAD http://instance-ip:80/sql/phpmanager/ 404 0ms
HEAD http://instance-ip:80/sql/php-myadmin/ 404 1ms
HEAD http://instance-ip:80/sql/phpmy-admin/ 404 0ms
HEAD http://instance-ip:80/sql/sql/ 404 1ms
HEAD http://instance-ip:80/sql/myadmin/ 404 0ms
HEAD http://instance-ip:80/sql/webadmin/ 404 1ms
HEAD http://instance-ip:80/sql/sqlweb/ 404 0ms
HEAD http://instance-ip:80/sql/websql/ 404 1ms
HEAD http://instance-ip:80/sql/webdb/ 404 0ms
HEAD http://instance-ip:80/sql/sqladmin/ 404 1ms
HEAD http://instance-ip:80/sql/sql-admin/ 404 0ms
HEAD http://instance-ip:80/sql/phpmyadmin2/ 404 1ms
HEAD http://instance-ip:80/sql/phpMyAdmin2/ 404 0ms
HEAD http://instance-ip:80/sql/phpMyAdmin/ 404 1ms
HEAD http://instance-ip:80/db/myadmin/ 404 0ms
HEAD http://instance-ip:80/db/webadmin/ 404 0ms
HEAD http://instance-ip:80/db/dbweb/ 404 2ms
HEAD http://instance-ip:80/db/websql/ 404 0ms
HEAD http://instance-ip:80/db/webdb/ 404 0ms
HEAD http://instance-ip:80/db/dbadmin/ 404 1ms
HEAD http://instance-ip:80/db/db-admin/ 404 1ms
HEAD http://instance-ip:80/db/phpmyadmin3/ 404 1ms
HEAD http://instance-ip:80/db/phpMyAdmin3/ 404 1ms
HEAD http://instance-ip:80/db/phpMyAdmin-3/ 404 1ms
HEAD http://instance-ip:80/administrator/phpmyadmin/ 404 1ms
HEAD http://instance-ip:80/administrator/phpMyAdmin/ 404 1ms
HEAD http://instance-ip:80/administrator/db/ 404 0ms
HEAD http://instance-ip:80/administrator/web/ 404 1ms
HEAD http://instance-ip:80/administrator/pma/ 404 0ms
HEAD http://instance-ip:80/administrator/PMA/ 404 1ms
HEAD http://instance-ip:80/administrator/admin/ 404 1ms
HEAD http://instance-ip:80/phpMyAdmin2/ 404 0ms
HEAD http://instance-ip:80/phpMyAdmin3/ 404 1ms
HEAD http://instance-ip:80/phpMyAdmin4/ 404 0ms
HEAD http://instance-ip:80/phpMyAdmin-3/ 404 1ms
HEAD http://instance-ip:80/php-my-admin/ 404 4ms
HEAD http://instance-ip:80/PMA2011/ 404 0ms
HEAD http://instance-ip:80/PMA2012/ 404 1ms
HEAD http://instance-ip:80/PMA2013/ 404 0ms
HEAD http://instance-ip:80/PMA2014/ 404 0ms
HEAD http://instance-ip:80/PMA2015/ 404 1ms
HEAD http://instance-ip:80/PMA2016/ 404 1ms
HEAD http://instance-ip:80/PMA2017/ 404 0ms
HEAD http://instance-ip:80/PMA2018/ 404 1ms
HEAD http://instance-ip:80/pma2011/ 404 1ms
HEAD http://instance-ip:80/pma2012/ 404 1ms
HEAD http://instance-ip:80/pma2013/ 404 1ms
HEAD http://instance-ip:80/pma2014/ 404 0ms
HEAD http://instance-ip:80/pma2015/ 404 1ms
HEAD http://instance-ip:80/pma2016/ 404 0ms
HEAD http://instance-ip:80/pma2017/ 404 1ms
HEAD http://instance-ip:80/pma2018/ 404 0ms
HEAD http://instance-ip:80/phpmyadmin2011/ 404 1ms
HEAD http://instance-ip:80/phpmyadmin2012/ 404 0ms
HEAD http://instance-ip:80/phpmyadmin2013/ 404 1ms
HEAD http://instance-ip:80/phpmyadmin2014/ 404 0ms
HEAD http://instance-ip:80/phpmyadmin2015/ 404 1ms
HEAD http://instance-ip:80/phpmyadmin2016/ 404 0ms
HEAD http://instance-ip:80/phpmyadmin2017/ 404 1ms
HEAD http://instance-ip:80/phpmyadmin2018/ 404 1ms
HEAD http://instance-ip:80/phpmanager/ 404 0ms
Questions:
Is this Linode doing a security check?
Will this repeat frequently and if so, will I be charged for the activity against my Linode?
Or is this scripted IP-walked hacking that's going on in realtime? (I don't love that I'm being charged for this.)
7 Replies
There are tons of people running scripts, which scan the entire internet net block range for various things (vulnerabilities, statistics, data mining, etc). Nothing you can do about it, just ignore them. Essentially, they are harmless, unless you run some exploitable software on your server.
It is all part of the game when running a PUBLIC server; you get public affection.
You don't get charged for such low traffic, the bandwidth use is insignificant.
1) almost all of them are harmless, if you run updated software. You must be running some real junk to get hacked, like vulnerable wordpress plugins/templates.
2) most of them originate from a specific set of countries, thus it is fairly easy to mass-block them, like China, Argentina, Russia, Ukraine, etc. For example, you may decide that your websites are geared towards English speaking North Americans or Europeans, then you could easily block most of the rest of the world. Sure, if you block too many countries then even English speaking tourists won't be able to view your websites while away on those countries, but ultimately you decide how far you want to go.
Almost all admins that I know block China and Russia by default.
Here is a post I wrote a while ago, about how to block countries with firewalld:
@IfThenElse:
But it makes admins happy
I must admit that in the past I had a one-strike policy on a per-country basis. If I received one spam or hacking attempt from a country, I'd block the entire country's IP range. It tends to slow down the nonsense.
That said, it's good to know that this isn't a Linode-spawned test of some kind. I've reviewed the logs, updated the log content and have now taken counter-measures.
Also, in the past when I owned my own datacenter, I had a fondness for redirecting ne'er-do-wells to the CHARGEN port tcp:19. It tends to fill up the log partition of your scripted hacker and they fall off the end of the Internet until they can fix that. I'm not condoning that behavior.
@fos:
I have found this happens every time I spin up a server. The first thing on the agenda is setting up the security protocols. Linode has an excellent guide at:
https://www.linode.com/docs/security It has a section for each flavor of linux that you happen to use.
Good luck, Jeff
Jeff, yes I totally fixed things up with respect to security and the firewall. These are port 80–related, of course.