Rich Wales wrote:
> I did find some generally suspicious things in my web server logs --
> including lots of clients looking for the following item:
>
> /nette.micro?callback=shell_exec&cmd=ifconfig
>
> but there isn't any /nette.micro anywhere on my server, and all these
> GET requests failed with 404 or 302 SMTP response codes.

If the web server logs said it was 404 then that is an HTTP 404 return
code and not an SMTP 404 return code since it is in the web server
logs not the smtp server logs.

    https://en.wikipedia.org/wiki/HTTP_404

That's the normal response to a probe. There are a lot of probes of
web servers on the net.

    rwp@havoc:/var/log$ awk '$9=="404"' /var/log/nginx/access.log | wc -l
    1124

That's one day of log file on one of my systems. The probes are
endless. Script kiddies. It's why we can't have nice things.

Examples of the types of probes. None of these are a problem on my
system but malicious attackers probe to see if there are any
vulnerabilities. These are probes.

    GET /data/admin/allowurl.txt
    GET /html/public/index.php
    GET /phpinfo.php
    GET /wp-config.php
    GET /wp-content/plugins/wp-file-manager/readme.txt
    GET /wp-login.php
    POST /wp-admins.php

The best thing you can do for these is to configure 'fail2ban' to
watch those log files and to drop the malicious probes at the firewall
level. I think most of us would not do without fail2ban!

The HTTP 302 responses need more investigation before an analysis
could be made however. Because for example they might be simply a
normal http redirection from http to https. Or similar. So they all
might turn out to be perfectly normal. You would have to look and
see.

Bob
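
An added example, not part of the message above: the same $9 status test as the awk one-liner, extended to show which clients generate the 404 probes and which paths are being answered with 302 so those can be reviewed separately. It assumes the nginx/Apache "combined" log format; the function names and the sample log lines (documentation IP ranges, made-up timestamps) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes "combined" access-log format: $1 = client IP,
# $7 = request path, $9 = HTTP status. Function names are hypothetical.

# probe_clients LOGFILE MIN
# Print "count ip" for each client with at least MIN 404 responses,
# busiest first: the clients a fail2ban jail would be watching for.
probe_clients() {
    awk -v min="$2" '
        $9 == "404" { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# redirects LOGFILE
# Print "count path" (query string stripped) for requests answered 302,
# so ordinary http-to-https redirects can be told apart from the rest.
redirects() {
    awk '
        $9 == "302" { p = $7; sub(/\?.*/, "", p); n[p]++ }
        END { for (p in n) print n[p], p }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log lines; not taken from any real server.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [01/Jan/2021:06:25:01 +0000] "GET /phpinfo.php HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [01/Jan/2021:06:25:02 +0000] "GET /wp-config.php HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [01/Jan/2021:06:25:03 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [01/Jan/2021:06:25:04 +0000] "GET /nette.micro?callback=shell_exec&cmd=ifconfig HTTP/1.1" 302 0 "-" "-"
198.51.100.23 - - [01/Jan/2021:07:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
198.51.100.23 - - [01/Jan/2021:07:00:01 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "-"
192.0.2.44 - - [01/Jan/2021:08:00:00 +0000] "GET / HTTP/1.1" 302 0 "-" "-"
192.0.2.44 - - [01/Jan/2021:09:00:00 +0000] "GET / HTTP/1.1" 302 0 "-" "-"
EOF
}

log=$(mktemp)
sample_log > "$log"
echo "Clients with 3 or more 404s:"; probe_clients "$log" 3
echo "Paths answered with 302:";     redirects "$log"
rm -f "$log"
```

Against a real server, call the two functions on the access log itself, for example /var/log/nginx/access.log as in the message above.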