I'm noticing scans in /var/log/apache of search engine bots GETing specific filenames from my server. Most of them are for cracks. I'm not hosting those files, and I don't see them anywhere on my disks. Any idea what would cause this?
3
- Where are you hosted? On AWS I've seen traffic to old owners of elastic IPs on a lot of instances. Not unusual. – ceejayoz Jun 16 '16 at 23:30
1 Answer
4
They scan to find out whether you are at risk, so they can hack you later on if they can get their hands on those files.
It's often a PHP config file (with the database password in it), WordPress's config file, etc.
On my server, for example, I see RDP attempts too; welcome to the internet...
P.S. Many use fail2ban to block those IPs afterwards automatically.
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits

yagmoth555
- Sorry, maybe I didn't explain well. I'm getting scanned by search engine bots (Baidu/Yandex) for specific files like Warcraft3-crack. – Aaron Jun 16 '16 at 20:42
- @Aaron Search for your IP in a search engine; it seems to me someone in the past hosted bad content under your IP or linked to your IP. And make sure they're real, legit engine bots; changing the user-agent string is so easy. – yagmoth555 Jun 16 '16 at 20:44
- Doesn't seem to be anything bad when I use a search engine. Some of them seem like real bots, others fake. I still don't see why someone would fake a search engine bot to scan for random cracks of video games? Beyond using up bandwidth, is this exposing me to any security risks? – Aaron Jun 16 '16 at 20:54
- Unlikely to expose you to a risk. Bandwidth for a request and simple response code is unlikely to be significant unless the request volume is huge. – Tim Jun 16 '16 at 21:32
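
The check raised in the comments above (whether a request with a Baidu or Yandex user-agent really comes from that engine), as an added example that is not part of the original thread: it parses Apache combined-format log lines and applies forward-confirmed reverse DNS. The suffix table, the function names and the sample log lines and DNS answers are assumptions constructed for illustration.

```python
import re
import socket

# Crawler hostname suffixes (assumption: confirm against each engine's current documentation).
BOT_DOMAINS = {"baiduspider": (".baidu.com", ".baidu.jp"), "yandex": (".yandex.ru", ".yandex.net", ".yandex.com")}
# Apache "combined" format: ip, ident, user, [time], "request", status, bytes, "referer", "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def system_resolver(ip):
    """Return (PTR hostname, addresses that hostname resolves to) using real DNS."""
    try:
        host = socket.gethostbyaddr(ip)[0]
        return host, {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return None, set()

def classify(line, resolver=system_resolver):
    """Return (ip, path, verdict) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, agent = m.groups()
    claimed = next((bot for bot in BOT_DOMAINS if bot in agent.lower()), None)
    if claimed is None:
        return ip, path, "no-bot-claim"
    host, addrs = resolver(ip)
    # Forward-confirmed reverse DNS: the PTR name must be under the engine's domain AND
    # resolve back to the client IP; whoever controls the reverse zone can set a PTR freely.
    name = (host or "").lower().rstrip(".")
    if name.endswith(BOT_DOMAINS[claimed]) and ip in addrs:
        return ip, path, "verified-" + claimed
    return ip, path, "unverified-" + claimed

# Constructed sample data (documentation IP ranges, made-up hostnames).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jun/2016:20:30:01 +0000] "GET /Warcraft3-crack HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0)"',
    '198.51.100.9 - - [16/Jun/2016:20:31:12 +0000] "GET /Warcraft3-crack HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0)"',
    '192.0.2.44 - - [16/Jun/2016:20:32:40 +0000] "GET /Warcraft3-crack HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; YandexBot/3.0)"',
]
SAMPLE_DNS = {
    "203.0.113.7": ("crawl-203-0-113-7.crawl.baidu.com", {"203.0.113.7"}),
    "198.51.100.9": ("host9.example.net", {"198.51.100.9"}),
    "192.0.2.44": ("spider.yandex.com", {"192.0.2.1"}),  # PTR claims Yandex, forward lookup disagrees
}

def sample_resolver(ip):
    return SAMPLE_DNS.get(ip, (None, set()))
```

Calling `classify(line)` with no resolver uses live DNS; `classify(line, sample_resolver)` runs the same logic offline against the constructed answers.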