
I found the following requests in my Apache web server. Are these hack attempts? Will they be harmful to the server?

My server is crashing frequently, and I don't know the reason for it:

GET /muieblackcat HTTP/1.1" 302 214
GET //index.php HTTP/1.1" 302 214
GET //admin/index.php HTTP/1.1" 302 214
GET //admin/pma/index.php HTTP/1.1" 302 214
GET //admin/phpmyadmin/index.php HTTP/1.1" 302 214

/user/soapCaller.bs HTTP/1.1" 302 214

GET /robots.txt HTTP/1.0" 302 214.

We see a lot of requests for non-existent setup.php files:

GET /phpmyadmin/scripts/setup.php HTTP/1.1" 302 214
GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 302 214
GET /MyAdmin/scripts/setup.php HTTP/1.1" 302 214
GET /myadmin/scripts/setup.php HTTP/1.1" 302 214
GET //typo3/phpmyadmin/index.php HTTP/1.1" 302 214
GET /pma/scripts/setup.php HTTP/1.1" 302 214
GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 302 214

The below request is also accessed on the server. What request is this?

95.211.124.232 - - [16/Aug/2012:18:14:52 +0800] "CONNECT yandex.ru:80 HTTP/1.1" 302 214

How should this server crash issue be understood?

Peter Mortensen
Mallikarjuna Reddy

3 Answers


Yes, these are probably attempts to hack your server. The hacker makes calls to URLs with known weaknesses. However, you are safe as long as these files don't exist on your server.

You should be concerned if you actually have a file with a known weakness.

One temporary solution would be to block the IP address that these calls are made from. You should also check if any calls from that particular IP address actually found an existing page.

The only permanent solution is to upgrade all of your software so that you are not vulnerable to known security weaknesses.

These HTTP calls cannot explain why your server crashes.

PS: The /robots.txt is not a hacking attempt. This is a file that search engines like Google look for to get instructions about how to index your site. That is perfectly OK.

Peter Mortensen
sstendal

  • The below request was also accessed on the server. What request is this? I have no idea about this. 95.211.124.232 - - [16/Aug/2012:18:14:52 +0800] "CONNECT yandex.ru:80 HTTP/1.1" 302 214 – Mallikarjuna Reddy Sep 17 '12 at 08:42
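As an added example (not part of the answer above or of any project), the following Python script implements the check the answer suggests: it parses Apache access-log lines, flags the probe paths listed in the question plus the CONNECT request, and reports per source IP whether any probed target was actually served with a 2xx. The sample lines are constructed in the question's log format, and the list of probe patterns is an assumption drawn from the question's own lines.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix, as in the question's CONNECT line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Probe paths taken from the question's log; constructed list, extend it from your own logs.
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r'/muieblackcat$', r'/scripts/setup\.php$', r'/(pma|phpmyadmin|myadmin)/', r'/soapCaller\.bs$')]

def classify(line):
    """Return (ip, label, target, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m['method'], m['target'], int(m['status'])
    if method == 'CONNECT':            # CONNECT to a foreign host: tests whether this server is an open proxy
        label = 'proxy-probe'
    elif target == '/robots.txt':      # crawler behaviour, benign
        label = 'benign'
    elif any(p.search(target) for p in PROBE_PATTERNS):
        label = 'scanner-probe'
    else:
        label = 'other'
    return m['ip'], label, target, status

def summarize(lines):
    """Per source IP: number of probes, and probed targets the server actually served (2xx)."""
    report = defaultdict(lambda: {'probes': 0, 'hits': []})
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            continue
        ip, label, target, status = parsed
        if label in ('scanner-probe', 'proxy-probe'):
            report[ip]['probes'] += 1
            if 200 <= status < 300:    # a probed path exists: this IP needs a closer look
                report[ip]['hits'].append(target)
    return dict(report)

# Constructed sample in the question's format; the 200 line is added to show the hit check.
SAMPLE = """\
95.211.124.232 - - [16/Aug/2012:18:14:52 +0800] "CONNECT yandex.ru:80 HTTP/1.1" 302 214
203.0.113.7 - - [16/Aug/2012:18:15:01 +0800] "GET /muieblackcat HTTP/1.1" 302 214
203.0.113.7 - - [16/Aug/2012:18:15:02 +0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 302 214
203.0.113.7 - - [16/Aug/2012:18:15:03 +0800] "GET /pma/scripts/setup.php HTTP/1.1" 200 5120
198.51.100.9 - - [16/Aug/2012:18:16:00 +0800] "GET /robots.txt HTTP/1.0" 302 214
""".splitlines()
```

Feed it your real access log with `summarize(open('/var/log/apache2/access.log'))`; an IP with a non-empty `hits` list has found a file that actually exists and deserves attention, while IPs with probes only and 302/404 responses are the harmless background noise the answer describes.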

I'd like to ask if you are using PHP at all. Most webspaces do support a lot of features. If you don't use PHP, CGI, SSI, etc., you could turn them off.

Also it might be an idea to watch your messages (Linux? - tail -f /var/log/messages). There you can see live actions.

Another idea would be to move the well-known ports of SSH and other daemons, except HTTP, to weird upper ports above 1024 - or, if you have your own public IP address from which you access the Internet, you could set your firewall to only accept connections on those ports from your own IP address.

Peter Mortensen
peet

A good solution would be, if you are running Apache/WHM, to install Mod_security and CSFirewall. Mod_Sec will watch for malicious activity and kick IP addresses to the firewall if they trigger the same security rule too often.

Another solution, which is pretty extreme, would be to block all IP traffic in the firewall based on country code. For instance, if you notice that most of your attacks are coming from Ukraine and 99% of your user base is in the USA, then block the entire offending country. As I said... it's extreme.

Also note that running mod_sec and csf can slow down the server, since they have to check the firewall database for all incoming traffic.

Peter Mortensen