Control Web Panel
WebPanel => Apache => Topic started by: gailclark80 on March 27, 2025, 01:44:07 AM
-
When I checked the Apache access logs (/usr/local/apache/logs/access_log), I found that there were a lot of malicious scans, and their IP addresses were changed frequently as if they were not well monitored.
The files it scans are non-existent.
How can I block these accesses?
Here's an example:
52.247.121.133 - - [26/Mar/2025:06:14:20 +0000] "GET /wp-includes/images/smaxx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:21 +0000] "GET /wp-includes/images/smaxx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:21 +0000] "GET /wp-content/plugins/core-plugin/smaxx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:21 +0000] "GET /wp-content/plugins/core-plugin/smaxx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:21 +0000] "GET /wp-includes/smaxx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:21 +0000] "GET /wp-includes/smaxx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:22 +0000] "GET /wp-content/plugins/smaxx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:22 +0000] "GET /wp-content/plugins/smaxx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:22 +0000] "GET /xt/smaxx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:22 +0000] "GET /xt/smaxx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:22 +0000] "GET /wp-content/smaxx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:22 +0000] "GET /wp-content/smaxx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:23 +0000] "GET /wp-content/themes/twentyfive/smaxx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:23 +0000] "GET /wp-content/themes/twentyfive/smaxx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:23 +0000] "GET /wp-content/upgrade/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:23 +0000] "GET /wp-content/upgrade/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:23 +0000] "GET /.well-known/pki-validation/sx.php HTTP/1.0" 404 16
52.247.121.133 - - [26/Mar/2025:06:14:23 +0000] "GET /wp-admin/user/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:23 +0000] "GET /wp-admin/user/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:24 +0000] "GET /wp-includes/ID3/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:24 +0000] "GET /wp-includes/ID3/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:24 +0000] "GET /wp-includes/blocks/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:24 +0000] "GET /wp-includes/blocks/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:24 +0000] "GET /sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:24 +0000] "GET /sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:25 +0000] "GET /wp-includes/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:25 +0000] "GET /wp-includes/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:25 +0000] "GET /wp-admin/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:25 +0000] "GET /wp-admin/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:25 +0000] "GET /wp-content/plugins/fix/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:26 +0000] "GET /wp-content/plugins/fix/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:26 +0000] "GET /wp-admin/includes/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:26 +0000] "GET /wp-admin/includes/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:26 +0000] "GET /cgi-bin/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:26 +0000] "GET /cgi-bin/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:26 +0000] "GET /wp-admin/css/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:27 +0000] "GET /wp-admin/css/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:27 +0000] "GET /wp-admin/network/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:27 +0000] "GET /wp-admin/network/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:27 +0000] "GET /wp-includes/block-supports/sx.php HTTP/1.0" 301 -
172.177.146.185 - - [26/Mar/2025:04:53:39 +0000] "GET /wp-includes/IXR/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:39 +0000] "GET /wp-admin/js/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:39 +0000] "GET /.well-known/pki-validation/about.php HTTP/1.0" 404 16
172.177.146.185 - - [26/Mar/2025:04:53:39 +0000] "GET /wp-includes/pomo/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:39 +0000] "GET /wp-includes/block-patterns/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:40 +0000] "GET /wp-content/updraft/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:40 +0000] "GET /wp-content/upgrade-temp-backup/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:40 +0000] "GET /wp-content/themes/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:40 +0000] "GET /wp-admin/includes/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:41 +0000] "GET /images/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:41 +0000] "GET /wp-content/blogs.dir/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:41 +0000] "GET /wp-includes/images/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:41 +0000] "GET /wp-includes/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:41 +0000] "GET /cgi-bin/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:42 +0000] "GET /wp-content/gallery/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:42 +0000] "GET /wp-includes/blocks/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:42 +0000] "GET /wp-admin/css/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:42 +0000] "GET /wp-admin/images/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:42 +0000] "GET /.well-known/pki-validation/cloud.php HTTP/1.0" 404 16
172.177.146.185 - - [26/Mar/2025:04:53:42 +0000] "GET /.well-known/acme-challenge/cloud.php HTTP/1.0" 404 16
172.177.146.185 - - [26/Mar/2025:04:53:42 +0000] "GET /wp-admin/network/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:43 +0000] "GET /cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:43 +0000] "GET /cgi-bin/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:43 +0000] "GET /wp-content/updates.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:43 +0000] "GET /css/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:43 +0000] "GET /wp-admin/user/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:44 +0000] "GET /img/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:44 +0000] "GET /wp-admin/css/colors/coffee/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:44 +0000] "GET /wp-admin/images/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:44 +0000] "GET /avaa.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:44 +0000] "GET /images/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:45 +0000] "GET /wp-admin/js/widgets/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:45 +0000] "GET /wp-includes/Requests/Text/admin.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:45 +0000] "GET /wp-admin/css/colors/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:45 +0000] "GET /wp-admin/includes/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:45 +0000] "GET /wp-admin/css/colors/blue/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:46 +0000] "GET /wp-admin/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:46 +0000] "GET /updates.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:46 +0000] "GET /libraries/legacy/updates.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:46 +0000] "GET /libraries/phpmailer/updates.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:46 +0000] "GET /libraries/vendor/updates.php HTTP/1.0" 404 34983
-
It seems all accesses are being made without a user access header, aren't they?
These are bad bots, wasting your bandwidth and machine resources.
Are you using nginx?
I did the following: in the file '/etc/nginx/conf.d/vhosts/domain.com.conf', add the following line before the "location / {" directive:
if ($http_user_agent = "") { return 444; }
...like this:
server {
    listen 11.22.33.44:80;
    server_name domain.com www.domain.com;
    (...)
    # 444 is nginx-specific: close the connection without sending a response
    if ($http_user_agent = "") { return 444; }
    location / {
        (...)
    }
}
You need to change the /etc/nginx/conf.d/vhosts/domain.com.ssl.conf file too, if you use SSL.
Regards,
Netino
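Added example, not part of Netino's post or of the thread: a Python sketch that parses access-log lines like the ones posted above, reports whether the log format records a User-Agent at all (the posted lines are in Apache's common log format, which has no such field), and lists clients that request many non-existent .php paths within a short window. The 203.0.113.10 line, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common log format; the referer/user-agent pair exists only in "combined".
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                     r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?\s*$')

def parse(line):
    """Return a dict for one log line; ua is None when the format omits it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def logs_user_agent(lines):
    """True only if at least one parsed line carries a user-agent field."""
    return any(r and r["ua"] is not None for r in map(parse, lines))

def find_scanners(lines, threshold=3, window=timedelta(seconds=60)):
    """Map IP -> peak number of 404s on .php paths inside one time window."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["status"] == "404" and rec["path"].split("?")[0].endswith(".php"):
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# First four lines are from the thread; the 203.0.113.10 line is constructed.
SAMPLE = """\
52.247.121.133 - - [26/Mar/2025:06:14:20 +0000] "GET /wp-includes/images/smaxx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:21 +0000] "GET /wp-includes/images/smaxx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:21 +0000] "GET /wp-content/plugins/core-plugin/smaxx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:21 +0000] "GET /wp-includes/smaxx.php HTTP/1.0" 404 34983
203.0.113.10 - - [26/Mar/2025:06:15:09 +0000] "GET /old-page.php HTTP/1.1" 404 34983
""".splitlines()

if __name__ == "__main__":
    print("user-agent logged:", logs_user_agent(SAMPLE), "| scanners:", find_scanners(SAMPLE))
```

To run it on real data, pass the lines of /usr/local/apache/logs/access_log instead of SAMPLE; in combined format a request with no User-Agent header appears with "-" in the last field.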
-
I don't know what header you are talking about; I copied the original code from the access_log and didn't change it.
I use Nginx & Apache.
Does this affect Googlebot and Bingbot crawling pages?
Is there any other way to stop it?
-
Also consider installing Wordfence on the affected WP installs. It will block bad actors like this.
But Netino's solution is a good general purpose block for bots without user agent strings.
-
> I don't know what header you are talking about; I copied the original code from the access_log and didn't change it.
> I use Nginx & Apache.
> (...)
The User-Agent header is the HTTP header that identifies the navigator accessing your HTTP server.
> Does this affect Googlebot and Bingbot crawling pages?
No.
> Is there any other way to stop it?
Yes.
Googlebot and Bing use honest user agents, so if you want to block them, you can simply block the "Googlebot" and "bingbot" user agents directly:
if ($http_user_agent ~* "(Googlebot|bingbot)") {
    return 403;
}
You can also choose any other user agent:
if ($http_user_agent ~* "(Googlebot|bingbot|Android|iPhone|iPod|Symbian|BlackBerry|Windows Phone|Mobile|J2ME)") {
    return 403;
}
You can install the "Nginx Ultimate Bad Blocker" to block hundreds of other user agents:
https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
-
Well-behaved bots (such as Googlebot and Bingbot) will respect a robots.txt file at the root of your site.
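User-agent: Googlebot
Disallow: /
Or for efficiency, use this code:
# All other crawlers: nothing may be fetched
User-agent: *
Disallow: /

# Bingbot and Googlebot: an empty Disallow permits everything
User-agent: Bingbot
User-agent: Googlebot
Disallow: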
-
I'm going to post an article on how to do this with ModSecurity.
It should block all bad bots and website scrapers.
-
OK, it's done.
Let me know if anyone finds any bugs, it is kinda late.
https://starburst.help/security/modsecuirty/custom-modules-modsecurity/bad-bots-module-for-modsecurity/