« previous next »
Pages: [1]

Author Topic: How to stop malicious scans  (Read 142 times)

0 Members and 1 Guest are viewing this topic.

Offline
gailclark80
*
How to stop malicious scans
« on: March 27, 2025, 01:44:07 AM »
When I checked the Apache access logs (/usr/local/apache/logs/access_log), I found that there were a lot of malicious scans, and their IP addresses were changed frequently as if they were not well monitored.

The files it scans are non-existent

How can I block these accesses?

Here's an example
52.247.121.133 - - [26/Mar/2025:06:14:20 +0000] "GET /wp-includes/images/smaxx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:21 +0000] "GET /wp-includes/images/smaxx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:21 +0000] "GET /wp-content/plugins/core-plugin/smaxx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:21 +0000] "GET /wp-content/plugins/core-plugin/smaxx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:21 +0000] "GET /wp-includes/smaxx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:21 +0000] "GET /wp-includes/smaxx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:22 +0000] "GET /wp-content/plugins/smaxx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:22 +0000] "GET /wp-content/plugins/smaxx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:22 +0000] "GET /xt/smaxx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:22 +0000] "GET /xt/smaxx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:22 +0000] "GET /wp-content/smaxx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:22 +0000] "GET /wp-content/smaxx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:23 +0000] "GET /wp-content/themes/twentyfive/smaxx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:23 +0000] "GET /wp-content/themes/twentyfive/smaxx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:23 +0000] "GET /wp-content/upgrade/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:23 +0000] "GET /wp-content/upgrade/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:23 +0000] "GET /.well-known/pki-validation/sx.php HTTP/1.0" 404 16
52.247.121.133 - - [26/Mar/2025:06:14:23 +0000] "GET /wp-admin/user/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:23 +0000] "GET /wp-admin/user/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:24 +0000] "GET /wp-includes/ID3/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:24 +0000] "GET /wp-includes/ID3/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:24 +0000] "GET /wp-includes/blocks/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:24 +0000] "GET /wp-includes/blocks/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:24 +0000] "GET /sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:24 +0000] "GET /sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:25 +0000] "GET /wp-includes/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:25 +0000] "GET /wp-includes/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:25 +0000] "GET /wp-admin/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:25 +0000] "GET /wp-admin/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:25 +0000] "GET /wp-content/plugins/fix/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:26 +0000] "GET /wp-content/plugins/fix/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:26 +0000] "GET /wp-admin/includes/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:26 +0000] "GET /wp-admin/includes/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:26 +0000] "GET /cgi-bin/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:26 +0000] "GET /cgi-bin/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:26 +0000] "GET /wp-admin/css/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:27 +0000] "GET /wp-admin/css/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:27 +0000] "GET /wp-admin/network/sx.php HTTP/1.0" 301 -
52.247.121.133 - - [26/Mar/2025:06:14:27 +0000] "GET /wp-admin/network/sx.php HTTP/1.0" 404 34983
52.247.121.133 - - [26/Mar/2025:06:14:27 +0000] "GET /wp-includes/block-supports/sx.php HTTP/1.0" 301 -
172.177.146.185 - - [26/Mar/2025:04:53:39 +0000] "GET /wp-includes/IXR/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:39 +0000] "GET /wp-admin/js/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:39 +0000] "GET /.well-known/pki-validation/about.php HTTP/1.0" 404 16
172.177.146.185 - - [26/Mar/2025:04:53:39 +0000] "GET /wp-includes/pomo/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:39 +0000] "GET /wp-includes/block-patterns/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:40 +0000] "GET /wp-content/updraft/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:40 +0000] "GET /wp-content/upgrade-temp-backup/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:40 +0000] "GET /wp-content/themes/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:40 +0000] "GET /wp-admin/includes/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:41 +0000] "GET /images/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:41 +0000] "GET /wp-content/blogs.dir/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:41 +0000] "GET /wp-includes/images/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:41 +0000] "GET /wp-includes/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:41 +0000] "GET /cgi-bin/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:42 +0000] "GET /wp-content/gallery/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:42 +0000] "GET /wp-includes/blocks/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:42 +0000] "GET /wp-admin/css/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:42 +0000] "GET /wp-admin/images/about.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:42 +0000] "GET /.well-known/pki-validation/cloud.php HTTP/1.0" 404 16
172.177.146.185 - - [26/Mar/2025:04:53:42 +0000] "GET /.well-known/acme-challenge/cloud.php HTTP/1.0" 404 16
172.177.146.185 - - [26/Mar/2025:04:53:42 +0000] "GET /wp-admin/network/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:43 +0000] "GET /cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:43 +0000] "GET /cgi-bin/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:43 +0000] "GET /wp-content/updates.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:43 +0000] "GET /css/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:43 +0000] "GET /wp-admin/user/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:44 +0000] "GET /img/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:44 +0000] "GET /wp-admin/css/colors/coffee/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:44 +0000] "GET /wp-admin/images/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:44 +0000] "GET /avaa.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:44 +0000] "GET /images/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:45 +0000] "GET /wp-admin/js/widgets/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:45 +0000] "GET /wp-includes/Requests/Text/admin.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:45 +0000] "GET /wp-admin/css/colors/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:45 +0000] "GET /wp-admin/includes/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:45 +0000] "GET /wp-admin/css/colors/blue/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:46 +0000] "GET /wp-admin/cloud.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:46 +0000] "GET /updates.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:46 +0000] "GET /libraries/legacy/updates.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:46 +0000] "GET /libraries/phpmailer/updates.php HTTP/1.0" 404 34983
172.177.146.185 - - [26/Mar/2025:04:53:46 +0000] "GET /libraries/vendor/updates.php HTTP/1.0" 404 34983
« Last Edit: March 27, 2025, 01:46:39 AM by gailclark80 »
Logged
Offline
Netino
***
Re: How to stop malicious scans
« Reply #1 on: March 27, 2025, 02:20:43 AM »
Seems all accesses are being without user access header, isn't?
These are bad bots, wasting you bandwidth and machine resources.

You are using nginx?

I did the following, in file '/etc/nginx/conf.d/vhosts/domain.com.conf', change before "location / {" directive, including the following:
Code: [Select]
if ($http_user_agent = "") { return 444; }

...like in the following:
Code: [Select]
server {
        listen 11.22.33.44:80;       
        server_name domain.com  www.domain.com;
        (...)
        if ($http_user_agent = "") { return 444; }

        location / {
        (...)
}

You need to change the /etc/nginx/conf.d/vhosts/domain.com.ssl.conf files too, if you use ssl.

Regards,
Netino
Logged
Offline
gailclark80
*
Re: How to stop malicious scans
« Reply #2 on: March 27, 2025, 07:08:50 AM »
I don't know what header you talking about, I copied the original code from the access_log and didn't change them.

I use Nginx & Apache.

Does this affect Googlebot and Bingbot crawling pages?

Is there any other way to stop it?
Logged
Offline
overseer
*****
Re: How to stop malicious scans
« Reply #3 on: March 27, 2025, 05:24:16 PM »
Also consider installing Wordfence on the affected WP installs. It will block bad actors like this.
But Netino's solution is a good general purpose block for bots without user agent strings.
Logged
Offline
Netino
***
Re: How to stop malicious scans
« Reply #4 on: March 30, 2025, 12:57:22 AM »
Quote from: gailclark80 on March 27, 2025, 07:08:50 AM
I don't know what header you talking about, I copied the original code from the access_log and didn't change them.

I use Nginx & Apache.
(...)

The useragent header is the HTTP header that identifies the navigator acessing you HTTP server.

Quote from: gailclark80 on March 27, 2025, 07:08:50 AM
Does this affect Googlebot and Bingbot crawling pages?
No.

Quote
Is there any other way to stop it?

Yes.
Googlebot and Bing use honest useragents, so if you want to block them, you can simply block the "Googlebot" and "bingbot" useragents directly:
Code: [Select]
if ($http_user_agent ~* "(Googlebot|bingbot)") {
    return 403;
}

You can choose too any other useragent:
Code: [Select]
if ($http_user_agent ~* "(Googlebot|bingbot|Android|iPhone|iPod|Symbian|BlackBerry|Windows Phone|Mobile|J2ME)") {
    return 403;
}

You can install the "Nginx Ultimate Bad Blocker" to block hundreds other useragents:
https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
Logged
Offline
overseer
*****
Re: How to stop malicious scans
« Reply #5 on: March 30, 2025, 01:09:57 AM »
Well-behaved bots (such as Googlebot and Bingbot) will respect a robots.txt file at the root of your site.
Code: [Select]
User-agent: Googlebot Disallow: /
Or for efficiency, use this code:
Code: [Select]
User-agent: *
Disallow: /

User-agent: Bingbot
User-agent: Googlebot
Disallow:
Logged
Offline
Starburst
*****
Re: How to stop malicious scans
« Reply #6 on: March 31, 2025, 12:32:12 AM »
I'm going to post a article on how to do this with ModSecurity.

It should block all bad bots and website scrappers.
Logged
Offline
Starburst
*****
Re: How to stop malicious scans
« Reply #7 on: March 31, 2025, 01:25:51 AM »
« Last Edit: March 31, 2025, 01:32:58 AM by Starburst »
Logged
Pages: [1]
« previous next »