In recent days, I've noticed that my web server is going down in the morning hours. I am running Apache Tomcat as the application launcher, and when I check the logs written for the page, I find the following strange flood of requests (seen in localhost_acces_log.2017-10-xx.txt in /opt/tomcat/logs):
104.210.32.159 - - [20/Oct/2017:00:56:43 -0400] "GET /phpMyAdmin/scripts.setup.php HTTP/1.1" 404 1050
104.210.32.159 - - [20/Oct/2017:00:56:47 -0400] "GET /mysql/scripts/setup.php HTTP/1.1" 404 1040
104.210.32.159 - - [20/Oct/2017:00:56:47 -0400] "GET /pma/scripts/setup.php HTTP/1.1" 404 1036
104.210.32.159 - - [20/Oct/2017:00:56:50 -0400] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 1044
104.210.32.159 - - [20/Oct/2017:00:56:51 -0400] "GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 1062
104.210.32.159 - - [20/Oct/2017:00:56:51 -0400] "GET /scripts/setup.php HTTP/1.1" 404 1028
104.210.32.159 - - [20/Oct/2017:00:56:51 -0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 1050
222.103.136.110 - - [20/Oct/2017:01:17:52 -0400] "GET /phpMyAdmin/scripts.setup.php HTTP/1.1" 404 1050
222.103.136.110 - - [20/Oct/2017:01:17:52 -0400] "GET /mysql/scripts/setup.php HTTP/1.1" 404 1040
222.103.136.110 - - [20/Oct/2017:01:17:52 -0400] "GET /pma/scripts/setup.php HTTP/1.1" 404 1036
222.103.136.110 - - [20/Oct/2017:01:17:53 -0400] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 1044
222.103.136.110 - - [20/Oct/2017:01:17:53 -0400] "GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 1062
222.103.136.110 - - [20/Oct/2017:01:17:54 -0400] "GET /scripts/setup.php HTTP/1.1" 404 1028
These lines are a small part of a huge flood of request lines like these.
The IP addresses belong to servers located in China, Poland, France, etc., which makes me think someone is using a VPN to make the requests.
To clarify, the only thing I have configured on my web server is the Apache Tomcat application manager.
I think this information is related to the issue with my web server.
My question is:
Is someone trying to discover vulnerabilities in my server for future attacks? Is someone making a DDoS attack on my web server? Or what is going on here?
After googling a bit I found that this type of request against a web server exposed to the internet is common. Many bots try to make use of vulnerabilities in router configuration. The requests did not fetch anything, so they returned a 404 error. This looks like ZmEu (a vulnerability scanner) run against your Tomcat server. It is a computer vulnerability scanner which searches for web servers that are open to attack through the phpMyAdmin program. That's why it is trying to find the setup file of phpMyAdmin, mysql, pma, MyAdmin, xampp, all these applications. You can check that all the requests returned a 404 error (in your case they will have, since you don't have any other application installed on your web server) and that there is no 200 success message. In order to prevent such attacks, you can do the following:

1. Block all the suspicious IPs using iptables.

2. Every attack of this kind creates a performance leak, as a 404 error page must be generated and served. You can create an antibot.php file with these lines:
<?php
// Answer 403 to anything mod_rewrite sends here, then stop so nothing else is served.
header("HTTP/1.1 403 Forbidden");
exit;
?>
Then add these lines to your .htaccess file in the web root directory. If you don’t have one, just create it. Remember you must have mod_rewrite installed and loaded.
# Apache httpd mod_rewrite rules (.htaccess files are processed by Apache httpd, not by Tomcat)
RewriteEngine on
# REQUEST_URI always starts with "/", so exclude the 403 page itself or the redirect loops
RewriteCond %{REQUEST_URI} !^/antibot\.php
# Match any User-Agent header containing the string ZmEu
RewriteCond %{HTTP_USER_AGENT} (.*)ZmEu(.*)
RewriteRule .* http://www.yourdomain.com/antibot.php [R=301,L]
This will reply with a 403 error to all the requests that contain the string ZmEu in the user agent. So if you only use this method, your server will be blocking only ZmEu attacks. If you also want to block other user agents just add another RewriteCond %{HTTP_USER_AGENT} botname_regexp line. When adding another condition, don’t forget to add [OR] at the end of the previous RewriteCond.
You can refer to the following links: https://security.stackexchange.com/questions/40291/strange-requests-to-web-server , https://ensourced.wordpress.com/2011/02/25/zmeu-attacks-some-basic-forensic/
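The checks the answer describes (every request from the scanning hosts returning 404, none returning 200, and the source IPs being candidates for an iptables block) as an added example in Python; this is not code from the question or the answer. It parses lines in the Tomcat access-log format quoted in the question, groups them by client IP, and produces a verdict per IP plus the iptables commands for item 1. The 198.51.100.7 and 203.0.113.9 lines are constructed for the example (one benign request and one probe that got a 200, the case worth investigating), the probe-path regex and the threshold of three distinct probe paths are my own choices, and the request rate is computed to show why this is reconnaissance rather than a DDoS: the first host in the question sent seven requests in eight seconds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Tomcat's AccessLogValve "common" format. The scanner
# lines are the ones quoted in the question; the 198.51.100.7 and 203.0.113.9
# lines are made up here to give the checks a benign request and a probe that
# did NOT get a 404 (the case the answer says to look for).
SAMPLE_LOG = """\
104.210.32.159 - - [20/Oct/2017:00:56:43 -0400] "GET /phpMyAdmin/scripts.setup.php HTTP/1.1" 404 1050
104.210.32.159 - - [20/Oct/2017:00:56:47 -0400] "GET /mysql/scripts/setup.php HTTP/1.1" 404 1040
104.210.32.159 - - [20/Oct/2017:00:56:47 -0400] "GET /pma/scripts/setup.php HTTP/1.1" 404 1036
104.210.32.159 - - [20/Oct/2017:00:56:50 -0400] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 1044
104.210.32.159 - - [20/Oct/2017:00:56:51 -0400] "GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 1062
104.210.32.159 - - [20/Oct/2017:00:56:51 -0400] "GET /scripts/setup.php HTTP/1.1" 404 1028
104.210.32.159 - - [20/Oct/2017:00:56:51 -0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 1050
198.51.100.7 - - [20/Oct/2017:01:02:10 -0400] "GET /myapp/index.html HTTP/1.1" 200 5120
222.103.136.110 - - [20/Oct/2017:01:17:52 -0400] "GET /phpMyAdmin/scripts.setup.php HTTP/1.1" 404 1050
222.103.136.110 - - [20/Oct/2017:01:17:52 -0400] "GET /mysql/scripts/setup.php HTTP/1.1" 404 1040
222.103.136.110 - - [20/Oct/2017:01:17:52 -0400] "GET /pma/scripts/setup.php HTTP/1.1" 404 1036
222.103.136.110 - - [20/Oct/2017:01:17:53 -0400] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 1044
203.0.113.9 - - [20/Oct/2017:02:30:01 -0400] "GET /pma/scripts/setup.php HTTP/1.1" 404 1036
203.0.113.9 - - [20/Oct/2017:02:30:02 -0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 2310
203.0.113.9 - - [20/Oct/2017:02:30:04 -0400] "GET /mysql/scripts/setup.php HTTP/1.1" 404 1040
"""

# Common Log Format: ip ident user [timestamp] "method path protocol" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# Paths the phpMyAdmin scanner in the question probes (my own pattern, not ZmEu's list)
PROBE = re.compile(r"(?i)phpmyadmin|/pma/|/myadmin/|/mysql/|setup\.php")
PROBE_THRESHOLD = 3  # distinct probe paths from one IP before it is called a scanner


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "status": int(status),
    }


def analyse(log_text):
    """Group requests by client IP and classify each IP as benign, scanner, or scanner-hit."""
    per_ip = defaultdict(lambda: {
        "requests": 0, "not_found": 0, "probe_paths": set(),
        "probe_hits": [], "first": None, "last": None,
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["not_found"] += rec["status"] == 404
        s["first"] = rec["time"] if s["first"] is None else min(s["first"], rec["time"])
        s["last"] = rec["time"] if s["last"] is None else max(s["last"], rec["time"])
        if PROBE.search(rec["path"]):
            s["probe_paths"].add(rec["path"])
            if rec["status"] < 400:  # a probe that found something: not a 404
                s["probe_hits"].append((rec["path"], rec["status"]))

    report = {}
    for ip, s in per_ip.items():
        span = (s["last"] - s["first"]).total_seconds()
        if s["probe_hits"]:
            verdict = "scanner-hit"       # investigate: the probed path exists
        elif len(s["probe_paths"]) >= PROBE_THRESHOLD:
            verdict = "scanner"           # recon only, everything came back 404
        else:
            verdict = "benign"
        report[ip] = {
            "verdict": verdict,
            "requests": s["requests"],
            "not_found": s["not_found"],
            "probe_paths": len(s["probe_paths"]),
            "probe_hits": s["probe_hits"],
            # requests per second over the IP's activity window; a flood would be
            # orders of magnitude above the ~1/s seen here
            "rate_per_s": s["requests"] / max(span, 1.0),
        }
    return report


def block_rules(report):
    """iptables commands for every non-benign IP (returned as strings, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip, r in sorted(report.items()) if r["verdict"] != "benign"]


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, r in sorted(result.items()):
        print(f"{ip:16} {r['verdict']:12} req={r['requests']} 404={r['not_found']} "
              f"probes={r['probe_paths']} hits={r['probe_hits']} rate={r['rate_per_s']:.2f}/s")
    print("\n".join(block_rules(result)))
```

Run as-is it prints one line per IP and the block commands; pipe the real localhost_access_log file into analyse() instead of SAMPLE_LOG to run it over live data. The rules are returned, not applied, so they can be reviewed first, and the "scanner-hit" verdict is the one that matters: a 404 flood costs some CPU, but a probe that came back 200 means the scanner found a path that exists on your server.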