New Node server install, almost immediate hacking attempts

Wanted to know if the standard image here for Ubuntu 16.04 LTS has any sort of internal security check involved which self-checks a number of security points?

1. Installed a new server today

2. Fired up the node instance

3. Added an iptables entry to redirect tcp/80 to the node app's port

4. Watching the log, I'm seeing this within moments of the site coming up:

HEAD http://instance-ip:80/mysql/admin/ 404 1ms
HEAD http://instance-ip:80/mysql/dbadmin/ 404 1ms
HEAD http://instance-ip:80/mysql/sqlmanager/ 404 0ms
HEAD http://instance-ip:80/mysql/mysqlmanager/ 404 1ms
HEAD http://instance-ip:80/phpmyadmin/ 404 0ms
HEAD http://instance-ip:80/phpMyadmin/ 404 5ms
HEAD http://instance-ip:80/phpMyAdmin/ 404 0ms
HEAD http://instance-ip:80/phpmyAdmin/ 404 0ms
HEAD http://instance-ip:80/phpmyadmin2/ 404 1ms
HEAD http://instance-ip:80/phpmyadmin3/ 404 1ms
HEAD http://instance-ip:80/phpmyadmin4/ 404 4ms
HEAD http://instance-ip:80/2phpmyadmin/ 404 1ms
HEAD http://instance-ip:80/phpmy/ 404 0ms
HEAD http://instance-ip:80/phppma/ 404 1ms
HEAD http://instance-ip:80/myadmin/ 404 1ms
HEAD http://instance-ip:80/shopdb/ 404 1ms
HEAD http://instance-ip:80/MyAdmin/ 404 0ms
HEAD http://instance-ip:80/program/ 404 0ms
HEAD http://instance-ip:80/PMA/ 404 0ms
HEAD http://instance-ip:80/dbadmin/ 404 1ms
HEAD http://instance-ip:80/pma/ 404 0ms
HEAD http://instance-ip:80/db/ 404 1ms
HEAD http://instance-ip:80/admin/ 404 0ms
HEAD http://instance-ip:80/mysql/ 404 1ms
HEAD http://instance-ip:80/database/ 404 1ms
HEAD http://instance-ip:80/db/phpmyadmin/ 404 1ms
HEAD http://instance-ip:80/db/phpMyAdmin/ 404 2ms
HEAD http://instance-ip:80/sqlmanager/ 404 1ms
HEAD http://instance-ip:80/mysqlmanager/ 404 0ms
HEAD http://instance-ip:80/php-myadmin/ 404 0ms
HEAD http://instance-ip:80/phpmy-admin/ 404 1ms
HEAD http://instance-ip:80/mysqladmin/ 404 0ms
HEAD http://instance-ip:80/mysql-admin/ 404 1ms
HEAD http://instance-ip:80/admin/phpmyadmin/ 404 3ms
HEAD http://instance-ip:80/admin/phpMyAdmin/ 404 0ms
HEAD http://instance-ip:80/admin/sysadmin/ 404 1ms
HEAD http://instance-ip:80/admin/sqladmin/ 404 0ms
HEAD http://instance-ip:80/admin/db/ 404 1ms
HEAD http://instance-ip:80/admin/web/ 404 0ms
HEAD http://instance-ip:80/admin/pMA/ 404 1ms
HEAD http://instance-ip:80/mysql/pma/ 404 1ms
HEAD http://instance-ip:80/mysql/db/ 404 0ms
HEAD http://instance-ip:80/mysql/web/ 404 1ms
HEAD http://instance-ip:80/mysql/pMA/ 404 1ms
HEAD http://instance-ip:80/sql/phpmanager/ 404 0ms
HEAD http://instance-ip:80/sql/php-myadmin/ 404 1ms
HEAD http://instance-ip:80/sql/phpmy-admin/ 404 0ms
HEAD http://instance-ip:80/sql/sql/ 404 1ms
HEAD http://instance-ip:80/sql/myadmin/ 404 0ms
HEAD http://instance-ip:80/sql/webadmin/ 404 1ms
HEAD http://instance-ip:80/sql/sqlweb/ 404 0ms
HEAD http://instance-ip:80/sql/websql/ 404 1ms
HEAD http://instance-ip:80/sql/webdb/ 404 0ms
HEAD http://instance-ip:80/sql/sqladmin/ 404 1ms
HEAD http://instance-ip:80/sql/sql-admin/ 404 0ms
HEAD http://instance-ip:80/sql/phpmyadmin2/ 404 1ms
HEAD http://instance-ip:80/sql/phpMyAdmin2/ 404 0ms
HEAD http://instance-ip:80/sql/phpMyAdmin/ 404 1ms
HEAD http://instance-ip:80/db/myadmin/ 404 0ms
HEAD http://instance-ip:80/db/webadmin/ 404 0ms
HEAD http://instance-ip:80/db/dbweb/ 404 2ms
HEAD http://instance-ip:80/db/websql/ 404 0ms
HEAD http://instance-ip:80/db/webdb/ 404 0ms
HEAD http://instance-ip:80/db/dbadmin/ 404 1ms
HEAD http://instance-ip:80/db/db-admin/ 404 1ms
HEAD http://instance-ip:80/db/phpmyadmin3/ 404 1ms
HEAD http://instance-ip:80/db/phpMyAdmin3/ 404 1ms
HEAD http://instance-ip:80/db/phpMyAdmin-3/ 404 1ms
HEAD http://instance-ip:80/administrator/phpmyadmin/ 404 1ms
HEAD http://instance-ip:80/administrator/phpMyAdmin/ 404 1ms
HEAD http://instance-ip:80/administrator/db/ 404 0ms
HEAD http://instance-ip:80/administrator/web/ 404 1ms
HEAD http://instance-ip:80/administrator/pma/ 404 0ms
HEAD http://instance-ip:80/administrator/PMA/ 404 1ms
HEAD http://instance-ip:80/administrator/admin/ 404 1ms
HEAD http://instance-ip:80/phpMyAdmin2/ 404 0ms
HEAD http://instance-ip:80/phpMyAdmin3/ 404 1ms
HEAD http://instance-ip:80/phpMyAdmin4/ 404 0ms
HEAD http://instance-ip:80/phpMyAdmin-3/ 404 1ms
HEAD http://instance-ip:80/php-my-admin/ 404 4ms
HEAD http://instance-ip:80/PMA2011/ 404 0ms
HEAD http://instance-ip:80/PMA2012/ 404 1ms
HEAD http://instance-ip:80/PMA2013/ 404 0ms
HEAD http://instance-ip:80/PMA2014/ 404 0ms
HEAD http://instance-ip:80/PMA2015/ 404 1ms
HEAD http://instance-ip:80/PMA2016/ 404 1ms
HEAD http://instance-ip:80/PMA2017/ 404 0ms
HEAD http://instance-ip:80/PMA2018/ 404 1ms
HEAD http://instance-ip:80/pma2011/ 404 1ms
HEAD http://instance-ip:80/pma2012/ 404 1ms
HEAD http://instance-ip:80/pma2013/ 404 1ms
HEAD http://instance-ip:80/pma2014/ 404 0ms
HEAD http://instance-ip:80/pma2015/ 404 1ms
HEAD http://instance-ip:80/pma2016/ 404 0ms
HEAD http://instance-ip:80/pma2017/ 404 1ms
HEAD http://instance-ip:80/pma2018/ 404 0ms
HEAD http://instance-ip:80/phpmyadmin2011/ 404 1ms
HEAD http://instance-ip:80/phpmyadmin2012/ 404 0ms
HEAD http://instance-ip:80/phpmyadmin2013/ 404 1ms
HEAD http://instance-ip:80/phpmyadmin2014/ 404 0ms
HEAD http://instance-ip:80/phpmyadmin2015/ 404 1ms
HEAD http://instance-ip:80/phpmyadmin2016/ 404 0ms
HEAD http://instance-ip:80/phpmyadmin2017/ 404 1ms
HEAD http://instance-ip:80/phpmyadmin2018/ 404 1ms
HEAD http://instance-ip:80/phpmanager/ 404 0ms

Questions:

  • Is this Linode doing a security check?

  • Will this repeat frequently and if so, will I be charged for the activity against my Linode?

  • Or is this scripted IP-walked hacking that's going on in real time? (I don't love that I'm being charged for this.)

7 Replies

I have found this happens every time I spin up a server. The first thing on the agenda is setting up the security protocols. Linode has an excellent guide at:

https://www.linode.com/docs/security

It has a section for each flavor of Linux that you happen to use.

Good luck, Jeff

Plus, if you gather all the attacks on a server for a week and then separate them and categorize them, you'll find several interesting facts about the attacks, here is my experience:

1) almost all of them are harmless, if you run updated software. You must be running some real junk to get hacked, like vulnerable wordpress plugins/templates.

2) most of them originate from a specific set of countries, thus it is fairly easy to mass-block them, like China, Argentina, Russia, Ukraine, etc. For example, you may decide that your websites are geared towards English-speaking North Americans or Europeans, then you could easily block most of the rest of the world. Sure, if you block too many countries then even English-speaking tourists won't be able to view your websites while away in those countries, but ultimately you decide how far you want to go.

Almost all admins that I know, block China and Russia by default.

Every time someone blocks China or Russia, baby Jesus cries.

But it makes admins happy 8)

here is a post I wrote a while ago, about how to block countries with firewalld:

[TOP TIP] firewalld and ipset (country blacklist)
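An added example, not code from the thread or from Linode: a small Node script that parses request-log lines in the "METHOD URL STATUS TIMEms" format the question shows and sorts the 404s into admin-panel probe categories, the kind of gathering and categorising the reply above suggests doing over a week of logs. The probe patterns, the 10-distinct-paths threshold and the sample lines are assumptions constructed for this example.

```javascript
// Added example, not from the thread: parse request-log lines in the
// "METHOD URL STATUS TIMEms" format the question shows and flag a burst of
// 404s against well-known DB/admin-panel paths as automated scanning.
const LINE_RE = /^(\w+)\s+(\S+)\s+(\d{3})\s+(\d+)ms$/;

// Path patterns typical of admin-panel probing; the categories are assumptions.
const PROBE_CATEGORIES = [
  ["phpmyadmin", /php[-_]?my[-_]?admin|\/(pma|phpmy|phppma|myadmin|phpmanager)\d*\//i],
  ["db-manager", /\/(mysql|sql|db|database|dbadmin|shopdb|sqlmanager|mysqlmanager)\//i],
  ["admin-path", /\/(admin|administrator)\//i],
];

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // line in another format: skip it
  return { method: m[1], path: new URL(m[2]).pathname, status: Number(m[3]), ms: Number(m[4]) };
}

function classify(path) {
  for (const [name, re] of PROBE_CATEGORIES) if (re.test(path)) return name;
  return null; // ordinary application path
}

// Many distinct probe paths all answered 404 is the signature of a scanner
// walking a wordlist; the threshold of 10 is an assumption, tune it to your traffic.
function summarize(lines, minDistinctProbes = 10) {
  const probes = new Set(), byCategory = {};
  let total = 0, notFound = 0;
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    total++;
    if (req.status === 404) notFound++;
    const cat = classify(req.path);
    if (cat && req.status === 404) {
      probes.add(req.path);
      byCategory[cat] = (byCategory[cat] || 0) + 1;
    }
  }
  return { total, notFound, distinctProbes: probes.size, byCategory,
           likelyScanner: probes.size >= minDistinctProbes };
}

// Constructed sample: two ordinary requests, then paths taken from the question's log.
const SAMPLE_LOG = ["GET http://instance-ip:80/ 200 3ms", "GET http://instance-ip:80/api/health 200 1ms"]
  .concat(["mysql/admin", "phpmyadmin", "phpMyAdmin", "phpmyadmin2", "PMA", "dbadmin", "db", "admin",
           "mysql", "database", "admin/phpmyadmin", "pma2016", "php-my-admin"]
    .map((p) => `HEAD http://instance-ip:80/${p}/ 404 1ms`));

console.log(summarize(SAMPLE_LOG));
```

Feed it the real log (one line per array element) to see which categories dominate before deciding what, if anything, to block.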

It's called the internet, so welcome to reality.

There are tons of people running scripts, which scan the entire internet net block range for various things (vulnerabilities, statistics, data mining, etc). Nothing you can do about it, just ignore them. Essentially, they are harmless, unless you run some exploitable software on your server.

It is all part of the game when running a PUBLIC server, you get public affection ;)

You don't get charged for such low traffic, the bandwidth use is insignificant.

@fos:

> I have found this happens every time I spin up a server. The first thing on the agenda is setting up the security protocols. Linode has an excellent guide at:
>
> https://www.linode.com/docs/security
>
> It has a section for each flavor of Linux that you happen to use.
>
> Good luck, Jeff

Jeff, yes I totally fixed things up with respect to security and the firewall. These are port 80-related, of course.

@IfThenElse:

> But it makes admins happy 8)
>
> here is a post I wrote a while ago, about how to block countries with firewalld:
>
> [TOP TIP] firewalld and ipset (country blacklist)

I must admit that in the past I had a one-strike policy on a per-country basis. If I received one spam or hacking attempt from a country, I'd block the entire country's IP range. It tends to slow down the nonsense.

That said, it's good to know that this isn't a Linode-spawned test of some kind. I've reviewed the logs, updated the log content and have now taken counter-measures.

Also, in the past when I owned my own datacenter, I had a fondness for redirecting ne'er-do-wells to the CHARGEN port tcp:19. It tends to fill up the log partition of your scripted hacker and they fall off the end of the Internet until they can fix that. I'm not condoning that behavior. :D
