My access_log is filled with requests for scripts I don’t have. What’s going on?

Question:

I noticed that my access log has requests for things like wp-admin, phpmyadmin, phpbb, etc. – scripts that I do not have installed. The requests seem to come from all over the world and sometimes one right after another. What is going on? Do I need to be worried about this?

Answer:

This is, unfortunately, normal. The entries may resemble:

"GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 404 877 "-" "-"

These entries are attackers scanning to find servers they can exploit. You'll see them scanning for the most common web apps and scripts. As long as you don't have a copy of the script they are looking for installed, you are fine. Even if you do, you are good as long as your install is current.

Hackers know that popular scripts like WordPress, phpMyAdmin, phpBB, etc. have millions of installed instances. They also know that many users may install one of these scripts to test and then never use it again and worse, never update it. Once a security vulnerability is found in a particular version of a script, hackers use lists of randomly compiled domain names and start checking if each domain has the hackable version of the script installed.

You do not need to worry about these types of “scans” as long as you do not have old versions of scripts installed. We highly recommend that you remove or disable scripts that you no longer use and keep all scripts you do use up-to-date.
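To see how many of these probes a log contains and which clients send them, here is an added example (not from the original FAQ) that parses Apache combined-format access_log lines and flags 404 responses for the app paths the answer names. The log lines are constructed sample data and the PROBE_MARKERS list is an assumption; extend it with whatever scripts you see in your own log.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:03:12:01 +0000] "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 404 877 "-" "-"
203.0.113.5 - - [10/Mar/2024:03:12:02 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 877 "-" "-"
203.0.113.5 - - [10/Mar/2024:03:12:02 +0000] "GET /wp-admin/ HTTP/1.1" 404 877 "-" "-"
198.51.100.7 - - [10/Mar/2024:03:15:44 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:03:15:45 +0000] "GET /images/logo.png HTTP/1.1" 200 4021 "http://example.com/" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:04:01:10 +0000] "GET /phpbb/viewtopic.php HTTP/1.1" 404 877 "-" "-"
"""

# client, ident, user, [timestamp], "method path protocol", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"'
)

# Path fragments of the popular apps the answer mentions (assumed list). A 404 for one of
# these on a server that does not host the app is a scan probe, not a real visitor.
PROBE_MARKERS = ("wp-admin", "phpmyadmin", "phpbb", "setup.php")

def parse_line(line):
    """Split one combined-format line into its fields; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status, referer, ua = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status),
            "referer": referer, "ua": ua}

def is_probe(entry):
    """True when the request 404'd on a path belonging to a well-known web app."""
    if entry["status"] != 404:
        return False
    return any(marker in entry["path"].lower() for marker in PROBE_MARKERS)

def summarize_probes(log_text):
    """Return {client_ip: [probed paths]} for every client whose requests look like a scan."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_probe(entry):
            probes[entry["ip"]].append(entry["path"])
    return dict(probes)

if __name__ == "__main__":
    for ip, paths in summarize_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} probe(s): {', '.join(paths)}")
```

Run it against your real access_log by replacing SAMPLE_LOG with the file's contents; clients with many probes and no 200 responses are scanners, and the 404s confirm the scripts they want are not installed.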

Using TLS with POP3 (SSL)

When using POP3 on our servers, you are advised to use the encrypted connection option. There are several standard methods for encrypting POP3, so your mail program will have several options. Use the option "SSL/TLS"; the wording will vary with each mail program.

In general you should use:

SSL/TLS (not STARTTLS)
port 995

You will likely receive a warning about the SSL certificate the server is using. Usually the message will say that the certificate does not match the name of your mail server. This is because the SSL certificate is assigned to the actual name of your server (servername.phpwebhosting.com) and not your particular domain name (your-domain.com). The connection is still 100% secure and encrypted. Your mail program is only alerting you to the fact that the name on the certificate is not the same as your domain name.

Tell your mail program to accept the certificate and the warning should not appear again. The only way to totally avoid these errors is to upgrade to a dedicated server and purchase your own SSL certificate. Contact support if you are interested in this upgrade.

Note: If the SSL errors persist you can also avoid SSL errors by using:

your-server.phpwebhosting.com

instead of

mail.your-domain.com

for the incoming (POP3) and outgoing (SMTP) servers. However, this is not recommended. It will work, but it could cause problems in the future if your internal phpwebhosting.com mail server changes. Using mail.your-domain.com ensures that any internal changes are transparent and never require you to update your mail settings. You should only use your-server.phpwebhosting.com as a last resort if you are using a mail program which refuses to permit the name-mismatched SSL certificate.

Weird error message: “Suddenly the Dungeon collapses!! – You die”

Question:

I was ssh’d into the server when I saw the message:

Suddenly the Dungeon collapses!! – You die…

What happened? Did someone hack my account?

Answer:

No. This is the message that the screen program gives if you kill your own instance of screen (or if it otherwise crashes).

All is well and the server is fine.

How can I turn off mod_security for my site?

Question:

One of my applications is triggering the mod_security rules. How can I turn off mod_security for my site?

Answer:

Add this line to your .htaccess file:

SecFilterInheritance Off

If there is only a certain portion of your site with errors due to mod_security, we recommend you put the disable command only in an .htaccess file in the directory for the part of your site with the errors. This will allow you to still have mod_security protection on the rest of your site.

All mod_security errors will appear as error status 500. Not all 500 errors are due to mod_security, but if you have odd ones whose source you cannot find, they may be from mod_security.

mod_security watches all incoming requests for certain known attack signatures and stops them. It is very effective at stopping common hacking attempts on your site.

See mod_security.org for more information.