Question:
I noticed that my access log has requests for things like wp-admin, phpmyadmin, phpbb, etc. – scripts that I do not have installed. The requests seem to come from all over the world and sometimes one right after another. What is going on? Do I need to be worried about this?
Answer:
This is, unfortunately, normal. The entries may resemble:
"GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 404 877 "-" "-"
These entries are attackers scanning to find servers they can exploit. You’ll see them scanning for most common web apps and scripts. As long as you don’t have a copy of the script they are looking for installed you are fine. Even if you do, you are good as long as your install is current.
Hackers know that popular scripts like WordPress, phpMyAdmin, phpBB, etc. have millions of installed instances. They also know that many users may install one of these scripts to test and then never use it again and worse, never update it. Once a security vulnerability is found in a particular version of a script, hackers use lists of randomly compiled domain names and start checking if each domain has the hackable version of the script installed.
You do not need to worry about these types of “scans” as long as you do not have old versions of scripts installed. We highly recommend that you remove or disable scripts that you no longer use and keep all scripts you do use up-to-date.
