Forum Topic: New Domain and blacklisting
Just bought a new domain a couple of days ago and yesterday pointed the DNS to the server and created a simple HTML placeholder page.
This morning I was reviewing error logs and several look like this (the same IPs did the exact same search in the exact order below):
"GET /wordpress/wp-login.php HTTP/1.1" 404
"GET /section/wp-login.php HTTP/1.1" 404
"GET /admin/wp-login.php HTTP/1.1" 404
"GET /site/wp-login.php HTTP/1.1" 404
"GET /blog/wp-login.php HTTP/1.1" 404
"GET /wp/wp-login.php HTTP/1.1" 404
"GET /wp-login.php HTTP/1.1" 404
"GET /wp-login/ HTTP/1.1" 404
"GET /administrator/index.php HTTP/1.1" 404
Others tried this:
/cgi-bin/test-cgi
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
/cgi-bin/sys.cgi
Or tested directories like this:
/pmpm
/phpMyAdmin
/pma
/myadmin
/components
/gogo
/ypyp
/fck
Now the question here is: if it is a new domain, I have never used WordPress, and this domain has neither a database nor dynamic pages, why such requests?
I haven't bought a new domain for about a decade, but is this normal behaviour nowadays? How do they find out so fast about a new domain if it hasn't been listed on search engines and has no direct link?
Should I block the following IPs in .htaccess or let it be (I guess blocking specific IPs would make a list incredibly long after a time)?
The IPs most involved in this kind of activity are these:
22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199
Made a search on several of them and some appear on a project called honeypot (new to me).
PS: Hope I'm not driving you crazy with so many newbie questions.
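The log lines quoted in this post are the classic signature of an automated WordPress/phpMyAdmin/cgi-bin probe. The script below is an added example (not code from the original post or from the forum) that parses Apache combined-format access log lines, counts how many requests per client IP hit well-known probe paths and came back 404, and flags the IPs that cross a threshold. The sample log lines, the IP addresses (RFC 5737 documentation ranges), the probe path patterns and the threshold are all constructed for the example; a real deployment would read the server's own access log and tune the patterns to what that site legitimately serves.

```python
import re
from collections import defaultdict

# Constructed sample in Apache "combined" log format (not taken from the post).
# 203.0.113.10 behaves like the scanners described above; 192.0.2.55 is a normal visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:06:12:01 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:06:12:01 +0000] "GET /admin/wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:06:12:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:06:12:02 +0000] "GET /administrator/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:07:30:45 +0000] "GET /cgi-bin/php5 HTTP/1.1" 404 196 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:07:30:46 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 196 "-" "curl/7.68.0"
192.0.2.55 - - [10/Oct/2023:08:01:10 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:08:01:11 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line that matter here: client IP, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths a static placeholder site never serves; every hit is a probe, never a user.
# (Assumed list, built from the paths quoted in the post.)
PROBE_PATTERNS = [
    re.compile(r'wp-login\.php$'),
    re.compile(r'^/wp-login/?$'),
    re.compile(r'^/administrator/'),
    re.compile(r'^/cgi-bin/(php|test-cgi|sys\.cgi)'),
    re.compile(r'^/(phpmyadmin|pma|myadmin)(/|$)', re.IGNORECASE),
]


def parse_line(line):
    """Return the ip/path/status of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"),
            "status": int(m.group("status"))}


def is_probe(path):
    """True when the request path matches one of the known probe patterns."""
    path = path.split("?", 1)[0]  # ignore any query string
    return any(p.search(path) for p in PROBE_PATTERNS)


def summarize(log_text):
    """Per-IP counts: total requests, probe requests that 404ed, and the probed paths."""
    stats = defaultdict(lambda: {"total": 0, "probes": 0, "paths": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        s = stats[rec["ip"]]
        s["total"] += 1
        # Only 404s count: on a site that really runs WordPress a 200 here is a user.
        if rec["status"] == 404 and is_probe(rec["path"]):
            s["probes"] += 1
            s["paths"].append(rec["path"])
    return dict(stats)


def flag_scanners(log_text, threshold=3):
    """IPs with at least `threshold` probe hits, sorted for stable output."""
    return sorted(ip for ip, s in summarize(log_text).items()
                  if s["probes"] >= threshold)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {s['probes']} probes / {s['total']} requests {s['paths']}")
    print("flagged:", flag_scanners(SAMPLE_LOG))
```

The point of keying on the request pattern rather than on the source address is exactly the concern raised in the post: scanner IPs churn constantly, so a per-IP blacklist grows without bound, whereas the set of paths a static site never serves stays small and stable. The threshold keeps a single stray 404 (a bookmark to an old path, a missing favicon) from being treated as a scan.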
1 Reply to “New Domain and blacklisting”
So here is what is happening, in my experience. Basically you have people running automated scripts against known/existing domains. This is referred to as “scanning” (or similar) and yes, it is normal these days (has been for some time). The degree to which people will scan your sites depends on several factors, including whether or not the domain is brand new, or if someone has owned it before. In general, the older a domain, the more it will get hit with scanning/probing/sniffing... basically just bad guys looking for an easy way to cause harm, do evil deeds, whatever.
As for blocking/securing, there are many solutions available, including Project Honeypot and many others. Personally I roll my own solutions, which culminate in the nG series blacklist and so forth. In general, I think blocking by IPs is ultimately a waste of time, unless you are targeting a specific person(s) who is heckling your site, in which case it is easy and effective to simply block their IP. For automated scans, however, a more robust solution is required.