Forum Topic: New Domain and blacklisting

Forum: .htaccess Forum : Security • Posted by Leon Fernandez • Updated:

Just bought a new domain a couple of days ago and yesterday pointed the dns to the server and created a simple html placeholder page.

This morning I was reviewing error logs and several look like this (the same ips did the exact same search in the exact order under):

"GET /wordpress/wp-login.php HTTP/1.1" 404
"GET /section/wp-login.php HTTP/1.1" 404
"GET /admin/wp-login.php HTTP/1.1" 404
"GET /site/wp-login.php HTTP/1.1" 404
"GET /blog/wp-login.php HTTP/1.1" 404
"GET /wp/wp-login.php HTTP/1.1" 404
"GET /wp-login.php HTTP/1.1" 404
"GET /wp-login/ HTTP/1.1" 404
"GET /administrator/index.php HTTP/1.1" 404

Others tried this:

/cgi-bin/test-cgi
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
/cgi-bin/sys.cgi

Or tested directories like this:

/pmpm
/phpMyAdmin
/pma
/myadmin
/components
/gogo
/ypyp
/fck

Now the question here is that, if it is a new domain, I have never used wordpress, nor does this domain have a database, nor dinamic pages, why such requests?

I havent bought a new domain for about a decade, but is this normal behaviour nowadays? How do they find out so fast about a new domain if it hasnt been listed on Search Engines nor have a direct link?

Should I block the following IPs in htacess or let it be (I guess blocking specific IPs would make a list incredibly long after time)?

The Ips most involved in this kind of activity are these:

2.134.153.6
2.238.115.47
91.200.12.75
103.252.85.234
178.54.30.159
177.85.51.84
188.138.1.25
192.99.6.106
198.27.110.7
198.20.69.98
198.211.30.100
202.144.144.163
203.172.137.186
217.199.160.244

Made a search on Several of them and some appear on a project called honeypot (new to me).

PS: Hope Im not driving you crazy with so many newbie questions.

1 Reply to “New Domain and blacklisting”

Jeff Starr
Posted by Jeff Starr

So here is what is happening, in my experience. Basically you have people running automated scripts against known/existing domains. This is referred to as "scanning" (or similar) and yes it is normal these days (has been for some time). The degree to which people will scan your sites depends on several factors, including whether or not the domain is brand new, or if someone has owned it before. In general, the older a domain the more it will get hit with scanning/probing/sniffing.. basically just bad guys looking for an easy way to cause harm, do evil deeds, whatever.

As for blocking/securing, there are many solutions available, including project honeypot and many others. Personally I roll my own solutions, which culminates in the nG series blacklist and so forth. In general, I think blocking by IPs is ultimately a waste of time, unless you are targeting a specific person(s) who is heckling your site, in which case it is easy and effective to simply block their IP. For automated scans, however, a more robust solution is required.