• web server

    From Utopian Galt@utopian.galt@IUTOPIA.remove-2dq-this to All on Sun Apr 3 18:31:39 2022
    From Newsgroup: alt.bbs.synchronet

    4/3 06:28:31p 1996 Request: GET /sql/phpmyadmin4/index.php?lang=en HTTP/1.1
    4/3 06:28:31p 1996 !ERROR: 404 Not Found (line 3721)
    4/3 06:28:31p 1996 Session thread terminated (2 clients, 6 threads remain, 511 served)
    4/3 06:28:31p 1996 HTTP connection accepted from: 188.166.240.83 port 49102
    4/3 06:28:31p 1996 Request: GET /db/phpMyAdmin-5/index.php?lang=en HTTP/1.1
    4/3 06:28:32p 1996 !ERROR: 404 Not Found (line 3721)
    4/3 06:28:32p 1996 Session thread terminated (2 clients, 6 threads remain, 512 served)
    4/3 06:28:32p 1996 HTTP connection accepted from: 188.166.240.83 port 49260
    4/3 06:28:32p 1996 Request: GET /dbadmin/index.php?lang=en HTTP/1.1
    4/3 06:28:32p 1996 !ERROR: 404 Not Found (line 3721)
    4/3 06:28:32p 1996 Session thread terminated (2 clients, 6 threads remain, 513 served)
    4/3 06:28:32p 1996 HTTP connection accepted from: 188.166.240.83 port 49424
    4/3 06:28:32p 1996 Request: GET /phpmyadmin2015/index.php?lang=en HTTP/1.1
    4/3 06:28:32p 1996 !ERROR: 404 Not Found (line 3721)
    4/3 06:28:33p 1996 Session thread terminated (2 clients, 6 threads remain, 514 served)
    4/3 06:28:33p 1996 HTTP connection accepted from: 188.166.240.83 port 49542
    4/3 06:28:33p 1996 Request: GET /sql/myadmin/index.php?lang=en HTTP/1.1

    How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?

    That is the big takeaway.

    ---
    ■ Synchronet ■ Inland Utopia - iutopia.duckdns.org:2023
    --- Synchronet 3.19c-Win32 NewsLink 1.113
    * Vertrauen - Riverside County, California - telnet://vert.synchro.net
    --- Synchronet 3.19c-Linux NewsLink 1.113
  • From MRO@mro@BBSESINF.remove-33n-this to Utopian Galt on Sun Apr 3 23:41:29 2022
    From Newsgroup: alt.bbs.synchronet

    To: Utopian Galt
    Re: web server
    By: Utopian Galt to All on Sun Apr 03 2022 06:31 pm


    > How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?
    >
    > That is the big takeaway.


    get off the internet.
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From Digital Man@digital.man@vert.synchro.net.remove-2ry-this to Utopian Galt on Sun Apr 3 22:17:34 2022
    From Newsgroup: alt.bbs.synchronet

    To: Utopian Galt
    Re: web server
    By: Utopian Galt to All on Sun Apr 03 2022 06:31 pm

    > 4/3 06:28:33p 1996 Request: GET /sql/myadmin/index.php?lang=en HTTP/1.1
    >
    > How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?
    >
    > That is the big takeaway.

    Just ignore them. <shrug>
    --
    digital man (rob)

    Sling Blade quote #10:
    Morris: I stand on the hill, not for thrill, but for the breath of a fresh kill
    Norco, CA WX: 57.1°F, 82.0% humidity, 3 mph SSE wind, 0.00 inches rain/24hrs
  • From echicken@echicken@ECBBS.remove-vue-this to Utopian Galt on Mon Apr 4 05:07:32 2022
    From Newsgroup: alt.bbs.synchronet

    To: Utopian Galt
    Re: web server
    By: Utopian Galt to All on Sun Apr 03 2022 18:31:39

    > How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?
    >
    > That is the big takeaway.

    The more important question is whether these requests are causing a real, measurable problem for you.

    This sort of traffic comes in waves. You'll see huge surges that last for a matter of hours and then die off for weeks or months. Your logs show your web server isn't exactly being taxed; it's handling a couple of requests per second and responding with 404. No big deal.

    You can play whack-a-mole with these bots and add complexity to your setup if you really want to, but you can also just do nothing and it'll be fine.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    ---
    ■ Synchronet ■ electronic chicken bbs - bbs.electronicchicken.com
  • From Ragnarok@ragnarok@DOCKSUD.remove-s4v-this to Utopian Galt on Mon Apr 4 10:13:34 2022
    From Newsgroup: alt.bbs.synchronet

    To: Utopian Galt
    On 3/4/22 at 22:31, Utopian Galt wrote:
    > 4/3 06:28:31p 1996 Request: GET /sql/phpmyadmin4/index.php?lang=en HTTP/1.1
    > 4/3 06:28:31p 1996 !ERROR: 404 Not Found (line 3721)
    > 4/3 06:28:31p 1996 Session thread terminated (2 clients, 6 threads remain, 511 served)
    > 4/3 06:28:31p 1996 HTTP connection accepted from: 188.166.240.83 port 49102
    > 4/3 06:28:31p 1996 Request: GET /db/phpMyAdmin-5/index.php?lang=en HTTP/1.1
    > 4/3 06:28:32p 1996 !ERROR: 404 Not Found (line 3721)
    > 4/3 06:28:32p 1996 Session thread terminated (2 clients, 6 threads remain, 512 served)
    > 4/3 06:28:32p 1996 HTTP connection accepted from: 188.166.240.83 port 49260
    > 4/3 06:28:32p 1996 Request: GET /dbadmin/index.php?lang=en HTTP/1.1
    > 4/3 06:28:32p 1996 !ERROR: 404 Not Found (line 3721)
    > 4/3 06:28:32p 1996 Session thread terminated (2 clients, 6 threads remain, 513 served)
    > 4/3 06:28:32p 1996 HTTP connection accepted from: 188.166.240.83 port 49424
    > 4/3 06:28:32p 1996 Request: GET /phpmyadmin2015/index.php?lang=en HTTP/1.1
    > 4/3 06:28:32p 1996 !ERROR: 404 Not Found (line 3721)
    > 4/3 06:28:33p 1996 Session thread terminated (2 clients, 6 threads remain, 514 served)
    > 4/3 06:28:33p 1996 HTTP connection accepted from: 188.166.240.83 port 49542
    > 4/3 06:28:33p 1996 Request: GET /sql/myadmin/index.php?lang=en HTTP/1.1
    >
    > How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?
    >
    > That is the big takeaway.
    >
    > ---
    > ■ Synchronet ■ Inland Utopia - iutopia.duckdns.org:2023

    use fail2ban and block these connections

    ---
    ■ Synchronet ■ Dock Sud BBS TLD 24 HS - bbs.docksud.com.ar
  • From Ragnarok@ragnarok@DOCKSUD.remove-s4v-this to Digital Man on Mon Apr 4 10:15:53 2022
    From Newsgroup: alt.bbs.synchronet

    To: Digital Man
    On 4/4/22 at 02:17, Digital Man wrote:
    > Re: web server
    > By: Utopian Galt to All on Sun Apr 03 2022 06:31 pm
    >
    > > 4/3 06:28:33p 1996 Request: GET /sql/myadmin/index.php?lang=en HTTP/1.1
    > >
    > > How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?
    > >
    > > That is the big takeaway.
    >
    > Just ignore them. <shrug>

    Can you add the client IP to the 404 error log? It will make it easy to
    make a fail2ban filter.

    ---
    ■ Synchronet ■ Dock Sud BBS TLD 24 HS - bbs.docksud.com.ar
  • From Tracker1@tracker1@TRN.remove-pw-this to Utopian Galt on Mon Apr 4 18:42:58 2022
    From Newsgroup: alt.bbs.synchronet

    To: Utopian Galt
    On 4/3/22 18:31, Utopian Galt wrote:
    > ... Request: GET /sql/phpmyadmin4/index.php?lang=en HTTP/1.1
    > ... !ERROR: 404 Not Found (line 3721)
    > ...
    >
    > How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?
    >
    > That is the big takeaway.

    These are bots trying to see if you have various (potentially
    compromisable) web applications on default ports... as long as you're
    seeing 400 responses, you are fine... the 404 is basically a bugger off.

    I wouldn't worry too much about them... You could create an
    /error/404.ssjs to handle these with a custom response (I'm doing this
    for a custom default.html and/or redirect), but it's probably not worth
    the effort imo.

    Alternatively, you could use a different webserver as a frontline
    reverse proxy and configure those routes not to go to your BBS host...
    this will make integration of TLS on your other services potentially
    much more difficult though.
    --
    Michael J. Ryan - tracker1@roughneckbbs.com
    ---
    ■ Synchronet ■ Roughneck BBS - roughneckbbs.com
  • From Digital Man@digital.man@vert.synchro.net.remove-3g8-this to Ragnarok on Mon Apr 4 19:55:47 2022
    From Newsgroup: alt.bbs.synchronet

    To: Ragnarok
    Re: Re: web server
    By: Ragnarok to Digital Man on Mon Apr 04 2022 10:15 am

    > On 4/4/22 at 02:17, Digital Man wrote:
    > > Re: web server
    > > By: Utopian Galt to All on Sun Apr 03 2022 06:31 pm
    > >
    > > > 4/3 06:28:33p 1996 Request: GET /sql/myadmin/index.php?lang=en HTTP/1.1
    > > >
    > > > How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?
    > > >
    > > > That is the big takeaway.
    > >
    > > Just ignore them. <shrug>
    >
    > Can you add the client IP to the 404 error log? It will make it easy to
    > make a fail2ban filter.

    Okay, I just added that. But I wouldn't recommend blocking any/every client that makes a bad HTTP request. You could have a bad link on your own web pages and be blocking a lot of honest to goodness users.
    --
    digital man (rob)

    Synchronet/BBS Terminology Definition #37:
    FTSC = FidoNet Technical Standards Committee
    Norco, CA WX: 62.6°F, 71.0% humidity, 2 mph SE wind, 0.00 inches rain/24hrs
  • From Ragnarok@ragnarok@DOCKSUD.remove-31-this to Digital Man on Tue Apr 5 09:23:07 2022
    From Newsgroup: alt.bbs.synchronet

    To: Digital Man
    On 4/4/22 at 23:55, Digital Man wrote:

    > Okay, I just added that. But I wouldn't recommend blocking any/every client that makes a bad HTTP request. You could have a bad link on your own web pages and be blocking a lot of honest to goodness users.

    I agree, I would only block if the same error occurs many times from the
    same host

    An idea would be to be able to add aliases with return code
    example:

    [ctrl/web_alias.ini]

    /phpmyadmin* = return 403
    /wp-admin* = return 403


    etc...

    I don't have wordpress or phpmyadmin so I can assume these are attacks
    and identify and block them

    ---
    ■ Synchronet ■ Dock Sud BBS TLD 24 HS - bbs.docksud.com.ar
  • From Ragnarok@ragnarok@DOCKSUD.remove-31-this to echicken on Tue Apr 5 09:27:27 2022
    From Newsgroup: alt.bbs.synchronet

    To: echicken
    On 4/4/22 at 07:07, echicken wrote:
    > Re: web server
    > By: Utopian Galt to All on Sun Apr 03 2022 18:31:39
    >
    > UG> How do I get people to GTFO out of /sql, /phpmyadmin, /db etc?
    >
    > UG> That is the big takeaway.
    >
    > The more important question is whether these requests are causing a real, measurable problem for you.
    >
    > This sort of traffic comes in waves. You'll see huge surges that last for a matter of hours and then die off for weeks or months. Your logs show your web server isn't exactly being taxed; it's handling a couple of requests per second and responding with 404. No big deal.
    >
    > You can play whack-a-mole with these bots and add complexity to your setup if you really want to, but you can also just do nothing and it'll be fine.


    It doesn't bother me that the disk fills up with 404 logs, because
    logrotate exists.
    The worst problem is CPU usage.
    Those requests increase the sbbs process from 5% to 50% sometimes.

    ---
    ■ Synchronet ■ Dock Sud BBS TLD 24 HS - bbs.docksud.com.ar
  • From Digital Man@digital.man@vert.synchro.net.remove-lbk-this to Ragnarok on Tue Apr 5 18:50:11 2022
    From Newsgroup: alt.bbs.synchronet

    To: Ragnarok
    Re: Re: web server
    By: Ragnarok to Digital Man on Tue Apr 05 2022 09:23 am

    > On 4/4/22 at 23:55, Digital Man wrote:
    >
    > > Okay, I just added that. But I wouldn't recommend blocking any/every client that makes a bad HTTP request. You could have a bad link on your own web pages and be blocking a lot of honest to goodness users.
    >
    > I agree, I would only block if the same error occurs many times from the same host
    >
    > An idea would be to be able to add aliases with return code
    > example:
    >
    > [ctrl/web_alias.ini]
    >
    > /phpmyadmin* = return 403
    > /wp-admin* = return 403

    I'm not sure. Ask Deuce in #synchronet.
    --
    digital man (rob)

    Breaking Bad quote #37:
    only the very best... with just a right amount of dirty. - Saul
    Norco, CA WX: 73.9°F, 56.0% humidity, 4 mph ESE wind, 0.00 inches rain/24hrs
    --- Synchronet 3.19c-Win32 NewsLink 1.113
    * Vertrauen - Riverside County, California - telnet://vert.synchro.net
    --- Synchronet 3.19c-Linux NewsLink 1.113
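
The thread converges on blocking a host only when it produces the same error many times. As an added example (not code from any post or from Synchronet), this Python code applies that rule to the log layout quoted in the first post, where the 404 line carries no client address, by pairing each 404 with the preceding "connection accepted" line. The sample log, the threshold and window defaults, the year, and the reading of the number after the timestamp as a connection identifier are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the log layout quoted in the thread (RFC 5737 addresses).
SAMPLE_LOG = """\
4/3 06:28:31p 1996 HTTP connection accepted from: 192.0.2.10 port 49102
4/3 06:28:31p 1996 Request: GET /db/phpMyAdmin-5/index.php?lang=en HTTP/1.1
4/3 06:28:32p 1996 !ERROR: 404 Not Found (line 3721)
4/3 06:28:32p 2004 HTTP connection accepted from: 198.51.100.7 port 51200
4/3 06:28:32p 2004 Request: GET /old-link.html HTTP/1.1
4/3 06:28:32p 2004 !ERROR: 404 Not Found (line 3721)
4/3 06:28:32p 1996 HTTP connection accepted from: 192.0.2.10 port 49260
4/3 06:28:32p 1996 Request: GET /dbadmin/index.php?lang=en HTTP/1.1
4/3 06:28:32p 1996 !ERROR: 404 Not Found (line 3721)
4/3 06:28:33p 1996 HTTP connection accepted from: 192.0.2.10 port 49424
4/3 06:28:33p 1996 Request: GET /phpmyadmin2015/index.php?lang=en HTTP/1.1
4/3 06:28:33p 1996 !ERROR: 404 Not Found (line 3721)
"""

# Assumption: the number after the timestamp identifies the connection/thread.
LINE = re.compile(r"^\s*(\d+/\d+) (\d+:\d+:\d+[ap]) (\d+) (.*)$")
ACCEPT = re.compile(r"HTTP connection accepted from: (\S+) port \d+")

def parse_time(date, clock, year=2022):
    # The log omits the year and writes "06:28:31p"; append "m" so %p can parse it.
    return datetime.strptime(f"{year}/{date} {clock}m", "%Y/%m/%d %I:%M:%S%p")

def find_scanners(log_text, threshold=3, window=timedelta(seconds=60)):
    """Map client IP -> peak 404 count, for hosts reaching threshold within window."""
    peer = {}                 # connection id -> last accepted client IP
    hits = defaultdict(list)  # client IP -> timestamps of its recent 404s
    flagged = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        date, clock, conn, msg = m.groups()
        accepted = ACCEPT.search(msg)
        if accepted:
            peer[conn] = accepted.group(1)
        elif msg.startswith("!ERROR: 404") and conn in peer:
            ip, now = peer[conn], parse_time(date, clock)
            hits[ip] = [t for t in hits[ip] if now - t <= window] + [now]
            if len(hits[ip]) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(hits[ip]))
    return flagged
```

On the sample, the host that requested three missing admin paths within two seconds is flagged, while the host that followed a single dead link is not, which is the false-positive case Digital Man raises.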