Linode Community Forums
PostPosted: Thu Sep 19, 2013 12:50 pm 

Joined: Wed Sep 11, 2013 10:45 am
Posts: 28
Website: http://www.fierydragonlord.com
I just found this in my server logs:

Code:
176.106.204.88 - - [19/Sep/2013:12:22:58 -0400] "GET / HTTP/1.1" 200 3888 "http://www.fierydragonlord.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
93.125.15.138 - - [19/Sep/2013:12:23:11 -0400] "GET /wordpress HTTP/1.1" 404 1221 "http://www.fierydragonlord.com/wordpress" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
178.124.116.201 - - [19/Sep/2013:12:23:32 -0400] "GET /wp HTTP/1.1" 404 1207 "http://www.fierydragonlord.com/wp" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
178.90.106.165 - - [19/Sep/2013:12:24:48 -0400] "GET /joomla HTTP/1.1" 404 1215 "http://www.fierydragonlord.com/joomla" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
195.69.87.222 - - [19/Sep/2013:12:25:05 -0400] "GET /drupal HTTP/1.1" 404 1215 "http://www.fierydragonlord.com/drupal" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
95.133.189.245 - - [19/Sep/2013:12:25:49 -0400] "GET /blog HTTP/1.1" 404 1211 "http://www.fierydragonlord.com/blog" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
2.135.194.103 - - [19/Sep/2013:12:26:06 -0400] "GET /blog HTTP/1.1" 404 1211 "http://www.fierydragonlord.com/blog" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"


The IP address is different for each access, traceroute returns results consistent with Tor (they often end with "* * *"), and the accesses appear to be manually initiated. I don't have any CMS installed on the server. Is this a vulnerability scan or attack on the server? What should I do?

--DragonLord

Edit: Research on the traceroutes that did go through indicates the accesses likely originate from a spam botnet. This does not appear to be an attempt to gain control over the server, but an attempt to post spam to whatever CMS or blog is installed on the system (and no such software is installed).

_________________
House of DragonLord, powered by openSUSE


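As an added example (editor's code, not part of the original post or of any Linode tooling): a short Python script that parses Apache combined-format lines like the ones quoted above and flags the pattern they show, many distinct source addresses sharing one identical User-Agent string and walking a list of CMS install paths that all return 404. The list of probe paths, the 10-minute window and the 3-address threshold are the editor's assumptions; the sample log is a verbatim copy of the seven lines from the post and nothing else.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format, which is the format of the lines in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Paths a CMS-discovery scanner typically walks. Assumption: this is the
# editor's own list; the post only shows the first five of them.
CMS_PROBE_PATHS = {
    "/wordpress", "/wp", "/joomla", "/drupal", "/blog",
    "/wp-login.php", "/wp-admin", "/administrator", "/user/login",
}

# Sample input: the seven lines quoted in the post, copied verbatim.
SAMPLE_LOG = """\
176.106.204.88 - - [19/Sep/2013:12:22:58 -0400] "GET / HTTP/1.1" 200 3888 "http://www.fierydragonlord.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
93.125.15.138 - - [19/Sep/2013:12:23:11 -0400] "GET /wordpress HTTP/1.1" 404 1221 "http://www.fierydragonlord.com/wordpress" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
178.124.116.201 - - [19/Sep/2013:12:23:32 -0400] "GET /wp HTTP/1.1" 404 1207 "http://www.fierydragonlord.com/wp" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
178.90.106.165 - - [19/Sep/2013:12:24:48 -0400] "GET /joomla HTTP/1.1" 404 1215 "http://www.fierydragonlord.com/joomla" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
195.69.87.222 - - [19/Sep/2013:12:25:05 -0400] "GET /drupal HTTP/1.1" 404 1215 "http://www.fierydragonlord.com/drupal" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
95.133.189.245 - - [19/Sep/2013:12:25:49 -0400] "GET /blog HTTP/1.1" 404 1211 "http://www.fierydragonlord.com/blog" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
2.135.194.103 - - [19/Sep/2013:12:26:06 -0400] "GET /blog HTTP/1.1" 404 1211 "http://www.fierydragonlord.com/blog" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_probe_campaigns(lines, window=timedelta(minutes=10), min_ips=3):
    """Group 404s on probe paths by User-Agent and report each UA for which at
    least `min_ips` distinct source addresses hit probe paths within `window`.
    One client trying a few paths is not reported; a distributed scanner that
    rotates source addresses but keeps one fixed UA string is."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].rstrip("/") or "/"
        if rec["status"] == 404 and path in CMS_PROBE_PATHS:
            hits[rec["ua"]].append(rec)

    campaigns = []
    for ua, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        best = None   # largest time window that meets the distinct-IP threshold
        start = 0
        for end, rec in enumerate(recs):
            # slide the window start forward so the window spans at most `window`
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            in_window = recs[start:end + 1]
            ips = {r["ip"] for r in in_window}
            if len(ips) >= min_ips and (best is None or len(in_window) > len(best)):
                best = in_window
        if best:
            campaigns.append({
                "user_agent": ua,
                "source_ips": sorted({r["ip"] for r in best}),
                "paths": sorted({r["path"] for r in best}),
                "first": best[0]["ts"],
                "last": best[-1]["ts"],
            })
    return campaigns


if __name__ == "__main__":
    for c in find_probe_campaigns(SAMPLE_LOG.splitlines()):
        print(f"{len(c['source_ips'])} source IPs walked {c['paths']} between "
              f"{c['first']:%H:%M:%S} and {c['last']:%H:%M:%S} using UA {c['user_agent']!r}")
```

Run against the post's lines it reports one campaign: six distinct addresses, five probe paths, all inside three minutes, one UA string. Keying on the User-Agent rather than the source address is what makes the rotating-IP scanner visible; a per-IP rate limiter or fail2ban jail would see one request per address and never trigger. Because every request here is a 404 against software that is not installed, the script is a way of recognising the noise, not a reason to block anything.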
PostPosted: Thu Sep 19, 2013 1:15 pm 

Joined: Mon Jan 02, 2012 12:45 pm
Posts: 365
They're probing your domain to see what type of install it is. If they can determine the platform they add it to their lists and try the platform specific vulnerabilities.

It may be manually initiated, or the bot that's trying is running down a list of domains for each attempt rather than a list of attempts for each domain (thus the longer than normal times between rapid fire attempts).

There's not much you can do about it. We just ignore these types of things (though I used to redirect the attempts to a domain on a $5 GD hosting account that used a lot of PHP sleep() statements).


PostPosted: Thu Sep 19, 2013 1:36 pm 

Joined: Sat May 03, 2008 4:01 pm
Posts: 569
Website: http://www.mattnordhoff.com/
fierydragonlord wrote:
... traceroute returns results consistent with Tor (they often end with "* * *") ...

What does "* * *" have to do with Tor? Lots of people configure their firewalls to block traceroute packets.

_________________
Matt Nordhoff (aka Peng on IRC)


PostPosted: Thu Sep 19, 2013 1:50 pm 

Joined: Wed Sep 11, 2013 10:45 am
Posts: 28
Website: http://www.fierydragonlord.com
I must have misunderstood the traceroute output.

How else can I interpret this output?

Example:

Code:
dragonlord@li650-40:~> /usr/sbin/traceroute 95.133.189.245
traceroute to 95.133.189.245 (95.133.189.245), 30 hops max, 40 byte packets using UDP
 1  router2-nac.linode.com (207.99.1.14)  0.877 ms   0.518 ms   0.654 ms
 2  207.99.53.45 (207.99.53.45)  0.917 ms   1.302 ms   0.780 ms
 3  vlan803.tbr1.mmu.nac.net (209.123.10.29)  0.425 ms   0.291 ms   0.969 ms
 4  0.e1-1.tbr1.tl9.nac.net (209.123.10.102)  1.322 ms   1.330 ms 0.e1-3.tbr2.mmu.nac.net (209.123.10.26)  9.077 ms
 5  0.e1-1.tbr2.tl9.nac.net (209.123.10.78)  1.412 ms 0.e1-3.tbr2.tl9.nac.net (209.123.10.74)  1.375 ms 0.e1-1.tbr2.tl9.nac.net (209.123.10.78)  1.473 ms
 6  xe-11-1-3.edge8.NewYork1.Level3.net (4.31.30.37)  1.658 ms   1.716 ms   1.667 ms
 7  vlan60.csw1.NewYork1.Level3.net (4.69.155.62)  105.134 ms   104.985 ms vlan90.csw4.NewYork1.Level3.net (4.69.155.254)  104.644 ms
 8  ae-61-61.ebr1.NewYork1.Level3.net (4.69.134.65)  108.840 ms ae-91-91.ebr1.NewYork1.Level3.net (4.69.134.77)  111.870 ms ae-71-71.ebr1.NewYork1.Level3.net (4.69.134.69)  106.655 ms
 9  ae-42-42.ebr2.London1.Level3.net (4.69.137.69)  105.719 ms ae-44-44.ebr2.London1.Level3.net (4.69.137.77)  104.516 ms   107.314 ms
10  ae-24-24.ebr2.Frankfurt1.Level3.net (4.69.148.198)  106.136 ms ae-23-23.ebr2.Frankfurt1.Level3.net (4.69.148.194)  104.827 ms ae-22-22.ebr2.Frankfurt1.Level3.net (4.69.148.190)  103.694 ms
11  ae-82-82.csw3.Frankfurt1.Level3.net (4.69.140.26)  104.666 ms ae-72-72.csw2.Frankfurt1.Level3.net (4.69.140.22)  113.773 ms   112.361 ms
12  ae-93-93.ebr3.Frankfurt1.Level3.net (4.69.163.13)  111.045 ms ae-83-83.ebr3.Frankfurt1.Level3.net (4.69.163.9)  109.847 ms ae-93-93.ebr3.Frankfurt1.Level3.net (4.69.163.13)  108.642 ms
13  ae-1-12.bar1.Budapest1.Level3.net (4.69.141.249)  115.808 ms *   104.096 ms
14  ae-0-11.bar2.Budapest1.Level3.net (4.69.141.242)  104.793 ms   104.527 ms   103.912 ms
15  dialup-212.162.26.158.frankfurt1.mik.net (212.162.26.158)  120.481 ms dialup-212.162.26.150.frankfurt1.mik.net (212.162.26.150)  123.432 ms   121.789 ms
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *


--DragonLord

_________________
House of DragonLord, powered by openSUSE


PostPosted: Thu Sep 19, 2013 2:08 pm 

Joined: Sun May 23, 2010 1:57 pm
Posts: 315
Website: http://www.jebblue.net
I always thought it meant blocked by a firewall, or I assumed that. :) What we need is X-Ray traceroute!


PostPosted: Thu Sep 19, 2013 2:59 pm 

Joined: Wed Sep 11, 2013 10:45 am
Posts: 28
Website: http://www.fierydragonlord.com
I have no immediate plans to install a CMS on this server, but how should I respond to these probes/attacks? Are they something to worry about? (openSUSE 12.3, with all packages up to date.)

--DragonLord

_________________
House of DragonLord, powered by openSUSE


PostPosted: Thu Sep 19, 2013 3:29 pm 

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
fierydragonlord wrote:
but how should I respond to these probes/attacks?

It's normal internet noise, ignore it.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


PostPosted: Fri Sep 27, 2013 12:49 am 

Joined: Wed Jun 26, 2013 1:53 am
Posts: 118
vonskippy wrote:
fierydragonlord wrote:
but how should I respond to these probes/attacks?

It's normal internet noise, ignore it.


Make sure you have good security. Bad guys are going to probe for attacks, but just make sure they can't get one. The probing is going to happen.

_________________
Homepage www.sturmkrieg.com
Social network Gamernet
Development website Sashaweb Development
Imageboard img.sturmkrieg.com
WikiHub free wiki host Community Wiki


Powered by phpBB® Forum Software © phpBB Group