Hawaiʻi's Technology Community


It's instructive to watch the various malicious bots troll through your server looking for vulnerabilities.  Woe betide you if they find one!  Even has been hacked.  Prior to that, at the beginning of this year, a significant number of standalone WordPress installations were hacked when their owners did not update to the newest security release.

Here's how you can recognize a malicious bot.  If you are using cPanel, go to "Error Log".  You'll see a whole list of page fetch errors (this is a good way to see any mistakes or broken links in your code too).  But if you see something like:

[Tue Apr 05 20:24:48 2011] [error] [client] File does not exist: /home/[your account]/public_html/[domain_name]/websql
[Tue Apr 05 20:24:47 2011] [error] [client] File does not exist: /home/[your account]/public_html/[domain_name]/admin
[Tue Apr 05 20:24:46 2011] [error] [client] File does not exist: /home/[your account]/public_html/[domain_name]/dbadmin
[Tue Apr 05 20:24:44 2011] [error] [client] File does not exist: /home/[your account]/public_html/[domain_name]/lists


then you have a malicious bot trolling your domain.


How did I recognize this as a malicious bot?   Look at the files it is trying to access:  lists, dbadmin, admin, websql. They're nothing I uploaded to the server, and they all look suspiciously like paths to either phplist or my database front end.
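The same check can be run over a downloaded copy of the error log. This is an added example, not code from the original post; it assumes the Apache 2.2 `[client <ip>]` field that is blanked in the excerpt above, and the extra probe names, the 3-hit threshold and the 60-second window are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.2-style error-log line, as in the post (client IP assumed present).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
    r"File does not exist: (?P<path>\S+)"
)
# Final path segments typical of admin or database front ends.
# The first four come from the post; the rest are assumptions.
PROBE_NAMES = {"websql", "admin", "dbadmin", "lists", "phpmyadmin", "pma", "mysql"}

def find_probers(lines, min_hits=3, window=timedelta(seconds=60)):
    """Return {ip: sorted probe names} for clients that requested at least
    min_hits distinct nonexistent probe paths within one time window."""
    hits = defaultdict(list)  # ip -> [(timestamp, probe name)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a "File does not exist" entry
        name = m["path"].rstrip("/").rsplit("/", 1)[-1].lower()
        if name in PROBE_NAMES:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            hits[m["ip"]].append((ts, name))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= min_hits:
                flagged[ip] = sorted(names)
                break
    return flagged

# Constructed sample: account, domain and addresses are placeholders.
SAMPLE_LOG = """\
[Tue Apr 05 20:24:48 2011] [error] [client 203.0.113.7] File does not exist: /home/acct/public_html/example.com/websql
[Tue Apr 05 20:24:47 2011] [error] [client 203.0.113.7] File does not exist: /home/acct/public_html/example.com/admin
[Tue Apr 05 20:24:46 2011] [error] [client 203.0.113.7] File does not exist: /home/acct/public_html/example.com/dbadmin
[Tue Apr 05 20:24:44 2011] [error] [client 203.0.113.7] File does not exist: /home/acct/public_html/example.com/lists
[Tue Apr 05 20:30:02 2011] [error] [client 198.51.100.20] File does not exist: /home/acct/public_html/example.com/old-page.html
[Tue Apr 05 20:31:10 2011] [error] [client 198.51.100.20] File does not exist: /home/acct/public_html/example.com/admin
""".splitlines()

if __name__ == "__main__":
    for ip, names in find_probers(SAMPLE_LOG).items():
        print(f"Deny from {ip}   # probed: {', '.join(names)}")
```

A visitor who hits one broken link, or a single admin path, stays below the threshold and is not flagged.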


What to do if you find a malicious bot?

I block the IP (again, from your cPanel "IP Block"). 


Since I control several servers, I find it interesting to see the same IP wandering across servers to different addon domains, looking for vulnerabilities.  Once I identify one bad IP, I block it on all the servers. 


The nice thing about cPanel's IP Block is that it edits the .htaccess file of each of your addon domains to add a Deny from rule for that IP.  If you have a lot of addon domains, this is much easier than going into each domain one at a time and editing the .htaccess file.


Happy hunting!


Comment by Brian on May 11, 2011 at 6:12pm
A moderately sophisticated attacker will be using enough IP ranges that this alone will not be effective.
Comment by Marcus Sortijas on May 3, 2011 at 7:55am
Thanks for that tip on "Password Protect Directories."  I think using cPanel for security is a good idea.  With plugins, you don't know how they're changing the code.  On a more mundane level, plugins often stop being actively developed.  Meanwhile, hackers never rest.
Comment by Karen Chun on May 3, 2011 at 7:39am

Thanks for the kind words, Marcus.  Another thing I do when I have a single individual using WordPress (this does NOT work for BuddyPress or any multiuser installation) is to use "Password Protect Directories" from cPanel to make the entire wp-admin directory off-limits.

It means that the wp-admin user has to enter 2 sets of user-pw (usually I make them the same) but it ensures that if another WordPress vulnerability is found, that installation can't be hacked anyway.

That last vulnerability (at the beginning of the year) wasn't discovered and corrected until after many, many WordPress installations were hacked, so this has become routine for me when I install single-user WordPress.

Comment by Marcus Sortijas on May 2, 2011 at 2:50pm
Karen, thanks for writing this!  I've been concerned about security; I build WordPress websites.  I'm cautious of using security plugins or editing code, because I don't want to mess anything up.  Your method of using cPanel to find and block suspicious IP addresses looks like a safer route to take.

