---
title: "Top 7 Attacks to My Website"
date: 2023-05-17T23:19:22-04:00
draft: false
tags: []
math: false
medium_enabled: false
---

Running a public server on the Internet means that it's bound to get attacked by automated scripts. Since I [run analytics on my website](https://brandonrozek.com/blog/goaccess/), I'm able to see the 404s. In other words, this list is the top requests to my website that fail.

1. `/wp-login.php`

This is the login page of a WordPress website. Since this blog engine powers 43% of the Internet, it's not surprising that this is a common target. Sadly for the bots, I don't run this website using WordPress.

2. `xmlrpc.php`

This one I hadn't heard of before looking it up. I know XML is a data format, and RPC means remote procedure call, but what is the attacker trying to exploit? [Again, it's WordPress](https://codex.wordpress.org/XML-RPC_Support). It seems that this is an API endpoint that WordPress exposes to connect with mobile devices, provide pingbacks, and so on.

3. `/api/v1/instance`

Through the power of search, this seems to be an [API call to Mastodon](https://docs.joinmastodon.org/methods/instance/#v1)! It specifically grabs generic information about the instance such as the number of users, number of statuses, restrictions, etc. I've considered at some point running a Mastodon instance, but maybe it's better to leave it to the pros :)

4. `/.env`

It seems that the JavaScript community likes using a `.env` file to keep environment variables that hold the secrets of your application. Yikes! Make sure that your web server blocks requests for this file if you have one!

5. `/inbox`

Given #3, I feel like this is ActivityPub related. Though looking at how [actors are usually structured](https://www.w3.org/TR/activitypub/), it's generally `/username/inbox`. Maybe it's related to email servers instead? I'm unsure.

6. `/status.php`

I'm not sure what this is. It doesn't seem to be WordPress related. Maybe the attacker is hoping to get the output of `phpinfo()` from those "getting started with PHP" tutorials?

James Oswald suggests that perhaps it's the [firewall status page in pfSense](https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/status.php).

7. `/.git/config`

I can see a situation where someone has a git repository of their website on the server itself and pushes to it. Personally, I rsync the generated HTML files. Generally the config will contain the URLs of remote repositories and other settings. I'm not entirely sure what's sensitive, but maybe someone can let me know.

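Since this list comes from tallying failed requests in the access log, here is an added example (not from the original post) that does that tally over a few constructed combined-format log lines: it keeps the 404s, counts paths, and labels the ones matching the seven patterns above. The sample lines, the `KNOWN_PROBES` labels and the function names are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in nginx/Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [17/May/2023:23:10:01 -0400] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [17/May/2023:23:10:02 -0400] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [17/May/2023:23:11:30 -0400] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.28"
198.51.100.9 - - [17/May/2023:23:11:31 -0400] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.28"
192.0.2.44 - - [17/May/2023:23:12:00 -0400] "GET /blog/goaccess/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
192.0.2.44 - - [17/May/2023:23:12:05 -0400] "GET /api/v1/instance HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [17/May/2023:23:13:00 -0400] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The seven paths from the post, keyed by what each one probes for (labels are ours).
KNOWN_PROBES = {
    "/wp-login.php": "WordPress login",
    "/xmlrpc.php": "WordPress XML-RPC",
    "/api/v1/instance": "Mastodon instance info",
    "/.env": "dotenv secrets file",
    "/inbox": "ActivityPub inbox (guess)",
    "/status.php": "status page (pfSense?)",
    "/.git/config": "exposed git repository",
}

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def top_404_paths(log_text, n=7):
    """Count 404 responses by path (query string stripped) and return the n most common."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "404":
            counts[rec["path"].split("?", 1)[0]] += 1
    return counts.most_common(n)

def label_probes(top_paths):
    """Attach the post's explanation to each path, 'unknown' for anything not in the list."""
    return [(path, hits, KNOWN_PROBES.get(path, "unknown")) for path, hits in top_paths]
```

Feed it a real access log instead of `SAMPLE_LOG` and the `unknown` rows are the patterns worth looking up next.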
---

There you have it! The top automated attacks made against my website. If you have any additional information on any of these URL patterns, please get in touch. I'm curious what these bots are trying to do with the response to each of these queries.