I was reviewing the logs on our origin server and I can see the following requests made:
Image removed due to sensitive information.
Our server is running Node.js, so I assume these requests are some sort of probing attempt.
Should I just ignore these, as they really don't do any damage, or should I block them? If I block them, should I just block the IP address, or should I perhaps block all requests which have .php in the URL?
Besides blocking requests not coming from Cloudflare, as @MarkMeyer suggested, you may also consider blocking with a Firewall Rule any request that includes .php in the URI path.
Even though they would only result in 404s, you would save in bandwidth and server time. And though these requests may be only a few now, you never know when they may grow to a large number.
Whatever you decide, you may want to edit and re-upload the image in your OP, to somehow blur or redact the IP address of your server. (This, by the way, is probably why Mark knew it was not a connection made via Cloudflare, as CF will only request via domain name.)
That's what is confusing me. That is not our IP address. At least it's not any public IP that I can see under our EC2 instance list. I am going to get our Ops folks to look into this further.
@cbrandt As per your advice I have created a rule to block any requests with index.php in the request. I guess I should consider reducing that to just .php
Thanks again and feel free to let me know if you have any other thoughts.
Assuming your site and any server services such as cron do not request PHP over the internet, I believe this would be a good move. You should test as soon as you implement the rule to see if everything works fine in your site.
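
As an added example (not part of the thread and not any poster's code), here are the two checks discussed above written for a Node.js origin: drop requests that do not arrive from the proxy's address ranges, then drop any request whose URI path contains .php. The helper names are hypothetical, the CIDR list is a sample subset to be replaced with the ranges Cloudflare currently publishes, and it assumes IPv4 and that `remoteIp` is the TCP peer address.

```javascript
// Added example; helper names are hypothetical and sample data is constructed.
// Sample subset only: load the ranges Cloudflare currently publishes in production.
const ALLOWED_CIDRS = ["173.245.48.0/20", "103.21.244.0/22"];

// Convert dotted IPv4 to an unsigned 32-bit number, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip falls inside cidr (compares the network part of both addresses).
function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const ipN = ipv4ToInt(ip), baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null) return false;
  const size = 2 ** (32 - Number(bits));
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

// True when the decoded, lower-cased path (query string excluded) contains ".php".
function pathHasPhp(rawUrl) {
  const rawPath = rawUrl.split("?")[0].split("#")[0];
  let path;
  try { path = decodeURIComponent(rawPath); } catch { path = rawPath; }
  return path.toLowerCase().includes(".php");
}

// Decide what to do with one request: origin check first, then the path check.
function classify(remoteIp, rawUrl, cidrs = ALLOWED_CIDRS) {
  if (!cidrs.some((c) => inCidr(remoteIp, c))) return "drop:not-from-proxy";
  if (pathHasPhp(rawUrl)) return "drop:php-path";
  return "allow";
}

// Constructed sample requests (203.0.113.0/24 is a documentation range).
const samples = [
  ["203.0.113.9", "/index.php"], ["173.245.48.10", "/wp-login.php"],
  ["173.245.48.10", "/INDEX.PHP?x=1"], ["173.245.48.10", "/admin%2Ephp"],
  ["173.245.48.10", "/search?q=file.php"], ["173.245.48.10", "/api/users"],
];
for (const [ip, url] of samples) console.log(ip, url, classify(ip, url));
```

A rule that matches only `index.php` would let `/wp-login.php` through, and matching on the raw URL instead of the path would block `/search?q=file.php`, which is why the check runs on the decoded path alone.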