Admin Hack attempts


#1

I’m not sure if there’s much to do, but our Papertrail is showing a spike in attempts to get into our app. Has anyone else seen a spike in requests like these (log output below):

/admin/jsi18n/ 200 2492 0.002
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:19] INFO app.request /sql/phpmy-admin/ 400 26 0.000
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:19] INFO app.request /sql/sql/ 400 26 0.000
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:20] INFO app.request /sql/myadmin/ 400 26 0.000
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:20] INFO app.request /sql/webadmin/ 400 26 0.000
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:20] INFO app.request /sql/sqlweb/ 400 26 0.000
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:20] INFO app.request /sql/websql/ 400 26 0.000
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:20] INFO app.request /sql/webdb/ 400 26 0.000
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:21] INFO app.request /sql/sqladmin/ 400 26 0.000
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:21] INFO app.request /sql/sql-admin/ 400 26 0.000
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:21] INFO app.request /sql/phpmyadmin2/ 400 26 0.000
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:21] INFO app.request /sql/phpMyAdmin2/ 400 26 0.000
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:21] INFO app.request /sql/phpMyAdmin/ 400 26 0.000
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:22] INFO app.request /db/myadmin/ 400 26 0.000


#2

This is very common for web apps. We have a support article here that explains a bit more: https://www.aptible.com/documentation/enclave/troubleshooting/unexpected-requests.html

Usually this is unauthenticated traffic and is just looking around for routes that don’t exist. If you think you’re being specifically targeted, let me know and we can discuss options, like IP whitelisting or a WAF.
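The route-enumeration pattern both posts describe can be picked out of the logs mechanically. The following is an added example, not code from the thread or from Aptible: it parses the app.request line format shown above and flags any minute in which many distinct paths were all answered with a 4xx, which is what a scanner walking a list of admin-panel names looks like. The sample lines are constructed in that format, and the per-minute bucket and the threshold of five distinct paths are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the same Papertrail/app.request shape as the post (not the real log).
SAMPLE_LOG = """\
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:19] INFO app.request /sql/phpmy-admin/ 400 26 0.000
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:19] INFO app.request /sql/sql/ 400 26 0.000
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:20] INFO app.request /sql/myadmin/ 400 26 0.000
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:20] INFO app.request /sql/webadmin/ 400 26 0.000
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:21] INFO app.request /sql/phpMyAdmin/ 400 26 0.000
Aug 01 10:41:25 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:41:22] INFO app.request /db/myadmin/ 400 26 0.000
Aug 01 10:45:02 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:45:01] INFO app.request /admin/login/ 200 2492 0.002
Aug 01 10:45:09 ad68de8a8bf5 nhc-prod-web: [01/Aug/2017 10:45:08] INFO app.request /api/health/ 200 15 0.001
"""

# syslog prefix, host, program, [app timestamp], level, logger, path, status, bytes, seconds
LINE_RE = re.compile(
    r"^\w{3} \d{2} [\d:]{8} (?P<host>\S+) (?P<program>\S+): "
    r"\[(?P<ts>[^\]]+)\] (?P<level>\w+) app\.request (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<secs>[\d.]+)$"
)

def parse_line(line):
    """Return a dict for one app.request line, or None if the line does not match
    (truncated lines such as the first one in the post are skipped, not guessed)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y %H:%M:%S")
    rec["status"] = int(rec["status"])
    return rec

def find_probe_bursts(lines, min_distinct_paths=5):
    """Bucket 4xx responses by minute and return the minutes in which at least
    min_distinct_paths different paths were requested: route enumeration, not a real user."""
    by_minute = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec and 400 <= rec["status"] < 500:
            by_minute[rec["ts"].replace(second=0)].add(rec["path"])
    return {minute: sorted(paths) for minute, paths in by_minute.items()
            if len(paths) >= min_distinct_paths}

if __name__ == "__main__":
    for minute, paths in sorted(find_probe_bursts(SAMPLE_LOG.splitlines()).items()):
        print(f"{minute:%Y-%m-%d %H:%M}: {len(paths)} distinct 4xx paths, e.g. {paths[:3]}")
```

A burst with no authenticated activity around it matches the "just looking around for routes that don't exist" case from the reply; the same output is a useful starting point if you do decide to ask about IP whitelisting or a WAF.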