Below is my apache error.log entry.
Seams someone was scaning my domain looking for specific programs installed. The search for modules makes me think he/she was looking for a XOOPS installation.
Is there a server script which looks for errors like this and then bans the IP server wide on all domains?

Thanks

[Wed Feb 08 01:13:25 2006] [error] [client 80.171.105.97] File does not exist: /var/www/awstats
[Wed Feb 08 01:13:29 2006] [error] [client 80.171.105.97] script not found or unable to stat: /usr/lib$
[Wed Feb 08 01:13:31 2006] [error] [client 80.171.105.97] script not found or unable to stat: /usr/lib$
[Wed Feb 08 01:13:33 2006] [error] [client 80.171.105.97] script '/var/www/xmlrpc.php' not found or un$
[Wed Feb 08 01:13:35 2006] [error] [client 80.171.105.97] File does not exist: /var/www/modules
[Wed Feb 08 01:13:37 2006] [error] [client 80.171.105.97] File does not exist: /var/www/blog
[Wed Feb 08 01:13:38 2006] [error] [client 80.171.105.97] File does not exist: /var/www/blogs
[Wed Feb 08 01:13:40 2006] [error] [client 80.171.105.97] File does not exist: /var/www/drupal
[Wed Feb 08 01:13:42 2006] [error] [client 80.171.105.97] File does not exist: /var/www/phpgroupware
[Wed Feb 08 01:13:43 2006] [error] [client 80.171.105.97] File does not exist: /var/www/wordpress
[Wed Feb 08 01:13:44 2006] [error] [client 80.171.105.97] script '/var/www/xmlrpc.php' not found or un$
[Wed Feb 08 01:13:46 2006] [error] [client 80.171.105.97] File does not exist: /var/www/xmlrpc
[Wed Feb 08 01:13:48 2006] [error] [client 80.171.105.97] File does not exist: /var/www/xmlsrv

I see it's looking for drupal, wordpress, etc, and the xmlrpc files. These are not 'modules' as in XOOPS modules, but specific scripts, *like* XOOPS. And the xmlrpc in XOOPS is safe (as is Wordpress, for all I know). So I don't see where it is looking for anything XOOPS related or specific.

As for a script that bans all IPs that request a file that doesn't exists serverwide, that would be too much of a good thing, IMHO.

Herko

I tought that it might be looking for XOOPS because it is looking for a modules directory.
See 5th line:
File does not exist: /var/www/modules

As for server wide IP ban.
How hard can that be?
All it needs is a script that detacts an atack by checking the logfile and then adds the line:

Deny 80.171.105.97

to the apache2.conf file

There is got to be something that does that. If not it is about time someone would look in to this basic but efective solution.

I found this but I am not a member at experts-exchange.
I didn't pay because it seam to be a manual enter/edit solution which I already know how to do. Just guessing.
http://www.experts-exchange.com/Web/Web_Servers/Apache/Q_21137152.html

but what classifies as an attack? All 404 codes? You could add it to a custom 404 page, if you *really* wanted. But these aren't attacks, these are requests to files that aren't there, that's all.

Herko

Yes but there is many of them and they are only one or two second apart.

It doesn't seam to stop here is another one:

[Wed Feb 08 10:37:40 2006] [error] [client 67.19.117.138] script '/var/www/thisdoesnotexistahaha.php' $
[Wed Feb 08 10:37:40 2006] [error] [client 67.19.117.138] File does not exist: /var/www/mambo
[Wed Feb 08 10:37:40 2006] [error] [client 67.19.117.138] File does not exist: /var/www/mambo
[Wed Feb 08 10:37:40 2006] [error] [client 67.19.117.138] script '/var/www/index2.php' not found or un$
[Wed Feb 08 10:37:40 2006] [error] [client 67.19.117.138] script '/var/www/index.php' not found or una$
[Wed Feb 08 10:37:40 2006] [error] [client 67.19.117.138] File does not exist: /var/www/cvs
[Wed Feb 08 10:37:41 2006] [error] [client 67.19.117.138] File does not exist: /var/www/cvs
[Wed Feb 08 10:37:41 2006] [error] [client 67.19.117.138] File does not exist: /var/www/modules
[Wed Feb 08 10:37:41 2006] [error] [client 67.19.117.138] script not found or unable to stat: /usr/lib$
[Wed Feb 08 10:37:41 2006] [error] [client 67.19.117.138] File does not exist: /var/www/scgi-bin
[Wed Feb 08 10:37:42 2006] [error] [client 67.19.117.138] File does not exist: /var/www/awstats
[Wed Feb 08 10:37:42 2006] [error] [client 67.19.117.138] script not found or unable to stat: /usr/lib$
[Wed Feb 08 10:37:42 2006] [error] [client 67.19.117.138] File does not exist: /var/www/scgi-bin
[Wed Feb 08 10:37:42 2006] [error] [client 67.19.117.138] File does not exist: /var/www/cgi
[Wed Feb 08 10:37:42 2006] [error] [client 67.19.117.138] File does not exist: /var/www/scgi
[Wed Feb 08 10:37:42 2006] [error] [client 67.19.117.138] File does not exist: /var/www/modules
[Wed Feb 08 10:37:42 2006] [error] [client 67.19.117.138] script not found or unable to stat: /usr/lib$
[Wed Feb 08 10:37:42 2006] [error] [client 67.19.117.138] File does not exist: /var/www/scgi-bin
[Wed Feb 08 10:37:43 2006] [error] [client 67.19.117.138] script not found or unable to stat: /usr/lib$
[Wed Feb 08 10:37:43 2006] [error] [client 67.19.117.138] File does not exist: /var/www/scgi-bin
[Wed Feb 08 10:37:43 2006] [error] [client 67.19.117.138] File does not exist: /var/www/stats
[Wed Feb 08 10:37:43 2006] [error] [client 67.19.117.138] File does not exist: /var/www/blog
[Wed Feb 08 10:37:43 2006] [error] [client 67.19.117.138] File does not exist: /var/www/blog
[Wed Feb 08 10:37:43 2006] [error] [client 67.19.117.138] File does not exist: /var/www/blogs
[Wed Feb 08 10:37:43 2006] [error] [client 67.19.117.138] File does not exist: /var/www/drupal
[Wed Feb 08 10:37:43 2006] [error] [client 67.19.117.138] File does not exist: /var/www/phpgroupware

My XOOPS is installed in a subfolder. I wonder if that helps.