Drive-by SQL scrapers

[Teapot]

Just a heads-up – we're currently getting brute-forced by some script kiddies who are trying to get access to our forum any way they can. We're reasonably safe, but I wanted to flag this for anyone else: they're trying to scrape SQL files in our root directory.

[Wed Feb 17 13:27:38.442985 2016] [authz_core:error] [pid 29389] [client 5.167.237.144:57051] AH01630: client denied by server configuration: /home/www/public_html/mysql.sql
[Wed Feb 17 13:27:38.231858 2016] [authz_core:error] [pid 24983] [client 5.167.237.144:57037] AH01630: client denied by server configuration: /home/www/public_html/pokecharms.sql
[Wed Feb 17 13:27:38.028384 2016] [authz_core:error] [pid 26746] [client 5.167.237.144:57030] AH01630: client denied by server configuration: /home/www/public_html/pokecharms.com.sql
[Wed Feb 17 13:27:37.882496 2016] [authz_core:error] [pid 28630] [client 5.167.237.144:57024] AH01630: client denied by server configuration: /home/www/public_html/backup.sql
[Wed Feb 17 13:27:37.882489 2016] [authz_core:error] [pid 29605] [client 5.167.237.144:57020] AH01630: client denied by server configuration: /home/www/public_html/base.sql
[Wed Feb 17 13:27:37.317718 2016] [authz_core:error] [pid 29605] [client 5.167.237.144:57010] AH01630: client denied by server configuration: /home/www/public_html/sql.sql
[Wed Feb 17 13:27:37.236933 2016] [authz_core:error] [pid 29260] [client 5.167.237.144:57008] AH01630: client denied by server configuration: /home/www/public_html/dump.sql

So, if you're unwise enough to leave a backup SQL anywhere publicly-accessible, get rid of it immediately. Seriously.

 

[REP13]

Just a heads-up – we're currently getting brute-forced by some script kiddies who are trying to get access to our forum any way they can. We're reasonably safe, but I wanted to flag this for anyone else: they're trying to scrape SQL files in our root directory.

[Wed Feb 17 13:27:38.442985 2016] [authz_core:error] [pid 29389] [client 5.167.237.144:57051] AH01630: client denied by server configuration: /home/www/public_html/mysql.sql
[Wed Feb 17 13:27:38.231858 2016] [authz_core:error] [pid 24983] [client 5.167.237.144:57037] AH01630: client denied by server configuration: /home/www/public_html/pokecharms.sql
[Wed Feb 17 13:27:38.028384 2016] [authz_core:error] [pid 26746] [client 5.167.237.144:57030] AH01630: client denied by server configuration: /home/www/public_html/pokecharms.com.sql
[Wed Feb 17 13:27:37.882496 2016] [authz_core:error] [pid 28630] [client 5.167.237.144:57024] AH01630: client denied by server configuration: /home/www/public_html/backup.sql
[Wed Feb 17 13:27:37.882489 2016] [authz_core:error] [pid 29605] [client 5.167.237.144:57020] AH01630: client denied by server configuration: /home/www/public_html/base.sql
[Wed Feb 17 13:27:37.317718 2016] [authz_core:error] [pid 29605] [client 5.167.237.144:57010] AH01630: client denied by server configuration: /home/www/public_html/sql.sql
[Wed Feb 17 13:27:37.236933 2016] [authz_core:error] [pid 29260] [client 5.167.237.144:57008] AH01630: client denied by server configuration: /home/www/public_html/dump.sql

So, if you're unwise enough to leave a backup SQL anywhere publicly-accessible, get rid of it immediately. Seriously.

HI there , i need to know what can i do about this problem because I'm on the same situation but with many Ip adress .

 

[M@rc]

HI there , i need to know what can i do about this problem because I'm on the same situation but with many Ip adress .

Don't leave any backups accessible to the public.

 

[Lucandi]

Hi, how do you see that if someone tries to get into the forum?

 

[Lucandi]

Don't leave any backups accessible to the public.

Why would he do that?

 

[Chromaniac]

I noticed this after installing the fantastic Custom 404 Page by Siropu addon. I just redirect these links to a 10GB speedtest download file link.

Why would he do that?

I actually used to keep a copy of backup on public folder back when I was a novice. And it used to be usually in a format these scripts target. It was just faster to download these using a download manager than using a FTP client. I can totally see that this is more common than one might expect which explains why these scripts exist in the first place. I have seen so many combinations of file names that are targeted. It's crazy. They also go after potential wordpress installations and a few other software which I couldn't recognize.

 

[dknife]

I just redirect these links to a 10GB speedtest download file link.

haha that's awesome. Great idea.