Top 7 Attacks to My Website
Published on
Updated on
2 minute reading time
Running a public server on the Internet means that it’s bound to get attacked by automated scripts. Since I run analytics on my website, I’m able to see 404s. In other words, this list constitutes the top requests to my website that fail.
/wp-login.php
This is the login page of a Wordpress website. Since this blog engine powers 43% of the Internet, it’s not surprising that this is a common target. Sadly for the bots, I don’t run this website using Wordpress.
xmlrpc.php
This one I haven’t heard of before until looking it up. I know XML is a data format, and RPC means remote procedure call, but what is the attacker trying to exploit? Again it’s Wordpress. It seems that this is some API gateway that Wordpress provides to connect with mobile devices, provide pingbacks, and others.
/api/v1/instance
Through the power of search this seems to be a API call to Mastodon! This specifically grabs generic information about the instance such as the number of users, number of statuses, restrictions, etc. I’ve considered at some point running a Mastodon instance, but maybe it’s better to leave it to the pros :)
/.env
It seems that the Javascript community likes using a .env
file to keep environmental variables that hold the secrets of your application. Yikes! Make sure that you’re blocking this if you have it!
/inbox
Given #3, I feel like this is ActivityPub related. Though looking at how the actors are usually structured it’s generally /username/inbox
. Maybe it’s related to email servers instead? I’m unsure.
/status.php
I’m not sure what this is. Doesn’t seem to be Wordpress related. Maybe the attacker is hoping to get the output of phpinfo()
in those “getting started with PHP” tutorials?
James Oswald suggests that perhaps it’s the firewall status page in pfsense.
/.git/config
I can see a situation where someone has a git repository of their website on the server itself and they push to it. Personally, I rsync the generated HTML files. Generally the config will contain the URLs of remote repositories and other settings. Not entirely sure what’s sensitive, but maybe someone can let me know.
There you have it! The top automated attacks made to my website. If you have any additional information on any of these URL patterns please get in touch. I am curious what these bots are trying to do with the response of each of these queries.