Error messages again

[DigNap15]

Hello, I have asked on here about error messages

Here is one I get a lot.
I have a Xenforo forum and a hand coded website attached to it.
Does the wp-admin refer to Word Press? If so its annoying as I do nto have Word Press at all
What I would really like to know is do you think the person is a search engine, or a person looking or a site to scam or spam?

2020-05-20 13:40:50 UTC [apache][core:info] [pid 14664] [client 107.180.91.27:56290] AH00128: File does not exist: /home/u1-tp4zr2haryf8/www/nzissues.com/public_html/site/wp-admin/setup-config.php

I get lots of these every day, and it is very annoying as I cannot study any serious error messages.

 

[zappaDPJ]

At this point in time I would be concerned. You say you don't have WordPress installed and yet the files or at least some of the files for it clearly exist.

The file in question is the used to setup WordPress. If that file exists and WordPress is not setup, I believe your server is vulnerable to attack. I'm not an expert and I'm open to being proved wrong but I would strongly recommend examining your server files with an FTP client or via cPanel or something similar.

I'm not trying to alarm you but at the very least you have an error message which suggests something is amiss.

 

[DigNap15]

At this point in time I would be concerned. You say you don't have WordPress installed and yet the files or at least some of the files for it clearly exist.

The file in question is the used to setup WordPress. If that file exists and WordPress is not setup, I believe your server is vulnerable to attack. I'm not an expert and I'm open to being proved wrong but I would strongly recommend examining your server files with an FTP client or via cPanel or something similar.

I'm not trying to alarm you but at the very least you have an error message which suggests something is amiss.

Yes I get hundreds of error messages which appear to reference Word Press.
As I said, I don't have it, and I don't want it.

Like many web hosts, my host Siteground does seem to specailise in Word Press. So maybe they insatlled parts of it without me knowing.
I'll see if I can have a look via FTP (but I have no idea what to look for, and I will ask them.)

 

[PoetJC]

I'm not an expert and I'm open to being proved wrong but I would strongly recommend examining your server files with an FTP client or via cPanel or something similar.

I'm not trying to alarm you but at the very least you have an error message which suggests something is amiss.

Co-signed. And secondly = I'm no back-end server admin...
But if they have not installed WP to their server as far as they can recollect ==> There's no way they should receive such an error message.
Examine your directory structure!!! And secure your server with new username/passwords if possible. This sounds suspect. Examine your databases.
DigNap15 You mentioned "hand coded website attached" ... Are you sure that that's not a WordPress install? Perhaps one of your XF modifications is one meant to be used with WP, thus the error? IDK.... But this would be quite concerning to me - especially if I had never installed WP to my server...

J.

 

[PoetJC]

mysiteguy may be familiar with such an issue and possible fix...
HTH,

J.

 

[we_are_borg]

Some one is trying to gain access to a Wordpress file as long as you do not have Wordpress installed you are save. If you have Wordpress installed on your site you will need to protect the wp-admin directory with an .htaccess login and password.

Lets read the error line so you know what is happening:
2020-05-20 13:40:50 UTC [apache][core:info] [pid 14664] [client 107.180.91.27:56290] AH00128: File does not exist: /home/u1-tp4zr2haryf8/www/nzissues.com/public_html/site/wp-admin/setup-config.php

First part is date, time and timezone. Then its reported by apache (because its being served by apache like most files) then its ”information“. The pid is the apache running information (equivalent is windows task manager where you see all running applications). The client is the person requesting the file if its the same IP block that IP in your firewall. The file does not exist is the error it self someone is trying to access the following URL http://yourdomain.com/site/wp-admin/setup-config.php The server thinks that should be located at /home/u1-tp4zr2haryf8/www/nzissues.com/public_html/site/wp-admin/setup-config.php

bottomline is that someone is probing your site for a Wordpress install, as long as you do not use Wordpress you are save if you use Wordpress on the site do what i said above protecting it.

 

[DigNap15]

Some one is trying to gain access to a Wordpress file as long as you do not have Wordpress installed you are save. If you have Wordpress installed on your site you will need to protect the wp-admin directory with an .htaccess login and password.

Lets read the error line so you know what is happening:
2020-05-20 13:40:50 UTC [apache][core:info] [pid 14664] [client 107.180.91.27:56290] AH00128: File does not exist: /home/u1-tp4zr2haryf8/www/nzissues.com/public_html/site/wp-admin/setup-config.php

First part is date, time and timezone. Then its reported by apache (because its being served by apache like most files) then its ”information“. The pid is the apache running information (equivalent is windows task manager where you see all running applications). The client is the person requesting the file if its the same IP block that IP in your firewall. The file does not exist is the error it self someone is trying to access the following URL http://yourdomain.com/site/wp-admin/setup-config.php The server thinks that should be located at /home/u1-tp4zr2haryf8/www/nzissues.com/public_html/site/wp-admin/setup-config.php

bottomline is that someone is probing your site for a Wordpress install, as long as you do not use Wordpress you are save if you use Wordpress on the site do what i said above protecting it.

Great
Thanks Borg
That is one of the best replies I have ever had in my life.
You explained everything clearly and in detail!
I have only one query

 

[DigNap15]

HI We_are_Borg
Here is my querry (well 2 actually)
I dont use WordPress (I did five years ago with another webhost), and can't see myself ever using it.
So, as you say, I am safe.
But my poblem is that I want to check my error log for any real errors, and it is full of entries like the one above.
I assume they are bots that have found me via a search engine.
Also they will be using up some of my bandwidth
Some of them look for about 5 or 6 files then go away.
You advise me to block them in my firewall.
I assume you mean in my Siteground webhost where they have a block IP field.
If I do this I will have to do it for about 5 or 10 IP addresses a day.
Do you think it will work in the end, or will there be hundreds or thousands of them coming at me.

 

[Doug Heffernan]

At this point in time I would be concerned. You say you don't have WordPress installed and yet the files or at least some of the files for it clearly exist.

The file in question is the used to setup WordPress. If that file exists and WordPress is not setup, I believe your server is vulnerable to attack. I'm not an expert and I'm open to being proved wrong but I would strongly recommend examining your server files with an FTP client or via cPanel or something similar.

I'm not trying to alarm you but at the very least you have an error message which suggests something is amiss.

You are not wrong at all. Seeing the Op 's error messages, it looks like wp must have been installed at some point. And leaving especially older versions of wp files/folders in ones server space, defenitely poses a big security risk.

DigNap15, what did your host have to say about it?

 

[we_are_borg]

Safe is relative you can always have a security issue but you are on top of your log that is your first defense line. The error log is a different kind of log because everything in it is an error by definition. Only things that are generating errors go in there, that said what you want to get out of that log is real errors that matter for your site. Just like the other topic you made about the images that are issues you want to solve because that matters for your visitors.

Look at the IP address it has a port number after it thats because there most likely using a tool to scan your site. There not only scanning your site but maybe hundreds or even thousands of sites a hour. Your software controle panels should be login and password protected look in FAQ of Siteground how to do this.

A firewall is meant to be used it can handle hundreds of IP addresses in the table without a sweat. What is happening now someone tries to access the file above server needs to look and report a 404 for all of the IP addresses that takes time and resource. If you block in firewall the firewall sees IP address and blocks access so the rest of the request he/she made goes to /dev/null (garbage bin) and nothing else gets done. Also don’t forget by adding them you save resources. Because only x amount of IP addresses bombard you with invalid requests your log will clean up in the weeks after.

 

[Dermot]

2020-05-20 13:40:50 UTC [apache][core:info] [pid 14664] [client 107.180.91.27:56290] AH00128: File does not exist: /home/u1-tp4zr2haryf8/www/nzissues.com/public_html/site/wp-admin/setup-config.php

2020-05-20 13:40:50 UTC - Date, Time, Timezone
[apache] - Processor name
[core:info] - AuthzCore log level
[pid 14664] - Processor ID
[client 107.180.91.27:56290] - Your Server IP and Port (Go-Daddy)
AH00128 - Apache File not Found Error Code
/home/u1-tp4zr2haryf8/www/nzissues.com/public_html/ - Your Server root location (Not known by attacker)
site/wp-admin/setup-config.php - location attacker or bot attempted to access or scan.

You will get a lot of these and depends on your log level, there are many different levels (below) and formats your host may allow you to change them or they may not.

Level	Description
emerg	System is unusable
alert	Action must be taken immediately
crit	Critical conditions
error	Error conditions
warn	Warning conditions
notice	Normal, but significant conditions
info	Informational messages
debug	Debugging messages
trace1 – trace8	Trace messages with gradually increasing levels of detail

 

[mysiteguy]

Stop worrying about this. Word Press security probes happen on every web server, whether or not the server has, or ever has had WordPress.

Its so common that usually, within a few hours (sometimes minutes) of any web server being deployed there are scanners trying to fetch files from it.

In the example you provided, it's from a server hosted by Godaddy. There are many vulnerability scanners people setup to check tens of millions of web sites every day looking for something to hack.

Just keep the software you do have installed up to date, and stop worrying about scanners looking for files you don't have. If you don't have them, then there's nothing to be concerned about.

The time to worry is if you don't keep the software you have up to date, a vulnerability exists, and scanners are hitting your site looking for vulnerable software you do have installed. Also, make sure you have daily backups.

Or, you can use a WAF service like Sucuri or Cloudflare, and let them filter these out (even then some will get through). If you do that, you'll also need to block all incoming http connections except for the WAF.

 

[User37935]

Stop worrying about this. Word Press security probes happen on every web server, whether or not the server has, or ever has had WordPress.

I agree. My site gets hammered by this all the time, I did try blocking IP addresses but found it was too much like whack-a-mole. I would spend the time ensuring you follow best practices as mysiteguy says and to make things secure, which, if you don't actually have WP installed is easy in this case

 

[zappaDPJ]

I'm happy to be proved somewhat off base and hope I didn't cause too much alarm. Although the exploit as I described is valid this appears to be a nothing more than a bot probing and failing to find said exploit.

On the positive side I've learnt how to better interpret error messages thanks particularly to we_are_borg for providing a clear explanation of what actual happened here

 

[we_are_borg]

No problem logs are easy if you can read them and like mysiteguy said do not worry about it. The errors that are important are images that are missing because in 99% of all errors there embedded and called for automatically. There is software on the market that can analyze logs of Apache, nginx etc and show you what’s important to monitor.

 

[DigNap15]

Thanks for all these replies.
There is so much to learn
And so much to try.
No wonder people give up running forums
Do you check your error logs, and if so how often, and how many errors do you get?

 

[we_are_borg]

I check them once in a month or so and even then to see if users would have issues. Think errors in style or missing assets but not looking for errors like you have i don’t have time for that. My server runs fail2ban so anyone trying to access the server control panel or try telnet or SSH with 3 failed attempts the firewall bans the IP address for at least 6 months. The control panels of software require an extra login and pass on .htaccess level as well as 2 factor authentication and the normal login and pass of the software.