I recently noticed that my httpd logs contain a slew of failed accesses to "setup.php". They always seem to arrive in quick succession looking for that file in three or four different locations. As of this posting, I've seen nearly 900 failed accesses coming from 202 unique IP addresses.

(Some of these accesses seem to be coming from Amazon AWS systems. Nice, huh?)

I will likely harvest the IP addresses and add them to the blacklist I use when starting up the firewall and block them for a while.

Anyone else seen this sort of activity lately? It's only been occurring for the past day or so.

--
Rick

All the time. They are always probing.

I guess it's just my turn, then. I don't closely examine the access logs really closely unless I'm debugging web site access or something like that. I've seen weird "misses" before -- usually looking for something in a DOS-like directory (i.e. "\" delimiter instead of "/") -- and I just chuckle at those. ("Yeah... good luck with that on my systems, guy.") These attempted accesses were something I don't recall having seen before.

I'm a little miffed by the probes from systems implemented on Amazon's services. Wonder if it's worth the time fire off an email to report them to Amazon? It's likely to be a violation of their ToS/AUP/whatever.

Anyway, if it keeps up and the number of unique IP addresses stays roughly the same, I'll consider blacklisted them.

Thanks...

--
Rick

No, it's not worth it.