What are these 404 Errors? Hacking attempts?
This page shows the kinds of requests that hackers constantly send in an attempt to exploit well-known website security vulnerabilities. It also provides an example of how you can log them in PHP for later analysis.
What is a 404 Error?
When a "visitor" comes to your site, he or she requests a web page that is specified to belong to your host. If the named page doesn't exist on your site, then your server typically responds with a 404 Page.
On sites such as ImpulseAdventure.com, 404 Errors are tracked and monitored as they reveal information about the type of security hacks / attempts that are being made to the site in addition to genuine linking errors.
Correcting Bad Links
One of the most useful purposes of tracking 404 errors is to identify any mistakes that you've made in your internal web links. It is also possible to identify external web pages that have posted an incorrect link to your site. In these cases, the ideal solution would be to suggest to the original poster that the link needs correcting, but as an alternative, you could consider creating a 301 Redirect page to retain the traffic.
About Security Vulnerabilities
With a wealth of open-source scripts available on the net comes the unfortunate fact that many of these suffer from security vulnerabilities at one point during their development. Hackers are constantly searching for ways that these scripts can be used in an unsafe manner, causing remote code execution, along with many other serious problems.
To help users of these scripts keep up-to-date, security bulletins are constantly being published that identify vulnerable scripts and their flaws. These are intended to encourage webmasters to update their scripts to safer versions. Unfortunately, not every webmaster keeps abreast of these updates, and so they are left with an insecure installation.
To make matters worse, hackers are also always on the lookout for new security bulletins, which they can use to produce attacks against unpatched sites!
The 404 Errors shown below reveal the types of exploits that have been observed on ImpulseAdventure. None of these exploits worked on this site, but the listing should serve as a warning to other site developers as to the type of activity that they will be subjected to.
Spam Fighting
Interested in trying to protect against comment spam?
How to Create a simple Tracking 404 Page
The following short piece of PHP code logs access attempts into a MySQL database (in a table named "error404") that you can later analyze. Some authors ignore the errors completely, while others have the server email them whenever a 404 occurs. Unfortunately, with the huge number of security vulnerability probes performed daily, the email method is not at all practical.
The following script uses a database which allows it to filter out duplicates. Only entries that have a unique combination of landing page (the attempted page name) and referrer page (where they "apparently" came from) are logged.
Create the MySQL Database
The following CREATE statement is used in a MySQL utility such as PHPMyAdmin to generate the initial table you need to track 404 errors.
MySQL Table Creation

```sql
CREATE TABLE `server_tbls`.`error404` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `page` varchar(200) NOT NULL default '',
  `ref` varchar(200) NOT NULL default '',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=1 DEFAULT CHARSET=latin1;
```
Create the 404.php Page
The following is a stripped-down example of how you can create the tracking page for the 404 error. This 404.php file would be placed in the root of your web directory.
Note that the following has no error checking in place, so a full implementation would need to handle database errors, etc. Obviously, this site uses a far more complete version, but the basic idea is similar.
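404.php

```php
<?php
// HOST, USER, PASSWORD and NAME are constants you define for your own database.
// Both values are supplied by the client. Truncate them to the column width
// (varchar(200)) so the duplicate check compares against what is actually stored.
$page = substr($_SERVER['REQUEST_URI'] ?? '', 0, 200);
$ref  = substr($_SERVER['HTTP_REFERER'] ?? '', 0, 200); // header is optional

// Connect to the database (the old mysql_* functions were removed in PHP 7)
mysqli_report(MYSQLI_REPORT_OFF);
$db = @mysqli_connect(HOST, USER, PASSWORD, NAME);

// First see if the page already exists in the 404 list.
// Bound parameters keep the request data out of the SQL text.
$sql = "SELECT id FROM `error404` WHERE page=? AND ref=? LIMIT 1";
if ($db && ($stmt = mysqli_prepare($db, $sql))) {
    mysqli_stmt_bind_param($stmt, 'ss', $page, $ref);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    if (mysqli_stmt_num_rows($stmt) == 0) {
        // Doesn't already exist -- add it
        $ins = mysqli_prepare($db, "INSERT INTO `error404` (page,ref) VALUES (?,?)");
        mysqli_stmt_bind_param($ins, 'ss', $page, $ref);
        mysqli_stmt_execute($ins);
    }
}
echo "<p>Sorry, this page is not available</p>";
?>
```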
404 Errors - Hacking Attempts
Out of the following short list, it should be evident that countless attacks are attempted daily on any given website. These hacks (as evidenced by the 404 Page Not Found error) are almost always blind attacks on standard web applications located in their default directories. A huge proportion of these attempts can be diverted simply by renaming or relocating your web applications.
In other words, if your website has an application located in one of the directories shown below, beware! If you can't relocate / rename your web applications, then you must keep up-to-date with the latest security patches and updates.
In each case, the spammer's / hacker's URL or IP address has been replaced by <URL> and <IP Address>.
PHPMyAdmin
Perhaps the most destructive of all potential vulnerabilities is in the backend database system used by many websites. PHPMyAdmin is a MySQL client interface that allows you to access and modify all databases on the back-end of a website. As many people make the mistake of installing the application in one of several well-known sub-directories, a hacker can simply search for these locations. From there, typical password attacks would gain the hacker access to your entire website.
Mambo / Joomla
Security Bulletin: OSVDB.org
Security Bulletin: zone-h.org
Extended URL
It seems that some sites suffer from a security vulnerability whereby a URL positioned immediately after the end of a valid URL gets interpreted by the site. This may be due to use of Apache mod_rewrite to generate dynamic URLs.
Remote File Inclusion: General
Forum post: rohitab.com
SimpleBoard
Security Bulletin: securitytracker.com
Coppermine Gallery
As Coppermine is one of the most popular open-source galleries, it is often a target. While most installations are quite secure, it appears that a particular theme contains a remote file inclusion vulnerability.
Security Bulletin: securitytracker.com
Probes into Statistics
The following are attempts to access a popular web statistics package. By revealing the access stats, an intruder may be able to deduce particular back-end or administration files, popular referrers, and other details.
Probes into Mail Client
Attempts to access your mail server application could be disastrous for privacy and a host of other reasons. Many ISPs will install a webmail application in a domain that is not directly accessible from the web without connecting through a separate authenticated port or domain.
Probes into Forum
Forums are the most heavily attacked web application given the ease through which spam comments can be inserted and gain the hacker Google PageRank. Once the URL to your forum has been located, standard password cracking tactics can be pursued. Of course the URL to your site's forum is easily found by manually walking through the site, but many of the automated hacking scripts simply try for the most obvious locations.
PHPMyChat
PHP Game Adventure
Security Bulletin: osvdb.org
Security Bulletin: xforce.iss.net
Simple Shop
POWL
Security Bulletin: secwatch.org
iPhotoAlbum
Security Bulletin: securitytracker.com
Apache mod_rewrite
Forum posting: webmasterworld.com
phpAdsNew
Security Bulletin: isc.sans.org
Article: netcraft.com
404 Errors - Non-Exploits
The following 404 errors are not from attempts to hack your site. Instead, they are simply natural requests caused by various applications.
MS Internet Explorer + Microsoft Office
For users who have installed Microsoft Office and are browsing your site via Internet Explorer with the Discuss toolbar enabled, the browser will query your server for the following files to see if the Office Server Extensions are enabled. Unless you have installed them on a Windows server, these files will simply return a harmless 404.
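
For the "later analysis" of the logged rows, the categories described on this page can be turned into a first-pass triage. The following Python sketch is an added example, not code from this site; `OWN_HOST`, the `APP_HINTS` keyword list, the label names and the sample rows are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

OWN_HOST = "www.example.com"   # assumption: your own site's hostname
# Assumption: lowercase names of applications this page lists as probe targets
APP_HINTS = ("phpmyadmin", "coppermine", "joomla", "mambo", "phpadsnew", "phpmychat")
# Query keys of the Office toolbar check quoted in the reader comments
OFFICE_KEYS = {"UL", "ACT", "BUILD", "STRMVER", "CAPREQ"}
SCHEMES = ("http://", "https://", "ftp://")

def _split(url):
    try:
        return urlsplit(url)
    except ValueError:         # malformed, attacker-supplied value
        return urlsplit("")

def classify(page, ref=""):
    """Label one (page, ref) row from the error404 table."""
    parts = _split(page)
    path = unquote(parts.path).lower()
    params = parse_qsl(parts.query, keep_blank_values=True)
    if any(unquote(v).lower().startswith(SCHEMES) for _, v in params):
        return "remote-file-inclusion"    # a parameter value is a full URL
    if any(s in path for s in SCHEMES):
        return "extended-url"             # URL glued onto the end of a path
    if OFFICE_KEYS <= {k.upper() for k, _ in params}:
        return "office-toolbar"           # harmless browser-side check
    if any(hint in path for hint in APP_HINTS):
        return "app-probe"                # blind request for a default install
    ref_host = (_split(ref).hostname or "").lower()
    if ref_host == OWN_HOST:
        return "broken-internal-link"     # fix the link on your own page
    if ref_host:
        return "broken-external-link"     # candidate for a 301 redirect
    return "unclassified"

def triage(rows):
    """Count labels over an iterable of (page, ref) rows."""
    return Counter(classify(page, ref) for page, ref in rows)

SAMPLE_ROWS = [  # constructed rows, not taken from any real log
    ("/gallery/index.php?inc=http://attacker.invalid/x.txt?", ""),
    ("/photos/index.htmlhttp://spam.invalid/", ""),
    ("/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=6254&STRMVER=4&CAPREQ=0", ""),
    ("/phpMyAdmin/index.php", ""),
    ("/docs/old-page.html", "http://www.example.com/index.html"),
    ("/docs/old-page.html", "http://blog.example.org/post"),
]
```

The referrer is client-supplied, so the two "broken link" labels are hints for manual review rather than proof of where a visitor came from.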

Reader's Comments:
I came to your blog looking for some attempts I have seen in my log files from my site. They were those MSOffice lines..
hard to find,
404 emails are not as good as this script, now I get a nice overview of pages still in need of redirection. I am very happy with this.
With this basic example I could add some things so it works for me on several domain names (on same server).
Thanks
Bernhard
UL=1&ACT=4&BUILD=6254&STRMVER=4&CAPREQ=0
...which ended up being an outlook thing.
Thanks for taking the time to do this page, knowing all is well I will be able to sleep tonight.
Thanks again.