Suspicious info from logfile?

Hi all,
I was looking through my logfiles recently and noticed a rise in errordoc being accessed. I keep a close check on my links so searching further, the pages requested are for files and folders not on my site.

Sample:

/administrator/index.php
/Site_old/administrator/index.php
/apple-touch-icon.png
/j/administrator/index.php
/joomla1/administrator/index.php
/get_orders_list.php
/content/administrator/index.php
/joomla15/administrator/index.php
/en/administrator/index.php
/joomla2/administrator/index.php
/Joomla/administrator/index.php
/v1/administrator/index.php
/m/
/cms_old/administrator/index.php
/joomla1.5/administrator/index.php

Does this look like someone trying to get in?
Thanks

That one is probably a search spider looking to see if you’ve got a mobile site or front page.

Another thing you might notice, although it hasn’t shown up in your sample, is hits on completely spurious pages with names made up of a random string of letters and numbers. This will often be search spiders checking out what happens if they try to access a page that they are pretty sure won’t be there - will they get a proper ‘404’ response, or will they get a ‘200 A-OK’ response? This helps them when keeping their index of your site up to date, because if they get a ‘404’ then they know that the server is configured correctly.

Looks like a spider searching for pages with known vulnerabilities.
I had a lot of those too until I moved my site to other web hosting.
I guess it’s also targeting web hosting servers.

Thanks Stevie D
Yeah there are some of those also. I appreciate the info.

There’s no need to worry about /apple-touch-icon.png
That basically works like a favicon for iPhones/iPods/etc
You may also occasionally see a request for /apple-touch-icon-precomposed.png

As for the other requests, they look like automated vulnerability tests looking for installed software with security holes in it. If you don’t have any of the files referenced in the logs on your server you can safely ignore these requests. Otherwise, make sure your software is up to date.

Hey Mittineague
Does running Joomla make such things happen, I mean accessing errordoc like?
I am worried because I am running Joomla on one of my websites.
Can you please brief, how it affects?
Also, how can we avoid such suspicious activities?

Thanks

Heh, I’ve been seeing a lot of strange 404s on a client’s page (I’m not the hoster but I have access to the stats)… even though the site runs on either Apache or something very similar, lots of strange URLs come up like

/%5c%22http://www.someURL.nl/someFolder/tr44.php

which someone told me are IIS vulnerability tests… the bots (and crackers) don’t necessarily bother checking if the system is actually running what they are trying to crack. So, what it seems like with these Joomla urls.

Are you, or have you, been running Joomla on your site? It sure looks like someone wanted to get to the administrator/index.php file awful badly.

No, never have run Joomla and yeah that’s what I was thinking. I can take care of this but just wondered if this is a common hacking tactic.

Thanks

Too common I’m afraid. Bots scan websites hoping to hit a vulnerable one. I’m guessing you weren’t targeted specifically, just that they got around to you.

I don’t imagine their success rate is very high but it must be high enough that they keep doing it. !! script-kiddies

Exactly. I work in the hosting business as a system admin; basically, what they are doing is scanning every site on an IP for common file paths to exploitable scripts. Joomla falls into this category; it’s like a box of chocolates for script kiddies.
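
Added example, not part of any post in this thread: a small log triage script that separates the harmless 404s mentioned above (the apple-touch-icon requests) from clients sweeping many `/administrator/index.php` locations, and lists any probed path that did not return 404, since that is the case where the software behind it needs to be up to date. The log lines, IP addresses, threshold and function name are constructed for illustration, and the Apache combined log format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format; IPs are documentation ranges.
SAMPLE_LOG = '''\
198.51.100.7 - - [12/Mar/2012:06:14:01 +0000] "GET /administrator/index.php HTTP/1.1" 404 512 "-" "-"
198.51.100.7 - - [12/Mar/2012:06:14:02 +0000] "GET /joomla15/administrator/index.php HTTP/1.1" 404 512 "-" "-"
198.51.100.7 - - [12/Mar/2012:06:14:02 +0000] "GET /Joomla/administrator/index.php HTTP/1.1" 404 512 "-" "-"
198.51.100.7 - - [12/Mar/2012:06:14:03 +0000] "GET /Site_old/administrator/index.php HTTP/1.1" 200 4096 "-" "-"
192.0.2.44 - - [12/Mar/2012:07:01:10 +0000] "GET /apple-touch-icon.png HTTP/1.1" 404 512 "-" "MobileSafari"
192.0.2.44 - - [12/Mar/2012:07:01:10 +0000] "GET /apple-touch-icon-precomposed.png HTTP/1.1" 404 512 "-" "MobileSafari"
192.0.2.80 - - [12/Mar/2012:08:30:00 +0000] "GET /old-page.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
# Requests the thread identifies as harmless when they 404.
BENIGN = re.compile(r'^/apple-touch-icon(-precomposed)?\.png$')
# The probe shape from the original post: Joomla's admin entry point under any prefix.
PROBE = re.compile(r'/administrator/index\.php(\?|$)', re.I)

def summarize(log_text, threshold=3):
    """Report clients with notable misses; threshold is an arbitrary cut-off."""
    seen = defaultdict(lambda: {"probes": set(), "hits": set(), "other404": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, path, status = m.groups()
        if PROBE.search(path):
            seen[ip]["probes"].add(path)
            if status != "404":
                seen[ip]["hits"].add(path)  # something answered at this path
        elif status == "404" and not BENIGN.match(path):
            seen[ip]["other404"].add(path)  # e.g. a broken link worth checking
    report = {}
    for ip, s in seen.items():
        verdict = "scanner" if len(s["probes"]) >= threshold else "review"
        report[ip] = {"verdict": verdict, "probes": len(s["probes"]),
                      "hits": sorted(s["hits"])}
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Clients that only miss on benign paths are left out of the report; a non-empty `hits` list means a probed path exists on the server and the install behind it should be patched or removed.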