What are these strange page requests in my 404 log?

Updated on August 31, 2025

If you monitor 404 errors on your website, you will likely find a lot of strange requests. Many of these will come from bots that are probing potential vulnerabilities. They can also come from bots attempting to detect your stack (set of technologies).

Categories

Hackers and automated bots often generate 404 errors while scanning websites for vulnerabilities. These scans typically fall into a few categories:

  • Product identification: Bots frequently request URLs that are known to be associated with specific platforms or software. For example, the presence of /wp-admin/ strongly suggests that a site is running WordPress. Once a bot confirms the product exists, it can begin targeting known vulnerabilities specific to that product.
  • Accidental exposure of development files: Bots also search for sensitive files that may have been unintentionally published. These can include configuration files, environment settings, or backup archives.
  • Suspicious PHP files: Some security tools rename potentially malicious PHP files by appending a .suspected extension (e.g., login.php becomes login.php.suspected). This change prevents the file from being executed by the server. However, depending on server configuration, the renamed file might still be accessible as plain text. If so, a hacker could retrieve the file’s contents and analyze the code for vulnerabilities.
  • Security scans: Be aware that your security plugin or monitoring service may request suspicious URLs as part of its vulnerability check. Look at the user agent or source IP address to determine which requests are expected. You may be able to filter out those entries when reviewing the log.

List of vulnerable paths

🆗 The OK emoji means the request is nothing to worry about. You may wish to learn more about the file being requested, in case it would be useful for you to support. In the meantime, it is OK to continue returning 404.
⚠️ The warning emoji means the request is suspicious. If you see a pattern of such requests from the same IP address, and you are sure the requests are not coming from your security tools, then consider blocking them. You could continue returning 404 unless stated otherwise.

| Path | Concern | Associated Use |
|---|---|---|
| /.well-known/traffic-advice | 🆗 | Proposed endpoint to provide traffic management advice to clients. Most likely a search engine. See Private prefetch proxy in Chrome (developer.chrome.com). |
| /_all_dbs | ⚠️ | CouchDB endpoint that returns all databases on the server. |
| /@vite/env? | ⚠️ | Vite development-time endpoint to expose environment variables. Not meant to be exposed in production. |
| /actuator/env | ⚠️ | Spring Boot endpoint that exposes environment properties. |
| /ALFA_DATA/alfacgiapi/perl.alfa | ⚠️ | Alfa Hosting or similar environments that support CGI scripts. |
| /alfacgiapi/perl.alfa | ⚠️ | Alfa Hosting or similar environments that support CGI scripts. |
| /app_dev.php/_profiler/phpinfo | ⚠️ | Symfony development environment, specifically the Profiler’s PHP Info page. |
| /apple-app-site-association | 🆗 | This file is part of Apple’s Universal Links and App Clips infrastructure. It’s not a page meant to be visited by users, but rather a machine-readable JSON file that iOS apps use to verify that your domain is associated with a specific app. You can ignore it if you don’t support an iOS app. If you want to support an iOS app, review the docs. |
| /Autodiscover/autodiscover.xml | 🆗 | Autodiscover service used by Microsoft Exchange and Microsoft 365 to automatically configure email settings. |
| /config.json | ⚠️ | Often used by JavaScript apps to store runtime configuration information. |
| /debug/default/view?panel=config | ⚠️ | Typically part of a debugging or configuration panel in certain Java frameworks. |
| /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application | ⚠️ | Exchange Control Panel. This endpoint is used to download the eDiscovery PST Export Tool, which allows administrators to export mailbox content from eDiscovery searches in Exchange. |
| /env.production | ⚠️ | Likely a file containing environment variables, used in web development. |
| /llms.txt | 🆗 | llms.txt is a proposed standard designed to help large language models (LLMs) understand the most important content on your site. |
| /login.action | ⚠️ | Atlassian products login page. |
| /modules/mod_footer/tmpl/ | ⚠️ | Joomla module directory, specifically the template folder of the mod_footer module. Someone is attempting to access the raw template files to view or exploit contents. |
| /plugins/content/apismtp/apismtp.php.suspected?test=hello | ⚠️ | Unknown. Note the .suspected suffix. The user agent is checking whether apismtp.php was flagged, and if so, whether it can be downloaded. |
| /sendgrid.env | ⚠️ | Environment configuration file for SendGrid-integrated apps. As a best practice, block *.env files in your web server to avoid accidental disclosure of environment variables. |
| /server | ⚠️ | Generic check for a page that may contain server information. |
| /server-status | ⚠️ | Apache HTTP Server mod_status module, which provides a real-time view of server performance. If you use Apache and want to enable mod_status, make sure to restrict access to trusted IPs. Use authentication or firewall rules. |
| /telescope/requests | ⚠️ | Laravel Telescope endpoint to get a list of incoming HTTP requests. |
| /twilio.env | ⚠️ | Environment configuration file for Twilio-integrated apps. As a best practice, block *.env files in your web server to avoid accidental disclosure of environment variables. |
| /v2/_catalog | ⚠️ | Docker Registry API to return all repositories in a registry. |
| /wp-admin/ | ⚠️ | WordPress administration panel. |
| /wp-includes/wlwmanifest.xml | ⚠️ | Manifest file for blogs that support remote publishing with the MetaWeblog API. This is an old protocol. |
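
The review described above (find source IPs with a pattern of warning-level 404s, after setting aside your own security tools) can be scripted. This is an added example, not part of the original article: it assumes the Apache/nginx "combined" log format, and the function names, the threshold of 3 and the sample entries are constructed for illustration.

```python
import re
from collections import defaultdict
# Warning-level path prefixes and OK-level paths, copied from the path list above.
WARN_PREFIXES = ("/_all_dbs", "/@vite/env", "/actuator/env", "/config.json",
                 "/server-status", "/telescope/requests", "/v2/_catalog",
                 "/wp-admin/", "/login.action", "/app_dev.php/")
OK_PATHS = ("/.well-known/traffic-advice", "/apple-app-site-association",
            "/Autodiscover/autodiscover.xml", "/llms.txt")
# Generic shapes the article describes: *.env files, env.<name>, *.suspected.
WARN_SHAPES = re.compile(r"(\.env|/env\.\w+|\.suspected)$")
# "combined" log format: captures ip, request path, status, user agent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+ '
                    r'"[^"]*" "([^"]*)"')

def classify(path):
    bare = path.split("?", 1)[0]          # ignore the query string
    if bare in OK_PATHS:
        return "ok"
    if bare.startswith(WARN_PREFIXES) or WARN_SHAPES.search(bare):
        return "warn"
    return "unknown"

def triage(lines, trusted_ips=(), trusted_agents=(), threshold=3):
    """Map untrusted IPs to their distinct warning-level 404 paths."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "404":
            continue
        ip, path, _, agent = m.groups()
        # The User-Agent is client-supplied; prefer the IP allowlist.
        if ip in trusted_ips or any(n in agent for n in trusted_agents):
            continue
        if classify(path) == "warn":
            hits[ip].add(path)
    return {ip: sorted(p) for ip, p in hits.items() if len(p) >= threshold}

def _line(ip, path, agent):               # builds one constructed log entry
    return (f'{ip} - - [31/Aug/2025:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'404 153 "-" "{agent}"')

# Constructed sample: documentation-range IPs and made-up user agents.
SAMPLE = [_line("203.0.113.7", p, "Mozilla/5.0")
          for p in ("/wp-admin/", "/sendgrid.env", "/actuator/env")]
SAMPLE += [_line("192.0.2.50", p, "SiteScanner/2.0")
           for p in ("/v2/_catalog", "/_all_dbs", "/config.json")]
SAMPLE.append(_line("198.51.100.9", "/llms.txt", "ExampleBot/1.0"))
if __name__ == "__main__":
    print(triage(SAMPLE, trusted_ips={"192.0.2.50"}))
```

Pass the address of your own scanner in `trusted_ips` so its expected probes do not show up as candidates for blocking.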

License

Licensed under CC BY 4.0

You are free to share and adapt this content for any purpose as long as you give appropriate credit in a reasonable manner.

No affiliate links

We do not participate in affiliate marketing, and we are not paid to mention products.
