The .htaccess file (directory-level Apache configuration file) for Magento redirects all requests for non-existent pages to Magento. This is how Magento then gets the chance to look at the request and see if it is for a URL it knows about (like a CMS page, product, etc.). If not, Magento displays its 404 error page, which is what should be happening in your case.
The prior poster is correct, there are many malevolent people out there continually scanning systems for vulnerabilities. Ignorance is bliss, but reading your logs will show you just how frequently they are knocking against your web server, ssh server, email—basically anything that might be listening for connections.
Here are some things I do to enable sleeping well at night:
1) ANY internet services that I don’t need to provide at all are turned off and not run (in my case, FTP for example).
2) Services which should have limited access (ssh, for example) are placed behind a firewall which is only open for the IP addresses I will connect from.
3) The firewall is backed up by similar restrictions in the configurations of the services themselves.
4) I have blacklisted in the firewall networks from which attacks originate and which are outside my geographies of interest.
5) Strong passwords on all sensitive accounts in the operating system and applications.
6) Careful setting of file and directory permissions and ownership.
7) A little security through obscurity. Weak, but helpful—the logs above show someone looking for admin applications. They are just guessing using common names. Using uncommon names makes them much harder to find, and unless you are a particularly juicy target, they will move on.
8) Reviewing log files to check for unexpected activity.
9) Regular patching of system files.
10) Monitoring forums such as this to see if vulnerabilities have been discovered.
If you are on a shared server you have to rely on your provider to be doing some of this. With a good provider, they may be better at some of it than you. But they have to keep most of the system open since they have clients all over the place who want to serve all kinds of services. In a shared environment file and directory permissions are critical to protect yourself from other users of the shared server (or the thugs that are able to hack their accounts). So when the risk is high enough to justify the cost, go to a dedicated server.
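The log review in the list above (spotting scanners guessing common admin application names, and picking out source addresses to consider blacklisting in the firewall) can be scripted. The following is an added example, not code from the post or from Magento; the log lines are constructed, the list of probed admin paths and the 404 threshold are assumptions, and it assumes the site's real admin path has been renamed to something uncommon, so any hit on the common names is by definition a probe.

```python
"""Review an Apache "combined" access log for admin-path probing.

Added example (not from the original post). The sample log lines are
constructed; ADMIN_PROBES and the 404 threshold are assumptions.
"""
import re
from collections import defaultdict

# Apache combined log format; only the fields this review needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Common admin application names that scanners guess (assumed list).
# If the real admin path has been renamed, none of these are legitimate.
ADMIN_PROBES = (
    "/admin", "/phpmyadmin", "/wp-login.php", "/wp-admin",
    "/downloader", "/manager",
)

# Constructed sample log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 404 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /manager/html HTTP/1.1" 404 1234 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:14:01:00 +0000] "GET /catalog/product/view/id/12 HTTP/1.1" 200 8765 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:14:01:05 +0000] "GET /old-page.html HTTP/1.1" 404 1234 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return a dict of ip/ts/method/path/status, or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_admin_probe(path):
    """True if the request path (query string ignored) hits a common admin name."""
    p = path.lower().split("?", 1)[0]
    return any(p == probe or p.startswith(probe + "/") for probe in ADMIN_PROBES)


def review(lines, min_404=3):
    """Summarise per-IP activity worth a second look.

    Returns {ip: {"404": count, "probes": [paths]}} for every IP that
    either produced at least min_404 not-found responses (guessing) or
    touched one of the admin probe paths at all.
    """
    stats = defaultdict(lambda: {"404": 0, "probes": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        entry = stats[rec["ip"]]
        if rec["status"] == 404:
            entry["404"] += 1
        if is_admin_probe(rec["path"]):
            entry["probes"].append(rec["path"])
    return {ip: s for ip, s in stats.items()
            if s["404"] >= min_404 or s["probes"]}


def candidate_blocks(lines, min_404=3):
    """Sorted list of IPs that probed admin paths: candidates for a firewall deny."""
    return sorted(ip for ip, s in review(lines, min_404).items() if s["probes"])


if __name__ == "__main__":
    for ip, s in review(SAMPLE_LOG).items():
        print(f"{ip}: {s['404']} x 404, admin probes: {s['probes']}")
    print("candidate blocks:", candidate_blocks(SAMPLE_LOG))
```

On the sample above only 203.0.113.7 is reported: four 404s and four admin-name guesses in as many seconds, exactly the pattern the post describes. 198.51.100.4 has one ordinary 404 and falls under the threshold, which is the point of the threshold: a stale bookmark is not a scanner. Run it against a real log with `review(open("/var/log/apache2/access.log"))`, and treat the output as a list to read, not to block blindly.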