We've found a number of attempts to access nonexistent pages

We've found a number of attempts to access non-existent pages in our IIS logs, specifically a lot of variations on phpMyAdmin URLs.

My knee-jerk reaction would be to block these IPs, but I have a feeling this is not really a "solution" since the likelihood of multiple attacks from the same IP address is pretty low.

So, is there a best practice here? Should we just ignore them? Should we use some third party tool (I've seen Snort and OSSEC mentioned on this site) to prevent these attempts?

Solution

I ignore them. There will always be compromised systems continually scanning the entire Internet for arbitrary vulnerabilities. Trying to block them is no more effective than spitting into the wind. You'll get far more value out of focusing on the security of your servers and applications, and keeping an eye out for attackers who seem to specifically target you. Chasing the bots and automated scanners will only waste your time.
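
One way to separate the scanner noise from clients worth a closer look, as an added example that is not part of the original answer: the script reads IIS W3C log text, counts 404s per client IP, and lists apart the IPs that only probe for software the site does not run. The sample log is constructed, and the `GENERIC_SCAN` pattern list and the `min_404s` threshold are assumptions to tune for your own site.

```python
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-01 10:00:01 GET /phpMyAdmin/index.php 203.0.113.5 404
2024-01-01 10:00:02 GET /pma/index.php 203.0.113.5 404
2024-01-01 10:00:03 GET /phpmyadmin2/index.php 203.0.113.5 404
2024-01-01 10:05:00 GET /orders/export.aspx 198.51.100.7 404
2024-01-01 10:05:02 GET /orders/export.aspx.bak 198.51.100.7 404
2024-01-01 10:05:04 GET /orders/list.aspx 198.51.100.7 200
2024-01-01 10:09:00 GET /default.aspx 192.0.2.10 200
"""

# Assumption: paths typical of untargeted scans for software this IIS site does not run.
GENERIC_SCAN = re.compile(r"phpmyadmin|/pma/|/mysql|wp-login|\.php$", re.I)

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def triage(text, min_404s=2):
    """Return (noise, review): IPs whose 404s are only generic probes, and IPs
    with at least min_404s misses on paths outside the generic list."""
    per_ip = defaultdict(lambda: {"generic": 0, "other": 0})
    for row in parse_w3c(text):
        if row["sc-status"] != "404":
            continue
        kind = "generic" if GENERIC_SCAN.search(row["cs-uri-stem"]) else "other"
        per_ip[row["c-ip"]][kind] += 1
    noise, review = [], []
    for ip, counts in sorted(per_ip.items()):
        if counts["other"] >= min_404s:
            review.append(ip)   # guessing at paths near this site's own content
        elif counts["generic"]:
            noise.append(ip)    # background Internet scanning, safe to ignore
    return noise, review

if __name__ == "__main__":
    noise, review = triage(SAMPLE_LOG)
    print("ignore:", noise)
    print("review:", review)
```

Because the parser follows the `#Fields:` header, it works with whatever field set your IIS site is configured to log, as long as `cs-uri-stem`, `c-ip` and `sc-status` are included.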

