possible security problem?

#1
theshiftexchange
Hi all,

While reviewing my CI PHP error logs for yesterday, I noticed the following errors:

Code:
ERROR - 2010-10-31 06:34:33 --> 404 Page Not Found --> phpmyadmin
ERROR - 2010-10-31 06:34:34 --> 404 Page Not Found --> phpMyAdmin
ERROR - 2010-10-31 13:03:15 --> 404 Page Not Found --> phpmyadmin
ERROR - 2010-10-31 13:03:16 --> 404 Page Not Found --> phpMyAdmin

To me it looks like someone has tried to go to www.mydomain.com/phpmyadmin

My question is, is this a regular thing? Given that it occurred twice in 1 second, I'm wondering if it is a generic bot-type problem?

Or should I be worried an employee is trying to 'explore' and see what's out there? It is a 'private' website in that it is only used for employees from the one company; no one else can do anything on the site without first signing in...

Your thoughts are appreciated.

#2
n0xie
It is most likely an automated script that checks for the presence of phpMyAdmin on several domains and IPs in order to maybe exploit it (if it's an older, insecure version). If you monitor your requests you will most likely see some requests like this also targeted at specific CMSes (Joomla is a popular target). Whether your site is specifically targeted I cannot say, but seeing as there are only these entries in your logs I would guess this is more of a 'generic' type of attack.

Still wouldn't hurt to be careful, and maybe start logging some more and/or paying close attention to the specific server.

#3
Davcon
I agree.

The fact that both time gaps are a second apart suggests an automated script.

There is some very ruthless hacking software out there right now. For example, two weeks ago I discovered a very nasty piece of software called Havij. Very nasty indeed! Not only does it do SQL injection attacks but it even decrypts MD5 passwords. I don't think that was the software that had a go at your site, however; I'm just mentioning it as a concrete example of some very ruthless hacking software.

These are dangerous times. We must be cautious.

#4
tonanbarbarian
If you are managing your own Linux server and can install software, I would recommend installing BFD and APF.
They are not usually in repositories, but they are good protection.

APF is a firewall that you can call on the command line to block IP addresses.
BFD is a brute force detection app that scans log files and blocks IP addresses using APF if they do certain things.
You could install both of these and then write a rule to find any of these attempts to access certain pages and block the IP addresses that are doing it.

Of course, if you do not have phpMyAdmin installed then there is no real harm from these scripts, as long as they are not taking up huge amounts of resources by constantly hitting your server looking for vulnerabilities.
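The "rule" described in the post above, and the automated-scanner pattern that n0xie and Davcon point at in posts #2 and #3, as an added example. This script is not from the thread and is not BFD's or APF's own rule syntax; it is a stand-alone detection pass written for this page. One caveat the thread's log excerpt makes visible: CodeIgniter's 404 log records the requested path but not the client IP, so a blocking rule has to read the web server's access log instead (Apache "combined" format is assumed here). The log lines, the IP addresses and the probe-path list are constructed sample data, the latter taken from the paths quoted in this thread. The `/admin` path is deliberately left out of the probe list because a real application may serve it; any path the site legitimately uses must not be on the list, and the threshold exists so one mistyped URL does not get a colleague banned. None of this applies on shared hosting such as the original poster's, where there is no firewall to drive.

```shell
#!/bin/sh
# Added example: find client IPs that probe for admin panels in an Apache
# "combined" access log, the data a BFD-style rule would work from.
# SAMPLE_LOG is constructed test data (RFC 5737 documentation addresses).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [03/Nov/2010:13:28:55 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 1234 "-" "Mozilla/4.0"
203.0.113.7 - - [03/Nov/2010:13:29:02 +0000] "GET /admin/ HTTP/1.1" 404 1234 "-" "Mozilla/4.0"
203.0.113.7 - - [03/Nov/2010:13:29:16 +0000] "GET /db/ HTTP/1.1" 404 1234 "-" "Mozilla/4.0"
203.0.113.7 - - [03/Nov/2010:13:30:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 1234 "-" "Mozilla/4.0"
203.0.113.7 - - [03/Nov/2010:13:30:08 +0000] "GET /pma/ HTTP/1.1" 404 1234 "-" "Mozilla/4.0"
203.0.113.7 - - [03/Nov/2010:13:30:45 +0000] "GET /phpMyAdmin-2_6_0-pl1/ HTTP/1.1" 404 1234 "-" "Mozilla/4.0"
198.51.100.20 - - [03/Nov/2010:13:30:10 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [03/Nov/2010:13:30:12 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.20 - - [03/Nov/2010:13:30:20 +0000] "GET /db/?id=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Nov/2010:13:31:00 +0000] "GET /phpmyadmin HTTP/1.1" 404 1234 "-" "curl/7.21"
EOF
)

# Paths that this site never serves, taken from the probes quoted in the thread.
# Matched against the path with its query string removed and a trailing slash
# added, so "/phpmyadmin", "/phpmyadmin/" and "/db/?id=1" all normalise cleanly.
# /admin is NOT listed: applications commonly serve it, so a 404 there is not
# proof of scanning by itself.
PROBE_RE='^/(w00tw00t[^/]*|phpmyadmin|phpMyAdmin[-_0-9a-z]*|pma|myadmin|mysqladmin|php-my-admin|phpadmin|dbadmin|db|websql|xampp|typo3)/'

# scan_probes [threshold]: read an access log on stdin and print every client
# IP with at least THRESHOLD (default 3) 404s for probe paths, one per line.
scan_probes() {
    min="${1:-3}"
    awk -v re="$PROBE_RE" -v min="$min" '
        # combined format: $1 client IP, $7 request path, $9 status code
        $9 == 404 {
            path = $7
            sub(/\?.*$/, "", path)              # drop the query string
            if (path !~ /\/$/) path = path "/"  # normalise the trailing slash
            if (path ~ re) hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# block_probers: turn the hit list into firewall commands. Printed with echo so
# the script is safe to run anywhere; on a host running APF drop the echo and
# let "apf -d <host> <comment>" (APF's deny command) run, or use
# "iptables -I INPUT -s <ip> -j DROP" on a plain iptables host.
block_probers() {
    while read -r ip; do
        echo "apf -d $ip 'admin-panel scanner'"
    done
}

# Stand-alone run against the constructed log. On a real server replace the
# printf with: tail -n 10000 /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | scan_probes 3 | block_probers
```

With the threshold at 3 only 203.0.113.7 is reported: it hit five listed paths (the /admin request is not counted). The workstation at 198.51.100.20 triggered one matching 404 and the curl client one, so neither is reported; lowering the threshold to 1 would list all three, which is the false-positive trade-off a BFD rule has to make. Run the scan from cron over the last few thousand lines rather than the whole log, otherwise an old scan keeps an address banned forever.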

#5
theshiftexchange
Thanks everyone.

I use MediaTemple's hosted GS solution, so there's no phpMyAdmin available on the front end; it's all handled in the account management section.

I'll keep an eye on it.

#6
theshiftexchange
It got worse last night - nothing I can do I guess?

Code:
ERROR - 2010-11-03 13:28:55 --> 404 Page Not Found --> w00tw00t_at_blackhats_romanian_anti-sec:)
ERROR - 2010-11-03 13:28:58 --> 404 Page Not Found --> scripts
ERROR - 2010-11-03 13:29:02 --> 404 Page Not Found --> admin
ERROR - 2010-11-03 13:29:06 --> 404 Page Not Found --> admin
ERROR - 2010-11-03 13:29:11 --> 404 Page Not Found --> admin
ERROR - 2010-11-03 13:29:16 --> 404 Page Not Found --> db
ERROR - 2010-11-03 13:29:24 --> 404 Page Not Found --> dbadmin
ERROR - 2010-11-03 13:29:30 --> 404 Page Not Found --> myadmin
ERROR - 2010-11-03 13:29:36 --> 404 Page Not Found --> mysql
ERROR - 2010-11-03 13:30:01 --> 404 Page Not Found --> phpmyadmin
ERROR - 2010-11-03 13:30:03 --> 404 Page Not Found --> phpmyadmin1
ERROR - 2010-11-03 13:30:06 --> 404 Page Not Found --> phpmyadmin2
ERROR - 2010-11-03 13:30:08 --> 404 Page Not Found --> pma
ERROR - 2010-11-03 13:30:11 --> 404 Page Not Found --> web
ERROR - 2010-11-03 13:30:14 --> 404 Page Not Found --> xampp
ERROR - 2010-11-03 13:30:15 --> 404 Page Not Found --> mysqladmin
ERROR - 2010-11-03 13:30:17 --> 404 Page Not Found --> web
ERROR - 2010-11-03 13:30:21 --> 404 Page Not Found --> php-my-admin
ERROR - 2010-11-03 13:30:25 --> 404 Page Not Found --> websql
ERROR - 2010-11-03 13:30:29 --> 404 Page Not Found --> phpmyadmin
ERROR - 2010-11-03 13:30:34 --> 404 Page Not Found --> phpMyAdmin-2
ERROR - 2010-11-03 13:30:35 --> 404 Page Not Found --> typo3
ERROR - 2010-11-03 13:30:39 --> 404 Page Not Found --> php-my-admin
ERROR - 2010-11-03 13:30:40 --> 404 Page Not Found --> phpadmin
ERROR - 2010-11-03 13:30:45 --> 404 Page Not Found --> phpMyAdmin-2_2_3
ERROR - 2010-11-03 13:30:51 --> 404 Page Not Found --> phpMyAdmin-2_2_6
ERROR - 2010-11-03 13:31:03 --> 404 Page Not Found --> phpMyAdmin-2_5_1
ERROR - 2010-11-03 13:31:24 --> 404 Page Not Found --> phpMyAdmin-2_5_5-pl1
ERROR - 2010-11-03 13:31:26 --> 404 Page Not Found --> phpMyAdmin-2_5_6-rc1
ERROR - 2010-11-03 13:31:28 --> 404 Page Not Found --> phpMyAdmin-2_5_6-rc2
ERROR - 2010-11-03 13:31:30 --> 404 Page Not Found --> phpMyAdmin-2_5_6
ERROR - 2010-11-03 13:31:32 --> 404 Page Not Found --> phpMyAdmin-2_5_7
ERROR - 2010-11-03 13:31:35 --> 404 Page Not Found --> phpMyAdmin-2_5_7-pl1
ERROR - 2010-11-03 13:31:38 --> 404 Page Not Found --> phpMyAdmin-2_6_0-alpha
ERROR - 2010-11-03 13:31:39 --> 404 Page Not Found --> phpMyAdmin-2_5_4
ERROR - 2010-11-03 13:31:40 --> 404 Page Not Found --> phpMyAdmin-2_6_0-alpha2
ERROR - 2010-11-03 13:31:43 --> 404 Page Not Found --> phpMyAdmin-2_6_0-beta1
ERROR - 2010-11-03 13:31:46 --> 404 Page Not Found --> phpMyAdmin-2_6_0-beta2
ERROR - 2010-11-03 13:31:49 --> 404 Page Not Found --> phpMyAdmin-2_6_0-rc1
ERROR - 2010-11-03 13:31:54 --> 404 Page Not Found --> phpMyAdmin-2_6_0-rc2
ERROR - 2010-11-03 13:31:58 --> 404 Page Not Found --> phpMyAdmin-2_6_0-rc3
ERROR - 2010-11-03 13:32:02 --> 404 Page Not Found --> phpMyAdmin-2_6_0
ERROR - 2010-11-03 13:32:06 --> 404 Page Not Found --> phpMyAdmin-2_6_0-pl1
ERROR - 2010-11-03 13:32:12 --> 404 Page Not Found --> phpMyAdmin-2_6_0-pl2
ERROR - 2010-11-03 13:32:13 --> 404 Page Not Found --> phpMyAdmin-2_5_5-rc1
ERROR - 2010-11-03 13:32:17 --> 404 Page Not Found --> phpMyAdmin-2_6_0-pl3
ERROR - 2010-11-03 13:32:24 --> 404 Page Not Found --> phpMyAdmin-2_6_1-rc1
ERROR - 2010-11-03 13:32:27 --> 404 Page Not Found --> phpMyAdmin-2_6_1-rc2
ERROR - 2010-11-03 13:32:34 --> 404 Page Not Found --> phpMyAdmin-2_6_1
ERROR - 2010-11-03 13:32:36 --> 404 Page Not Found --> phpMyAdmin-2_5_5-rc2
ERROR - 2010-11-03 13:32:38 --> 404 Page Not Found --> phpMyAdmin-2_6_1-pl1
ERROR - 2010-11-03 13:32:41 --> 404 Page Not Found --> phpMyAdmin-2_5_5
ERROR - 2010-11-03 13:32:46 --> 404 Page Not Found --> phpMyAdmin-2_6_1-pl2
ERROR - 2010-11-03 13:33:15 --> 404 Page Not Found --> phpMyAdmin-2_6_1-pl3
ERROR - 2010-11-03 13:33:20 --> 404 Page Not Found --> phpMyAdmin-2_6_3
ERROR - 2010-11-03 13:33:25 --> 404 Page Not Found --> phpMyAdmin-2_6_3
ERROR - 2010-11-03 13:33:27 --> 404 Page Not Found --> phpMyAdmin-2_6_3-pl1
ERROR - 2010-11-03 13:33:30 --> 404 Page Not Found --> phpMyAdmin-2_6_4-rc1
ERROR - 2010-11-03 13:33:32 --> 404 Page Not Found --> phpMyAdmin-2_6_4-pl1
ERROR - 2010-11-03 13:33:35 --> 404 Page Not Found --> phpMyAdmin-2_6_4-pl2
ERROR - 2010-11-03 13:33:38 --> 404 Page Not Found --> phpMyAdmin-2_6_4-pl3
ERROR - 2010-11-03 13:33:41 --> 404 Page Not Found --> phpMyAdmin-2_6_4-pl4
ERROR - 2010-11-03 13:33:44 --> 404 Page Not Found --> phpMyAdmin-2_6_4
ERROR - 2010-11-03 13:33:45 --> 404 Page Not Found --> phpMyAdmin-2_6_2-rc1
ERROR - 2010-11-03 13:33:47 --> 404 Page Not Found --> phpMyAdmin-2_7_0-beta1
ERROR - 2010-11-03 13:33:50 --> 404 Page Not Found --> phpMyAdmin-2_7_0-rc1
ERROR - 2010-11-03 13:33:52 --> 404 Page Not Found --> phpMyAdmin-2_6_2-beta1
ERROR - 2010-11-03 13:33:54 --> 404 Page Not Found --> phpMyAdmin-2_7_0-pl1
ERROR - 2010-11-03 13:33:57 --> 404 Page Not Found --> phpMyAdmin-2_7_0-pl2
ERROR - 2010-11-03 13:34:01 --> 404 Page Not Found --> phpMyAdmin-2_7_0
ERROR - 2010-11-03 13:34:04 --> 404 Page Not Found --> phpMyAdmin-2_8_0-beta1
ERROR - 2010-11-03 13:34:07 --> 404 Page Not Found --> phpMyAdmin-2_8_0-rc1
ERROR - 2010-11-03 13:34:12 --> 404 Page Not Found --> phpMyAdmin-2_8_0-rc2
ERROR - 2010-11-03 13:34:14 --> 404 Page Not Found --> phpMyAdmin-2_6_2-rc1
ERROR - 2010-11-03 13:34:16 --> 404 Page Not Found --> phpMyAdmin-2_8_0
ERROR - 2010-11-03 13:34:21 --> 404 Page Not Found --> phpMyAdmin-2_8_0_1
ERROR - 2010-11-03 13:34:25 --> 404 Page Not Found --> phpMyAdmin-2_8_0_2
ERROR - 2010-11-03 13:34:29 --> 404 Page Not Found --> phpMyAdmin-2_8_0_3
ERROR - 2010-11-03 13:34:33 --> 404 Page Not Found --> phpMyAdmin-2_8_0_4
ERROR - 2010-11-03 13:34:34 --> 404 Page Not Found --> phpMyAdmin-2_6_2
ERROR - 2010-11-03 13:34:37 --> 404 Page Not Found --> phpMyAdmin-2_8_1-rc1
ERROR - 2010-11-03 13:34

#7
bl00dshooter
I wouldn't really worry, that happens.
If you're running the latest version of phpMyAdmin (which you should), it's probably not vulnerable, so there is nothing one could do, except maybe brute-forcing your password, which wouldn't work if it's secure enough.

#8
WanWizard
I get these daily.

But my servers have no admin tools exposed. Something you should try to avoid. I run OpenVPN on all my servers, and have Apache listen on the server's tunnel IP. I run all management (webmin, phpMyAdmin, etc.) only on this IP.
Same for SSH and FTP connections: I only allow them through the tunnel. Internet-facing, only 80, 443 and sometimes 25 are open. I also block all outgoing connections unless they are established, so in case an app gets hacked, they can't get out (unless they manage to get root rights).
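The layout WanWizard describes, written out as an iptables ruleset, as an added example. This is not his actual configuration; the interface names (eth0 for the internet side, tun0 for the OpenVPN tunnel), the VPN port and the resolver address are assumptions and need adjusting. The script only prints the rules, so it can be reviewed or tested anywhere; applying it requires root on a Linux host, which rules it out on shared hosting like the original poster's. The second function is the check worth running before applying: it lists every rule that accepts traffic on the public interface, so a management service that has leaked onto the internet side shows up as an extra line.

```shell
#!/bin/sh
# Added example: management only over the VPN tunnel, 80/443/25 public,
# no unsolicited outbound traffic. All names and addresses are assumptions.
WAN=eth0             # internet-facing interface (assumed)
TUN=tun0             # OpenVPN tunnel interface (assumed)
VPN_PORT=1194        # OpenVPN's default UDP port; keep it open or you lock yourself out
RESOLVER=192.0.2.53  # the one host the server may contact unprompted (assumed)

# firewall_rules: print the ruleset. Review it, then apply as root with
#   firewall_rules | sh
# Nothing here touches the kernel by itself.
firewall_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# loopback, and replies to connections already in the state table
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# internet-facing: only the public services and the VPN endpoint
iptables -A INPUT -i $WAN -p tcp -m multiport --dports 80,443,25 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $WAN -p udp --dport $VPN_PORT -j ACCEPT
# everything over the tunnel is trusted: SSH, FTP, webmin and phpMyAdmin
# are bound to the tunnel address only, so they never answer on $WAN
iptables -A INPUT -i $TUN -j ACCEPT
# outbound: nothing new except DNS, so a compromised web app cannot fetch
# a payload or call home; dropped attempts are logged (rate-limited)
iptables -A OUTPUT -o $WAN -p udp --dport 53 -d $RESOLVER -j ACCEPT
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
EOF
}

# wan_accepts: pre-flight check. Lists the rules that accept traffic arriving
# on the public interface; anything beyond 80, 443, 25 and the VPN port means
# a management service has leaked onto the internet side.
wan_accepts() {
    firewall_rules | grep -- "-A INPUT -i $WAN " | grep -- "-j ACCEPT"
}

firewall_rules
```

Two things to decide deliberately before applying this. With OUTPUT defaulting to DROP the host cannot deliver mail, fetch packages or reach an external database; each of those needs its own explicit OUTPUT rule, which is the point, since the "OUT-DROP" log entries then become a detector for a compromised application trying to get out. And the web server side has to match: the management vhost should carry a `Listen` directive for the tunnel address only (for example `Listen 10.8.0.1:80`, an assumed address), so phpMyAdmin is never reachable on the public IP even if a firewall rule is later loosened by mistake.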

