PMA attacks (http://www.linux-archive.org/centos/674627-pma-attacks.html)

06-19-2012 06:31 PM

PMA attacks
 
It appears to be a low-level attack, not so frequent as to be banned
permanently, just a number of times a day.

I did google on this, and I gather it's looking for phpmyadmin. We've been
getting one from one specific network in Russia for weeks.

Here is more information about 91.201.64.24:

[Querying whois.ripe.net]
[whois.ripe.net]
<snip>
% Information related to '91.201.64.0 - 91.201.67.255'

inetnum: 91.201.64.0 - 91.201.67.255
netname: Donekoserv
descr: DonEkoService Ltd
country: RU
<snip>

But now I'm seeing the same from Azerbaijan, and France, and elsewhere.
Two questions: first, are other folks seeing this? And second, I can't
imagine malware this stupid, to keep hitting the same sites over and over
when it's not found, rather than bad password or user, so I'm wondering if
this could be a targeting vector for an upcoming serious attack using
another vector.

Opinions?

mark


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

John Hinton 06-19-2012 06:40 PM

PMA attacks
 
On 6/19/2012 2:31 PM, m.roth@5-cent.us wrote:
> It appears to be a low-level attack, not so frequent as to be banned
> permanently, just a number of times a day.
>
> I did google on this, and I gather it's looking for phpmyadmin. We've been
> getting one from one specific network in Russia for weeks.
>
> Here is more information about 91.201.64.24:
>
> [Querying whois.ripe.net]
> [whois.ripe.net]
> <snip>
> % Information related to '91.201.64.0 - 91.201.67.255'
>
> inetnum: 91.201.64.0 - 91.201.67.255
> netname: Donekoserv
> descr: DonEkoService Ltd
> country: RU
> <snip>
>
> But now I'm seeing the same from Azerbaijan, and France, and elsewhere.
> Two questions: first, are other folks seeing this? And second, I can't
> imagine malware this stupid, to keep hitting the same sites over and over
> when it's not found, rather than bad password or user, so I'm wondering if
> this could be a targeting vector for an upcoming serious attack using
> another vector.
>
> Opinions?
>
> mark
>
>
I also see these frequently. As for dumb scripts? Well, there are plenty
of those out there. And, if you care to, you can set up rules in
Fail2Ban to auto block these.

This brings up a question I have. We do virtualhosting and keep separate
http logs for every website. I have not been running any Fail2Ban rules
on those logs as many are very active and spread about. I suppose I
could concentrate only on the error logs which would be much smaller. My
question... is anybody running something like Fail2Ban under a situation
like this and does it use much horsepower?

--
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions

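The per-IP counting John asks about, as an added example that is not code from the thread or from Fail2Ban itself: a small Python script that applies Fail2Ban's maxretry/findtime rule to constructed Apache access-log lines from two virtual hosts, so a scanner that touches each site only once or twice still accumulates against a single counter. The probe-path pattern, the vhost names and the 203.0.113.x and 198.51.100.x addresses are assumptions made for this example; 91.201.64.24 is the address from the whois lookup earlier in the thread.

```python
"""Fail2Ban-style detection of phpMyAdmin probes across per-vhost access logs.

Added example, not code from the thread or from Fail2Ban. It implements the
maxretry/findtime rule Fail2Ban applies: an IP whose probe requests within
`findtime` seconds reach `maxretry` is listed for banning. Hits are counted
per source IP across ALL log files, which is the detail that matters when
every virtual host keeps its own log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache common/combined log format: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) '
)

# Request paths typical of phpMyAdmin scanners: the scripts/setup.php probe plus
# a few directory-name guesses. Assumed pattern written for this example, not a
# filter shipped with Fail2Ban.
PROBE_RE = re.compile(
    r'(?:/scripts/setup\.php$|/(?:php-?my-?admin\w*|pma\w*|my-?admin|mysql-?admin|sqladmin)/?$)',
    re.IGNORECASE,
)

# Only failed requests count: an administrator using a real phpMyAdmin install
# (status 200) must not trip the filter.
FAILURE_STATUSES = {"403", "404"}


def parse_line(line):
    """Return (ip, epoch_seconds, path, status) or None if not an access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    path = m.group("path").split("?", 1)[0]  # drop any query string before matching
    return m.group("ip"), ts, path, m.group("status")


def is_probe(path, status):
    """True for a failed request to a phpMyAdmin-looking path."""
    return status in FAILURE_STATUSES and PROBE_RE.search(path) is not None


def find_bans(logs, maxretry=3, findtime=600):
    """logs: {vhost_name: [log lines]}. Returns {ip: epoch_seconds_of_ban}.

    Fail2Ban's rule: ban when `maxretry` matches fall inside a sliding window of
    `findtime` seconds. Events from every vhost log are merged and sorted by time
    first, so the counter belongs to the IP, not to the log file.
    """
    events = []
    for vhost, lines in logs.items():
        for line in lines:
            parsed = parse_line(line)
            if parsed and is_probe(parsed[2], parsed[3]):
                ip, ts, path, _ = parsed
                events.append((ts, ip, vhost, path))
    events.sort()

    recent = defaultdict(deque)  # ip -> timestamps of probes still inside the window
    bans = {}
    for ts, ip, vhost, path in events:
        if ip in bans:
            continue  # already listed; Fail2Ban would be dropping this traffic
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


# Constructed sample lines in Apache common log format. 91.201.64.24 is the
# address from the thread's whois lookup; the others are RFC 5737 documentation
# addresses chosen for this example.
SAMPLE_LOGS = {
    "site-a.example": [
        '91.201.64.24 - - [19/Jun/2012:14:31:07 -0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 289 "-" "-"',
        '91.201.64.24 - - [19/Jun/2012:14:31:08 -0400] "GET //pma/scripts/setup.php HTTP/1.1" 404 289 "-" "-"',
        '198.51.100.5 - - [19/Jun/2012:14:32:00 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [19/Jun/2012:14:33:10 -0400] "GET //phpmyadmin/ HTTP/1.1" 404 289 "-" "-"',
    ],
    "site-b.example": [
        '91.201.64.24 - - [19/Jun/2012:14:31:09 -0400] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 289 "-" "-"',
        '198.51.100.9 - - [19/Jun/2012:14:40:00 -0400] "GET /phpmyadmin/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    ],
}

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOGS).items():
        print(f"ban {ip} (threshold reached at {datetime.fromtimestamp(when):%H:%M:%S})")
```

Only the Russian address is listed: two probes in site-a's log plus one in site-b's reach maxretry within a second, while the single probe from 203.0.113.7 and the successful request to a real /phpmyadmin/ are left alone. Fail2Ban behaves the same way when one jail names several logpath entries, which is why splitting logs per vhost does not by itself weaken the rule.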

Dennis Jacobfeuerborn 06-19-2012 06:43 PM

PMA attacks
 
On 06/19/2012 08:31 PM, m.roth@5-cent.us wrote:
> It appears to be a low-level attack, not so frequent as to be banned
> permanently, just a number of times a day.
>
> I did google on this, and I gather it's looking for phpmyadmin. We've been
> getting one from one specific network in Russia for weeks.
>
> Here is more information about 91.201.64.24:
>
> [Querying whois.ripe.net]
> [whois.ripe.net]
> <snip>
> % Information related to '91.201.64.0 - 91.201.67.255'
>
> inetnum: 91.201.64.0 - 91.201.67.255
> netname: Donekoserv
> descr: DonEkoService Ltd
> country: RU
> <snip>
>
> But now I'm seeing the same from Azerbaijan, and France, and elsewhere.
> Two questions: first, are other folks seeing this? And second, I can't
> imagine malware this stupid, to keep hitting the same sites over and over
> when it's not found, rather than bad password or user, so I'm wondering if
> this could be a targeting vector for an upcoming serious attack using
> another vector.
>
> Opinions?

Why is this stupid? Yes, it might not find anything today, but you might
install it tomorrow.
Since this is common I always put PMA (and similar tools) either in its
own management network that is only accessible using a tunnel or at least
behind HTTP authentication. I've seen this exploited once and the attackers
installed a few perl scripts that were launching attacks from the system.

Regards,
Dennis

Bob Hoffman 06-20-2012 07:08 AM

PMA attacks
 
On 6/19/2012 2:31 PM, m.roth@5-cent.us wrote:
> But now I'm seeing the same from Azerbaijan, and France, and elsewhere.
> Two questions: first, are other folks seeing this? And second, I can't
> imagine malware this stupid, to keep hitting the same sites over and over
> when it's not found, rather than bad password or user, so I'm wondering if
> this could be a targeting vector for an upcoming serious attack using
> another vector.
Automated scripts will attack just about every port or program on your
server, even if you do not use it.
They know that sometime in the future you may turn that service, port, or
program on and might not have it set up correctly.
Then bam... they are in.

When I put in a new server with a new IP address I have never used before,
there is a massive amount of attacks that first week or two.
Attacks on everything you could think of. It is like they know a server
is suddenly open at that IP and go nuts trying to get in.

Here is my logwatch on just one server, just one day, a server that is
not being used and has a blank html page with no other services on. Stay
vigilant.

404 Not Found
//3rdparty/phpMyAdmin/scripts/setup.php: 3 Time(s)
//MyAdmin/scripts/setup.php: 3 Time(s)
//MySQLAdmin/scripts/setup.php: 3 Time(s)
//PHPMYADMIN/scripts/setup.php: 2 Time(s)
//PMA/: 1 Time(s)
//PMA/scripts/setup.php: 3 Time(s)
//PMA2005/: 1 Time(s)
//PMA2005/scripts/setup.php: 3 Time(s)
//SQL/scripts/setup.php: 3 Time(s)
//SSLMySQLAdmin/scripts/setup.php: 3 Time(s)
//_admin/scripts/setup.php: 3 Time(s)
//_phpMyAdmin/scripts/setup.php: 3 Time(s)
//_phpmyadmin/scripts/setup.php: 3 Time(s)
//admin/: 1 Time(s)
//admin/mysql/scripts/setup.php: 3 Time(s)
//admin/phpmyadmin/scripts/setup.php: 3 Time(s)
//admin/pma/scripts/setup.php: 3 Time(s)
//admin/scripts/setup.php: 3 Time(s)
//admm/scripts/setup.php: 3 Time(s)
//admn/scripts/setup.php: 3 Time(s)
//backup/phpMyAdmin/scripts/setup.php: 3 Time(s)
//backup/phpmyadmin/scripts/setup.php: 3 Time(s)
//bbs/data/scripts/setup.php: 3 Time(s)
//bkup/phpMyAdmin/scripts/setup.php: 3 Time(s)
//bkup/phpmyadmin/scripts/setup.php: 3 Time(s)
//cpadmin/scripts/setup.php: 3 Time(s)
//cpadmindb/scripts/setup.php: 3 Time(s)
//cpanelmysql/scripts/setup.php: 3 Time(s)
//cpanelphpmyadmin/scripts/setup.php: 3 Time(s)
//cpanelsql/scripts/setup.php: 3 Time(s)
//cpdbadmin/scripts/setup.php: 3 Time(s)
//cpphpmyadmin/scripts/setup.php: 3 Time(s)
//databaseadmin/scripts/setup.php: 3 Time(s)
//db/scripts/setup.php: 3 Time(s)
//dbadmin/: 1 Time(s)
//dbadmin/scripts/setup.php: 3 Time(s)
//myadmin/: 1 Time(s)
//myadmin/scripts/setup.php: 3 Time(s)
//mysql-admin/: 1 Time(s)
//mysql-admin/scripts/setup.php: 3 Time(s)
//mysql/: 1 Time(s)
//mysql/scripts/setup.php: 3 Time(s)
//mysqladmin/: 1 Time(s)
//mysqladmin/scripts/setup.php: 3 Time(s)
//mysqladminconfig/scripts/setup.php: 3 Time(s)
//mysqlmanager/: 1 Time(s)
//mysqlmanager/scripts/setup.php: 3 Time(s)
//p/m/a/: 1 Time(s)
//p/m/a/scripts/setup.php: 3 Time(s)
//pHpMy/scripts/setup.php: 3 Time(s)
//pHpMyAdMiN/scripts/setup.php: 3 Time(s)
//pMA/scripts/setup.php: 3 Time(s)
//php-my-admin/: 1 Time(s)
//php-my-admin/scripts/setup.php: 3 Time(s)
//php-myadmin/: 1 Time(s)
//php-myadmin/scripts/setup.php: 3 Time(s)
//php/scripts/setup.php: 3 Time(s)
//phpMyA/scripts/setup.php: 3 Time(s)
//phpMyAdmi/scripts/setup.php: 3 Time(s)
//phpMyAdmin-2/: 1 Time(s)
//phpMyAdmin/: 1 Time(s)
//phpMyAdmin/scripts/setup.php: 3 Time(s)
//phpMyAdmin1/scripts/setup.php: 3 Time(s)
//phpMyAdmin2/: 1 Time(s)
//phpMyAds/scripts/setup.php: 3 Time(s)
//phpadmin/scripts/setup.php: 3 Time(s)
//phpm/scripts/setup.php: 3 Time(s)
//phpmanager/: 1 Time(s)
//phpmanager/scripts/setup.php: 3 Time(s)
//phpmy-admin/: 1 Time(s)
//phpmy-admin/scripts/setup.php: 3 Time(s)
//phpmy/scripts/setup.php: 3 Time(s)
//phpmya/scripts/setup.php: 3 Time(s)
//phpmyad-sys/scripts/setup.php: 3 Time(s)
//phpmyad/scripts/setup.php: 3 Time(s)
//phpmyadmin/: 1 Time(s)
//phpmyadmin/scripts/setup.php: 3 Time(s)
//phpmyadmin1/scripts/setup.php: 3 Time(s)
//phpmyadmin2/: 1 Time(s)
//pma/scripts/setup.php: 3 Time(s)
//pma2005/: 1 Time(s)
//pma2005/scripts/setup.php: 3 Time(s)
//roundcube/scripts/setup.php: 3 Time(s)
//scripts/setup.php: 3 Time(s)
//sl2/data/scripts/setup.php: 3 Time(s)
//sql/: 1 Time(s)
//sql/scripts/setup.php: 3 Time(s)
//sqladmin/scripts/setup.php: 3 Time(s)
//sqlmanager/: 1 Time(s)
//sqlmanager/scripts/setup.php: 3 Time(s)
//sqlweb/: 1 Time(s)
//sqlweb/scripts/setup.php: 3 Time(s)
//typo3/phpmyadmin/scripts/setup.php: 3 Time(s)
//vhcs2/tools/pma/scripts/setup.php: 3 Time(s)
//web/phpMyAdmin/scripts/setup.php: 3 Time(s)
//web/phpmyadmin/scripts/setup.php: 3 Time(s)
//web/scripts/setup.php: 3 Time(s)
//webadmin/: 1 Time(s)
//webadmin/scripts/setup.php: 3 Time(s)
//webdb/: 1 Time(s)
//webdb/scripts/setup.php: 3 Time(s)
//websql/: 1 Time(s)
//websql/scripts/setup.php: 3 Time(s)
//wp-content/plugins/wp-phpmyadmin/wp-phpm ... ripts/setup.php: 3 Time(s)
//wp-phpmyadmin/phpmyadmin/scripts/setup.php: 3 Time(s)
//wp-phpmyadmin/scripts/setup.php: 3 Time(s)
//xampp/phpmyadmin/scripts/setup.php: 3 Time(s)
//~/PMA/scripts/setup.php: 3 Time(s)
/3561StudioDrive/calendar.php: 1 Time(s)
/admin/config.php: 1 Time(s)
/admin/scripts/setup.php: 3 Time(s)
/cal/calendar.php: 1 Time(s)
/calendar.php: 1 Time(s)
/calendar/calendar.php: 1 Time(s)
/calwest/calendar.php: 1 Time(s)
/ext/calendar.php: 1 Time(s)
/extcal/calendar.php: 1 Time(s)
/finger_lakes_dates/calendar.php: 1 Time(s)
/index.php?-dsafe_mode%3dOff+-ddisable_fun ... .83%2Finfo3.txt: 3 Time(s)
/itinerary/calendar.php: 1 Time(s)
/muieblackcat: 3 Time(s)
/news/read/url(data:image/png;base64,iVBOR ... SUVORK5CYII%3d): 2 Time(s)
/pdfdocuments/142188_mantel-chairincident.wmv:3071b: 1 Time(s)
/phpBB2/: 2 Time(s)
/phpBB2/board/index.php: 1 Time(s)
/phpBB2/forum/index.php: 1 Time(s)
/phpBB2/forums/index.php: 1 Time(s)
/phpBB2/phpbb/index.php: 1 Time(s)
/phpBB2/phpbb2/index.php: 1 Time(s)
/phpBB2/phpbb2/profile.php: 1 Time(s)
/phpBB2/profile.php: 5 Time(s)
/tests.php: 1 Time(s)
/vancouvermuslims/calendar/calendar.php: 1 Time(s)

