On 06/19/2012 08:31 PM, m.roth@5-cent.us wrote:
> It appears to be a low-level attack, not so frequent as to be banned permanently, just a number of times a day.
> I did google on this, and I gather it's looking for phpmyadmin. We've been getting one from one specific network in Russia for weeks.
> Here is more information about 91.201.64.24:
> [Querying whois.ripe.net]
> <snip>
> % Information related to '91.201.64.0 - 91.201.67.255'
> inetnum: 91.201.64.0 - 91.201.67.255
> netname: Donekoserv
> descr: DonEkoService Ltd
> country: RU
> <snip>
> But now I'm seeing the same from Azerbaijan, and France, and elsewhere. Two questions: first, are other folks seeing this? And second, I can't imagine malware this stupid, to keep hitting the same sites over and over when it's not found, rather than bad password or user, so I'm wondering if this could be a targeting vector for an upcoming serious attack using another vector.
> Opinions?
Why is this stupid? Yes, it might not find anything today, but you might install it tomorrow. Since this is common I always put PMA (and similar tools) either in its own management network that is only accessible using a tunnel or at least behind HTTP authentication. I've seen this exploited once and the attackers installed a few Perl scripts that were launching attacks from the system.
Regards, Dennis
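A small detection check for the probing described in the thread, added here as an illustration (not code from either poster): it parses Apache combined-format access log lines, counts 404s against phpMyAdmin-style paths per source address, and flags addresses that repeat the probe. The log lines are constructed samples; the path pattern and the threshold of three hits are assumptions you would tune to your own site.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format sample lines (not real traffic).
SAMPLE_LOG = """\
91.201.64.24 - - [19/Jun/2012:08:01:12 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 289 "-" "Mozilla/4.0"
91.201.64.24 - - [19/Jun/2012:08:01:13 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 289 "-" "Mozilla/4.0"
91.201.64.24 - - [19/Jun/2012:08:01:13 +0000] "GET /pma/ HTTP/1.1" 404 289 "-" "Mozilla/4.0"
91.201.64.24 - - [19/Jun/2012:08:01:14 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 289 "-" "Mozilla/4.0"
203.0.113.7 - - [19/Jun/2012:08:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2012:08:05:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 289 "-" "Mozilla/5.0"
"""

# client, timestamp, method, path, status from a combined-format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Assumed list of path fragments the scanners in the thread were after.
PMA_RE = re.compile(r'phpmyadmin|myadmin|/pma/', re.IGNORECASE)


def parse_line(line):
    """Return the fields we need, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}


def probe_counts(log_text):
    """Count 404 responses to phpMyAdmin-style paths, keyed by client address."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404 and PMA_RE.search(rec["path"]):
            counts[rec["ip"]] += 1
    return dict(counts)


def flag_scanners(log_text, threshold=3):
    """Addresses whose repeated probing crosses the threshold (assumed default 3).

    A single stray 404 stays below it, so an ordinary visitor is not flagged."""
    return sorted(ip for ip, n in probe_counts(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print(probe_counts(SAMPLE_LOG))
    print(flag_scanners(SAMPLE_LOG))
```

The flagged list is what you would feed to a temporary block or a fail2ban-style jail; the threshold is the knob that keeps it from firing on a one-off 404.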