It appears to be a low-level attack, not so frequent as to be banned permanently, just a number of times a day.
I did google on this, and I gather it's looking for phpmyadmin. We've been getting one from one specific network in Russia for weeks
Here is more information about 91.201.64.24:
[Querying whois.ripe.net]
[whois.ripe.net]
<snip>
% Information related to '91.201.64.0 - 91.201.67.255'
inetnum:        91.201.64.0 - 91.201.67.255
netname:        Donekoserv
descr:          DonEkoService Ltd
country:        RU
<snip>
But now I'm seeing the same from Azerbaijan, and France, and elsewhere. Two questions: first, are other folks seeing this? And second, I can't imagine malware this stupid, to keep hitting the same sites over and over when it's not found, rather than bad password or user, so I'm wondering if this could be a targeting vector for an upcoming serious attack using another vector.
Opinions?
mark
On 6/19/2012 2:31 PM, m.roth@5-cent.us wrote:
> It appears to be a low-level attack, not so frequent as to be banned permanently, just a number of times a day.
> I did google on this, and I gather it's looking for phpmyadmin. We've been getting one from one specific network in Russia for weeks
> Here is more information about 91.201.64.24:
> [Querying whois.ripe.net]
> [whois.ripe.net]
> <snip>
> % Information related to '91.201.64.0 - 91.201.67.255'
> inetnum:        91.201.64.0 - 91.201.67.255
> netname:        Donekoserv
> descr:          DonEkoService Ltd
> country:        RU
> <snip>
> But now I'm seeing the same from Azerbaijan, and France, and elsewhere. Two questions: first, are other folks seeing this? And second, I can't imagine malware this stupid, to keep hitting the same sites over and over when it's not found, rather than bad password or user, so I'm wondering if this could be a targeting vector for an upcoming serious attack using another vector.
> Opinions?
> mark
I also see these frequently. As for dumb scripts? Well, there are plenty of those out there. And, if you care to, you can set up rules in Fail2Ban to auto-block these.
This brings up a question I have. We do virtual hosting and keep separate HTTP logs for every website. I have not been running any Fail2Ban rules on those logs, as many are very active and spread about. I suppose I could concentrate only on the error logs, which would be much smaller. My question... is anybody running something like Fail2Ban under a situation like this, and does it use much horsepower?
On 06/19/2012 08:31 PM, m.roth@5-cent.us wrote:
> It appears to be a low-level attack, not so frequent as to be banned permanently, just a number of times a day.
> I did google on this, and I gather it's looking for phpmyadmin. We've been getting one from one specific network in Russia for weeks
> Here is more information about 91.201.64.24:
> [Querying whois.ripe.net]
> [whois.ripe.net]
> <snip>
> % Information related to '91.201.64.0 - 91.201.67.255'
> inetnum:        91.201.64.0 - 91.201.67.255
> netname:        Donekoserv
> descr:          DonEkoService Ltd
> country:        RU
> <snip>
> But now I'm seeing the same from Azerbaijan, and France, and elsewhere. Two questions: first, are other folks seeing this? And second, I can't imagine malware this stupid, to keep hitting the same sites over and over when it's not found, rather than bad password or user, so I'm wondering if this could be a targeting vector for an upcoming serious attack using another vector.
> Opinions?
Why is this stupid? Yes, it might not find anything today, but you might install it tomorrow. Since this is common, I always put PMA (and similar tools) either in its own management network that is only accessible using a tunnel, or at least behind HTTP authentication. I've seen this exploited once, and the attackers installed a few perl scripts that were launching attacks from the system.
Regards, Dennis
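The "at least behind HTTP authentication" option above, written out as an Apache configuration. This is an added example, not Dennis's own config; it assumes the EPEL package layout (/usr/share/phpMyAdmin), Apache 2.2 syntax as shipped on CentOS 6, a 10.0.0.0/8 management network and an htpasswd file at /etc/httpd/conf/pma.htpasswd, all of which are placeholders to adjust.

```apache
# Weak (the stock alias): phpMyAdmin is reachable from anywhere under a
# guessable path, which is exactly what the setup.php scans in this thread
# are looking for.
#
#   Alias /phpmyadmin /usr/share/phpMyAdmin

# Hardened: same alias, but the directory is limited to loopback (for an SSH
# tunnel) plus the management network, AND requires an HTTP login. With the
# default "Satisfy All", both the address check and the login must pass.
Alias /phpmyadmin /usr/share/phpMyAdmin
<Directory /usr/share/phpMyAdmin>
    Order Deny,Allow
    Deny from all
    # assumed management addresses; replace with your own
    Allow from 127.0.0.1 10.0.0.0/8
    AuthType Basic
    AuthName "Database administration"
    AuthUserFile /etc/httpd/conf/pma.htpasswd
    Require valid-user
</Directory>

# Apache 2.4 equivalent of the access control inside the <Directory> block:
#   <RequireAll>
#       Require ip 127.0.0.1 10.0.0.0/8
#       Require valid-user
#   </RequireAll>
```

Create the credential file with `htpasswd -c /etc/httpd/conf/pma.htpasswd <user>` before reloading httpd. For Dennis's stricter "own management network, tunnel only" option, put the Alias in a virtual host bound to 127.0.0.1 only and reach it over `ssh -L`; the scanners then get a 404 for every path in the logwatch listing below, whether or not PMA is installed.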
On 6/19/2012 2:31 PM, m.roth@5-cent.us wrote:
> But now I'm seeing the same from Azerbaijan, and France, and elsewhere. Two questions: first, are other folks seeing this? And second, I can't imagine malware this stupid, to keep hitting the same sites over and over when it's not found, rather than bad password or user, so I'm wondering if this could be a targeting vector for an upcoming serious attack using another vector.
Automated scripts will attack just about every port or program on your server, even if you do not use it. They know that sometime in the future you may turn that service, port, or program on and might not have it set up correctly. Then bam... they are in.
When I put in a new server with a new IP address I have never used before, there is a massive amount of attacks that first week or two. Attacks on everything you could think of. It is like they know a server is suddenly open at that IP and go nuts trying to get in.
Here is my logwatch on just one server, just one day, a server that is not being used and has a blank HTML page with no other services on. Stay vigilant.
404 Not Found
   //3rdparty/phpMyAdmin/scripts/setup.php: 3 Time(s)
   //MyAdmin/scripts/setup.php: 3 Time(s)
   //MySQLAdmin/scripts/setup.php: 3 Time(s)
   //PHPMYADMIN/scripts/setup.php: 2 Time(s)
   //PMA/: 1 Time(s)
   //PMA/scripts/setup.php: 3 Time(s)
   //PMA2005/: 1 Time(s)
   //PMA2005/scripts/setup.php: 3 Time(s)
   //SQL/scripts/setup.php: 3 Time(s)
   //SSLMySQLAdmin/scripts/setup.php: 3 Time(s)
   //_admin/scripts/setup.php: 3 Time(s)
   //_phpMyAdmin/scripts/setup.php: 3 Time(s)
   //_phpmyadmin/scripts/setup.php: 3 Time(s)
   //admin/: 1 Time(s)
   //admin/mysql/scripts/setup.php: 3 Time(s)
   //admin/phpmyadmin/scripts/setup.php: 3 Time(s)
   //admin/pma/scripts/setup.php: 3 Time(s)
   //admin/scripts/setup.php: 3 Time(s)
   //admm/scripts/setup.php: 3 Time(s)
   //admn/scripts/setup.php: 3 Time(s)
   //backup/phpMyAdmin/scripts/setup.php: 3 Time(s)
   //backup/phpmyadmin/scripts/setup.php: 3 Time(s)
   //bbs/data/scripts/setup.php: 3 Time(s)
   //bkup/phpMyAdmin/scripts/setup.php: 3 Time(s)
   //bkup/phpmyadmin/scripts/setup.php: 3 Time(s)
   //cpadmin/scripts/setup.php: 3 Time(s)
   //cpadmindb/scripts/setup.php: 3 Time(s)
   //cpanelmysql/scripts/setup.php: 3 Time(s)
   //cpanelphpmyadmin/scripts/setup.php: 3 Time(s)
   //cpanelsql/scripts/setup.php: 3 Time(s)
   //cpdbadmin/scripts/setup.php: 3 Time(s)
   //cpphpmyadmin/scripts/setup.php: 3 Time(s)
   //databaseadmin/scripts/setup.php: 3 Time(s)
   //db/scripts/setup.php: 3 Time(s)
   //dbadmin/: 1 Time(s)
   //dbadmin/scripts/setup.php: 3 Time(s)
   //myadmin/: 1 Time(s)
   //myadmin/scripts/setup.php: 3 Time(s)
   //mysql-admin/: 1 Time(s)
   //mysql-admin/scripts/setup.php: 3 Time(s)
   //mysql/: 1 Time(s)
   //mysql/scripts/setup.php: 3 Time(s)
   //mysqladmin/: 1 Time(s)
   //mysqladmin/scripts/setup.php: 3 Time(s)
   //mysqladminconfig/scripts/setup.php: 3 Time(s)
   //mysqlmanager/: 1 Time(s)
   //mysqlmanager/scripts/setup.php: 3 Time(s)
   //p/m/a/: 1 Time(s)
   //p/m/a/scripts/setup.php: 3 Time(s)
   //pHpMy/scripts/setup.php: 3 Time(s)
   //pHpMyAdMiN/scripts/setup.php: 3 Time(s)
   //pMA/scripts/setup.php: 3 Time(s)
   //php-my-admin/: 1 Time(s)
   //php-my-admin/scripts/setup.php: 3 Time(s)
   //php-myadmin/: 1 Time(s)
   //php-myadmin/scripts/setup.php: 3 Time(s)
   //php/scripts/setup.php: 3 Time(s)
   //phpMyA/scripts/setup.php: 3 Time(s)
   //phpMyAdmi/scripts/setup.php: 3 Time(s)
   //phpMyAdmin-2/: 1 Time(s)
   //phpMyAdmin/: 1 Time(s)
   //phpMyAdmin/scripts/setup.php: 3 Time(s)
   //phpMyAdmin1/scripts/setup.php: 3 Time(s)
   //phpMyAdmin2/: 1 Time(s)
   //phpMyAds/scripts/setup.php: 3 Time(s)
   //phpadmin/scripts/setup.php: 3 Time(s)
   //phpm/scripts/setup.php: 3 Time(s)
   //phpmanager/: 1 Time(s)
   //phpmanager/scripts/setup.php: 3 Time(s)
   //phpmy-admin/: 1 Time(s)
   //phpmy-admin/scripts/setup.php: 3 Time(s)
   //phpmy/scripts/setup.php: 3 Time(s)
   //phpmya/scripts/setup.php: 3 Time(s)
   //phpmyad-sys/scripts/setup.php: 3 Time(s)
   //phpmyad/scripts/setup.php: 3 Time(s)
   //phpmyadmin/: 1 Time(s)
   //phpmyadmin/scripts/setup.php: 3 Time(s)
   //phpmyadmin1/scripts/setup.php: 3 Time(s)
   //phpmyadmin2/: 1 Time(s)
   //pma/scripts/setup.php: 3 Time(s)
   //pma2005/: 1 Time(s)
   //pma2005/scripts/setup.php: 3 Time(s)
   //roundcube/scripts/setup.php: 3 Time(s)
   //scripts/setup.php: 3 Time(s)
   //sl2/data/scripts/setup.php: 3 Time(s)
   //sql/: 1 Time(s)
   //sql/scripts/setup.php: 3 Time(s)
   //sqladmin/scripts/setup.php: 3 Time(s)
   //sqlmanager/: 1 Time(s)
   //sqlmanager/scripts/setup.php: 3 Time(s)
   //sqlweb/: 1 Time(s)
   //sqlweb/scripts/setup.php: 3 Time(s)
   //typo3/phpmyadmin/scripts/setup.php: 3 Time(s)
   //vhcs2/tools/pma/scripts/setup.php: 3 Time(s)
   //web/phpMyAdmin/scripts/setup.php: 3 Time(s)
   //web/phpmyadmin/scripts/setup.php: 3 Time(s)
   //web/scripts/setup.php: 3 Time(s)
   //webadmin/: 1 Time(s)
   //webadmin/scripts/setup.php: 3 Time(s)
   //webdb/: 1 Time(s)
   //webdb/scripts/setup.php: 3 Time(s)
   //websql/: 1 Time(s)
   //websql/scripts/setup.php: 3 Time(s)
   //wp-content/plugins/wp-phpmyadmin/wp-phpm ... ripts/setup.php: 3 Time(s)
   //wp-phpmyadmin/phpmyadmin/scripts/setup.php: 3 Time(s)
   //wp-phpmyadmin/scripts/setup.php: 3 Time(s)
   //xampp/phpmyadmin/scripts/setup.php: 3 Time(s)
   //~/PMA/scripts/setup.php: 3 Time(s)
   /3561StudioDrive/calendar.php: 1 Time(s)
   /admin/config.php: 1 Time(s)
   /admin/scripts/setup.php: 3 Time(s)
   /cal/calendar.php: 1 Time(s)
   /calendar.php: 1 Time(s)
   /calendar/calendar.php: 1 Time(s)
   /calwest/calendar.php: 1 Time(s)
   /ext/calendar.php: 1 Time(s)
   /extcal/calendar.php: 1 Time(s)
   /finger_lakes_dates/calendar.php: 1 Time(s)
   /index.php?-dsafe_mode%3dOff+-ddisable_fun ... .83%2Finfo3.txt: 3 Time(s)
   /itinerary/calendar.php: 1 Time(s)
   /muieblackcat: 3 Time(s)
   /news/read/url(data:image/png;base64,iVBOR ... SUVORK5CYII%3d): 2 Time(s)
   /pdfdocuments/142188_mantel-chairincident.wmv:3071b: 1 Time(s)
   /phpBB2/: 2 Time(s)
   /phpBB2/board/index.php: 1 Time(s)
   /phpBB2/forum/index.php: 1 Time(s)
   /phpBB2/forums/index.php: 1 Time(s)
   /phpBB2/phpbb/index.php: 1 Time(s)
   /phpBB2/phpbb2/index.php: 1 Time(s)
   /phpBB2/phpbb2/profile.php: 1 Time(s)
   /phpBB2/profile.php: 5 Time(s)
   /tests.php: 1 Time(s)
   /vancouvermuslims/calendar/calendar.php: 1 Time(s)
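Two messages in this thread point at the same thing: the Fail2Ban question (does a rule over busy per-vhost access logs cost much?) and the logwatch listing above (what the rule would have to match). The script below is an added example, not code from anyone in the thread or from the Fail2Ban project. It applies a Fail2Ban-style failregex to a few constructed Apache access-log lines and reproduces the jail's maxretry/findtime decision in plain Python, so you can see what gets banned and why. The filter and jail file names, the log path glob and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format (not taken from the thread).
# 198.51.100.7 runs a setup.php scan; 203.0.113.9 is a single stray 404; 192.0.2.44 sends two probes.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [19/Jun/2012:14:31:02 -0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 292 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jun/2012:14:31:02 -0400] "GET //pma/scripts/setup.php HTTP/1.1" 404 292 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jun/2012:14:31:03 -0400] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 292 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jun/2012:14:31:03 -0400] "GET //PMA2005/scripts/setup.php HTTP/1.1" 404 292 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Jun/2012:14:35:10 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Jun/2012:14:35:11 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 292 "-" "Mozilla/5.0"
192.0.2.44 - - [19/Jun/2012:20:02:00 -0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 292 "-" "Mozilla/5.0"
192.0.2.44 - - [19/Jun/2012:20:02:00 -0400] "GET //muieblackcat HTTP/1.1" 404 292 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client address, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

# Fail2Ban-style failregex. <HOST> is Fail2Ban's placeholder for the client address.
# It is anchored at the start and requires a 404, so it fails fast on the bulk of a busy
# vhost log (normal 200s never reach the path alternatives). The path list is built from
# the logwatch output in this thread and is deliberately case-insensitive ((?i)).
FAILREGEX = (
    r'(?i)^<HOST> -.*"(?:GET|POST|HEAD) [^"]*'
    r'(?:phpmyadmin|/pma[^/"]*/|myadmin|mysql|/scripts/setup\.php|muieblackcat)'
    r'[^"]*" 404 '
)


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Turn a Fail2Ban failregex into a Python regex by expanding the <HOST> tag."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))


def parse_time(text: str) -> datetime:
    """Apache timestamp, e.g. 19/Jun/2012:14:31:02 -0400 (timezone-aware)."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def probe_hits(lines, failregex: str = FAILREGEX):
    """Map client address -> list of timestamps of lines that match the failregex."""
    pattern = compile_failregex(failregex)
    hits = defaultdict(list)
    for line in lines:
        match = pattern.search(line)
        if not match:
            continue
        fields = LOG_LINE.match(line)
        hits[match.group("host")].append(parse_time(fields.group("time")))
    return hits


def offenders(lines, maxretry: int = 3, findtime: int = 600, failregex: str = FAILREGEX):
    """Addresses with at least `maxretry` matches inside any `findtime`-second window.

    This mirrors the decision a Fail2Ban jail makes before calling its ban action.
    """
    window = timedelta(seconds=findtime)
    banned = []
    for host, times in probe_hits(lines, failregex).items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.append(host)
                break
    return sorted(banned)


def fail2ban_config() -> str:
    """The same rule as Fail2Ban filter + jail text (assumed file names; check with fail2ban-regex)."""
    return f"""\
# /etc/fail2ban/filter.d/apache-phpmyadmin.conf  (assumed name)
[Definition]
failregex = {FAILREGEX}
ignoreregex =

# /etc/fail2ban/jail.local
[apache-phpmyadmin]
enabled  = true
filter   = apache-phpmyadmin
action   = iptables-multiport[name=pma, port="http,https"]
logpath  = /var/log/httpd/*access_log
maxretry = 3
findtime = 600
bantime  = 86400
"""


if __name__ == "__main__":
    sample = SAMPLE_ACCESS_LOG.splitlines()
    for host, times in probe_hits(sample).items():
        print(f"{host}: {len(times)} probe(s)")
    print("would ban:", offenders(sample))
    print(fail2ban_config())
```

On the horsepower question: the cost is one anchored regex per log line, and the `^<HOST> -` anchor plus the `" 404 ` suffix mean a normal 200 line is rejected after scanning the request string once, so even a busy vhost log is cheap to watch; the glob in `logpath` lets one jail cover all the per-site access logs. Before enabling the jail, run `fail2ban-regex` against a real access log with the filter file to confirm the date handling and `<HOST>` expansion match your Fail2Ban version.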