On 6/19/2012 2:31 PM, m.roth at 5-cent.us wrote: > It appears to be a low-level attack, not so frequent as to be banned > permanently, just a number of times a day. > > I did google on this, and I gather it's looking for phpmyadmin. We've been > getting one from one specific network in Russia for weeks > > Here are more information about 91.201.64.24: > > [Querying whois.ripe.net] > [whois.ripe.net] > <snip> > % Information related to '91.201.64.0 - 91.201.67.255' > > inetnum: 91.201.64.0 - 91.201.67.255 > netname: Donekoserv > descr: DonEkoService Ltd > country: RU > <snip> > > But now I'm seeing the same from Azerbaijan, and France, and elsewhere. > Two questions: first, are other folks seeing this? and second, I can't > imagine malware this stupid, to keep hitting the same sites over and over > when it's not found, rather than bad password or user, so I'm wondering if > this could be a targetting vector for an upcoming serious attack using > another vector. > > Opinions? > > mark > > I also see these frequently. As for dumb script? Well there are plenty of those out there. And, if you care to, you can set up rules in Fail2Ban to auto block these. This brings up a question I have. We do virtualhosting and keep separate http logs for every website. I have not been running any Fail2Ban rules on those logs as many are very active and spread about. I suppose I could concentrate only on the error logs which would be much smaller. My question... is anybody running something like Fail2Ban under a situation like this and does it use much horsepower? -- John Hinton 877-777-1407 ext 502 http://www.ew3d.com Comprehensive Online Solutions