On 06/19/2012 08:31 PM, m.roth at 5-cent.us wrote:
> It appears to be a low-level attack, not so frequent as to be banned
> permanently, just a number of times a day.
>
> I did google on this, and I gather it's looking for phpmyadmin. We've been
> getting one from one specific network in Russia for weeks.
>
> Here is more information about 91.201.64.24:
>
> [Querying whois.ripe.net]
> [whois.ripe.net]
> <snip>
> % Information related to '91.201.64.0 - 91.201.67.255'
>
> inetnum: 91.201.64.0 - 91.201.67.255
> netname: Donekoserv
> descr: DonEkoService Ltd
> country: RU
> <snip>
>
> But now I'm seeing the same from Azerbaijan, and France, and elsewhere.
> Two questions: first, are other folks seeing this? And second, I can't
> imagine malware this stupid, to keep hitting the same sites over and over
> when it's not found, rather than bad password or user, so I'm wondering if
> this could be a targeting vector for an upcoming serious attack using
> another vector.
>
> Opinions?

Why is this stupid? Yes, it might not find anything today, but you might install it tomorrow.

Since this is common, I always put PMA (and similar tools) either in its own management network that is only accessible using a tunnel, or at least behind HTTP authentication.

I've seen this exploited once, and the attackers installed a few perl scripts that were launching attacks from the system.

Regards,
Dennis
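A small log check for the probing described in this thread, added here as an example and not taken from either message: it tallies, per source IP, the 404 responses for phpMyAdmin-style paths in an Apache combined-format access log, so you can see how often a given network is knocking. The log lines and the list of probed path names are constructed for the example.

```python
import re
from collections import Counter

# Apache/httpd "combined" access log format (constructed sample lines below).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Path names typically requested when scanning for phpMyAdmin-style tools (assumed list).
PMA_PATH = re.compile(r'/(phpmyadmin|pma|mysqladmin|myadmin)\b', re.IGNORECASE)

SAMPLE_LOG = """\
198.51.100.7 - - [19/Jun/2012:20:31:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
198.51.100.7 - - [19/Jun/2012:20:31:02 +0000] "GET /pma/ HTTP/1.1" 404 209
198.51.100.7 - - [19/Jun/2012:20:31:03 +0000] "GET /PhpMyAdmin/scripts/setup.php HTTP/1.1" 404 209
203.0.113.9 - - [19/Jun/2012:20:40:10 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.9 - - [19/Jun/2012:20:40:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
192.0.2.55 - - [19/Jun/2012:21:02:00 +0000] "GET /mysqladmin/ HTTP/1.1" 404 209
192.0.2.55 - - [19/Jun/2012:21:02:01 +0000] "GET /myadmin/ HTTP/1.1" 404 209
"""

def probe_counts(log_text):
    """Count phpMyAdmin-style probes per source IP.

    A request counts when its path matches PMA_PATH and the server answered
    404, i.e. the tool is not installed, which is the pattern the thread describes.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing on them
        if m.group("status") == "404" and PMA_PATH.search(m.group("path")):
            counts[m.group("ip")] += 1
    return counts

def scanners(log_text, threshold=2):
    """Return (ip, count) pairs reaching the threshold, busiest first."""
    c = probe_counts(log_text)
    return sorted(((ip, n) for ip, n in c.items() if n >= threshold), key=lambda t: -t[1])

if __name__ == "__main__":
    for ip, n in scanners(SAMPLE_LOG):
        print(f"{ip}: {n} phpMyAdmin probes answered 404")
```

Feed it a real access log (for example `scanners(open("/var/log/httpd/access_log").read())`) and compare the result with whatever ban list or firewall rule you are considering.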