[CentOS] PMA attacks

Tue Jun 19 18:40:01 UTC 2012
John Hinton <webmaster at ew3d.com>

On 6/19/2012 2:31 PM, m.roth at 5-cent.us wrote:
> It appears to be a low-level attack, not so frequent as to be banned
> permanently, just a number of times a day.
>
> I did google on this, and I gather it's looking for phpmyadmin. We've been
> getting one from one specific network in Russia for weeks.
>
> Here is more information about 91.201.64.24:
>
> [Querying whois.ripe.net]
> [whois.ripe.net]
> <snip>
> % Information related to '91.201.64.0 - 91.201.67.255'
>
> inetnum:         91.201.64.0 - 91.201.67.255
> netname:         Donekoserv
> descr:           DonEkoService Ltd
> country:         RU
> <snip>
>
> But now I'm seeing the same from Azerbaijan, and France, and elsewhere.
> Two questions: first, are other folks seeing this? and second, I can't
> imagine malware this stupid, to keep hitting the same sites over and over
> when it's not found, rather than bad password or user, so I'm wondering if
> this could be a targeting vector for an upcoming serious attack using
> another vector.
>
> Opinions?
>
>        mark
>
>
I also see these frequently. As for a dumb script? Well, there are plenty 
of those out there. And, if you care to, you can set up rules in 
Fail2Ban to auto-block these.

This brings up a question I have. We do virtualhosting and keep separate 
http logs for every website. I have not been running any Fail2Ban rules 
on those logs as many are very active and spread about. I suppose I 
could concentrate only on the error logs which would be much smaller. My 
question... is anybody running something like Fail2Ban under a situation 
like this and does it use much horsepower?

-- 
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions
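The Fail2Ban approach John mentions, and his idea of watching the (much smaller) error logs instead of the per-vhost access logs, can be sketched out without a running fail2ban. The following is an added example, not code from the original thread or from the fail2ban project. It uses two hypothetical fail2ban-style failregex patterns written for this example (fail2ban ships no such filter under these names), one for Apache combined-format access lines and one for Apache 2.2 error-log "File does not exist" lines, expands fail2ban's `<HOST>` placeholder to an IPv4-only pattern (a simplification; the real expansion also accepts hostnames and IPv6), and applies fail2ban's maxretry/findtime counting to a handful of constructed log lines. The error-log timestamps carry no zone, so the code assumes they are UTC.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical fail2ban-style failregex patterns written for this example.
# <HOST> is fail2ban's placeholder for the client address.
ACCESS_FAILREGEX = (
    r'^<HOST> \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST|HEAD) /(?:phpmyadmin|phpMyAdmin|PMA|pma|myadmin|mysql)\S* '
    r'HTTP/[0-9.]+" 404 '
)
ERROR_FAILREGEX = (
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client <HOST>\] '
    r'File does not exist: \S*/(?:phpmyadmin|phpMyAdmin|PMA|pma|myadmin|mysql)\b'
)

# Simplification: IPv4 only. fail2ban's own <HOST> expansion is wider.
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'


def compile_filter(failregex):
    """Turn a fail2ban-style failregex into a Python regex."""
    return re.compile(failregex.replace('<HOST>', HOST_RE))


# (compiled filter, strptime format for its timestamp group)
FILTERS = [
    (compile_filter(ACCESS_FAILREGEX), '%d/%b/%Y:%H:%M:%S %z'),
    (compile_filter(ERROR_FAILREGEX), '%a %b %d %H:%M:%S %Y'),
]

# Constructed sample lines for this example (not taken from the thread). The
# 91.201.64.24 address is the one quoted in the thread; the others are
# RFC 5737 documentation addresses.
SAMPLE_LINES = """\
91.201.64.24 - - [19/Jun/2012:14:01:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 289 "-" "-"
91.201.64.24 - - [19/Jun/2012:14:01:04 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 289 "-" "-"
91.201.64.24 - - [19/Jun/2012:14:01:05 +0000] "GET /pma/ HTTP/1.1" 404 281 "-" "-"
203.0.113.7 - - [19/Jun/2012:14:02:10 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2012:14:02:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 289 "-" "Mozilla/5.0"
[Tue Jun 19 09:00:00 2012] [error] [client 198.51.100.9] File does not exist: /var/www/vhosts/example.com/htdocs/phpmyadmin
[Tue Jun 19 14:05:00 2012] [error] [client 198.51.100.9] File does not exist: /var/www/vhosts/example.com/htdocs/phpMyAdmin
[Tue Jun 19 14:05:01 2012] [error] [client 198.51.100.9] File does not exist: /var/www/vhosts/example.com/htdocs/pma
""".splitlines()


def parse_hit(line):
    """Return (host, unix_time) if the line matches a probe filter, else None."""
    for regex, ts_fmt in FILTERS:
        m = regex.search(line)
        if m:
            ts = datetime.strptime(m.group('ts'), ts_fmt)
            if ts.tzinfo is None:
                # Assumption: the Apache error log is written in UTC.
                ts = ts.replace(tzinfo=timezone.utc)
            return m.group('host'), ts.timestamp()
    return None


def find_offenders(lines, maxretry=3, findtime=600):
    """fail2ban-style counting: a host is banned once it has maxretry matching
    lines inside any findtime-second window. Lines are assumed to be in time
    order, as they are when a log file is read front to back."""
    recent = defaultdict(list)
    banned = set()
    for line in lines:
        hit = parse_hit(line)
        if hit is None:
            continue
        host, t = hit
        # Drop hits that have aged out of the findtime window, then add this one.
        window = [x for x in recent[host] if t - x <= findtime]
        window.append(t)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == '__main__':
    print(sorted(find_offenders(SAMPLE_LINES)))
```

With the defaults only 91.201.64.24 is banned: 198.51.100.9 also probes three times, but its first probe is five hours before the other two, so no 600-second window ever holds three hits. That is exactly the "low-level" pattern mark describes, and it is why findtime and maxretry need tuning for this kind of scanner rather than for SSH brute force. On the horsepower question, the error log is the cheaper input: every probe for a non-existent phpMyAdmin path produces a "File does not exist" line there, while the access log also carries every legitimate request across all the vhosts. A fail2ban jail's logpath accepts shell globs, so one jail can cover all the per-site error logs.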