[CentOS] PMA attacks

Tue Jun 19 18:43:29 UTC 2012
Dennis Jacobfeuerborn <dennisml at conversis.de>

On 06/19/2012 08:31 PM, m.roth at 5-cent.us wrote:
> It appears to be a low-level attack, not so frequent as to be banned
> permanently, just a number of times a day.
> 
> I did google on this, and I gather it's looking for phpmyadmin. We've been
> getting one from one specific network in Russia for weeks.
> 
> Here is more information about 91.201.64.24:
> 
> [Querying whois.ripe.net]
> [whois.ripe.net]
> <snip>
> % Information related to '91.201.64.0 - 91.201.67.255'
> 
> inetnum:         91.201.64.0 - 91.201.67.255
> netname:         Donekoserv
> descr:           DonEkoService Ltd
> country:         RU
> <snip>
> 
> But now I'm seeing the same from Azerbaijan, and France, and elsewhere.
> Two questions: first, are other folks seeing this? and second, I can't
> imagine malware this stupid, to keep hitting the same sites over and over
> when it's not found, rather than bad password or user, so I'm wondering if
> this could be a targeting vector for an upcoming serious attack using
> another vector.
> 
> Opinions?

Why is this stupid? Yes, it might not find anything today, but you might
install it tomorrow.
Since this is common I always put PMA (and similar tools) either in its
own management network that is only accessible using a tunnel or at least
behind HTTP authentication. I've seen this exploited once and the attackers
installed a few perl scripts that were launching attacks from the system.

Regards,
  Dennis
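As an added example that is not part of this thread, a small Python script that does what the posters are doing by hand: pick phpMyAdmin probes out of an Apache combined-format access log and report which source addresses keep coming back on different days, the low-rate pattern described above that a per-hour ban threshold never catches. The log lines are constructed; 198.51.100.7 and 203.0.113.5 are documentation addresses, and 91.201.64.24 is the address from the quoted post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Directory names scanners commonly request when looking for phpMyAdmin.
PMA_PATHS = ("/phpmyadmin", "/pma", "/myadmin", "/mysqladmin", "/dbadmin")

# Apache "combined" log format: client, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log; addresses other than 91.201.64.24 are documentation ranges.
SAMPLE_LOG = """\
91.201.64.24 - - [18/Jun/2012:03:12:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 292 "-" "Mozilla/5.0"
91.201.64.24 - - [18/Jun/2012:03:12:02 +0000] "GET /pma/ HTTP/1.1" 404 284 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jun/2012:09:40:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
91.201.64.24 - - [19/Jun/2012:04:01:57 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 301 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jun/2012:11:22:33 +0000] "GET /myadmin/ HTTP/1.1" 404 288 "-" "-"
"""

def parse_line(line):
    """Return (ip, timestamp, path, status) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def is_pma_probe(path):
    """True if the request path (ignoring case and query string) is one of the usual PMA directories."""
    p = path.split("?", 1)[0].lower().rstrip("/")
    return any(p == x or p.startswith(x + "/") for x in PMA_PATHS)

def summarize(log_text):
    """Per source IP: number of PMA probes, the distinct days they occurred on, and the paths tried."""
    stats = defaultdict(lambda: {"hits": 0, "days": set(), "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_pma_probe(rec[2]):
            continue
        ip, ts, path, _status = rec
        stats[ip]["hits"] += 1
        stats[ip]["days"].add(ts.date())
        stats[ip]["paths"].add(path)
    return dict(stats)

def persistent_probers(stats, min_days=2):
    """Addresses that returned on at least min_days distinct days: few hits per day, but never stopping."""
    return sorted(ip for ip, s in stats.items() if len(s["days"]) >= min_days)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(f"{ip:16} hits={s['hits']} days={len(s['days'])} paths={sorted(s['paths'])}")
    print("persistent:", persistent_probers(stats))
```

Feed it a real access_log instead of SAMPLE_LOG to see whether the same networks show up across weeks, which is the pattern worth reporting or blocking at the firewall rather than waiting for a rate-based ban.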