Just got 26 requests from some bot or script looking for unprotected installations of phpMyAdmin. The requests, one per second, were made to the following URIs:
- /phpmyadmin/main.php
- /PMA/main.php
- /mysql/main.php
- /admin/main.php
- /db/main.php
- /dbadmin/main.php
- /web/phpMyAdmin/main.php
- /admin/pma/main.php
- /admin/phpmyadmin/main.php
- /admin/mysql/main.php
- /phpmyadmin2/main.php
- /mysqladmin/main.php
- /mysql-admin/main.php
- /main.php
- /phpMyAdmin-2.5.6/main.php
- /phpMyAdmin-2.5.4/main.php
- /phpMyAdmin-2.5.1/main.php
- /phpMyAdmin-2.2.3/main.php
- /phpMyAdmin-2.2.6/main.php
- /myadmin/main.php
- /phpMyAdmin-2.6.0/main.php
- /phpMyAdmin-2.6.0-pl1/main.php
- /phpMyAdmin-2.6.3-pl1/main.php
- /phpMyAdmin-2.6.3/main.php
- /phpMyAdmin-2.6.3-rc1/main.php
- /phpMyAdmin-2.6.2-rc1/main.php
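The list above is exactly the pattern such a scanner leaves in an access log: many distinct paths, all ending in main.php, from one client at about one request per second, whereas a legitimate administrator requests one path over and over. As an added example (not part of the original post), here is a small awk-based check that flags clients which requested several distinct */main.php paths in an Apache combined-format access log and reports how many seconds the run spanned. The sample log lines are constructed to mirror the scan described above; the threshold, the field positions and the same-day timestamp handling are assumptions, and newer phpMyAdmin releases answer on index.php rather than main.php, so the pattern would need extending for them.

```shell
#!/bin/sh
# Added example: spot phpMyAdmin path scanners in an Apache access log.
# Reads combined/common log format on stdin; prints
#   <client> <distinct main.php paths> <total hits> <seconds first..last>
# for every client with at least THRESHOLD distinct paths.
set -eu

pma_scanners() {
    awk -v min="$1" '
        # $1 = client address, $4 = "[dd/Mon/yyyy:HH:MM:SS", $7 = request path
        tolower($7) ~ /\/main\.php$/ {
            ip = $1
            key = ip SUBSEP $7
            if (!(key in seen)) { seen[key] = 1; distinct[ip]++ }
            hits[ip]++
            # HH:MM:SS starts at offset 14 of $4; same-day spans only (assumption)
            split(substr($4, 14, 8), t, ":")
            sec = t[1] * 3600 + t[2] * 60 + t[3]
            if (!(ip in first) || sec < first[ip]) first[ip] = sec
            if (!(ip in last)  || sec > last[ip])  last[ip]  = sec
        }
        END {
            for (ip in distinct)
                if (distinct[ip] >= min)
                    print ip, distinct[ip], hits[ip], last[ip] - first[ip]
        }'
}

# Constructed sample: the scanner walking six list entries one second apart,
# an administrator using a renamed install, and an unrelated visitor.
sample_log() {
    cat <<'EOF'
66.235.201.231 - - [12/May/2005:01:10:00 +0200] "GET /phpmyadmin/main.php HTTP/1.0" 404 209 "-" "-"
66.235.201.231 - - [12/May/2005:01:10:01 +0200] "GET /PMA/main.php HTTP/1.0" 404 209 "-" "-"
66.235.201.231 - - [12/May/2005:01:10:02 +0200] "GET /mysql/main.php HTTP/1.0" 404 209 "-" "-"
66.235.201.231 - - [12/May/2005:01:10:03 +0200] "GET /admin/main.php HTTP/1.0" 404 209 "-" "-"
66.235.201.231 - - [12/May/2005:01:10:04 +0200] "GET /db/main.php HTTP/1.0" 404 209 "-" "-"
66.235.201.231 - - [12/May/2005:01:10:05 +0200] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 209 "-" "-"
10.0.0.5 - admin [12/May/2005:01:10:02 +0200] "GET /phpMyAdmin_Irogah2A/main.php HTTP/1.1" 200 8341 "-" "Mozilla/5.0"
10.0.0.5 - admin [12/May/2005:01:12:40 +0200] "GET /phpMyAdmin_Irogah2A/main.php HTTP/1.1" 200 8341 "-" "Mozilla/5.0"
10.0.0.5 - admin [12/May/2005:01:15:00 +0200] "GET /phpMyAdmin_Irogah2A/main.php HTTP/1.1" 200 8341 "-" "Mozilla/5.0"
192.0.2.77 - - [12/May/2005:01:11:00 +0200] "GET /index.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
EOF
}

# Usage against a real log: pma_scanners 3 < /var/log/apache2/access.log
sample_log | pma_scanners 3
```

The administrator hits one path three times and is never reported; the scanner is reported with six distinct paths in a five-second window, which is the one-request-per-second signature noted above. Run it against the real log with a threshold of two or three to catch shorter lists.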
The requests all originated from 66.235.201.231 (ds201-231.ipowerweb.com, which doesn’t forward resolve). A portscan shows ports 21 (ftp: ‘Microsoft FTP Service’), 25 (smtp: ‘Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830’), 54 (ftp: ‘Serv-U FTP Server v5.2 for WinSock’), 80 (http: ‘Microsoft-IIS/6.0’), 135, 139, 445, and 1433 open. Some ports just above 1024 are sporadically open. The host is probably a zombie.
I’ve mailed {abuse,hostmaster}@ipowerweb.com at 01:17 CET.
If you’re running any management software without proper protection (IP-based access restrictions where possible, HTTP Authentication with a strong password at the very least), consider this your last warning call.
Even for protected directories, change the default directory name, e.g. by appending a random string to get ‘phpMyAdmin_Irogah2A’ (pwgen is great for this). A scan like the one above walks a fixed list of well-known paths; a renamed directory simply isn’t on that list, so it is harder to find, and the HTTP Authentication in front of it is (somewhat) shielded from brute-force attempts. (Yes, this is obscurity at work. Security by obscurity is only bad if it’s the only line of defense; as an additional safety measure it’s fine.)
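As an added example (not from the original post), this shell snippet carries out both recommendations: it generates a random suffix with pwgen (falling back to /dev/urandom), renames the phpMyAdmin directory, and writes an .htaccess that only admits a named source network and, on top of that, a valid HTTP Basic user. The network 192.0.2.0/24, the directory names and the password-file path are placeholders; the directives are Apache 2.2 syntax (Order/Allow/Satisfy), which is an assumption about the server the post has in mind, and Apache 2.4 would use Require ip and Require valid-user inside a RequireAll block instead.

```shell
#!/bin/sh
# Added example: move phpMyAdmin to a randomly named directory and protect it
# with both an IP allow-list and HTTP Basic authentication.
# All paths and the network are placeholders.
set -eu

# Eight random alphanumeric characters: pwgen if installed, /dev/urandom otherwise.
random_suffix() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -s 8 1
    else
        LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 8
        echo
    fi
}

# Print an Apache 2.2-style .htaccess: only clients in $1 (CIDR) get through,
# and they must still authenticate against the htpasswd file $2.
# "Satisfy All" makes both conditions mandatory rather than either/or.
render_htaccess() {
    net=$1
    passwdfile=$2
    cat <<EOF
Order deny,allow
Deny from all
Allow from $net
AuthType Basic
AuthName "Database administration"
AuthUserFile $passwdfile
Require valid-user
Satisfy All
EOF
}

# Rename DOCROOT/phpMyAdmin to DOCROOT/phpMyAdmin_<suffix>, drop the
# .htaccess into it and print the new directory path.
harden_pma() {
    docroot=$1
    net=$2
    passwdfile=$3
    suffix=$(random_suffix)
    newdir="$docroot/phpMyAdmin_$suffix"
    mv "$docroot/phpMyAdmin" "$newdir"
    render_htaccess "$net" "$passwdfile" > "$newdir/.htaccess"
    echo "$newdir"
}

# Usage (placeholders):
#   harden_pma /var/www/html 192.0.2.0/24 /etc/apache2/pma.htpasswd
```

Create the password file outside the document root first, e.g. with `htpasswd -c /etc/apache2/pma.htpasswd admin`, and make sure the directory allows `AllowOverride AuthConfig Limit` (or put the same directives in the main server configuration instead of an .htaccess). Remember the new name yourself; the point is that nobody walking a list of defaults can guess it.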
PS: If you’re running phpMyAdmin <= 2.6.4, upgrade to the latest version.
Update 2005-05-12 22:09
Response (Angel P.) 12/05/2005 01:06 PM
Thank you for contacting the iPowerWeb Abuse Department.
We apologize for any inconvenience this may have caused you. We have taken action regarding the network scan originating from our network.
Thank you for your time and patience.
Those were my scans; phpMyAdmin is very exploitable, wrote my own shellcode. Kthx for the information 🙂