Another security problem..

Alexander Dalloz ad+lists at uni-x.org
Thu Oct 20 16:06:53 UTC 2005


On Thu, 20.10.2005, at 17:57, James Kosin wrote:

> On 19-Oct-05 at about 1:00pm my time, someone from IP 194.150.85.114
> accessed my web-server trying to access a file called
> main.php in the following places:
> 194.150.85.114 - - [19/Oct/2005:13:01:53 -0400] "GET /phpmyadmin/main.php HTTP/1.0" 404 304 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:53 -0400] "GET /PMA/main.php HTTP/1.0" 404 297 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:54 -0400] "GET /mysql/main.php HTTP/1.0" 404 299 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:54 -0400] "GET /admin/main.php HTTP/1.0" 404 299 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:54 -0400] "GET /db/main.php HTTP/1.0" 404 296 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:54 -0400] "GET /dbadmin/main.php HTTP/1.0" 404 301 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:54 -0400] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 308 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:54 -0400] "GET /admin/pma/main.php HTTP/1.0" 404 303 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:55 -0400] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 310 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:55 -0400] "GET /admin/mysql/main.php HTTP/1.0" 404 305 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:55 -0400] "GET /mysql-admin/main.php HTTP/1.0" 404 305 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:55 -0400] "GET /phpmyadmin2/main.php HTTP/1.0" 404 305 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:56 -0400] "GET /mysqladmin/main.php HTTP/1.0" 404 304 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:56 -0400] "GET /mysql-admin/main.php HTTP/1.0" 404 305 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:56 -0400] "GET /main.php HTTP/1.0" 404 293 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:56 -0400] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 310 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:56 -0400] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 310 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:56 -0400] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 310 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:57 -0400] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 310 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:57 -0400] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 310 "-" "pmafind"
> 
> Of course, this attack fell on deaf ears on my server....  but, I'd
> like everyone to know since this is a security risk if they do have a
> PHP document configuring some of these administrative tasks open on
> the internet.
> 
> Thanks,
> James Kosin

This looks like a specific search for a vulnerable phpMyAdmin
installation, taking into account that the target directory on the
webserver may be different than the default (i.e. PMA is simply the
short form for phpMyAdmin). And I bet that there are plenty of old
phpMyAdmin installs running all over the planet with well-known security
issues. People are lazy, don't read security notes, nor the main page of
the phpMyAdmin project where security alerts are published too, and of
course they do not update.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 18:03:25 up 1 day, 23:37, load average: 0.38, 0.41, 0.34 
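
The directory sweep in the quoted log can be picked out of an access log mechanically. The following is an added example, not part of either poster's message: it parses Apache combined-format lines and reports any client that asks for one file name under many directories within a short window, together with any of those requests that did not return an error. The function name, thresholds and sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, one request per line.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def find_path_probes(lines, min_dirs=5, window=timedelta(seconds=60)):
    """Report clients asking for one file name under >= min_dirs directories
    within `window`, and which of those requests did not get an error."""
    hits = defaultdict(list)              # (ip, file name) -> requests
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                      # not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        directory, _, name = m["path"].split("?")[0].rpartition("/")
        hits[(m["ip"], name)].append((ts, directory or "/", int(m["status"]), m["ua"]))
    findings = []
    for (ip, name), reqs in hits.items():
        reqs.sort(key=lambda r: r[0])
        best, start = [], 0
        for end in range(len(reqs)):      # sliding time window
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            span = reqs[start:end + 1]
            if len({r[1] for r in span}) > len({r[1] for r in best}):
                best = span
        dirs = sorted({r[1] for r in best})
        if len(dirs) >= min_dirs:
            findings.append({
                "ip": ip, "file": name, "directories": dirs,
                "user_agents": sorted({r[3] for r in best}),
                # Anything below 400 means the probe reached a real file.
                "answered": sorted(f"{r[1].rstrip('/')}/{name}" for r in best if r[2] < 400),
            })
    return findings

# Constructed sample (documentation addresses), modelled on the quoted log.
SAMPLE = [
    f'198.51.100.23 - - [19/Oct/2005:13:01:5{i} -0400] "GET {d}/main.php HTTP/1.0" 404 300 "-" "pmafind"'
    for i, d in enumerate(["/phpmyadmin", "/PMA", "/mysql", "/admin/pma", "/db", ""])
] + ['203.0.113.9 - - [19/Oct/2005:13:02:10 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"']

if __name__ == "__main__":
    for f in find_path_probes(SAMPLE):
        print(f)
```

A non-empty `answered` list is the case that needs follow-up: the sweep found an installation, so its version should be checked against the project's security announcements.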