Apache Server configuration support - Question about Log Access File


nomorespameventhoughthejapanesespamgivesmeachu

2006-11-29, 7:24 pm

I recently switched to an Apache server for my website and was looking
through my access logs and found this today. Can I assume that someone
is trying to gain access to sensitive information about the server and
may be attempting to hack into it?

89.12.65.208 - - [29/Nov/2006:06:32:00 -0600] "GET /phpmyadmin/main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:01 -0600] "GET /phpmyadmin/main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:01 -0600] "GET /phpMyAdmin/main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:01 -0600] "GET /PHPMYADMIN/main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:02 -0600] "GET /pma/main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:02 -0600] "GET /PMA/main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:03 -0600] "GET /PMA/main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:03 -0600] "GET /phpmyadmin/main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:03 -0600] "GET /mysql/main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:04 -0600] "GET /admin/main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:04 -0600] "GET /db/main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:04 -0600] "GET /dbadmin/main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:05 -0600] "GET /web/phpMyAdmin/main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:05 -0600] "GET /admin/pma/main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:06 -0600] "GET /admin/phpmyadmin/main.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:06 -0600] "GET /admin/mysql/main.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:06 -0600] "GET /mysql-admin/main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:07 -0600] "GET /phpmyadmin2/main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:07 -0600] "GET /mysqladmin/main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:07 -0600] "GET /mysql-admin/main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:08 -0600] "GET /main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:08 -0600] "GET /phpMyAdmin-2.5.6/main.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:09 -0600] "GET /phpMyAdmin-2.5.4/main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:09 -0600] "GET /phpMyAdmin-2.5.1/main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:09 -0600] "GET /phpMyAdmin-2.2.3/main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:10 -0600] "GET /phpMyAdmin-2.2.6/main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:10 -0600] "GET /myadmin/main.php main.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:10 -0600] "GET /phpmyadmin/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:11 -0600] "GET /PMA/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:11 -0600] "GET /mysql/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:11 -0600] "GET /xampp/phpmyadmin/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:12 -0600] "GET /typo3/phpmyadmin/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:12 -0600] "GET /mysqladmin/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:12 -0600] "GET /admin/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:13 -0600] "GET /db/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:13 -0600] "GET /dbadmin/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:14 -0600] "GET /web/phpMyAdmin/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:14 -0600] "GET /admin/pma/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:14 -0600] "GET /admin/phpmyadmin/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:15 -0600] "GET /phpmyadmin2/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:15 -0600] "GET /phpmyadmin1/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:16 -0600] "GET /phpadmin/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:16 -0600] "GET /myadmin/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:16 -0600] "GET /phpMyAdmin-2.2.3/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:17 -0600] "GET /phpMyAdmin-2.2.7-pl1/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:17 -0600] "GET /phpMyAdmin-2.5.6/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:17 -0600] "GET /phpMyAdmin-2.5.7-pl1/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:18 -0600] "GET /phpMyAdmin-2.6.0/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:18 -0600] "GET /phpMyAdmin-2.6.0-pl3/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:18 -0600] "GET /phpMyAdmin-2.6.0-pl3/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:19 -0600] "GET /phpMyAdmin-2.6.1-pl3/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:19 -0600] "GET /phpMyAdmin-2.6.3-pl1/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:20 -0600] "GET /phpMyAdmin 2.6.4-pl4/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:20 -0600] "GET /phpMyAdmin 2.7.0-beta1/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:20 -0600] "GET /phpMyAdmin 2.7.0-rc1/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:21 -0600] "GET /phpMyAdmin 2.7.0/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:21 -0600] "GET /phpMyAdmin-2.6.4/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:21 -0600] "GET /phpMyAdmin 2.7.0-pl1/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
89.12.65.208 - - [29/Nov/2006:06:32:22 -0600] "GET /phpMyAdmin-2.2.7-pl1/read_dump.phpmain.php HTTP/1.0" 404 967 "-" "-"
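
An added example (not from the thread): a small Python script that parses Apache combined-format lines like the ones above and flags a source IP whose 404s against database-admin paths cluster inside a short window, noting whether every hit also lacks a User-Agent. The sample lines are constructed to mimic the pattern, using documentation IP addresses rather than the poster's.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Path fragments the probe list in the thread cycles through (heuristic, matched case-insensitively).
PROBE_KEYWORDS = ("phpmyadmin", "pma", "mysql", "dbadmin", "myadmin", "phpadmin", "/admin/", "/db/")

# Constructed sample: a burst of probes from one documentation IP, plus an ordinary 404 from another.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Nov/2006:06:32:00 -0600] "GET /phpmyadmin/main.php HTTP/1.0" 404 967 "-" "-"
203.0.113.5 - - [29/Nov/2006:06:32:01 -0600] "GET /phpMyAdmin/main.php HTTP/1.0" 404 967 "-" "-"
203.0.113.5 - - [29/Nov/2006:06:32:02 -0600] "GET /pma/main.php HTTP/1.0" 404 967 "-" "-"
203.0.113.5 - - [29/Nov/2006:06:32:03 -0600] "GET /mysql/main.php main.php HTTP/1.0" 404 967 "-" "-"
203.0.113.5 - - [29/Nov/2006:06:32:04 -0600] "GET /dbadmin/main.php HTTP/1.0" 404 967 "-" "-"
203.0.113.5 - - [29/Nov/2006:06:32:05 -0600] "GET /phpMyAdmin-2.6.0/read_dump.php HTTP/1.0" 404 967 "-" "-"
198.51.100.7 - - [29/Nov/2006:06:40:12 -0600] "GET /old-page.html HTTP/1.1" 404 967 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_scanners(lines, min_hits=5, window_s=60):
    """Map source IP -> summary for IPs whose admin-path 404s cluster inside window_s seconds."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        # Only failed requests for paths that look like a control-panel probe count as hits.
        if rec and rec["status"] == 404 and any(k in rec["path"].lower() for k in PROBE_KEYWORDS):
            by_ip[rec["ip"]].append(rec)
    found = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if len(recs) >= min_hits and span <= window_s:
            found[ip] = {"hits": len(recs), "span_s": span, "no_user_agent": all(r["ua"] in ("", "-") for r in recs)}
    return found
```

Run against a real access log, the output is a list of source IPs worth blocking at the firewall or in mod_security, with the empty User-Agent flag as extra confirmation.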

R Krause

2006-11-29, 7:24 pm

nomorespameventhoughthejapanesespamgivesmeachuckle wrote:
> I recently switched to an Apache server for my website and was looking
> through my access logs and found this today. Can I assume that someone
> is trying to gain access to sensitive information about the server and
> may be attempting to hack into it?
>


There are a few exploits out there for phpMyAdmin. But, the example
you've shown appears to be an automated user-agent attempting to find a
vulnerability -- in this case open-door access to your phpMyAdmin
console. But as long as you secure your server these requests are
really more of a nuisance than a threat. If you use phpMyAdmin or any
other kind of control panel Web application, then I highly advise
placing them in a special directory that has strict access controls and
is preferably SSL-only (you can generate your own dummy cert just for
such purposes). Basically, you want to make it so that your server is
so secure, it is simply too much trouble to compromise using everyday
exploits. That doesn't mean your site has to be too inconvenient for
regular visitors, however. It's a tradeoff and there are basic things
you can do with Apache to make these kinds of intrusions less likely.

--Randall

shimmyshack

2006-11-29, 7:24 pm

yeah there are worms out there just hunting for things like
horde/phpmyadmin/phpgallery etc...
just ensure you are always up to date applying patches. Don't be tempted
to relax your auth mechanisms for ease of use.
For instance, if you use phpmyadmin, don't give it the root password
unless it really needs it, make regular backups, and consider uploading
the config file when needed.
Ban by IP, if you connect from a static IP.
Consider the fact that FTP is sent in the clear, so try to use SFTP or
ftp over ssl, unless you trust your local net.
Consider mod_security (I ban anything which doesn't bother to use a
user-agent).

If you do get hacked and a thousand php files have some randomly
generated remote command execution code inserted into them, will you be
able to identify which files are infected? How will you return them to
a working state? Consider using checksums on your files, and so on.

I totally agree it is more of a curiosity and an irritation, but I've
seen these attacks succeed when lazy admins are playing around, or try
naming their files with obscure names and think that will save them, or
just relax auth rules "while I test" etc... It can be a REAL
irritation. (especially when 200,000 emails have been sent from your
machine overnight!) Call me paranoid but I never want to have to deal
with the aftermath - <smug grin!> - although I guess it will happen
someday.
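
An added example of the checksum idea in the post above (not shimmyshack's code): build a SHA-256 baseline of the tracked files in a web tree, keep a copy off the server, and later diff it to list modified, added and removed files. The site tree and the "injected" change are constructed in a temporary directory; the change itself is only a harmless appended comment.

```python
import hashlib
import json
import os
import tempfile

TRACKED = (".php", ".html", ".htaccess")  # file types worth baselining on a PHP site


def sha256_of(path):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every tracked file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(TRACKED):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def compare(baseline, current):
    """List files whose hash changed, that appeared, or that vanished since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed site tree in a temp dir; the 'tampering' is a harmless appended comment."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "inc"))
        for rel, body in {"index.php": "<?php echo 'hi'; ?>\n", "inc/db.php": "<?php $dsn = 'x'; ?>\n"}.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        saved = json.dumps(build_baseline(root))  # in practice, store this copy off the server
        with open(os.path.join(root, "inc", "db.php"), "a") as f:
            f.write("<?php /* constructed marker standing in for an injected change */ ?>\n")
        with open(os.path.join(root, "inc", "new.php"), "w") as f:
            f.write("<?php ?>\n")
        return compare(json.loads(saved), build_baseline(root))
```

The baseline must be refreshed after every legitimate deploy, or the report fills with your own changes and the real ones are lost in the noise.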
