On Thu, 20.10.2005, James Kosin wrote at 17:57:

> On 19-Oct-05 at about 1:00pm my time, someone from IP 194.150.85.114
> accessed my web-server trying to access a file called
> main.php in the following places:
> 194.150.85.114 - - [19/Oct/2005:13:01:53 -0400] "GET /phpmyadmin/main.php HTTP/1.0" 404 304 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:53 -0400] "GET /PMA/main.php HTTP/1.0" 404 297 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:54 -0400] "GET /mysql/main.php HTTP/1.0" 404 299 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:54 -0400] "GET /admin/main.php HTTP/1.0" 404 299 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:54 -0400] "GET /db/main.php HTTP/1.0" 404 296 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:54 -0400] "GET /dbadmin/main.php HTTP/1.0" 404 301 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:54 -0400] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 308 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:54 -0400] "GET /admin/pma/main.php HTTP/1.0" 404 303 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:55 -0400] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 310 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:55 -0400] "GET /admin/mysql/main.php HTTP/1.0" 404 305 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:55 -0400] "GET /mysql-admin/main.php HTTP/1.0" 404 305 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:55 -0400] "GET /phpmyadmin2/main.php HTTP/1.0" 404 305 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:56 -0400] "GET /mysqladmin/main.php HTTP/1.0" 404 304 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:56 -0400] "GET /mysql-admin/main.php HTTP/1.0" 404 305 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:56 -0400] "GET /main.php HTTP/1.0" 404 293 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:56 -0400] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 310 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:56 -0400] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 310 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:56 -0400] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 310 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:57 -0400] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 310 "-" "pmafind"
> 194.150.85.114 - - [19/Oct/2005:13:01:57 -0400] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 310 "-" "pmafind"
>
> Of course, this attack fell on deaf ears on my server.... but, I'd
> like everyone to know since this is a security risk if they do have a
> PHP document configuring some of these administrative tasks open on
> the internet.
>
> Thanks,
> James Kosin

This looks like a specific search for a vulnerable phpMyAdmin installation, taking into account that the target directory on the webserver may be different than the default (i.e. PMA is simply the short form for phpMyAdmin).

And I bet that there are plenty of old phpMyAdmin installs running all over the planet with well-known security issues. People are lazy, don't read security notes, nor the main page of the phpMyAdmin project where security alerts are published too, and of course they do not update.

Alexander

--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 18:03:25 up 1 day, 23:37, load average: 0.38, 0.41, 0.34
-- fedora-legacy-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-legacy-list
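
The pattern in the quoted log (one client asking for the same file name under many directories within seconds, every request answered 404) can be flagged from an access log without relying on the User-Agent string. The following is an added example, not part of the original messages; the sample lines are constructed with documentation addresses, and the names `find_path_sweeps`, `min_dirs` and `window_s` and their thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from posixpath import basename

# Leading fields of the Apache "combined" format used in the quoted log.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_path_sweeps(lines, min_dirs=5, window_s=10):
    """Return {(ip, filename): sorted paths} for clients that got 404 for the
    same file name at >= min_dirs distinct paths within window_s seconds."""
    window = timedelta(seconds=window_s)
    hits = defaultdict(list)              # (ip, filename) -> [(time, path)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue                      # unparsable, or the resource exists
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if basename(path):                # skip bare directory requests
            hits[(m["ip"], basename(path))].append((ts, path))
    sweeps = {}
    for key, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):    # sliding time window over the events
            while events[end][0] - events[start][0] > window:
                start += 1
            paths = {p for _, p in events[start:end + 1]}
            if len(paths) >= min_dirs:
                sweeps[key] = sorted(set(sweeps.get(key, [])) | paths)
    return sweeps

# Constructed sample input (documentation addresses, not taken from the post).
def _line(ip, sec, path, status):
    return (f'{ip} - - [19/Oct/2005:13:01:{sec:02d} -0400] '
            f'"GET {path} HTTP/1.0" {status} 300 "-" "-"')

SAMPLE = (
    [_line("192.0.2.10", 53 + i // 4, f"/{d}/main.php", 404)
     for i, d in enumerate(["phpmyadmin", "PMA", "mysql", "admin", "db", "dbadmin"])]
    + [_line("198.51.100.7", 10, "/index.html", 200),
       _line("198.51.100.7", 12, "/favicon.ico", 404),
       _line("198.51.100.7", 40, "/old/page.html", 404)]
)

if __name__ == "__main__":
    for (ip, name), paths in find_path_sweeps(SAMPLE).items():
        print(f"{ip} swept {len(paths)} locations for {name}")
```

Grouping by requested file name keeps an ordinary visitor who hits a few unrelated dead links out of the result.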