On 6/19/2012 2:31 PM, m.roth@xxxxxxxxx wrote:
> It appears to be a low-level attack, not so frequent as to be banned
> permanently, just a number of times a day.
>
> I did google on this, and I gather it's looking for phpmyadmin. We've been
> getting one from one specific network in Russia for weeks
>
> Here are more information about 91.201.64.24:
>
> [Querying whois.ripe.net]
> [whois.ripe.net]
> <snip>
> % Information related to '91.201.64.0 - 91.201.67.255'
>
> inetnum: 91.201.64.0 - 91.201.67.255
> netname: Donekoserv
> descr: DonEkoService Ltd
> country: RU
> <snip>
>
> But now I'm seeing the same from Azerbaijan, and France, and elsewhere.
> Two questions: first, are other folks seeing this? and second, I can't
> imagine malware this stupid, to keep hitting the same sites over and over
> when it's not found, rather than bad password or user, so I'm wondering if
> this could be a targetting vector for an upcoming serious attack using
> another vector.
>
> Opinions?
>
> mark
>
>
I also see these frequently. As for dumb script? Well there are plenty
of those out there. And, if you care to, you can set up rules in
Fail2Ban to auto block these.
This brings up a question I have. We do virtualhosting and keep separate
http logs for every website. I have not been running any Fail2Ban rules
on those logs as many are very active and spread about. I suppose I
could concentrate only on the error logs which would be much smaller. My
question... is anybody running something like Fail2Ban under a situation
like this and does it use much horsepower?
--
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
