What are spiders trying to achieve on my site by fetching lots of non-existent URLs such as various versions of phpMyAdmin?
I've recently set up a build server that compiles Java source on Github webhooks. I created a public page for downloading latest .jars with a top level domain and I'm logging requests to it. What are common intentions for the automated requests sent to my server?
[18.11.2014 02:06:23] 64.20.55.236 3ms /mysql/main.php
[18.11.2014 02:06:23] 64.20.55.236 2ms /sql/main.php
[18.11.2014 02:06:24] 64.20.55.236 2ms /PMA/main.php
[18.11.2014 02:06:24] 64.20.55.236 3ms /admin/main.php
[18.11.2014 02:06:24] 64.20.55.236 3ms /dbadmin/main.php
[18.11.2014 02:06:24] 64.20.55.236 3ms /myadmin/main.php
[18.11.2014 02:06:25] 64.20.55.236 3ms /db/main.php
[18.11.2014 02:06:28] 64.20.55.236 2ms /sqlmanager/main.php
[18.11.2014 02:06:28] 64.20.55.236 2ms /phpmyadmin2/main.php
[18.11.2014 02:06:28] 64.20.55.236 2ms /phpMyAdmin2/main.php
[18.11.2014 02:06:29] 64.20.55.236 2ms /phpMyAdmin-2/main.php
[18.11.2014 02:06:29] 64.20.55.236 2ms /php-my-admin/main.php
[18.11.2014 02:06:29] 64.20.55.236 2ms /phpMyAdmin-3.5.8-rc1/main.php
[18.11.2014 02:06:29] 64.20.55.236 2ms /phpMyAdmin-4.0.0-rc1/main.php
[18.11.2014 02:06:29] 64.20.55.236 2ms /phpMyAdmin-3.5.7-1/main.php
[18.11.2014 02:06:30] 64.20.55.236 3ms /phpMyAdmin-3.5.7/main.php
[18.11.2014 02:06:30] 64.20.55.236 2ms /phpMyAdmin-3.5.6/main.php
[18.11.2014 02:06:31] 64.20.55.236 2ms /phpMyAdmin-3.5.5/main.php
[18.11.2014 02:06:31] 64.20.55.236 2ms /phpMyAdmin-3.5.4/main.php
[18.11.2014 02:06:31] 64.20.55.236 2ms /phpMyAdmin-3.5.3/main.php
[18.11.2014 02:06:32] 64.20.55.236 3ms /phpMyAdmin-3.5.2.2/main.php
[18.11.2014 02:06:35] 64.20.55.236 2ms /phpMyAdmin-3.4.11.1/main.php
[18.11.2014 02:06:35] 64.20.55.236 2ms /phpMyAdmin-3.4.11.1-1/main.php
[18.11.2014 02:06:35] 64.20.55.236 2ms /phpMyAdmin-3.5.2.1/main.php
[18.11.2014 02:06:39] 64.20.55.236 2ms /phpMyAdmin-3.5.2/main.php
[18.11.2014 02:06:39] 64.20.55.236 2ms /phpMyAdmin-3.5.1/main.php
Okay, someone tries to find out if I have phpmyadmin installed by requesting commonly used phpmyadmin folder paths. But what could an attacker do if he knows where I have phpmyadmin? Would he try to login as root with a wordlist of passwords?
[18.11.2014 21:53:00] 218.59.238.93 4ms www.anonymousproxylist.net/azenv2.php
[18.11.2014 21:53:17] 218.59.238.93 4ms yazoodle.net/azenv.php
[18.11.2014 21:53:43] 218.59.238.93 4ms sonke31.free.fr/world.php
[18.11.2014 21:54:57] 218.59.238.93 5ms sonke31.free.fr/world.php
[18.11.2014 21:57:08] 218.59.238.93 4ms sonke31.free.fr/world.php
[18.11.2014 21:59:38] 218.59.238.93 4ms proxyjudge.us/
[18.11.2014 23:00:00] 218.59.238.93 4ms www.proxyjudge.biz/az.php
[18.11.2014 23:00:20] 218.59.238.93 4ms azenv.net/
[18.11.2014 23:00:44] 218.59.238.93 7ms www.mesregies.com/azz.php
These requests do not start with /, so they can't come from a normal browser. If I visit the links, the pages display information about my request.
[17.11.2014 07:40:50] 198.27.100.229 3ms /baba/bab/ba.php
[18.11.2014 03:33:47] 123.57.15.26 3ms /xbxb/xbx/xb.php
[18.11.2014 14:39:52] 118.174.140.130 4ms /jcjc/jcj/jc.php
[18.11.2014 21:31:04] 118.142.99.110 3ms /aiai/aia/ai.php
These requests are based on the same pattern, but I have no idea why someone would search for a .php file on those paths.
2 Comments
So there are already some answers given. For the second set, the one with the URL in the request, these try to find badly configured (not secured) proxy servers that could be wide open.
These can then be used to hide the real origin of attacks/scans directed onto another machine. The other machine will then see the attack as if it was coming from you.
And about phpMyAdmin: many many things can be done by an attacker if he knows which software / which version you have. You can find a precise list of bugs/security problems here.
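The three request patterns in the question, and the open-proxy probing the comment above describes, can be told apart mechanically from the log format the question shows. The following is an added example, not code from the question or from either commenter: a small classifier run over log lines in that format. The label names, the substring list of database-admin directory names, and the regex for the /xyxy/xyx/xy.php template are assumptions made here; the sample log reuses seven lines from the question plus one constructed benign download line.

```python
import re
from collections import Counter, defaultdict

# Log format from the question: "[dd.mm.yyyy hh:mm:ss] <client ip> <N>ms <request target>"
LOG_RE = re.compile(
    r"^\[(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\] "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<ms>\d+)ms (?P<target>\S+)$"
)

# Directory names that the first block of log lines cycles through while looking
# for phpMyAdmin and similar database front ends (substring match on the first
# path segment, so "phpMyAdmin-3.5.8-rc1" and "sqlmanager" both count). Assumed list.
DB_ADMIN_HINTS = ("myadmin", "pma", "sql", "admin", "db")

# Template of the third block: /xyxy/xyx/xy.php built from one pair of letters.
# The page does not name the tool behind it, so it is matched purely as a shape.
REPEATED_PAIR_RE = re.compile(r"^/([a-z])([a-z])\1\2/\1\2\1/\1\2\.php$", re.I)


def parse_line(line):
    """Split one log line into ts/ip/ms/target; return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ms"] = int(rec["ms"])
    return rec


def classify(target):
    """Label a request target with the scan pattern it belongs to."""
    if not target.startswith("/"):
        # Absolute-form target (host + path): the client is treating this server
        # as a forward proxy. A browser never sends this to an origin server.
        return "open_proxy_probe"
    first_segment = target.split("/")[1].lower()
    if target.lower().endswith("/main.php") and any(h in first_segment for h in DB_ADMIN_HINTS):
        return "phpmyadmin_probe"
    if REPEATED_PAIR_RE.match(target):
        return "repeated_pair_probe"
    return "other"


def summarize(lines):
    """Per-client-IP counts of each label; lines that do not parse are skipped."""
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]][classify(rec["target"])] += 1
    return per_ip


def scanners(per_ip, min_probes=3):
    """Client IPs whose non-'other' requests reach min_probes, sorted as strings."""
    return sorted(
        ip for ip, counts in per_ip.items()
        if sum(n for label, n in counts.items() if label != "other") >= min_probes
    )


# Sample input: seven lines copied from the question, plus one constructed
# benign download (203.0.113.7 is a documentation address, not a real client).
SAMPLE_LOG = """\
[18.11.2014 02:06:23] 64.20.55.236 3ms /mysql/main.php
[18.11.2014 02:06:24] 64.20.55.236 2ms /PMA/main.php
[18.11.2014 02:06:29] 64.20.55.236 2ms /phpMyAdmin-3.5.8-rc1/main.php
[18.11.2014 21:53:00] 218.59.238.93 4ms www.anonymousproxylist.net/azenv2.php
[18.11.2014 21:59:38] 218.59.238.93 4ms proxyjudge.us/
[17.11.2014 07:40:50] 198.27.100.229 3ms /baba/bab/ba.php
[18.11.2014 03:33:47] 123.57.15.26 3ms /xbxb/xbx/xb.php
[18.11.2014 10:00:00] 203.0.113.7 5ms /latest.jar
""".splitlines()

if __name__ == "__main__":
    per_ip = summarize(SAMPLE_LOG)
    for ip in sorted(per_ip):
        print(ip, dict(per_ip[ip]))
    print("scanners:", scanners(per_ip, min_probes=2))
```

The open-proxy label is the most reliable of the three: an origin server can simply refuse any request whose target is not in origin form (starts with "/"), and a request like `GET www.proxyjudge.biz/az.php` tells you the client was hoping you would fetch that page on its behalf. The other two labels are heuristics over path shape and will occasionally mislabel a legitimate request, so use them for counting and rate-limiting rather than as proof on their own.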
Okay. Most of these accesses (at least) are landscaping attempts to find potential vulnerabilities on your server. They are trying to fingerprint your server to know which web-based applications are installed. The first set and third set are clearly landscaping. The second set may be a result of forged request headers but is still likely to be landscaping, not sure.
It is very likely that these are compromised systems.
Here are some specifics with .htaccess blocking code for each:
64.20.55.236 NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
IP Address Range: 64.20.32.0 - 64.20.57.255
# needs "RewriteEngine On" earlier in the same .htaccess; dots are literal and must be escaped
# the group covers third octets 32-57
RewriteCond %{REMOTE_ADDR} ^64\.20\.(3[2-9]|4[0-9]|5[0-7])\.[0-9]{1,3}$
RewriteRule .* - [F,L]
218.59.238.93 CNCGROUP China169 Backbone (This network is well known for hacking activity.)
IP Address Range: 218.56.0.0 - 218.62.127.255
# second octets 56-61 with any third octet, plus 62 with third octets 0-127
RewriteCond %{REMOTE_ADDR} ^218\.((5[6-9]|6[01])\.[0-9]{1,3}|62\.([0-9]{1,2}|1[01][0-9]|12[0-7]))\.[0-9]{1,3}$
RewriteRule .* - [F,L]
198.27.100.229 OVH Systems
IP Address Range: 198.27.64.0 - 198.27.127.255
# third octets 64-127
RewriteCond %{REMOTE_ADDR} ^198\.27\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.[0-9]{1,3}$
RewriteRule .* - [F,L]
123.57.15.26 (I do not have an ASN assigned for this so the block code just blocks the one IP address.)
RewriteCond %{REMOTE_ADDR} ^123\.57\.15\.26$
RewriteRule .* - [F,L]
118.174.140.130 TOT Public Company Limited
IP Address Range: 118.174.19.0 - 118.175.255.255
# 118.174 with third octets 19-255, plus all of 118.175
RewriteCond %{REMOTE_ADDR} ^118\.(174\.(19|[2-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|175\.[0-9]{1,3})\.[0-9]{1,3}$
RewriteRule .* - [F,L]
118.142.99.110 Hutchison Global Communications
IP Address Range: 118.140.0.0 - 118.143.0.255
# 118.140 through 118.142 entirely, plus 118.143.0.x, exactly as the range is stated above
RewriteCond %{REMOTE_ADDR} ^118\.(14[0-2]\.[0-9]{1,3}|143\.0)\.[0-9]{1,3}$
RewriteRule .* - [F,L]
You can also combine these like in this example:
# [OR] (no space inside the brackets) chains this condition with the next one
RewriteCond %{REMOTE_ADDR} ^123\.57\.15\.26$ [OR]
RewriteCond %{REMOTE_ADDR} ^118\.(14[0-2]\.[0-9]{1,3}|143\.0)\.[0-9]{1,3}$
RewriteRule .* - [F,L]
... where the OR is included on each line to include multiple conditions.
If you have more IP addresses, please edit the question and include them and I can edit the answer with more code. Also, please let me know if it was required to escape the . [dot] so that I can update this answer and my utility to include them for the future.
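A REMOTE_ADDR regex is easy to get wrong, and Apache gives no feedback when it blocks the wrong addresses. The following is an added example, not part of the answer above and not the answer author's utility: a Python check that compares a RewriteCond regex against the range it is meant to cover (using an unanchored search, as RewriteCond does), and a generator that builds a correct anchored regex from a range by splitting it into CIDR blocks. The posted pattern and the 64.20.32.0 - 64.20.57.255 range are quoted from the answer; the function names, the probe strategy and the seeded sampling are assumptions made here.

```python
import ipaddress
import random
import re


def octet_range(a, b):
    """Regex alternation for the decimal integers a..b (0 <= a <= b <= 255), built
    greedily from d[0-9][0-9] and d[0-9] blocks plus single values."""
    alts, i = [], a
    while i <= b:
        step = 1
        for candidate in (100, 10):
            if i >= candidate and i % candidate == 0 and i + candidate - 1 <= b:
                step = candidate
                break
        if step == 1:
            alts.append(str(i))
        else:
            alts.append(str(i // step) + "[0-9]" * (2 if step == 100 else 1))
        i += step
    return "(?:" + "|".join(alts) + ")"


def range_to_regex(start, end):
    """Anchored REMOTE_ADDR regex for the inclusive IPv4 range start..end. Every CIDR
    block the range splits into is a box in octet space, so its regex is just one
    octet_range() per octet joined by escaped dots."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    blocks = []
    for net in ipaddress.summarize_address_range(lo, hi):
        first, last = net.network_address.packed, net.broadcast_address.packed
        blocks.append(r"\.".join(octet_range(a, b) for a, b in zip(first, last)))
    return "^(?:" + "|".join(blocks) + ")$"


def check_remote_addr_regex(pattern, start, end, extra=(), samples=2000, seed=1):
    """Compare a RewriteCond %{REMOTE_ADDR} regex with the range it should cover.
    Returns (false_negatives, false_positives): in-range probe addresses the regex
    misses, and out-of-range probe addresses it matches. Probes are the range ends,
    the addresses just outside them, both ends of every CIDR block, any 'extra'
    addresses, and seeded random samples (inside the range, anywhere, same /16)."""
    rx = re.compile(pattern)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    probes = {lo, hi}
    if int(lo) > 0:
        probes.add(lo - 1)
    if int(hi) < 2**32 - 1:
        probes.add(hi + 1)
    for net in ipaddress.summarize_address_range(lo, hi):
        probes.update((net.network_address, net.broadcast_address))
    probes.update(ipaddress.ip_address(a) for a in extra)
    rng = random.Random(seed)  # seeded so a run is reproducible
    for _ in range(samples):
        probes.add(ipaddress.ip_address(rng.randint(int(lo), int(hi))))
        probes.add(ipaddress.ip_address(rng.randrange(2**32)))
        probes.add(ipaddress.ip_address(rng.randrange(int(lo) & 0xFFFF0000, (int(lo) | 0xFFFF) + 1)))
    false_neg, false_pos = [], []
    for addr in sorted(probes):
        expected = lo <= addr <= hi
        matched = rx.search(str(addr)) is not None  # RewriteCond is an unanchored search
        if expected and not matched:
            false_neg.append(str(addr))
        elif matched and not expected:
            false_pos.append(str(addr))
    return false_neg, false_pos


# The pattern posted in the answer for 64.20.55.236, and the range it states.
POSTED = r"^64.20.(0*[3-5]*[2-7]*).([0-2]*[0-5]*[0-5]*)$"
RANGE = ("64.20.32.0", "64.20.57.255")

if __name__ == "__main__":
    fn, fp = check_remote_addr_regex(POSTED, *RANGE, extra=["64.20.3.5"])
    print("posted regex misses e.g.", fn[:3], "and wrongly blocks e.g.", fp[:3])
    generated = range_to_regex(*RANGE)
    print("generated:", generated)
    print("generated regex errors:", check_remote_addr_regex(generated, *RANGE))
```

Running this shows the posted pattern both misses part of the range (64.20.48.0 is inside the range but contains an 8 that no character class allows) and matches addresses outside it (64.20.3.5), because `0*[3-5]*[2-7]*` describes digit sequences, not a numeric interval, and the unescaped dots match any character. The generated regex is verbose but exact. On Apache 2.4 the regex can be avoided entirely: mod_authz_host's `Require not ip` accepts CIDR blocks, so the same range can be expressed as the blocks `summarize_address_range` returns.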