What are spiders trying to achieve on my site by fetching lots of non-existent URLs such as various versions of phpMyAdmin?

@LarsenBagley505

Posted in: #Apache #Phpmyadmin #Security #WebCrawlers

I've recently set up a build server that compiles Java source on Github webhooks. I created a public page for downloading latest .jars with a top level domain and I'm logging requests to it. What are common intentions for the automated requests sent to my server?

[18.11.2014 02:06:23] 64.20.55.236 3ms /mysql/main.php
[18.11.2014 02:06:23] 64.20.55.236 2ms /sql/main.php
[18.11.2014 02:06:24] 64.20.55.236 2ms /PMA/main.php
[18.11.2014 02:06:24] 64.20.55.236 3ms /admin/main.php
[18.11.2014 02:06:24] 64.20.55.236 3ms /dbadmin/main.php
[18.11.2014 02:06:24] 64.20.55.236 3ms /myadmin/main.php
[18.11.2014 02:06:25] 64.20.55.236 3ms /db/main.php
[18.11.2014 02:06:28] 64.20.55.236 2ms /sqlmanager/main.php
[18.11.2014 02:06:28] 64.20.55.236 2ms /phpmyadmin2/main.php
[18.11.2014 02:06:28] 64.20.55.236 2ms /phpMyAdmin2/main.php
[18.11.2014 02:06:29] 64.20.55.236 2ms /phpMyAdmin-2/main.php
[18.11.2014 02:06:29] 64.20.55.236 2ms /php-my-admin/main.php
[18.11.2014 02:06:29] 64.20.55.236 2ms /phpMyAdmin-3.5.8-rc1/main.php
[18.11.2014 02:06:29] 64.20.55.236 2ms /phpMyAdmin-4.0.0-rc1/main.php
[18.11.2014 02:06:29] 64.20.55.236 2ms /phpMyAdmin-3.5.7-1/main.php
[18.11.2014 02:06:30] 64.20.55.236 3ms /phpMyAdmin-3.5.7/main.php
[18.11.2014 02:06:30] 64.20.55.236 2ms /phpMyAdmin-3.5.6/main.php
[18.11.2014 02:06:31] 64.20.55.236 2ms /phpMyAdmin-3.5.5/main.php
[18.11.2014 02:06:31] 64.20.55.236 2ms /phpMyAdmin-3.5.4/main.php
[18.11.2014 02:06:31] 64.20.55.236 2ms /phpMyAdmin-3.5.3/main.php
[18.11.2014 02:06:32] 64.20.55.236 3ms /phpMyAdmin-3.5.2.2/main.php
[18.11.2014 02:06:35] 64.20.55.236 2ms /phpMyAdmin-3.4.11.1/main.php
[18.11.2014 02:06:35] 64.20.55.236 2ms /phpMyAdmin-3.4.11.1-1/main.php
[18.11.2014 02:06:35] 64.20.55.236 2ms /phpMyAdmin-3.5.2.1/main.php
[18.11.2014 02:06:39] 64.20.55.236 2ms /phpMyAdmin-3.5.2/main.php
[18.11.2014 02:06:39] 64.20.55.236 2ms /phpMyAdmin-3.5.1/main.php


Okay, someone tries to find out if I have phpmyadmin installed by requesting commonly used phpmyadmin folder paths. But what could an attacker do if he knows where I have phpmyadmin? Would he try to login as root with a wordlist of passwords?

[18.11.2014 21:53:00] 218.59.238.93 4ms www.anonymousproxylist.net/azenv2.php
[18.11.2014 21:53:17] 218.59.238.93 4ms yazoodle.net/azenv.php
[18.11.2014 21:53:43] 218.59.238.93 4ms sonke31.free.fr/world.php
[18.11.2014 21:54:57] 218.59.238.93 5ms sonke31.free.fr/world.php
[18.11.2014 21:57:08] 218.59.238.93 4ms sonke31.free.fr/world.php
[18.11.2014 21:59:38] 218.59.238.93 4ms proxyjudge.us/
[18.11.2014 23:00:00] 218.59.238.93 4ms www.proxyjudge.biz/az.php
[18.11.2014 23:00:20] 218.59.238.93 4ms azenv.net/
[18.11.2014 23:00:44] 218.59.238.93 7ms www.mesregies.com/azz.php

These requests do not start with /, so they can't come from a normal browser. If I visit the links, the pages display information about my request.

[17.11.2014 07:40:50] 198.27.100.229 3ms /baba/bab/ba.php
[18.11.2014 03:33:47] 123.57.15.26 3ms /xbxb/xbx/xb.php
[18.11.2014 14:39:52] 118.174.140.130 4ms /jcjc/jcj/jc.php
[18.11.2014 21:31:04] 118.142.99.110 3ms /aiai/aia/ai.php


These requests are based on the same pattern, but I have no idea why someone would search for a .php file on those paths.


2 Comments


@Shelley277

So there are already some answers given. For the second set, the one with the URL in the request, these try to find badly configured (not secured) proxy servers that could be wide open.

These can then be used to hide the real origin of attacks/scans directed onto another machine. The other machine will then see the attack as if it was coming from you.

And about phpMyAdmin: many many things can be done by an attacker if he knows which software / which version you have. You can find a precise list of bugs/security problems here.

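As an added example (mine, not code from the thread), the following parses the log format quoted in the question, labels each request with the probe type described in the question and in this answer (admin-panel path enumeration, open-proxy checks via absolute URLs, the repeated-token paths), and flags sources that hit many distinct paths in a short window. The sample lines are copied from the question; the thresholds (5 distinct paths within 60 seconds) are assumed values.

```python
# Added example, not from the thread: label the request lines quoted in the question by probe type.
import re
from collections import Counter, defaultdict
from datetime import datetime
LINE = re.compile(r"^\[(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\] (\S+) \d+ms (\S+)$")
ADMIN_HINT = re.compile(r"sql|admin|pma|db", re.I)   # mysql, PMA, dbadmin, phpMyAdmin-3.5.x, ...
REPEATED = re.compile(r"^/(\w{2})\1/\1\w/\1\.php$")  # the /baba/bab/ba.php shape

# Eight lines copied from the question's log excerpt, used here as sample input.
SAMPLE = """[18.11.2014 02:06:23] 64.20.55.236 3ms /mysql/main.php
[18.11.2014 02:06:24] 64.20.55.236 2ms /PMA/main.php
[18.11.2014 02:06:24] 64.20.55.236 3ms /admin/main.php
[18.11.2014 02:06:28] 64.20.55.236 2ms /phpmyadmin2/main.php
[18.11.2014 02:06:29] 64.20.55.236 2ms /phpMyAdmin-3.5.8-rc1/main.php
[18.11.2014 21:53:00] 218.59.238.93 4ms www.anonymousproxylist.net/azenv2.php
[18.11.2014 21:59:38] 218.59.238.93 4ms proxyjudge.us/
[17.11.2014 07:40:50] 198.27.100.229 3ms /baba/bab/ba.php""".splitlines()

def parse(line):
    """Split one '[date time] ip Nms target' line into a record, or None if malformed."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, ip, target = m.groups()
    return {"time": datetime.strptime(ts, "%d.%m.%Y %H:%M:%S"), "ip": ip, "target": target}

def classify(target):
    """Name the probe type of one request target."""
    if not target.startswith("/"):
        return "open-proxy check"   # absolute URL of a third-party site: tests whether we relay it
    if target.endswith("/main.php") and ADMIN_HINT.search(target.split("/")[1]):
        return "admin-panel path enumeration"
    if REPEATED.match(target):
        return "scripted path probe"
    return "other"

def summarise(lines, window_s=60, min_paths=5):
    """Per IP: probe types, distinct targets, scanner flag (min_paths distinct targets in window_s s)."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        burst = any(len({r["target"] for r in recs[i:]
                         if (r["time"] - recs[i]["time"]).total_seconds() <= window_s}) >= min_paths
                    for i in range(len(recs)))
        report[ip] = {"kinds": dict(Counter(classify(r["target"]) for r in recs)),
                      "distinct_targets": len({r["target"] for r in recs}), "scanner": burst}
    return report
```

Feeding the full access log through summarise() gives one entry per source, so the sources worth blocking are the ones whose "kinds" are all probes and whose "scanner" flag is set.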



@Alves908

Okay. Most of these accesses (at least) are landscaping attempts to find potential vulnerabilities on your server. They are trying to fingerprint your server to know what web-based applications are installed. The first set and third set are clearly landscaping. The second set may be a result of forged request headers but is still likely to be landscaping, not sure.

It is very likely that these are compromised systems.

Here are some specifics with .htaccess blocking code for each:

64.20.55.236 NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC

IP Address Range: 64.20.32.0 - 64.20.57.255

# 64.20.32.0 - 64.20.57.255: third octet 32-57; dots are escaped so they match literally
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^64\.20\.(3[2-9]|4[0-9]|5[0-7])\.
RewriteRule .* - [F,L]


218.59.238.93 CNCGROUP China169 Backbone (This network is well known for hacking activity.)

IP Address Range: 218.56.0.0 - 218.62.127.255

# 218.56.0.0 - 218.62.127.255: all of 218.56-61.x.x, plus 218.62.0-127.x
RewriteCond %{REMOTE_ADDR} ^218\.(5[6-9]|6[01])\. [OR]
RewriteCond %{REMOTE_ADDR} ^218\.62\.([0-9]|[1-9][0-9]|1[01][0-9]|12[0-7])\.
RewriteRule .* - [F,L]


198.27.100.229 OVH Systems

IP Address Range: 198.27.64.0 - 198.27.127.255

# 198.27.64.0 - 198.27.127.255: third octet 64-127
RewriteCond %{REMOTE_ADDR} ^198\.27\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.
RewriteRule .* - [F,L]


123.57.15.26 (I do not have an ASN assigned for this so the block code just blocks the one IP address.)

# Single address: dots escaped and anchored at both ends
RewriteCond %{REMOTE_ADDR} ^123\.57\.15\.26$
RewriteRule .* - [F,L]


118.174.140.130 TOT Public Company Limited

IP Address Range: 118.174.19.0 - 118.175.255.255

# 118.174.19.0 - 118.175.255.255: 118.174.19-255.x, plus all of 118.175.x.x
RewriteCond %{REMOTE_ADDR} ^118\.174\.(19|[2-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\. [OR]
RewriteCond %{REMOTE_ADDR} ^118\.175\.
RewriteRule .* - [F,L]


118.142.99.110 Hutchison Global Communications

IP Address Range: 118.140.0.0 - 118.143.0.255

# 118.140.0.0 - 118.143.0.255: all of 118.140-142.x.x, plus 118.143.0.x
RewriteCond %{REMOTE_ADDR} ^118\.14[0-2]\. [OR]
RewriteCond %{REMOTE_ADDR} ^118\.143\.0\.
RewriteRule .* - [F,L]


You can also combine these like in this example:

# Conditions are ANDed by default; [OR] joins them and is left off the last one
RewriteCond %{REMOTE_ADDR} ^123\.57\.15\.26$ [OR]
RewriteCond %{REMOTE_ADDR} ^118\.14[0-2]\. [OR]
RewriteCond %{REMOTE_ADDR} ^118\.143\.0\.
RewriteRule .* - [F,L]


... where the OR is included on each line to include multiple conditions.

If you have more IP addresses, please edit the question and include them and I can edit the answer with more code. Also, please let me know if it was required to escape the . [dot] so that I can update this answer and my utility to include them for the future.

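An added example (mine, not the answerer's utility) of how these rules can be generated and checked rather than written by hand: it turns an address range into one anchored regex per CIDR block, dots escaped, emits the RewriteCond lines with [OR] on all but the last, and then tests the patterns against every address inside the range and a margin of addresses just outside it. Range boundaries are taken from this answer; the margin of 300 addresses is an assumed value.

```python
# Added example, not the answerer's utility: exact RewriteCond lines for an IPv4 range, plus a check.
import ipaddress, re

def _group(expr):
    return f"(?:{expr})" if "|" in expr else expr

def _same_len(a, b):
    """Alternation for decimal strings s with len(s) == len(a) and a <= s <= b."""
    if a == b:
        return a
    if len(a) == 1:
        return f"[{a}-{b}]"
    if a[0] == b[0]:
        return a[0] + _group(_same_len(a[1:], b[1:]))
    n, parts, lo_d, hi_d, tail = len(a) - 1, [], int(a[0]), int(b[0]), None
    if a[1:] != "0" * n:                      # partial first decade, e.g. 3[2-9]
        parts.append(a[0] + _group(_same_len(a[1:], "9" * n)))
        lo_d += 1
    if b[1:] != "9" * n:                      # partial last decade, e.g. 5[0-7]
        tail = b[0] + _group(_same_len("0" * n, b[1:]))
        hi_d -= 1
    if lo_d <= hi_d:                          # whole decades in between, e.g. 4\d
        parts.append((str(lo_d) if lo_d == hi_d else f"[{lo_d}-{hi_d}]") + r"\d" * n)
    return "|".join(parts + ([tail] if tail else []))

def octet_regex(lo, hi):
    """Regex matching exactly the octet values lo..hi (0 <= lo <= hi <= 255)."""
    return _group("|".join(_same_len(str(max(lo, a)), str(min(hi, b)))
                           for a, b in ((0, 9), (10, 99), (100, 255)) if max(lo, a) <= min(hi, b)))

def range_patterns(first, last):
    """One anchored regex per CIDR block of first..last; together they match exactly that range."""
    nets = ipaddress.summarize_address_range(ipaddress.IPv4Address(first),
                                             ipaddress.IPv4Address(last))
    return ["^" + r"\.".join(octet_regex(lo, hi) for lo, hi in
                             zip(n.network_address.packed, n.broadcast_address.packed)) + "$"
            for n in nets]

def rewrite_conds(first, last):
    """.htaccess lines that return 403 for exactly first..last; [OR] on all but the last cond."""
    pats = range_patterns(first, last)
    lines = [f"RewriteCond %{{REMOTE_ADDR}} {p} [OR]" for p in pats[:-1]]
    return lines + [f"RewriteCond %{{REMOTE_ADDR}} {pats[-1]}", "RewriteRule .* - [F,L]"]

def exact(first, last, margin=300):
    """True if the patterns match every address in the range and none within margin outside it."""
    pats = [re.compile(p) for p in range_patterns(first, last)]
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return all(any(p.match(str(ipaddress.IPv4Address(n))) for p in pats) == (lo <= n <= hi)
               for n in range(lo - margin, hi + margin + 1))
```

Running exact() against a hand-written pattern instead of the generated ones is the quickest way to see whether an unescaped dot or a loose character class lets neighbouring addresses through.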