The Community Forums


Security issue - Tired of seeing "GET /phpMyAdmin-2.6.0" in logs

Discussion in 'Security' started by jols, Apr 6, 2006.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    I am tired of spineless hackers trying to get at phpMyAdmin. I am seeing tons of entries like this in the apache logs each and every day:

    72.148.168.226 - - [05/Apr/2006:17:01:32 -0500] "GET /myadmin/main.php HTTP/1.0" 404 -
    72.148.168.226 - - [05/Apr/2006:17:01:33 -0500] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 -
    72.148.168.226 - - [05/Apr/2006:17:01:33 -0500] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 -
    72.148.168.226 - - [05/Apr/2006:17:01:34 -0500] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 -
    72.148.168.226 - - [05/Apr/2006:17:01:34 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
    72.148.168.226 - - [05/Apr/2006:17:01:34 -0500] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 -
    72.148.168.226 - - [05/Apr/2006:17:01:35 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 -
    72.148.168.226 - - [05/Apr/2006:17:02:14 -0500] "GET /phpmyadmin/main.php HTTP/1.0" 404 -
    72.148.168.226 - - [05/Apr/2006:17:02:15 -0500] "GET /phpmyadmin/main.php HTTP/1.0" 404 -
    72.148.168.226 - - [05/Apr/2006:17:02:15 -0500] "GET /phpmyadmin/main.php HTTP/1.0" 404 -
    72.148.168.226 - - [05/Apr/2006:17:02:16 -0500] "GET /PMA/main.php HTTP/1.0" 404 -


    Usually goes on for 50 to 200 lines at a throw. Then another IP comes in and tries to do the same thing.

    I would hope that the brute force detection thing we installed would do the trick here, but no dice. Does anyone know how I can tweak BFD or perhaps PortSentry to stop this stuff cold?
     
  2. WEB-PROS

    WEB-PROS Well-Known Member

    Joined:
    Feb 19, 2006
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    16
    Well, you could just make that link redirect people to some other page; then people would see you have stopped them and give up on the first try. This can all be done through cPanel and redirects for your domain. Hope it helps, I don't really know much about the BFD config file.
     
  3. jayh38

    jayh38 Well-Known Member

    Joined:
    Mar 3, 2006
    Messages:
    1,215
    Likes Received:
    0
    Trophy Points:
    36
    BFD probably wouldn't help in this case, as these are not login attempts but file/page requests.

    Adding these addresses to a firewall would cause more hassles as they constantly and relentlessly change. Their goal may be to get your firewall or other services to hang up by maxing out your IP tent as well.

    Are you running mod_security with a good basic ruleset?

    Also, be sure the PHP open_basedir tweak is set up as well.

    If you are getting up to 200 connections from a single ip before they rotate to the next IP, then you might want to look at flood protection or perhaps setting max connections from a single IP to a certain limit.

    One of the better solutions would be finding a provider that offers this type of hardware firewall protection instead.
     
  4. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Look in /usr/local/bfd and find the 'pattern.auth' file. These strings are what BFD uses when it greps the log files. You can add strings and expressions here to tweak BFD to act on any string/regular expression you need. In your case, something like '[Pp][Hh][Pp].*HTTP.*404..' (reg expressions not my forte!) would probably do the trick. :)

    *edit*

    Keep in mind that this will ban IPs that get multiple 404s when looking for php files - this might cause unwanted bans so use with caution!! Not tested and I guarantee nothing. :)
     
    #4 mctDarren, Apr 6, 2006
    Last edited: Apr 6, 2006
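    To make the false-positive caveat in this post concrete, here is an added example (not from the thread, and not BFD's own code) that parses Apache log lines modelled on the ones quoted above (constructed sample data), counts per-IP hits for the broad `[Pp][Hh][Pp].*HTTP.*404` pattern, and compares that with a narrower match on phpMyAdmin-style paths. The log format, the path list and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the Apache entries quoted in the thread.
# The last two lines are an ordinary visitor hitting a stale .php link, not a scanner.
SAMPLE_LOG = """\
72.148.168.226 - - [05/Apr/2006:17:01:32 -0500] "GET /myadmin/main.php HTTP/1.0" 404 -
72.148.168.226 - - [05/Apr/2006:17:01:33 -0500] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 -
72.148.168.226 - - [05/Apr/2006:17:01:34 -0500] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 -
72.148.168.226 - - [05/Apr/2006:17:02:16 -0500] "GET /PMA/main.php HTTP/1.0" 404 -
10.0.0.5 - - [05/Apr/2006:17:05:00 -0500] "GET /blog/oldpost.php HTTP/1.0" 404 -
10.0.0.5 - - [05/Apr/2006:17:05:01 -0500] "GET /index.php HTTP/1.0" 200 5120
"""

# Common log format: client IP, identd, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The broad pattern suggested in the post: any line with "php" followed by HTTP and 404.
NAIVE_RE = re.compile(r'[Pp][Hh][Pp].*HTTP.*404')

# Narrower (assumed) rule: 404s whose path starts with a phpMyAdmin-style directory name.
PMA_PATH_RE = re.compile(r'^/(phpmyadmin[^/]*|myadmin|pma)/', re.IGNORECASE)


def parse(line):
    """Return (ip, path, status) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group('ip'), m.group('path'), int(m.group('status'))


def naive_hits(log):
    """Per-IP count of lines the broad regex matches; 10.0.0.5 is a false positive here."""
    counts = defaultdict(int)
    for line in log.splitlines():
        rec = parse(line)
        if rec and NAIVE_RE.search(line):
            counts[rec[0]] += 1
    return dict(counts)


def probe_hits(log):
    """Per-IP count of 404s on phpMyAdmin-style paths only."""
    counts = defaultdict(int)
    for line in log.splitlines():
        rec = parse(line)
        if rec and rec[2] == 404 and PMA_PATH_RE.match(rec[1]):
            counts[rec[0]] += 1
    return dict(counts)


def flag_scanners(log, threshold=3):
    """IPs with at least `threshold` probe hits; the threshold is an assumed tuning knob."""
    return sorted(ip for ip, n in probe_hits(log).items() if n >= threshold)
```

Running `flag_scanners(SAMPLE_LOG)` returns only the scanning IP, while `naive_hits` also counts the visitor's single stale-link 404, which is the kind of unwanted ban the post warns about.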