Site hack attempted?

Sharksfan, New member, WI, May 28, 2009
I've got a site set up for benefit for a friend of mine that died - a bunch of you guys know that. The site lists some stuff for a silent auction and accepts donations, etc etc.

I look tonight and I see someone attempted to load this page on the site:

hxxp://domain-goes-here.ORG/phpmyadmin/scripts/setup.php

Fortunately this page goes nowhere.

I believe I have this site locked down but if someone is familiar with this sort of attack and wants to let me know more about what to check I'd appreciate it. I don't see any injections, etc.

The idiot was too dumb to bother using a proxy too - WHOIS information reveals stuff below - if anyone knows what country this is please let me know so I can block it.

Registration Service Provided By: Kreative Bug
Contact: info@kreativebug.com
Visit: Kreative BUG - Kreative Basilisk United Group - Communication Arts

Domain name: aneides.com

Administrative Contact:
Kreative Bug
Joao Neves (info@kreativebug.com)
+351.261332778
Fax: +351.261332778
Praca 25 de Abril, 16 1J - Ed. Peninsular
Torres Vedras, 2560-286
PT

Technical Contact:
Kreative Bug
Joao Neves (info@kreativebug.com)
+351.261332778
Fax: +351.261332778
Praca 25 de Abril, 16 1J - Ed. Peninsular
Torres Vedras, 2560-286
PT

Registrant Contact:
Kreative Bug
Joao Neves ()

Fax:
Praca 25 de Abril, 16 1J - Ed. Peninsular
Torres Vedras, 2560-286
PT

Status: Active

Name Servers:
ns1.aneides.com
ns2.aneides.com

Creation date: 06 Dec 2007 13:19:32
Expiration date: 06 Dec 2010 13:19:00


You know what's dumb (if the folder is there)... putting phpmyadmin in a folder named phpmyadmin in the root folder, especially without an extra layer of password protection such as .htaccess/.htpasswd on top of it.

Btw there's not much use wasting time trying to track down bots who randomly try to hit up various URLs on your site hoping for an exploit. I get those kinds of hits on client sites every couple of weeks, usually just some bot that found the domain name and tries to access a list of 20 or more URLs before moving on.

PS: The only countries worth blocking are China, N.Korea and Russia. :p Least that will cut down on the number of script-kiddy hack attempts showing up.

Old thread of mine on blocking china/n.korea IPs via iptables/htaccess
http://www.wickedfire.com/hosting-domains/67157-block-chinese-korean-visitors.html
Did you check the UserAgent on the request? There are a bunch of scripts out there that just scan for vulnerabilities all day long, hitting setup files for commonly installed scripts (Wordpress, Joomla, PhPMyAdmin, etc.). Typically the user agent on those scripts is like "Magnus is god" or something stupid that 14 year olds would write. These are usually harmless because the kids aren't even doing the scanning directly, and they're not smart enough to use proxies so they run them off their servers or desktops.

Doesn't mean you can't add their IP to your "Forward to dickroll" IP range.
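The check suggested above (look at the User-Agent, and notice that a scanner hits a list of setup files and moves on) can be scripted against the web server's access log. The block below is an added example, not code from this thread; it assumes Apache "combined" log format, and the log lines and IP addresses in it are constructed samples, not the poster's real traffic.

```python
import re
from collections import defaultdict

# Constructed sample Apache "combined" access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2009:22:14:03 -0500] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 289 "-" "Magnus is god"
203.0.113.7 - - [28/May/2009:22:14:04 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 404 289 "-" "Magnus is god"
198.51.100.23 - - [28/May/2009:22:15:11 -0500] "GET /auction.php HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
198.51.100.23 - - [28/May/2009:22:15:12 -0500] "POST /donate.php HTTP/1.1" 200 812 "http://example.org/auction.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
203.0.113.7 - - [28/May/2009:22:14:05 -0500] "GET /install.php HTTP/1.1" 404 289 "-" "Magnus is god"
"""

# One "combined" log line: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths of the kind the thread describes: installer/setup scripts of common packages.
# Extend this list with whatever your own site does NOT legitimately serve.
PROBE_PATTERNS = [
    re.compile(r'/scripts/setup\.php$', re.I),   # phpMyAdmin setup script (as in the thread)
    re.compile(r'/(install|setup)\.php$', re.I),  # generic installer scripts
]

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_probe(entry):
    return any(p.search(entry['path']) for p in PROBE_PATTERNS)

def summarize_probes(log_text):
    """Group probe hits by source IP: {ip: {'paths': [...], 'agents': set(), 'not_found': n}}."""
    report = defaultdict(lambda: {'paths': [], 'agents': set(), 'not_found': 0})
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if not entry or not is_probe(entry):
            continue
        r = report[entry['ip']]
        r['paths'].append(entry['path'])
        r['agents'].add(entry['ua'])
        if entry['status'] == '404':
            r['not_found'] += 1
    return dict(report)

def looks_automated(r, min_hits=2):
    """Heuristic: several probe paths from one IP, every one a 404, no browser-like User-Agent."""
    all_missing = r['not_found'] == len(r['paths'])
    browser_ua = any(ua.startswith('Mozilla/') for ua in r['agents'])
    return len(r['paths']) >= min_hits and all_missing and not browser_ua

def scanner_ips(log_text):
    """Sorted list of source IPs whose probe activity looks like an automated scanner."""
    return sorted(ip for ip, r in summarize_probes(log_text).items() if looks_automated(r))

if __name__ == '__main__':
    for ip, r in summarize_probes(SAMPLE_LOG).items():
        flag = 'SCANNER' if looks_automated(r) else 'review'
        print(f"{ip}: {len(r['paths'])} probe hits, agents={sorted(r['agents'])} [{flag}]")
```

Run it as `python3 probe_report.py < /dev/null` after swapping `SAMPLE_LOG` for the contents of your real access log; the output is a per-IP list you can feed into whatever block list or "forward elsewhere" rule you use. The 404-only condition matters: an IP that gets a 200 from one of those paths means the file actually exists on your server, which is a different and more urgent finding.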
It's not a big deal, just be sure you don't have any shitty scripts installed. My servers get scanned every minute of every day looking for scripts with holes in them.
Also don't forget to disable root logins in phpmyadmin:

in /etc/phpmyadmin/config.inc.php
  1. Change the 'auth_type' to 'cookie'. This will be under the /* Authentication type */ comment. The line should read as
    $cfg['Servers'][$i]['auth_type'] = 'cookie';
    Make sure it is uncommented by removing the "//" before it, and then change the parameter to 'cookie' if that's not already set.
  2. Add a new line below this, that says
    $cfg['Servers'][$i]['AllowRoot'] = FALSE;
Boomski
Even better, make sure your mysql root user isn't using a blank password (which is so common seeing as some people don't expect outside connections on mysqld listening on 127.0.0.1)
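The two config changes above (cookie auth, AllowRoot off) and the blank-password point can be checked mechanically rather than by eyeballing config.inc.php. The block below is an added example, not code from this thread or from the phpMyAdmin project; it assumes the settings live in a single config.inc.php in the `$cfg['Servers'][$i][...]` form shown above, and the weak and hardened config fragments in it are constructed samples. `AllowNoPassword` is phpMyAdmin's own option for accepting empty passwords at login.

```python
import re

# Constructed sample config.inc.php fragments (not taken from the thread).
WEAK_CONFIG = """\
<?php
$i = 0;
$i++;
/* Authentication type */
// $cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = TRUE;
"""

HARDENED_CONFIG = """\
<?php
$i = 0;
$i++;
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowRoot'] = FALSE;
$cfg['Servers'][$i]['AllowNoPassword'] = FALSE;
"""

# Matches: $cfg['Servers'][$i]['<key>'] = <value>;
SETTING_RE = re.compile(
    r"""^\s*\$cfg\['Servers'\]\[\$i\]\['(?P<key>\w+)'\]\s*=\s*(?P<val>[^;]+);"""
)

def parse_server_settings(config_text):
    """Return {key: value} for the last active (uncommented) assignment of each key.

    Commented-out lines are skipped, so a '// ... = 'cookie';' line does not count as set,
    which is exactly the "make sure it is uncommented" step from the thread.
    """
    settings = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith(('//', '#', '/*', '*')):
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group('key')] = m.group('val').strip().strip("'\"")
    return settings

def audit_settings(settings):
    """Return a list of (key, message) findings; an empty list means the checks pass."""
    findings = []
    auth = settings.get('auth_type', '').lower()
    if auth != 'cookie':
        findings.append(('auth_type',
            f"auth_type is {auth or 'not set'}; set it to 'cookie' (uncommented)"))
    if settings.get('AllowRoot', '').lower() != 'false':
        findings.append(('AllowRoot', "AllowRoot is not FALSE; root can log in through phpMyAdmin"))
    if settings.get('AllowNoPassword', '').lower() == 'true':
        findings.append(('AllowNoPassword', "AllowNoPassword is TRUE; accounts with blank passwords can log in"))
    if auth == 'config' and settings.get('password', None) == '':
        findings.append(('password', "auth_type 'config' with an empty stored password"))
    return findings

def audit_config(config_text):
    return audit_settings(parse_server_settings(config_text))

if __name__ == '__main__':
    for name, text in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(f"{name}: {audit_config(text) or 'OK'}")
```

To run it against a live install, read `/etc/phpmyadmin/config.inc.php` into `audit_config()`. The blank-password check here only covers a password stored in the config file; whether the MySQL root account itself has an empty password has to be checked on the database side (for example with `SELECT user, host FROM mysql.user WHERE password = '';` on the MySQL versions of that era), since phpMyAdmin's config cannot tell you that.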
I wouldn't worry about it...

You say you locked it down, so you're probably good.

Looks like someone was simply attempting to setup a new version of phpmyadmin for you - and fuck it up hardcore if they could of course - but if that file does not exist, looks like that's the extent of their attempt.