
A New Attack

Just when I was running out of memory to run my new photo gallery (Gallery 2),
I checked my log files to see what was causing some issues for me. It
turns out that Gallery 2 and SELinux do not get along so well, but if
you edit your policy files, it can be made to work.



The new attack:

195.6.199.220 - - [28/Nov/2005:20:06:41 -0500] "GET /phpmyadmin/main.php HTTP/1.0" 404 296 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:41 -0500] "GET /PMA/main.php HTTP/1.0" 404 289 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /admin/main.php HTTP/1.0" 404 291 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /mysql/main.php HTTP/1.0" 404 291 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /dbadmin/main.php HTTP/1.0" 404 293 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /db/main.php HTTP/1.0" 404 288 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 300 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /admin/pma/main.php HTTP/1.0" 404 295 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 302 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /admin/mysql/main.php HTTP/1.0" 404 297 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /mysql-admin/main.php HTTP/1.0" 404 297 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /phpmyadmin2/main.php HTTP/1.0" 404 297 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 302 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 302 "-" "pmafind"




Apparently, there's a new tool out called "pmafind" looking for
phpMyAdmin installs. I hadn't seen this one before. I guess enough
people have phpMyAdmin installed in some unprotected directory to make
this worthwhile.
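A way to spot this kind of sweep in an Apache access log, as an added example that is not part of the original post: it flags any client that collects 404s on several distinct paths within a few seconds, rather than matching the "pmafind" User-Agent, which the client can change at will. The function names, the thresholds (3 paths in 10 seconds) and the two 192.0.2.10 lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, matching the entries quoted in the post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# First three lines are from the post; the 192.0.2.10 lines are constructed.
SAMPLE = '''\
195.6.199.220 - - [28/Nov/2005:20:06:41 -0500] "GET /phpmyadmin/main.php HTTP/1.0" 404 296 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:41 -0500] "GET /PMA/main.php HTTP/1.0" 404 289 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /admin/main.php HTTP/1.0" 404 291 "-" "pmafind"
192.0.2.10 - - [28/Nov/2005:20:07:00 -0500] "GET /gallery2/main.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Nov/2005:20:07:05 -0500] "GET /favicon.ico HTTP/1.1" 404 290 "-" "Mozilla/5.0"
'''

def parse(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_scanners(lines, min_paths=3, window=timedelta(seconds=10)):
    """Map each IP that hit >= min_paths distinct 404 paths inside
    `window` to the sorted list of every path it probed."""
    misses = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["status"] == "404":
            misses[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, hits in misses.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= min_paths:
                flagged[ip] = sorted({p for _, p in hits})
                break
    return flagged

if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE.splitlines()).items():
        print(ip, len(paths), "distinct 404 paths:", ", ".join(paths))
```

A single stray 404 such as a missing favicon stays below the threshold, so ordinary visitors are not flagged.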



More attacks to come...
