What is this?

H_Heisenberg

New Member
85.25.95.213 - - [11/Sep/2013:18:59:01 +0400] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 136 "-" "ZmEu"
85.25.95.213 - - [11/Sep/2013:18:59:01 +0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 136 "-" "ZmEu"
85.25.95.213 - - [11/Sep/2013:18:59:01 +0400] "GET /pma/scripts/setup.php HTTP/1.1" 404 136 "-" "ZmEu"
85.25.95.213 - - [11/Sep/2013:18:59:01 +0400] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 136 "-" "ZmEu"
85.25.95.213 - - [11/Sep/2013:18:59:01 +0400] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 136 "-" "ZmEu"
85.25.95.213 - - [11/Sep/2013:18:59:01 +0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 136 "-" "ZmEu"

So that came up on day one when I installed Nginx, PHP & MySQL. Just a few hours after I installed it today I checked access_log and found this.

Someone trying to break into my VPS? I don't even have any of these directories/scripts installed. Just the bare server system running.
 

H_Heisenberg

New Member
Would it be enough to block this IP via iptables? I have no hardware firewall or something. It's just an OpenVZ VPS.

H_Heisenberg

New Member
I doubt this because this is a log of nginx (access_log) and it was trying to access folders that seem to be phpmyadmin ones. But thanks. I will block anything that scans for common software and such.

My SSH port is not 22. Changing the SSH port, disabling root login and using SSH key auth is the first thing I do when I get a VPS or server. 

WebSearchingPro

VPS Peddler
Verified Provider
Basically what you've got here is a bot that goes around and "rattles doorknobs": it looks for a default installation of phpMyAdmin using common folder names that people use. You'd be surprised how many PHPMA installations are floating around on the internet with root access to a database somewhere - I believe their goal is to export databases and sell the information off or use it for other nefarious activities.

Generally this is not something you have to worry about, it just comes with having a server on the internet - just make sure you never leave anything insecure and open as there are thousands of bots probing servers 24/7.
 

Cloudrck

Member
Verified Provider
This is why you configure a firewall and something like fail2ban. It's usually not someone, but something in the early stages of finding a vector.

Francisco

Company Lube
Verified Provider
Like Cloudrck said, fail2ban has an apache log watcher that will automatically block this :)

Francisco
 

Cloudrck

Member
Verified Provider
I have modified several of the Apache rules to work with Nginx. I can add them to my github if you'd like.
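
Added example, not part of the thread and not Cloudrck's or fail2ban's own rules: a small Python log watcher in the spirit of the fail2ban approach suggested above, run over the access_log lines from the first post. The function name, the `max_retry`/`find_time` thresholds (named after fail2ban's maxretry and findtime options) and the two `203.0.113.7` lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" access_log format, the format of the lines in this thread.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Signatures taken from the log above: setup.php guesses, w00tw00t banner, ZmEu agent.
PROBE_PATH = re.compile(r'(?i)^/(?:(?:phpmyadmin|pma|myadmin)/scripts/setup\.php|w00tw00t\.)')
SCANNER_UA = re.compile(r'ZmEu')

def find_scanners(lines, max_retry=3, find_time=timedelta(seconds=60)):
    """Return {ip: hit_count} for IPs with max_retry probe hits inside find_time."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        if PROBE_PATH.search(m['path']) or SCANNER_UA.search(m['ua']):
            hits[m['ip']].append(datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        # Any max_retry consecutive hits that fit inside the window flag the IP.
        for i in range(len(times) - max_retry + 1):
            if times[i + max_retry - 1] - times[i] <= find_time:
                flagged[ip] = len(times)
                break
    return flagged

STAMP = '[11/Sep/2013:18:59:01 +0400]'
PROBES = ['/MyAdmin/scripts/setup.php', '/w00tw00t.at.blackhats.romanian.anti-sec:)',
          '/pma/scripts/setup.php', '/myadmin/scripts/setup.php',
          '/phpmyadmin/scripts/setup.php', '/phpMyAdmin/scripts/setup.php']
# The six requests from the first post, rebuilt from their paths.
SAMPLE = [f'85.25.95.213 - - {STAMP} "GET {p} HTTP/1.1" 404 136 "-" "ZmEu"' for p in PROBES]
# Two constructed benign lines: an ordinary visitor, including one harmless 404.
SAMPLE += [
    '203.0.113.7 - - [11/Sep/2013:19:02:10 +0400] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Sep/2013:19:02:11 +0400] "GET /favicon.ico HTTP/1.1" 404 136 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, n in find_scanners(SAMPLE).items():
        print(f'{ip}: {n} probe requests, candidate for an iptables DROP rule')
```

A single stray 404 from a normal visitor does not cross the threshold; only repeated probe signatures inside the window flag an address.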