What is this?

[H_Heisenberg]

85.25.95.213 - - [11/Sep/2013:18:59:01 +0400] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 136 "-" "ZmEu"
85.25.95.213 - - [11/Sep/2013:18:59:01 +0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec HTTP/1.1" 404 136 "-" "ZmEu"
85.25.95.213 - - [11/Sep/2013:18:59:01 +0400] "GET /pma/scripts/setup.php HTTP/1.1" 404 136 "-" "ZmEu"
85.25.95.213 - - [11/Sep/2013:18:59:01 +0400] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 136 "-" "ZmEu"
85.25.95.213 - - [11/Sep/2013:18:59:01 +0400] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 136 "-" "ZmEu"
85.25.95.213 - - [11/Sep/2013:18:59:01 +0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 136 "-" "ZmEu"

So that came up on day one when I installed Nginx, PHP & mySQL. Just a few hours after I installed it today I checked access_log and found this.

Someone trying to break into my VPS? I don't even have any of these directories/scripts installed. Just the bare server system running.

 

[drmike]

Well the w00tw00t thing you can read about here:

http://www.securityweek.com/hacked-mit-server-used-stage-attacks-scan-vulnerabilities

The accessing IP 85.25.95.213, that's a former Counter Strike game server.  Unsure if currently active and has been hacked or what.

Yes, the requests are malicious in nature.  They are looking for common scripts to compromise.

I typically start by blocking the IP. 

 

[H_Heisenberg]

Would it be enough to block this IP via iptables? I have no hardware firewall or something. It's just a OpenVZ VPS.

 

[drmike]

Yeppers IPTABLES is more than sufficient.

 

[Reece-DM]

Same with brute force attempts on new box's for port 22.

 

[H_Heisenberg]

I doubt this because this is a log of nginx (access_log) and it was trying to access folders that seem to be phpmyadmin ones. But thanks. I will block anything that scans for common software and such.

My SSH port is not 22. Changing the SSH port, disabling root login and using SSH key auth is the first thing I do when I get a VPS or server. 

 

[WebSearchingPro]

Basically what you got here is a bot that goes around and "rattles doorknobs" it looks for a default installation of phpmyadmin using common foldernames that people use. You'd be surprised how many PHPMA installations that are floating around on the internet with root access to a database somewhere - I believe their goal is to export databases and sell the information off or use it for other nefarious activities.

 

Generally this is not something you have to worry about, it just comes with having a server on the internet - just make sure you never leave anything insecure and open as there are thousands of bots probing servers 24/7.

 

[Cloudrck]

This is why you configure a firefall and something like fail2ban. It's usually not someone, but something in the early stages of finding a vector.

 

[Francisco]

Like Cloudrck said, fail2ban has an apache log watcher that will automatically block this

Francisco

 

[Cloudrck]

I have modified the several Apache rules to work with Nginx. I can add to my github if you'd like.

 

[wlanboy]

And always check the official github repro too:

https://github.com/fail2ban/fail2ban/tree/master/config/filter.d