PHPMYADMIN scans

Published: 2009-06-26. Last Updated: 2009-06-26 00:28:03 UTC
by Mark Hofman (Version: 1)
1 comment(s)

We have received some reports (thanks Drew) of scanning for keyhandler.js which is part of PHPMyAdmin.  The PHPmyAdmin site does not specifically mention this script. Scans look as follows:

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:19 -1000] "GET HTTP/1.1 HTTP/1.1" 400 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:19 -1000] "GET /admin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:20 -1000] "GET /admin/pma/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:21 -1000] "GET /admin/phpmyadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:21 -1000] "GET /db/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:22 -1000] "GET /dbadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:22 -1000] "GET /myadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:23 -1000] "GET /mysql/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:23 -1000] "GET /mysqladmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:24 -1000] "GET /typo3/phpmyadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:24 -1000] "GET /phpadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:24 -1000] "GET /phpmyadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:25 -1000] "GET /phpMyAdmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:25 -1000] "GET /phpmyadmin1/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:26 -1000] "GET /phpmyadmin2/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:26 -1000] "GET /pma/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:27 -1000] "GET /web/phpMyAdmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"


Modsecurity or suhosin should help you out keeping this away from your installation.  PHPMyadmin should probably only be available from the internal network or limited external sources.  So for most of you this shouldn't be an issue.  If you do have some captures of what happens when there is a compromise, please use the contact form to let us know. 

 

Mark H - Shearwater

1 comment(s)

Comments

I have at least 12 alerts in my modsecurity logs dated 23 June with one IP generating the alerts. Modsecurity blocked all of the activity, even though I don't run any PHP-based apps.

Diary Archives