Every now and then, I’ll spot a bot hitting the server looking for an installation of phpMyAdmin. Presumably it’s looking for a version to exploit or one that can be used to swipe data from. They typically come as a burst of requests trying to find it in some variation of commonly used folders.
Today though was the first day I spotted a bot that actually specified a user-agent in its HTTP request. Isn’t that kind of like a burglar wearing a bright red shirt that has ‘THIEF’ written on it?
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:54 -0400] "GET /PMA/main.php HTTP/1.0" 404 4998 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:54 -0400] "GET /phpmyadmin/main.php HTTP/1.0" 404 5005 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:55 -0400] "GET /mysql/main.php HTTP/1.0" 404 5000 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:55 -0400] "GET /admin/main.php HTTP/1.0" 404 5000 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:56 -0400] "GET /db/main.php HTTP/1.0" 404 4997 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:56 -0400] "GET /dbadmin/main.php HTTP/1.0" 404 5002 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:56 -0400] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 5009 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:56 -0400] "GET /admin/pma/main.php HTTP/1.0" 404 5004 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:57 -0400] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 5011 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:57 -0400] "GET /admin/mysql/main.php HTTP/1.0" 404 5006 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:57 -0400] "GET /mysql-admin/main.php HTTP/1.0" 404 5006 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:57 -0400] "GET /phpmyadmin2/main.php HTTP/1.0" 404 5006 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:58 -0400] "GET /mysqladmin/main.php HTTP/1.0" 404 5005 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:58 -0400] "GET /mysql-admin/main.php HTTP/1.0" 404 5006 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:59 -0400] "GET /main.php HTTP/1.0" 404 4994 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:59 -0400] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 5011 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:20:00 -0400] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 5011 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:20:08 -0400] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 5011 "-" "PMAFind"
This bot didn’t just hit my server once…it visited three times in the same day…from the same address.
Not much useful in Google about this beast. Just a couple of posts. The rest of Google’s results are just webserver usage statistics showing hits by the bot.
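The burst described in this post (one client requesting many missing admin paths within a few seconds) can be flagged from the access log without trusting the user-agent string. The following is an added example, not part of the original post: the function name, the thresholds and the sample log lines (documentation addresses) are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"')

def find_probe_bursts(lines, min_paths=5, window=timedelta(seconds=30)):
    """Flag clients that requested at least min_paths distinct missing (404)
    paths inside one sliding time window. Thresholds are assumed defaults."""
    misses = defaultdict(list)  # host -> [(time, path, agent)]
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["status"] == "404":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            misses[m["host"]].append((ts, m["path"], m["agent"]))
    flagged = {}
    for host, events in misses.items():
        events.sort(key=lambda e: e[0])
        start, best = 0, set()
        for end in range(len(events)):
            # Shrink the window until its oldest event is within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            paths = {p for _, p, _ in events[start:end + 1]}
            if len(paths) > len(best):
                best = paths
        if len(best) >= min_paths:
            flagged[host] = {"paths": sorted(best),
                             "agents": sorted({a for _, _, a in events})}
    return flagged

# Constructed sample lines, not taken from any real log.
def make_line(host, hms, path, status, agent):
    return (f'{host} - - [11/Oct/2005:{hms} -0400] '
            f'"GET {path} HTTP/1.0" {status} 500 "-" "{agent}"')

SAMPLE = (
    [make_line("192.0.2.10", f"08:19:5{i}", p, 404, "PMAFind") for i, p in enumerate(
        ["/PMA/main.php", "/phpmyadmin/main.php", "/mysql/main.php",
         "/db/main.php", "/dbadmin/main.php", "/mysql/main.php"])]   # scanner burst
    + [make_line("198.51.100.7", "08:20:01", "/index.html", 200, "Mozilla/5.0"),
       make_line("198.51.100.7", "08:20:02", "/favicon.ico", 404, "Mozilla/5.0")]
    + [make_line("203.0.113.5", f"{9 + i:02d}:00:00", f"/old/p{i}.html", 404, "Mozilla/5.0")
       for i in range(5)]                                            # slow stale links
)
if __name__ == "__main__":
    print(find_probe_bursts(SAMPLE))
```

Only the burst client is flagged; the visitor with a single 404 and the client whose 404s are spread over hours are not.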
I got some similar entries…
[Thu Nov 10 11:10:11 2005] [error] [client 164.67.152.47] File does not exist: /usr/local/www/data/phpmyadmin
[Thu Nov 10 11:10:11 2005] [error] [client 164.67.152.47] File does not exist: /usr/local/www/data/PMA
[Thu Nov 10 11:10:12 2005] [error] [client 164.67.152.47] File does not exist: /usr/local/www/data/mysql
[Thu Nov 10 11:10:12 2005] [error] [client 164.67.152.47] File does not exist: /usr/local/www/data/admin
[Thu Nov 10 11:10:12 2005] [error] [client 164.67.152.47] File does not exist: /usr/local/www/data/db
[Thu Nov 10 11:10:12 2005] [error] [client 164.67.152.47] File does not exist: /usr/local/www/data/dbadmin
[Thu Nov 10 11:10:12 2005] [error] [client 164.67.152.47] File does not exist: /usr/local/www/data/web
[Thu Nov 10 11:10:13 2005] [error] [client 164.67.152.47] File does not exist: /usr/local/www/data/admin
[Thu Nov 10 11:10:13 2005] [error] [client 164.67.152.47] File does not exist: /usr/local/www/data/admin
[Thu Nov 10 11:10:13 2005] [error] [client 164.67.152.47] File does not exist: /usr/local/www/data/admin
[Thu Nov 10 11:10:13 2005] [error] [client 164.67.152.47] File does not exist: /usr/local/www/data/mysql-admin
[Thu Nov 10 11:10:13 2005] [error] [client 164.67.152.47] File does not exist: /usr/local/www/data/phpmyadmin2
[Thu Nov 10 11:10:14 2005] [error] [client 164.67.152.47] File does not exist: /usr/local/www/data/mysqladmin
[Thu Nov 10 11:10:14 2005] [error] [client 164.67.152.47] File does not exist: /usr/local/www/data/mysql-admin // script not found or unable to stat
[Thu Nov 10 11:10:14 2005] [error] [client 164.67.152.47] File does not exist: /usr/local/www/data/phpMyAdmin-2.5.6
164.67.152.47 - - [10/Nov/2005:11:10:11 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 404 313 "-" "PMAFind"
164.67.152.47 - - [10/Nov/2005:11:10:11 +0100] "GET /PMA/main.php HTTP/1.0" 404 306 "-" "PMAFind"
164.67.152.47 - - [10/Nov/2005:11:10:12 +0100] "GET /mysql/main.php HTTP/1.0" 404 308 "-" "PMAFind"
164.67.152.47 - - [10/Nov/2005:11:10:12 +0100] "GET /admin/main.php HTTP/1.0" 404 308 "-" "PMAFind"
164.67.152.47 - - [10/Nov/2005:11:10:12 +0100] "GET /db/main.php HTTP/1.0" 404 305 "-" "PMAFind"
164.67.152.47 - - [10/Nov/2005:11:10:12 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 310 "-" "PMAFind"
164.67.152.47 - - [10/Nov/2005:11:10:12 +0100] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 317 "-" "PMAFind"
164.67.152.47 - - [10/Nov/2005:11:10:13 +0100] "GET /admin/pma/main.php HTTP/1.0" 404 312 "-" "PMAFind"
164.67.152.47 - - [10/Nov/2005:11:10:13 +0100] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 319 "-" "PMAFind"
164.67.152.47 - - [10/Nov/2005:11:10:13 +0100] "GET /admin/mysql/main.php HTTP/1.0" 404 314 "-" "PMAFind"
164.67.152.47 - - [10/Nov/2005:11:10:13 +0100] "GET /mysql-admin/main.php HTTP/1.0" 404 314 "-" "PMAFind"
164.67.152.47 - - [10/Nov/2005:11:10:13 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 404 314 "-" "PMAFind"
164.67.152.47 - - [10/Nov/2005:11:10:14 +0100] "GET /mysqladmin/main.php HTTP/1.0" 404 313 "-" "PMAFind"
164.67.152.47 - - [10/Nov/2005:11:10:14 +0100] "GET /mysql-admin/main.php HTTP/1.0" 404 314 "-" "PMAFind"
164.67.152.47 - - [10/Nov/2005:11:10:14 +0100] "GET /main.php HTTP/1.0" 404 302 "-" "PMAFind"
164.67.152.47 - - [10/Nov/2005:11:10:14 +0100] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 319 "-" "PMAFind"
Search results for: 164.67.152.47
OrgName: University of California, Los Angeles
OrgID: UCLA
Address: UCLA Communications Technology Services
Address: Campus Services Building I, 2nd Floor
Address: 741 Charles E. Young Drive South
City: Los Angeles
StateProv: CA
PostalCode: 90095-1363
Country: US
NetRange: 164.67.0.0 – 164.67.255.255
CIDR: 164.67.0.0/16
NetName: UCLANET3
NetHandle: NET-164-67-0-0-1
Parent: NET-164-0-0-0-0
NetType: Direct Assignment
NameServer: DNS.UCLA.EDU
NameServer: DNS2.UCLA.EDU
NameServer: DNS3.UCLA.EDU
NameServer: ADNS2.BERKELEY.EDU
Comment:
RegDate: 1992-12-17
Updated: 2004-03-12
RTechHandle: NO102-ORG-ARIN
RTechName: Network Operations Center
RTechPhone: +1-310-794-9495
RTechEmail: noc@ucla.edu
OrgAbuseHandle: UBO-ARIN
OrgAbuseName: UCLA Bruin Online
OrgAbusePhone: +1-310-825-7452
OrgAbuseEmail: abuse@ucla.edu
OrgNOCHandle: NO102-ORG-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-310-794-9495
OrgNOCEmail: noc@ucla.edu
OrgTechHandle: NO102-ORG-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-310-794-9495
OrgTechEmail: noc@ucla.edu