Every now and then, I’ll spot a bot hitting the server looking for an installation of phpMyAdmin. Presumably it’s looking for a version to exploit or one that can be used to swipe data from. They typically come as a burst of requests trying to find it in some variation of commonly used folders.
Today though was the first day I spotted a bot that actually specified a user-agent in its HTTP request. Isn’t that kind of like a burglar wearing a bright red shirt that has ‘THIEF’ written on it?
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:54 -0400] "GET /PMA/main.php HTTP/1.0" 404 4998 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:54 -0400] "GET /phpmyadmin/main.php HTTP/1.0" 404 5005 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:55 -0400] "GET /mysql/main.php HTTP/1.0" 404 5000 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:55 -0400] "GET /admin/main.php HTTP/1.0" 404 5000 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:56 -0400] "GET /db/main.php HTTP/1.0" 404 4997 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:56 -0400] "GET /dbadmin/main.php HTTP/1.0" 404 5002 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:56 -0400] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 5009 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:56 -0400] "GET /admin/pma/main.php HTTP/1.0" 404 5004 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:57 -0400] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 5011 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:57 -0400] "GET /admin/mysql/main.php HTTP/1.0" 404 5006 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:57 -0400] "GET /mysql-admin/main.php HTTP/1.0" 404 5006 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:57 -0400] "GET /phpmyadmin2/main.php HTTP/1.0" 404 5006 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:58 -0400] "GET /mysqladmin/main.php HTTP/1.0" 404 5005 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:58 -0400] "GET /mysql-admin/main.php HTTP/1.0" 404 5006 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:59 -0400] "GET /main.php HTTP/1.0" 404 4994 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:19:59 -0400] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 5011 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:20:00 -0400] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 5011 "-" "PMAFind"
h-69-3-143-228.nycmny83.covad.net - - [11/Oct/2005:08:20:08 -0400] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 5011 "-" "PMAFind"
This bot didn’t just hit my server once…it visited three times in the same day…from the same address.
Not much useful in Google about this beast. Just a couple of posts. The rest of Google’s results are just webserver usage statistics showing hits by the bot.
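Since most of these scanners send no user-agent at all, the burst itself is the more reliable signal. The following is an added example, not part of the original post: a small detector that flags any client requesting many distinct missing paths within a short window. The 30-second window, the five-path threshold and the sample hosts (documentation address ranges) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

def parse(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_probe_bursts(lines, window=timedelta(seconds=30), min_paths=5):
    """Return {host: {"paths": n, "agents": set}} for clients that requested at
    least min_paths distinct 404 paths inside one sliding time window."""
    by_host = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["status"] == "404":
            by_host[rec["host"]].append(rec)
    flagged = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1  # shrink the window from the left
            burst = recs[start:end + 1]
            paths = {r["path"] for r in burst}
            best = flagged.get(host, {"paths": 0})["paths"]
            if len(paths) >= min_paths and len(paths) > best:
                flagged[host] = {"paths": len(paths), "agents": {r["agent"] for r in burst}}
    return flagged

# Constructed sample input: a scanner-like burst plus one ordinary visitor.
SCAN_DIRS = ["/PMA", "/phpmyadmin", "/mysql", "/admin", "/db", "/dbadmin"]
SAMPLE = [
    f'192.0.2.10 - - [11/Oct/2005:08:19:5{4 + i // 2} -0400] "GET {d}/main.php HTTP/1.0" 404 5000 "-" "PMAFind"'
    for i, d in enumerate(SCAN_DIRS)
] + [
    '198.51.100.7 - - [11/Oct/2005:08:20:01 -0400] "GET /index.html HTTP/1.0" 200 1200 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Oct/2005:08:20:02 -0400] "GET /favicon.ico HTTP/1.0" 404 4990 "-" "Mozilla/5.0"',
]
```

Running `find_probe_bursts` over a real access log returns the flagged clients along with whatever user-agent strings they sent, which makes a self-labelled scanner like this one easy to pick out from the anonymous ones.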