How can I fake 404 error for 403 error?

darkbear

Hi, I got a lot of errors about someone / some group scanning my server's phpMyAdmin. I want to know how I can make a fake 404 error for a 403 error?

(I limited access to some IPs only, via .htaccess; however, when the IP is not in the list, they get a 403 error, and I want them to get a 404 so they think there is no phpMyAdmin.)

I know phpMyAdmin is on the server at /var/www/html/phpMyAdmin-x.x.x-all-languages/,
but when I add ErrorDocument 403 /404.shtml the server still shows a 403 error.

How can I change the 403 error to a fake 404 error for phpMyAdmin?

Thank you
 
You can make it easier, but not like phpmyadmin: something like "mana2base" or "mysconfiger", any non-vocabulary word.
 
If you make the URL like r597yh87yhg6789, they will never parse it :)
Thank you for your help. I just followed your suggestion and changed it to another name via /etc/httpd/conf/extra/httpd-alias.conf

Yes, it works as I want, thank you again.
 
You can use custom mod security rules too?

Secrule REQUEST_URI "^.*phpMyAdmin.*$" "phase:1,id:728277,log,deny,status:404,msg:'Forbidden'"
 
Going off-topic, to be fair, if you rely on phpmyadmin a lot (I do, as I do a lot of development work), you'll need to remove mod_security from scanning its directory, a lot of what I do in there gets caught and it's a pain.
 
Thank you

Thank you so much
 
May I ask you about msg?
Is that only logged for your debugging, or will it be shown to the one who is denied as the error message: Forbidden?

Thanks
 
Also, could I add one rule to block multiple URLs? (phpmyadmin, pma, dbadmin)
Thank you so much
 
Yes, sure, you can just change the URL prefix like this: "^.*(/pma/|/dbadmin/|/xx/).*$"
Sorry to ask for help again; in my case, they try to get a lot of phpMyAdmin3, phpMyAdmin2, phpMyAdmin5.2, phpMyAdmin2006, phpMyAdmin2007...

152.136.33.12 - - [28/Sep/2022:22:42:25 +0800] "GET /phpmyadmin4/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:26 +0800] "GET /1phpmyadmin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:26 +0800] "GET /sql/phpmyadmin5/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:27 +0800] "GET /phpmyadmin2016/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:27 +0800] "GET /admin/sqladmin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:28 +0800] "GET /db/dbadmin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:28 +0800] "GET /phpMyAdmin1/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:29 +0800] "GET /sql/phpMyAdmin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:29 +0800] "GET /administrator/phpMyAdmin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:30 +0800] "GET /administrator/db/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:30 +0800] "GET /phpMyAdmin2/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:31 +0800] "GET /mysql/sqlmanager/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:31 +0800] "GET /sql/webadmin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:31 +0800] "GET /db/webdb/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:32 +0800] "GET /phpmyadmin5/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:32 +0800] "GET /mysql/admin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:33 +0800] "GET /db/phpMyAdmin-5/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:33 +0800] "GET /db/phpmyadmin4/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:34 +0800] "GET /mysql/pma/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:34 +0800] "GET /sql/websql/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:35 +0800] "GET /phpMyAdmin-5.1.0/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:35 +0800] "GET /administrator/phpmyadmin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:36 +0800] "GET /database/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:36 +0800] "GET /phpmyadmin2017/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:37 +0800] "GET /sql/phpmyadmin3/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:37 +0800] "GET /db/phpMyAdmin-3/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:37 +0800] "GET /phpMyAdmin-5.1.2/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:38 +0800] "GET /admin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36"
152.136.33.12 - - [28/Sep/2022:22:42:38 +0800] "GET /_phpMyAdmin/index.php?lang=en HTTP/1.1" 301 519 "-" "Mozilla/5.0 (Windows NT 10.0;

Can I ask for a keyword ban rule (phpMyAdmin*)? Because I don't use any phpmyadmin* URL, how can I directly ban any IP that requests phpmyadmin*?

Thank you
 
I just tried this rule:
Secrule REQUEST_URI "^.*(/pma|/dbadmin|/phpMyAdmin).*$" "phase:1,id:728277,severity:'CRITICAL',log,deny,status:406,msg:'Forbidden'"

Any suggestions? Thanks
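
Added example, not part of any post in this thread: a Python check that runs the pattern from the last posted rule against request paths from the log quoted above, next to an assumed keyword pattern applied to the lowercased URI (the effect of adding `t:lowercase` to the SecRule), and counts hits per client IP. The function names, the threshold and the 198.51.100.7 control line are assumptions made for the example.

```python
import re
from collections import Counter

# Request lines shortened from the access log quoted in the thread (referer and
# user-agent dropped); the 198.51.100.7 line is constructed as a benign control.
SAMPLE_LOG = """\
152.136.33.12 - - [28/Sep/2022:22:42:25 +0800] "GET /phpmyadmin4/index.php?lang=en HTTP/1.1" 301 519
152.136.33.12 - - [28/Sep/2022:22:42:26 +0800] "GET /1phpmyadmin/index.php?lang=en HTTP/1.1" 301 519
152.136.33.12 - - [28/Sep/2022:22:42:28 +0800] "GET /db/dbadmin/index.php?lang=en HTTP/1.1" 301 519
152.136.33.12 - - [28/Sep/2022:22:42:28 +0800] "GET /phpMyAdmin1/index.php?lang=en HTTP/1.1" 301 519
152.136.33.12 - - [28/Sep/2022:22:42:34 +0800] "GET /mysql/pma/index.php?lang=en HTTP/1.1" 301 519
152.136.33.12 - - [28/Sep/2022:22:42:38 +0800] "GET /_phpMyAdmin/index.php?lang=en HTTP/1.1" 301 519
198.51.100.7 - - [28/Sep/2022:22:43:02 +0800] "GET /index.html HTTP/1.1" 200 1024
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})', re.M)

# Pattern from the last rule posted in the thread (case-sensitive as written).
POSTED = re.compile(r"^.*(/pma|/dbadmin|/phpMyAdmin).*$")
# Assumed alternative: keyword match on a lowercased URI, mirroring what
# t:lowercase on the SecRule would do before the regex runs.
KEYWORD = re.compile(r"phpmyadmin|/pma/|/dbadmin/")

def parse(log):
    """Return (client_ip, request_uri) for every parsable access-log line."""
    return [(m.group(1), m.group(2)) for m in LINE.finditer(log)]

def hits(pattern, entries, lowercase=False):
    """Entries whose URI the pattern matches, optionally lowercased first."""
    return [(ip, uri) for ip, uri in entries
            if pattern.search(uri.lower() if lowercase else uri)]

def offenders(pattern, entries, threshold, lowercase=False):
    """Client IPs with at least `threshold` matching requests (ban candidates)."""
    counts = Counter(ip for ip, _ in hits(pattern, entries, lowercase))
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    caught = {uri for _, uri in hits(POSTED, entries)}
    for ip, uri in hits(KEYWORD, entries, lowercase=True):
        print("caught" if uri in caught else "MISSED by posted rule", ip, uri)
    print(offenders(KEYWORD, entries, threshold=5, lowercase=True))
```

The paths the posted pattern misses are the lowercase and prefixed variants (`/phpmyadmin4`, `/1phpmyadmin`, `/_phpMyAdmin`), because it requires a slash immediately before a case-exact `phpMyAdmin`.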
 