Aspegic
Verified User
- Joined
- Aug 4, 2005
- Messages
- 282
A couple of weeks ago I discovered some software in a hidden folder in one of my client's subdirectories. He did not upload it there and had no idea where it came from (I believe him). The software appeared to be related to IRC (one of the files was called 'eggdrop'). I deleted the files and that was the end of it...
or so I thought...
Today, while checking the server, I found another hidden folder named '.SOCK'. This folder was inside the /tmp folder. Again this folder is filled with software that appears to be IRC related ("psyBNC").
Like the folder in the client's subdirectory, this folder also was created by user 'Apache'.
I then checked the httpd access log for that date and time and found several peculiar entries, one of which was: "GET /w00tw00t.at.ISC.SANS.DFind: HTTP/1.1" 400 407 "-" "-"
Googling for '/w00tw00t.at.ISC.SANS.DFind' I found a few webpages that mention this line in combination with hacking attempts. Unfortunately there isn't much more info I could find. One site said it could often be accompanied by several searches for phpMyAdmin files, which appears to be exactly what this person was doing, according to the log:
Code:
163.28.32.100 - - [22/Mar/2006:06:01:09 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 401 2463 "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:11 +0100] "GET /PMA/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:13 +0100] "GET /mysql/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:15 +0100] "GET /admin/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:16 +0100] "GET /db/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:19 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:20 +0100] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:22 +0100] "GET /admin/pma/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:24 +0100] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:26 +0100] "GET /admin/mysql/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:28 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:30 +0100] "GET /mysqladmin/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:32 +0100] "GET /mysql-admin/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:33 +0100] "GET /main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:35 +0100] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:37 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:39 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:41 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:43 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:45 +0100] "GET /myadmin/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:47 +0100] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:50 +0100] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:52 +0100] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:53 +0100] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:55 +0100] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 404 - "-" "-"
163.28.32.100 - - [22/Mar/2006:06:01:56 +0100] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 - "-" "-"
Someone appears to be 'guessing' common names for phpMyAdmin folders?! And look at the time indexes, they all are 2 to 4 seconds apart. I'm guessing this was an automated attempt.
Because I found the software in the /tmp folder, as well as in the clients subdirectory a few weeks ago, it appears these attacks were somehow successful. But how? Does anyone know of any vulnerability in phpMyAdmin? What can I do to keep these as******s out??? Damn!
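The pattern the post reads off by eye (one source IP, a run of phpMyAdmin directory guesses a few seconds apart, a 401/404 for each, and the w00tw00t marker request) can be checked automatically over an access log. The Python below is an added example, not code from the post or from any tool it mentions: it parses Apache common/combined log lines, classifies likely probe requests, and reports any source IP that sends a burst of them inside a short window, with the timing and path diversity a responder would want to see. The sample input reuses lines from the post's excerpt; the w00tw00t line is given a constructed IP and timestamp (the post shows it without them), the 198.51.100.7 traffic is constructed benign traffic, and the thresholds (5 probes in 60 seconds) and path hints are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log format, as in the post's excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed path fragments typical of phpMyAdmin location guessing, taken from the
# directory names and the main.php entry page seen in the post's log. Matched lowercase.
PMA_HINTS = ("phpmyadmin", "/pma/", "mysql", "myadmin", "dbadmin", "main.php")

# The scanner identification string the post found; matched lowercase.
SCANNER_MARKERS = ("w00tw00t.at.isc.sans.dfind",)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_probe(rec):
    """A request is a probe if it carries a scanner marker (any status) or hits a
    phpMyAdmin-style path and was rejected (401/403/404)."""
    path = rec["path"].lower()
    if any(mark in path for mark in SCANNER_MARKERS):
        return True
    return rec["status"] in (401, 403, 404) and any(h in path for h in PMA_HINTS)


def find_scans(lines, min_probes=5, window_seconds=60):
    """Report source IPs that sent at least min_probes probe requests within any
    window_seconds span. Returns findings sorted by first-seen time."""
    probes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec):
            probes[rec["ip"]].append(rec)

    window = timedelta(seconds=window_seconds)
    findings = []
    for ip, recs in probes.items():
        recs.sort(key=lambda r: r["ts"])
        best, end = None, 0
        # Sliding window over the time-sorted probes; 'end' only moves forward.
        for start in range(len(recs)):
            while end < len(recs) and recs[end]["ts"] - recs[start]["ts"] <= window:
                end += 1
            count = end - start
            if count >= min_probes and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, start, end = best
            chunk = recs[start:end]
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(chunk, chunk[1:])]
            findings.append({
                "ip": ip,
                "count": count,
                "first_seen": chunk[0]["ts"],
                "last_seen": chunk[-1]["ts"],
                "distinct_paths": len({r["path"] for r in chunk}),
                "max_gap_seconds": max(gaps) if gaps else 0.0,
                "scanner_marker": any(m in r["path"].lower() for r in chunk for m in SCANNER_MARKERS),
            })
    findings.sort(key=lambda f: f["first_seen"])
    return findings


SAMPLE_LOG = [
    # From the post's log excerpt (source IP and timestamps as posted).
    '163.28.32.100 - - [22/Mar/2006:06:01:09 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 401 2463 "-" "-"',
    '163.28.32.100 - - [22/Mar/2006:06:01:11 +0100] "GET /PMA/main.php HTTP/1.0" 404 - "-" "-"',
    '163.28.32.100 - - [22/Mar/2006:06:01:13 +0100] "GET /mysql/main.php HTTP/1.0" 404 - "-" "-"',
    '163.28.32.100 - - [22/Mar/2006:06:01:15 +0100] "GET /admin/main.php HTTP/1.0" 404 - "-" "-"',
    '163.28.32.100 - - [22/Mar/2006:06:01:16 +0100] "GET /db/main.php HTTP/1.0" 404 - "-" "-"',
    '163.28.32.100 - - [22/Mar/2006:06:01:19 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 - "-" "-"',
    # Constructed: the post's w00tw00t request with an assumed IP and timestamp.
    '163.28.32.100 - - [22/Mar/2006:06:00:58 +0100] "GET /w00tw00t.at.ISC.SANS.DFind: HTTP/1.1" 400 407 "-" "-"',
    # Constructed: ordinary traffic from another client; one stray 404 must not trigger a finding.
    '198.51.100.7 - - [22/Mar/2006:06:01:12 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Mar/2006:06:01:14 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_scans(SAMPLE_LOG):
        print(f"{f['ip']}: {f['count']} probes, {f['distinct_paths']} paths, "
              f"{f['first_seen']:%H:%M:%S}-{f['last_seen']:%H:%M:%S}, "
              f"max gap {f['max_gap_seconds']:.0f}s, scanner marker: {f['scanner_marker']}")
```

Run against a real log with `find_scans(open('access_log'))`; the 401 on /phpmyadmin/main.php is counted as a probe deliberately, since a rejected request to an existing phpMyAdmin install is the one a responder most wants surfaced, and the max-gap figure makes the "2 to 4 seconds apart" observation from the post a number rather than an impression.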