Hello!

I've been getting these messages in apache error.log for quite a while:

[client 217.197.152.228] File does not exist: /var/www/phpmyadmin
[client 217.197.152.228] File does not exist: /var/www/pma
[client 217.197.152.228] File does not exist: /var/www/admin
[client 217.197.152.228] File does not exist: /var/www/dbadmin
[client 217.197.152.228] File does not exist: /var/www/myadmin
[client 217.197.152.228] File does not exist: /var/www/PHPMYADMIN
[client 217.197.152.228] File does not exist: /var/www/phpMyAdmin

And many more different addresses. Looks like somebody is trying to guess where my admin applications are located. What should I fear in this situation, and what can knowledge of my admin addresses give to an attacker, if everything is password protected?

+2  A: 

If they find a login page they could try to do a brute force attack or other password cracking approach.

In these cases if there is an IP that is consistently displaying such behaviour we block it with denyhosts and ModSecurity.

DanSingerman
Thanks. I'll try to have my passwords as long as possible
Silver Light
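
One way to pick out the clients that are "consistently displaying such behaviour" from the error.log lines quoted in the question, as an added example that is not part of any post on this page. The name list is taken from the question's log excerpt; the threshold of three distinct names and the sample addresses (documentation ranges) are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the error.log format quoted in the question.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation-only address ranges.
SAMPLE_LOG = """\
[client 203.0.113.7] File does not exist: /var/www/phpmyadmin
[client 203.0.113.7] File does not exist: /var/www/pma
[client 203.0.113.7] File does not exist: /var/www/dbadmin
[client 203.0.113.7] File does not exist: /var/www/PHPMYADMIN
[client 198.51.100.20] File does not exist: /var/www/favicon.ico
[client 198.51.100.20] File does not exist: /var/www/phpmyadmin
"""

# search() is used so a leading timestamp/[error] prefix is tolerated;
# the path stops at a comma so a trailing ", referer: ..." is dropped.
LINE_RE = re.compile(
    r"\[client (?P<ip>[0-9a-fA-F.:]+)\] File does not exist: (?P<path>[^,\s]+)"
)
# Admin-panel names seen in the question's log, compared case-insensitively.
ADMIN_NAMES = {"phpmyadmin", "pma", "admin", "dbadmin", "myadmin"}


def probes_by_client(log_text):
    """Map client IP -> set of distinct admin-panel names it asked for and missed."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # PHPMYADMIN and phpMyAdmin collapse to one name after lower-casing.
        components = {c.lower() for c in m.group("path").split("/")}
        found = components & ADMIN_NAMES
        if found:
            hits[m.group("ip")] |= found
    return dict(hits)


def scanners(log_text, threshold=3):
    """Clients that missed at least `threshold` distinct admin names (assumed cutoff)."""
    by_ip = probes_by_client(log_text)
    return sorted(ip for ip, names in by_ip.items() if len(names) >= threshold)


if __name__ == "__main__":
    print(scanners(SAMPLE_LOG))
```

Counting distinct names rather than raw 404s keeps a visitor with one stale bookmark or a missing favicon out of the result.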
+2  A: 

If everything is locked down well, fear nothing. These are just automated attacks that happen to every URL in existence. Same thing happens to me, and I don't even run PHP on my server.

If you don't have the latest patches (like on say, WordPress), then yes this is a big problem, but one that's relatively easy to fix.

swilliams
Thank you, this answers my question. I'll ignore these warnings and focus on application security.
Silver Light
A: 

It seems he's looking for PHPMySQLAdmin installations, probably to automatically try and use known exploits on old versions.

If you're not using PHPMyAdmin you should be fine. If you do, make sure it's updated to the latest version, and maybe move it to a non-guessable URL.

Pies
A: 

If you have protected everything it's no real big deal. http://217.197.152.228/phpmyadmin/ <- that's where your phpmyadmin is running. Seems it's pass protected etc so don't worry too much!

There are some exploits that will reveal info; in fact, your phpmyadmin is vulnerable to some attacks:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0204

Maybe you should check for exploit docs on your phpmyadmin version.

Younes
217.197.152.228 is not the host of my server, but a host of the "attacker". Looks like he's protected :)
Silver Light
+3  A: 

If you have admin or restricted folders, you could configure it in htaccess to restrict access only to your IP or IP range, like this:

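<Directory /var/www/AdminFolder/>
    Options FollowSymLinks
    # Deny is evaluated first, then Allow: everyone is refused except the address below
    Order Deny,Allow
    Deny from all
    # your ip only (Apache comments must be on their own line, not after a directive)
    Allow from 128.98.2.4
</Directory>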

It will only be a good solution if you have a static IP, but then you will be completely sure that you'll be the only one to get inside adminfolder

markcial
Thank you for your answer. I guess it's the best way to protect myself, but I have several people connecting to my admin areas from different places.
Silver Light
You can deny too; try adding the aggressor IP to the deny field
markcial
IPs are different every day. Like swilliams said, those are probably robots.
Silver Light