Warned not Mourned

We need a fail2ban filter that reads the /var/log/apache2/access.log, not just error.log. When someone is getting lots of 404’s, then something is up, especially if those access are coming un-humanly quickly!  By the way, if you are the owner of IP you might want to scan it for malware. 8)

For your viewing pleasure, some Apache2 log entries from this morning: – – [12/Jun/2015:15:32:12 -0400] “GET /currentsetting.htm HTTP/1.1” 404 509 “-” “-” – – [12/Jun/2015:16:14:50 -0400] “GET /muieblackcat HTTP/1.1” 404 466 “-” “-” – – [12/Jun/2015:16:14:50 -0400] “GET //phpMyAdmin/scripts/setup.php HTTP/1.1” 404 482 “-” “-” – – [12/Jun/2015:16:14:50 -0400] “GET //phpmyadmin/scripts/setup.php HTTP/1.1” 404 482 “-” “-” – – [12/Jun/2015:16:14:51 -0400] “GET //pma/scripts/setup.php HTTP/1.1” 404 475 “-” “-” – – [12/Jun/2015:16:14:51 -0400] “GET //myadmin/scripts/setup.php HTTP/1.1” 404 479 “-” “-” – – [12/Jun/2015:16:14:51 -0400] “GET //MyAdmin/scripts/setup.php HTTP/1.1” 404 479 “-” “-“

Current web site hackers look for phpmyadmin in various incarnations / folder names, and something called “muieblackcat”. I’m told it is really a search for WordPress with unprotected setup.php files.

muieblackcat is script/bot, supposedly of Ukrainian origin, that attempts to exploit PHP vulnerabilities or misconfigurations. See SUC027: Muieblackcat setup.php Web Scanner/Robot for more detail.


Good reasons to put PhpMyAdmin somewhere away from the web site, possibly using a port number as well as a different directory structure in the virtual container, and also to change the permits on all your apache2-accessible files to 640 with you as the owner and www-data as the group, to allow access only to yourself and Apache2.

If you doubt this, then ask yourself what happens if the hacker does find phpmyadmin/scripts/setup.php and runs it.

Other various interesting information on current threats can be perused at http://www.emergingthreats.net/about-us/blog

Comments are closed