American Programmers Independent, LLC.

Warned not Mourned

Posted on June 12, 2015 by John Nash

We need a fail2ban filter that reads /var/log/apache2/access.log, not just error.log. When someone is getting lots of 404s, something is up, especially if those requests are coming in un-humanly quickly! By the way, if you are the owner of IP 104.243.24.211 you might want to scan it for malware. 8)

For your viewing pleasure, some Apache2 log entries from this morning:

192.168.4.133 - - [12/Jun/2015:15:32:12 -0400] "GET /currentsetting.htm HTTP/1.1" 404 509 "-" "-"
104.243.24.211 - - [12/Jun/2015:16:14:50 -0400] "GET /muieblackcat HTTP/1.1" 404 466 "-" "-"
104.243.24.211 - - [12/Jun/2015:16:14:50 -0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 482 "-" "-"
104.243.24.211 - - [12/Jun/2015:16:14:50 -0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 482 "-" "-"
104.243.24.211 - - [12/Jun/2015:16:14:51 -0400] "GET //pma/scripts/setup.php HTTP/1.1" 404 475 "-" "-"
104.243.24.211 - - [12/Jun/2015:16:14:51 -0400] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 479 "-" "-"
104.243.24.211 - - [12/Jun/2015:16:14:51 -0400] "GET //MyAdmin/scripts/setup.php HTTP/1.1" 404 479 "-" "-"
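The filter asked for above, as an added example that is not code from the original post: it applies the same test a fail2ban filter on access.log would (count 404 responses per client address inside a time window, flag the address once the count reaches a threshold), written as a stand-alone script so the logic can be read and run without fail2ban installed. The threshold and window (maxretry=5, findtime=600 seconds, fail2ban's defaults) are assumptions, the failregex string is an illustration of how the same match would be phrased for fail2ban, and the sample log is the post's own entries re-typed with plain ASCII quotes.

```python
"""Flag client addresses that burst HTTP 404s in an Apache access.log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# How a fail2ban filter.d/*.conf would phrase the same match (assumed form,
# shown for reference): fail2ban substitutes its own address pattern for <HOST>.
FAIL2BAN_FAILREGEX = r'^<HOST> \S+ \S+ \[[^\]]+\] "[^"]*" 404 '

# Constructed sample: the post's log entries, ASCII-quoted.
SAMPLE_LOG = """\
192.168.4.133 - - [12/Jun/2015:15:32:12 -0400] "GET /currentsetting.htm HTTP/1.1" 404 509 "-" "-"
104.243.24.211 - - [12/Jun/2015:16:14:50 -0400] "GET /muieblackcat HTTP/1.1" 404 466 "-" "-"
104.243.24.211 - - [12/Jun/2015:16:14:50 -0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 482 "-" "-"
104.243.24.211 - - [12/Jun/2015:16:14:50 -0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 482 "-" "-"
104.243.24.211 - - [12/Jun/2015:16:14:51 -0400] "GET //pma/scripts/setup.php HTTP/1.1" 404 475 "-" "-"
104.243.24.211 - - [12/Jun/2015:16:14:51 -0400] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 479 "-" "-"
104.243.24.211 - - [12/Jun/2015:16:14:51 -0400] "GET //MyAdmin/scripts/setup.php HTTP/1.1" 404 479 "-" "-"
""".splitlines()


def parse_line(line):
    """Return (host, timestamp, status, request) or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, int(m.group("status")), m.group("request")


def find_404_bursts(lines, maxretry=5, findtime=timedelta(seconds=600)):
    """Return {host: time_flagged} for hosts whose 404 count inside any
    `findtime` window reaches `maxretry` (fail2ban's maxretry/findtime rule).

    Each host keeps a deque of its recent 404 timestamps; entries older than
    the window are dropped before the count is compared to the threshold.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip lines the regex cannot read
        host, ts, status, _request = parsed
        if status != 404 or host in flagged:
            continue
        q = windows[host]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            flagged[host] = ts
    return flagged


if __name__ == "__main__":
    for host, when in find_404_bursts(SAMPLE_LOG).items():
        print("%s reached the 404 threshold at %s" % (host, when.isoformat()))
```

With the defaults, the single 404 from 192.168.4.133 stays below the threshold while 104.243.24.211 is flagged on its fifth 404, one second into the scan; fail2ban would then hand that address to its ban action, which this script leaves to the reader.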

Current web site hackers look for phpMyAdmin under various folder names, and for something called “muieblackcat”. I’m told it is really a search for WordPress installs with unprotected setup.php files.

muieblackcat is a script/bot, supposedly of Ukrainian origin, that attempts to exploit PHP vulnerabilities or misconfigurations. See SUC027: Muieblackcat setup.php Web Scanner/Robot for more detail:

http://serverfault.com/questions/309309/what-is-muieblackcat

Good reasons to put phpMyAdmin somewhere away from the web site, possibly on a different port number as well as under a different directory structure in the virtual container, and also to change the permissions on all your Apache2-accessible files to 640 with you as the owner and www-data as the group, so that only you and Apache2 can read them.

If you doubt this, then ask yourself what happens if the hacker does find phpmyadmin/scripts/setup.php and runs it.
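A check for the permission rule just given, as an added example that is not code from the original post: it walks a document root and reports every regular file that is world-accessible, group-writable, not mode 640, or owned by the wrong user or group. The path, the site-owner user name and the "www-data" group name are assumptions; the throwaway tree in `demo()` is constructed so the script can be run anywhere.

```python
"""Audit file permissions under an Apache document root against owner/www-data 640."""
import grp
import os
import pwd
import shutil
import stat
import tempfile


def audit_docroot(root, expected_uid=None, expected_gid=None):
    """Return a list of (path, reason) for regular files under `root` that
    deviate from mode 640 / expected owner / expected group.

    Directories are skipped on purpose: they need the execute bit to be
    traversable, so the 640 rule is a file rule. Symlinks are not followed.
    """
    problems = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o007:
                problems.append((path, "world-accessible (mode %o)" % mode))
            elif mode & 0o020:
                problems.append((path, "group-writable (mode %o)" % mode))
            elif mode != 0o640:
                problems.append((path, "mode %o is not 640" % mode))
            if expected_uid is not None and st.st_uid != expected_uid:
                problems.append((path, "owner uid %d, expected %d" % (st.st_uid, expected_uid)))
            if expected_gid is not None and st.st_gid != expected_gid:
                problems.append((path, "group gid %d, expected %d" % (st.st_gid, expected_gid)))
    return problems


def audit_by_name(root, user, group="www-data"):
    """Same audit with names resolved, e.g. audit_by_name("/var/www/html", "john").
    (Assumed path and user name; "www-data" is Debian/Ubuntu's Apache group.)"""
    return audit_docroot(root, pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid)


def demo():
    """Build a constructed tree with one compliant and two non-compliant files
    and return {file name: [reasons]}. The uid/gid the tree was created with
    stand in for the site owner and www-data, so only the mode checks fire."""
    root = tempfile.mkdtemp(prefix="docroot-")
    try:
        for name, mode in {"index.php": 0o640, "config.php": 0o644, "upload.php": 0o660}.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("<?php\n")
            os.chmod(path, mode)
        st = os.stat(root)
        findings = {}
        for path, reason in audit_docroot(root, st.st_uid, st.st_gid):
            findings.setdefault(os.path.basename(path), []).append(reason)
        return findings
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, reasons in sorted(demo().items()):
        print(name, "->", "; ".join(reasons))
```

Run against a real tree with `audit_by_name("/var/www/html", "<your user>")`; an empty list means every file is readable only by you and Apache, which is what matters if a scanner does find a stray setup.php.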

Various other interesting information on current threats can be perused at http://www.emergingthreats.net/about-us/blog

Copyright © 2019 American Programmers Independent, LLC. - All Rights Reserved Worldwide