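phpMyAdmin scans
I was a little startled the first time I saw this log.
The following entries were logged over about 40 seconds, and I panicked, thinking "This is bad! Something is being done to the server!", but when I looked it up online, there are plenty of reports of the same thing.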
-----------------------------------------------------------------
GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1
GET /scripts/setup.php HTTP/1.1
GET /admin/scripts/setup.php HTTP/1.1
GET /admin/pma/scripts/setup.php HTTP/1.1
GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1
GET /db/scripts/setup.php HTTP/1.1
GET /dbadmin/scripts/setup.php HTTP/1.1
GET /myadmin/scripts/setup.php HTTP/1.1
GET /mysql/scripts/setup.php HTTP/1.1
GET /mysqladmin/scripts/setup.php HTTP/1.1
GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1
GET /phpadmin/scripts/setup.php HTTP/1.1
GET /pma/scripts/setup.php HTTP/1.1
GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1
GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1
GET /web/scripts/setup.php HTTP/1.1
GET /php-my-admin/scripts/setup.php HTTP/1.1
GET /websql/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2/scripts/setup.php HTTP/1.1
GET /_phpmyadmin/scripts/setup.php HTTP/1.1
GET /administrator/components/com_joommyadmin/phpmyadmin/scripts/setup.php HTTP/1.1
GET /apache-default/phpmyadmin/scripts/setup.php HTTP/1.1
GET /blog/phpmyadmin/scripts/setup.php HTTP/1.1
GET /cpanelphpmyadmin/scripts/setup.php HTTP/1.1
GET /cpphpmyadmin/scripts/setup.php HTTP/1.1
GET /forum/phpmyadmin/scripts/setup.php HTTP/1.1
GET /php/phpmyadmin/scripts/setup.php HTTP/1.1
GET /phpmyadmin/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.10.0.0/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.10.0.1/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.10.0.2/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.10.0/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.10.1.0/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.10.2.0/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.11.0.0/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.11.1-all-languages/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.11.1.0/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.11.1.1/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.11.1.2/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.6.1-pl2/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.6.1-pl3/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.6.4-pl3/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.6.4-pl4/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.6.4-rc1/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.6.5/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.6.6/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.6.9/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.7.0-beta1/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.7.0-pl1/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.7.0-pl2/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.7.0-rc1/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.7.5/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.7.6/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.7.7/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.8.2.3/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.8.3/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.8.4/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.8.5/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.8.6/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.8.7/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.8.8/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.8.9/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.9.0-rc1/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.9.0.1/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.9.0.2/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.9.0/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.9.1/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2.9.2/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-2/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-3.0.0-rc1-english/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-3.0.0.0-all-languages/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-3.0.1.0-english/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-3.0.1.0/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-3.0.1.1/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-3.1.2.0-english/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-3.4.3.1/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-3.1.0.0-english/scripts/setup.php HTTP/1.1
GET /phpMyAdmin2/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-3.1.1.0-all-languages/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-3.1.2.0-all-languages/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-3.1.0.0/scripts/setup.php HTTP/1.1
GET /phpMyAdmin-3.1.2.0/scripts/setup.php HTTP/1.1
GET /phpMyAdmin3/scripts/setup.php HTTP/1.1
-----------------------------------------------------------------
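Apparently this is scanning activity for attacks that target phpMyAdmin vulnerabilities.
As with the Struts case the other day, I don't have phpMyAdmin installed, so it doesn't affect me…
Compared with older reports online, there were more variations in the version numbers (such as "phpMyAdmin-3.1.2.0"). The scanning tools must be getting updated all the time.
Scans like these came in a total of five times during March.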
Looking at the User-Agent, there were two kinds:
- Mozilla/5.0 Jorgee
- ZmEu
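"Mozilla/5.0 Jorgee" came from four IPs in total, so either it is a commonly used tool, or the attacker using this tool has taken over servers in many places…
It seems it is also possible to deny access based on the User-Agent, so that looks like one way to avoid it.
Beyond that, it seems you can also "avoid using the default paths and file names" or "restrict access to the console by IP".
Fundamentally, just upgrade promptly… (as long as it causes no problems for system operation).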
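To pick bursts like the one above out of an access log, the following added example (not part of the original post) groups `setup.php` and `w00tw00t` probes by client IP and reports any client that sent a burst of them inside a short window. It assumes the Apache "combined" log format; the sample lines, the documentation-range IPs, the 60-second window and the threshold of 5 are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Apache "combined" log format; adjust the pattern to your LogFormat.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Paths seen in the log excerpt above: */scripts/setup.php and the w00tw00t marker.
PROBE = re.compile(r'/scripts/setup\.php(\?|$)|^/w00tw00t\.', re.I)
# The two User-Agent strings the post reports.
SCANNER_UA = re.compile(r'\b(ZmEu|Jorgee)\b')

def find_scans(lines, window=timedelta(seconds=60), threshold=5):
    """Return {ip: summary} for clients with >= threshold probes inside `window`."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or not PROBE.search(m['path']):
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        hits[m['ip']].append((ts, int(m['status']), m['ua']))
    report = {}
    for ip, events in hits.items():
        events.sort(key=lambda e: e[0])
        best = start = 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            report[ip] = {
                'probes': len(events),
                'burst': best,
                'known_ua': any(SCANNER_UA.search(ua) for _, _, ua in events),
                # A 200 means a probed path actually exists and needs a look.
                'found': sum(1 for _, status, _ in events if status == 200),
            }
    return report

def _line(ip, sec, path, status, ua):
    return (f'{ip} - - [12/Mar/2017:04:10:{sec:02d} +0900] '
            f'"GET {path} HTTP/1.1" {status} 209 "-" "{ua}"')

# Constructed sample: one scanner burst and one ordinary visitor with a single stray hit.
SAMPLE = (
    [_line('192.0.2.10', 0, '/w00tw00t.at.blackhats.romanian.anti-sec:)', 404, 'ZmEu')]
    + [_line('192.0.2.10', i + 1, f'/{d}/scripts/setup.php', 404, 'ZmEu')
       for i, d in enumerate(['admin', 'pma', 'phpmyadmin', 'mysql', 'dbadmin'])]
    + [_line('198.51.100.7', 30, '/index.html', 200, 'Mozilla/5.0'),
       _line('198.51.100.7', 31, '/scripts/setup.php', 404, 'Mozilla/5.0')])
```

A non-zero `found` count is the case worth acting on first, since it means one of the probed paths returned 200 on this server.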