If so, then where is it installed on your publicly accessible website? If the location is the one the documentation tells you not to use, or another popular location, you can easily become open to attack. The following are Apache logs of a simple scan looking for a potential security hole on a client's new public IP address.
My advice is never to have phpMyAdmin accessible by default. Use HTTP authentication, firewall rules and additional security practices together to protect every level of access to your data.
78.111.81.180 - - [02/Feb/2011:05:29:24 -0500] "GET //phpmyadmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:24 -0500] "GET //phpMyAdmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:24 -0500] "GET //pma/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:24 -0500] "GET //dbadmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:25 -0500] "GET //myadmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:25 -0500] "GET //phppgadmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:26 -0500] "GET //PMA/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:26 -0500] "GET //admin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:26 -0500] "GET //MyAdmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
If you are an administrator, 78.111.81.180 should be added to your blacklist permanently.
I should also state that I do not use phpMyAdmin on public servers; also note the 401 response.
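As an added example (not part of the original post), a small Python script that parses Apache combined-format lines like the ones above and flags any client that probes several admin-tool locations within a short window. The sample log is constructed from the post's entries plus an ordinary client at 192.0.2.10, and the function and constant names are my own; matching on the probe burst rather than the "Made by ZmEu" User-Agent string matters because a scanner can send any User-Agent it likes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(  # Apache "combined" format, as in the entries quoted in the post
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Admin-tool locations probed in the post's log (lower-cased for matching).
ADMIN_PATHS = {"/phpmyadmin/", "/pma/", "/dbadmin/", "/myadmin/", "/phppgadmin/", "/admin/"}

# Constructed sample: a scanner burst plus one ordinary client that hits /admin/ once.
SAMPLE_LOG = """\
78.111.81.180 - - [02/Feb/2011:05:29:24 -0500] "GET //phpmyadmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:24 -0500] "GET //phpMyAdmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:25 -0500] "GET //pma/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
192.0.2.10 - - [02/Feb/2011:05:29:40 -0500] "GET /admin/ HTTP/1.1" 401 290 "-" "Mozilla/5.0"
78.111.81.180 - - [02/Feb/2011:05:29:26 -0500] "GET //dbadmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
"""

def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Collapse "//phpMyAdmin/" and "/PMA/" to one canonical form.
    rec["path"] = "/" + rec["path"].lstrip("/").lower()
    return rec

def find_scanners(lines, min_paths=3, window=timedelta(seconds=60)):
    """Map IP -> admin paths for clients that probed at least `min_paths`
    distinct admin locations within `window`, whatever their User-Agent."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in ADMIN_PATHS:
            by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            burst = {r["path"] for r in recs[i:] if r["ts"] - first["ts"] <= window}
            if len(burst) >= min_paths:
                hits[ip] = burst
                break
    return hits
```

Feed it `access.log` line by line and it returns only the scanner IP with the three distinct locations it probed; the single `/admin/` request from 192.0.2.10 stays below the threshold.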
Anse says
Can confirm that. The error log on heidisql.com is full of such hacking attempts. So, hackers: you can stop trying, I have no pma installed, at no location. Seriously. Hm..
Peter Laursen says
Blocking IPs is sometimes problematic. I think that most US people do not realize that in places outside the US (like most of Europe) 'fixed IPs' are a rarity for personal and small-business Internet accounts.
1) An intruder or spammer can simply renew his IP ("ipconfig /renew" in Windows). So the next time he tries he will have another IP, and another person could be hit by the firewall rule tomorrow. Besides, intruders will not use their own trackable IP, but connect through a generic proxy.
2) Blocking an IP may block a complete organization, for instance a complete university that operates a single gateway. Is that what you want?
I generally only block IPs when
1) an urgency occurs and I have no better solution
2) the same IP has been used multiple times over some time (hours or days)
Steph says
WTF?
Who permits public access to a back office administration tool??
This kind of scanning is also really ordinary. Fail2Ban is your friend!
SSH Port Forward says
That’s why I access phpmyadmin via an ssh-forwarded port. I have an apache vhost for phpmyadmin listening on 127.0.0.1:X, where X is some free port, then I open an ssh connection and forward my localhost’s X to the remote server’s X, and then point my browser to 127.0.0.1:X. For additional security, I have ssh on something other than port 22, allow only pubkey authentication, and still use the phpmyadmin cookie-based auth.
georgian says
Not only 78.111.81.180.
This is a list of all requests (for me) from this computer (MAC=4c:ed:de:4f:c0:b4).
If you want, test the MAC address for 78.111.81.180 in /var/log/syslog.
tronicum says
It is true that you should not have phpMyAdmin and the like on public servers, or only heavily secured.
I do not agree, though, with your proposal to block static IPs. This is just a hacked server or client (maybe even part of a botnet). It is not worth changing your configuration on the waves of some misguided or badly configured clients.