Do you use PHPMyAdmin?

If so, where is it installed on your publicly accessible website? If it sits in the location the documentation tells you not to use, or in one of the other popular locations, you can easily become open to attack. The following Apache log entries record a simple hacker probe for a potential security hole on a client's new public IP address.

My advice is never to leave PHPMyAdmin accessible by default. Use HTTP authentication, firewall rules and additional security practices together to protect every level of access to your data.

78.111.81.180 - - [02/Feb/2011:05:29:24 -0500] "GET //phpmyadmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:24 -0500] "GET //phpMyAdmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:24 -0500] "GET //pma/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:24 -0500] "GET //dbadmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:25 -0500] "GET //myadmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:25 -0500] "GET //phppgadmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:26 -0500] "GET //PMA/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:26 -0500] "GET //admin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:26 -0500] "GET //MyAdmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

If you are an administrator, 78.111.81.180 should be added to your blacklist permanently.
I should also state that I do not use PHPMyAdmin on public servers, and note that every one of these requests received a 401 (authentication required) response.
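As an added example (not part of the original post), the detection one would run over the log lines above: parse Apache combined-format entries and flag any client that probes several distinct admin-tool directories within a short window. The sample log is a constructed copy of the post's entries plus one ordinary request; the path list and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample: copies of the probes shown in the post plus one
# ordinary request, in Apache combined log format.
SAMPLE_LOG = """\
78.111.81.180 - - [02/Feb/2011:05:29:24 -0500] "GET //phpmyadmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:24 -0500] "GET //phpMyAdmin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:24 -0500] "GET //pma/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
78.111.81.180 - - [02/Feb/2011:05:29:26 -0500] "GET //admin/ HTTP/1.1" 401 290 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.0.113.7 - - [02/Feb/2011:05:30:01 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# First path segments the post's scanner tried, normalised to lower case (assumed list).
ADMIN_PATHS = {"phpmyadmin", "pma", "dbadmin", "myadmin", "phppgadmin", "admin"}

def parse_line(line):
    # Parse one combined-format line into a dict, or None if it does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_admin_probe(rec):
    # Strip the leading slashes (the scanner used "//") and test the first segment.
    first = rec["path"].lstrip("/").split("/")[0].lower()
    return first in ADMIN_PATHS

def find_scanners(log_text, min_paths=3, window_seconds=60):
    """Map IP -> sorted distinct admin paths for IPs that probed at least
    min_paths distinct admin locations within window_seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_admin_probe(rec):
            events[rec["ip"]].append((rec["ts"], rec["path"].lstrip("/")))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            window = {p for t, p in evs[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(window) >= min_paths:
                hits[ip] = sorted(window)
                break
    return hits
```

The distinct-path count, rather than a single user-agent string, is what makes this useful: the same probe pattern from a tool that spoofs a browser user agent is still caught.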

Comments

  1. says

    Can confirm that. The error log on heidisql.com is full of such hacking attempts. So, hackers: you can stop trying, I have no pma installed, at no location. Seriously. Hm..

  2. says

    Blocking IPs is sometimes problematic. I think that most US people do not realize that in places outside the US (like most of Europe) 'fixed IPs' are a rarity for personal and small-business Internet accounts.

    1) An intruder or spammer can simply renew his IP ("ipconfig /renew" in Windows). So the next time he tries he will have another IP, and another person could be hit by the firewall rule tomorrow. Besides, intruders will not use their own trackable IP, but connect through a generic proxy.

    2) Blocking an IP may block a complete organization, for instance a complete university that operates a single gateway. Is that what you want?

    I generally only block IPs when
    1) an emergency occurs and I have no better solution
    2) the same IP has been used multiple times over some time (hours or days)

  3. Steph says

    WTF?
    Who permits public access to a back office administration tool??

    This kind of scanning is also really ordinary. Fail2Ban is your friend!

  4. SSH Port Forward says

    That’s why I access phpmyadmin via an ssh-forwarded port. I have an apache vhost for phpmyadmin listening on 127.0.0.1:X, where X is some free port, then I open an ssh connection and forward my localhost’s X to the remote server’s X, and then point my browser to 127.0.0.1:X. For additional security, I have ssh on something other than port 22, allow only pubkey authentication, and still use the phpmyadmin cookie-based auth.

  5. georgian says

    Not only 78.111.81.180.

    This is a list of all requests (to me) from this computer (MAC=4c:ed:de:4f:c0:b4).
    If you want, test the MAC address for 78.111.81.180 in /var/log/syslog.

  6. tronicum says

    It is true that you should not have phpmyadmin and the like on public servers, or only heavily secured.

    I do not agree, though, that you propose to block static IPs. This is just a hacked server or client (maybe even part of a botnet). It is not worth changing your configuration on the waves of some misguided or badly configured clients.

Trackbacks

  1. When creating a mySQL database, is it more practical to just use phpmyadmin?…

    You should always learn the CLI way of all commands. As your system grows in size, it's impossible to automate human driven mouse movements, but it is possible to automate scripts. Also, be sure you carefully secure PHPMyAdmin if the server is publi…