If you’ve ever heard the term ‘script kiddies’ used and wondered what it meant, here’s an example from my life today that partially explains the term.

All the log below means is that the same user from IP 62.193.224.15 (which returns a French origin) kept trying to execute a wide variety of programs intended to manage a database that may or may not be sitting on my server.

In other words, they are trying to guess where I have certain management programs and if I was dumb enough to leave the install file on the server.

Fortunately, none of these programs were sitting there waiting for 62.193.224.15 to come along, but if they had been, he/she could have installed a program that would have given him/her instant access to all the databases running on this server (well, could have before I blacklisted their IP).

Nothing really new here, but it’s interesting to see the variety of spelling and filenames the attacker was using to initiate a program install. This list is probably floating around some blackhat message board somewhere that people can pick up and try out on their own. Thus the term: script kiddie.

If you do happen to install phpMyAdmin on a publicly visible server, make sure you do it on a domain that allows only whitelisted IPs you trust. In other words, if you want to run phpMyAdmin to manage the domain ‘pizzalover.com’ then install phpMyAdmin on something like ‘db.pizzalover.net’ and set the .htaccess file to allow only from your IPs.

-----

Here’s the raw access log of a server I just moved a particular domain to:


62.193.224.15 - - [10/Oct/2011:14:10:19 -0400] "GET /muieblackcat HTTP/1.1" 301 480 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:20 -0400] "GET //scripts/setup.php HTTP/1.1" 301 488 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:20 -0400] "GET //admin/scripts/setup.php HTTP/1.1" 301 498 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:20 -0400] "GET //admin/pma/scripts/setup.php HTTP/1.1" 301 504 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:20 -0400] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 301 514 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:21 -0400] "GET //db/scripts/setup.php HTTP/1.1" 301 493 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:21 -0400] "GET //dbadmin/scripts/setup.php HTTP/1.1" 301 501 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:21 -0400] "GET //myadmin/scripts/setup.php HTTP/1.1" 301 501 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:21 -0400] "GET //mysql/scripts/setup.php HTTP/1.1" 301 498 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:22 -0400] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 301 507 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:22 -0400] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 301 516 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:22 -0400] "GET //phpadmin/scripts/setup.php HTTP/1.1" 301 502 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:22 -0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 301 506 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:23 -0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 301 506 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:23 -0400] "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 301 507 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:23 -0400] "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 301 508 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:23 -0400] "GET //pma/scripts/setup.php HTTP/1.1" 301 494 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:24 -0400] "GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1" 301 513 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:24 -0400] "GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 301 516 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:24 -0400] "GET //web/scripts/setup.php HTTP/1.1" 301 495 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:24 -0400] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 301 509 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:24 -0400] "GET //websql/scripts/setup.php HTTP/1.1" 301 500 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:25 -0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 301 506 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:25 -0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 301 506 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:25 -0400] "GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1" 301 511 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:25 -0400] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 301 509 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:26 -0400] "GET //phpMyAdmin-2.2.3/scripts/setup.php HTTP/1.1" 301 517 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:26 -0400] "GET //phpMyAdmin-2.2.6/scripts/setup.php HTTP/1.1" 301 518 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:26 -0400] "GET //phpMyAdmin-2.5.1/scripts/setup.php HTTP/1.1" 301 518 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:26 -0400] "GET //phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.1" 301 518 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:27 -0400] "GET //phpMyAdmin-2.5.5-rc1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:27 -0400] "GET //phpMyAdmin-2.5.5-rc2/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:27 -0400] "GET //phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.1" 301 518 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:27 -0400] "GET //phpMyAdmin-2.5.5-pl1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:28 -0400] "GET //phpMyAdmin-2.5.6-rc1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:28 -0400] "GET //phpMyAdmin-2.5.6-rc2/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:28 -0400] "GET //phpMyAdmin-2.5.6/scripts/setup.php HTTP/1.1" 301 519 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:28 -0400] "GET //phpMyAdmin-2.5.7/scripts/setup.php HTTP/1.1" 301 519 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:29 -0400] "GET //phpMyAdmin-2.5.7-pl1/scripts/setup.php HTTP/1.1" 301 526 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:29 -0400] "GET //phpMyAdmin-2.6.0-alpha/scripts/setup.php HTTP/1.1" 301 528 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:29 -0400] "GET //phpMyAdmin-2.6.0-alpha2/scripts/setup.php HTTP/1.1" 301 530 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:29 -0400] "GET //phpMyAdmin-2.6.0-beta1/scripts/setup.php HTTP/1.1" 301 528 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:30 -0400] "GET //phpMyAdmin-2.6.0-beta2/scripts/setup.php HTTP/1.1" 301 528 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:30 -0400] "GET //phpMyAdmin-2.6.0-rc1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:30 -0400] "GET //phpMyAdmin-2.6.0-rc2/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:30 -0400] "GET //phpMyAdmin-2.6.0-rc3/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:31 -0400] "GET //phpMyAdmin-2.6.0/scripts/setup.php HTTP/1.1" 301 518 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:31 -0400] "GET //phpMyAdmin-2.6.0-pl1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:31 -0400] "GET //phpMyAdmin-2.6.0-pl2/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:31 -0400] "GET //phpMyAdmin-2.6.0-pl3/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:31 -0400] "GET //phpMyAdmin-2.6.1-rc1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:32 -0400] "GET //phpMyAdmin-2.6.1-rc2/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:32 -0400] "GET //phpMyAdmin-2.6.1/scripts/setup.php HTTP/1.1" 301 518 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:32 -0400] "GET //phpMyAdmin-2.6.1-pl1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:32 -0400] "GET //phpMyAdmin-2.6.1-pl2/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:33 -0400] "GET //phpMyAdmin-2.6.1-pl3/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:33 -0400] "GET //phpMyAdmin-2.6.2-rc1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:33 -0400] "GET //phpMyAdmin-2.6.2-beta1/scripts/setup.php HTTP/1.1" 301 528 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:33 -0400] "GET //phpMyAdmin-2.6.2-rc1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:34 -0400] "GET //phpMyAdmin-2.6.2/scripts/setup.php HTTP/1.1" 301 518 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:34 -0400] "GET //phpMyAdmin-2.6.2-pl1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:34 -0400] "GET //phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1" 301 519 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:34 -0400] "GET //phpMyAdmin-2.6.3-rc1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:35 -0400] "GET //phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1" 301 519 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:35 -0400] "GET //phpMyAdmin-2.6.3-pl1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:35 -0400] "GET //phpMyAdmin-2.6.4-rc1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:35 -0400] "GET //phpMyAdmin-2.6.4-pl1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:36 -0400] "GET //phpMyAdmin-2.6.4-pl2/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:36 -0400] "GET //phpMyAdmin-2.6.4-pl3/scripts/setup.php HTTP/1.1" 301 526 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:36 -0400] "GET //phpMyAdmin-2.6.4-pl4/scripts/setup.php HTTP/1.1" 301 526 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:36 -0400] "GET //phpMyAdmin-2.6.4/scripts/setup.php HTTP/1.1" 301 519 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:37 -0400] "GET //phpMyAdmin-2.7.0-beta1/scripts/setup.php HTTP/1.1" 301 528 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:37 -0400] "GET //phpMyAdmin-2.7.0-rc1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:37 -0400] "GET //phpMyAdmin-2.7.0-pl1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:37 -0400] "GET //phpMyAdmin-2.7.0-pl2/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:38 -0400] "GET //phpMyAdmin-2.7.0/scripts/setup.php HTTP/1.1" 301 518 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:38 -0400] "GET //phpMyAdmin-2.8.0-beta1/scripts/setup.php HTTP/1.1" 301 528 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:38 -0400] "GET //phpMyAdmin-2.8.0-rc1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:38 -0400] "GET //phpMyAdmin-2.8.0-rc2/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:38 -0400] "GET //phpMyAdmin-2.8.0/scripts/setup.php HTTP/1.1" 301 518 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:39 -0400] "GET //phpMyAdmin-2.8.0.1/scripts/setup.php HTTP/1.1" 301 521 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:39 -0400] "GET //phpMyAdmin-2.8.0.2/scripts/setup.php HTTP/1.1" 301 521 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:39 -0400] "GET //phpMyAdmin-2.8.0.3/scripts/setup.php HTTP/1.1" 301 522 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:39 -0400] "GET //phpMyAdmin-2.8.0.4/scripts/setup.php HTTP/1.1" 301 522 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:40 -0400] "GET //phpMyAdmin-2.8.1-rc1/scripts/setup.php HTTP/1.1" 301 525 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:40 -0400] "GET //phpMyAdmin-2.8.1/scripts/setup.php HTTP/1.1" 301 518 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:40 -0400] "GET //phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1" 301 518 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:40 -0400] "GET //sqlmanager/scripts/setup.php HTTP/1.1" 301 506 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:41 -0400] "GET //mysqlmanager/scripts/setup.php HTTP/1.1" 301 510 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:41 -0400] "GET //p/m/a/scripts/setup.php HTTP/1.1" 301 497 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:41 -0400] "GET //PMA2005/scripts/setup.php HTTP/1.1" 301 504 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:41 -0400] "GET //pma2005/scripts/setup.php HTTP/1.1" 301 503 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:42 -0400] "GET //phpmanager/scripts/setup.php HTTP/1.1" 301 505 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:42 -0400] "GET //php-myadmin/scripts/setup.php HTTP/1.1" 301 508 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:42 -0400] "GET //phpmy-admin/scripts/setup.php HTTP/1.1" 301 508 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:42 -0400] "GET //webadmin/scripts/setup.php HTTP/1.1" 301 503 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:43 -0400] "GET //sqlweb/scripts/setup.php HTTP/1.1" 301 500 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:43 -0400] "GET //websql/scripts/setup.php HTTP/1.1" 301 500 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:43 -0400] "GET //webdb/scripts/setup.php HTTP/1.1" 301 498 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:43 -0400] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 301 507 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:44 -0400] "GET //mysql-admin/scripts/setup.php HTTP/1.1" 301 509 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:44 -0400] "GET //databaseadmin/scripts/setup.php HTTP/1.1" 301 511 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:44 -0400] "GET //admm/scripts/setup.php HTTP/1.1" 301 496 "-" "-"
62.193.224.15 - - [10/Oct/2011:14:10:44 -0400] "GET //admn/scripts/setup.php HTTP/1.1" 301 496 "-" "-"
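
The scan pattern in the log above, turned into a detection check over Apache combined-format lines. This is an added example, not code from the original post; the thresholds (`min_paths`, `window`) are assumptions, and the sample lines are constructed with RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: host ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Probe targets taken from the log above: the setup script and the first request.
PROBE_RE = re.compile(r'/scripts/setup\.php$|/muieblackcat$', re.IGNORECASE)

def find_scanners(lines, min_paths=10, window=timedelta(seconds=60)):
    """Flag IPs requesting >= min_paths distinct probe paths inside `window`.
    'served' lists probe paths answered with 200, i.e. the file was really there."""
    hits = defaultdict(list)  # ip -> [(time, path, status)]
    for line in lines:
        m = LINE_RE.match(line)
        if m and PROBE_RE.search(m["path"].split("?", 1)[0]):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["ip"]].append((ts, m["path"], int(m["status"])))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide window start forward
                start += 1
            if len({p for _, p, _ in events[start:end + 1]}) >= min_paths:
                flagged[ip] = {
                    "paths": sorted({p for _, p, _ in events}),
                    "served": sorted({p for _, p, s in events if s == 200}),
                }
                break
    return flagged

# Constructed sample: one scanner walking a directory list, one ordinary visitor.
DIRS = ["admin", "db", "dbadmin", "myadmin", "mysql", "mysqladmin",
        "phpadmin", "phpMyAdmin", "phpmyadmin", "pma", "websql", "webdb"]
SAMPLE = [
    f'203.0.113.7 - - [10/Oct/2011:14:10:{20 + i:02d} -0400] '
    f'"GET //{d}/scripts/setup.php HTTP/1.1" 301 500 "-" "-"'
    for i, d in enumerate(DIRS)
] + [
    '198.51.100.20 - - [10/Oct/2011:14:11:02 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Oct/2011:14:11:05 -0400] "GET /pma/scripts/setup.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_scanners(SAMPLE))
```

A non-empty `served` list is the case that needs immediate attention: the scan itself is background noise, but a 200 on one of these paths means a setup script is actually reachable.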
