Textpattern CMS support forum

#1 2011-05-27 11:41:49

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,091

is this an attack?

I have a number (6) of these (all at 10.23am but different IPs, all Canadian) in my logs. Is it an attack? Should I do something about it?

→ 184.107.132.218 	27 May 			Canada
→/events//xmlsrv/xmlrpc.php 	10:23 	 
→/events/ 	  	 
→//xmlsrv/xmlrpc.php 	  	 

→ 64.15.147.90 	27 May 			Canada
→/events//xmlsrv/xmlrpc.php 	10:23 	 
→/events/ 	  	 
→//xmlsrv/xmlrpc.php

Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

#2 2011-05-27 13:35:16

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: is this an attack?

Meh, random misc, possibly script-kiddie, request. You should get them all the time. If you want to increase the list of random banned IPs and save bandwidth, block the IPs, or don’t do anything special from the usual.

I would just go and take a cup of coffee, or a glass of water, whichever rocks your boat, and continue normal life by keeping software up-to-date and taking frequent backups.

is this an attack?

Fishing.

Last edited by Gocom (2011-05-27 13:37:45)

#3 2011-05-28 01:00:09

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,091

Re: is this an attack?

Gocom wrote:

Meh, random misc, possibly script-kiddie, request.

… Cool:) I’ll let them play then:) Thanks Jukka.


Yiannis

#4 2011-06-06 08:23:20

candyman
Member
From: Italy
Registered: 2006-08-08
Posts: 684

Re: is this an attack?

Today I’ve discovered this in the admin/access page:

05 giu 2011 07:31:16 xxxxxx.hu /phpmyadmin1/scripts/setup.php
05 giu 2011 07:31:16 xxxxxx.hu /phpmyadmin2/scripts/setup.php
05 giu 2011 07:31:16 xxxxxx.hu /pma/scripts/setup.php
05 giu 2011 07:31:16 xxxxxx.hu /web/phpMyAdmin/scripts/setup.php
05 giu 2011 07:31:17 xxxxxx.hu /xampp/phpmyadmin/scripts/setup.php
05 giu 2011 07:31:15 xxxxxx.hu /phpmyadmin/scripts/setup.php
05 giu 2011 07:31:15 xxxxxx.hu /phpadmin/scripts/setup.php
05 giu 2011 07:31:15 xxxxxx.hu /phpMyAdmin/scripts/setup.php
05 giu 2011 07:31:14 xxxxxx.hu /typo3/phpmyadmin/scripts/setup.php
05 giu 2011 07:31:14 xxxxxx.hu /mysqladmin/scripts/setup.php
05 giu 2011 07:31:14 xxxxxx.hu /mysql/scripts/setup.php
05 giu 2011 07:31:13 xxxxxx.hu /myadmin/scripts/setup.php

is this an attack?

In that case: how can I block this IP for the future?

Many thanks!

#5 2011-06-06 10:08:36

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,091

Re: is this an attack?

Hi Alessandro

It’s a hacking attempt. As you don’t know if the IP is static or dynamic, there is no reason to block it, but should you want to block it anyway, add

Order Allow,Deny
Deny from xx.xx.xx.xx
Deny from xxx.xxx.xxx.xxx
# etc. (one Deny line per address)
Allow from all

in your .htaccess file.


Yiannis

#6 2011-06-06 11:38:21

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: is this an attack?

Don’t block it. Just make sure your PHPMyAdmin software is up-to-date.

#7 2011-06-06 21:58:25

JimJoe
Member
From: United States
Registered: 2010-01-30
Posts: 573

Re: is this an attack?

My domain page ‘not found’ checker shows someone out there looking for dlls, word docs, music files. I just ignore them. Although, on one site I put I have music files. So that type of search dropped off.

#8 2011-06-12 20:23:48

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,260

Re: is this an attack?

ruud wrote:

Don’t block it. Just make sure your PHPMyAdmin software is up-to-date.

Also: don’t have it located in some obviously-named directory (/phpmyadmin, /pma, etc), flip the folder & file permissions to 000 when it’s not being used and rename your config file so it won’t work. Simple things, but they’re all useful measures against opportunist scumbags.

#9 2011-06-13 14:16:15

masa
Member
From: Asturias, Spain
Registered: 2005-11-25
Posts: 1,091

Re: is this an attack?

All of the hosts I use have PHPMyAdmin installed in a more secure location where you need to log in; just ask them.
You shouldn’t need to install it in your own publicly accessible web root at all.
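
Added example, not written by any poster in this thread: a Python script that tells a probe burst like the ones logged above apart from ordinary traffic, by flagging hosts that request several distinct setup.php or xmlrpc.php paths within a few seconds. The "date time host path" log format, the host names, the thresholds and the function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in "date time host path" form; hosts are placeholders.
SAMPLE_LOG = """\
2011-06-05 07:31:13 scanner.example /myadmin/scripts/setup.php
2011-06-05 07:31:14 scanner.example /mysql/scripts/setup.php
2011-06-05 07:31:14 scanner.example /typo3/phpmyadmin/scripts/setup.php
2011-06-05 07:31:15 scanner.example /phpMyAdmin/scripts/setup.php
2011-06-05 07:31:16 scanner.example /pma/scripts/setup.php
2011-06-05 07:40:02 reader.example /events/
2011-06-05 07:41:10 reader.example /events//xmlsrv/xmlrpc.php
2011-06-05 09:15:00 reader.example /phpmyadmin/scripts/setup.php
"""

# Probe targets seen in this thread: phpMyAdmin's setup script and xmlrpc.php.
PROBE = re.compile(r"/(scripts/setup|xmlrpc)\.php$", re.IGNORECASE)

def parse(log_text):
    """Yield (timestamp, host, normalised path) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        when = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        # Collapse repeated slashes so //xmlsrv/... and /xmlsrv/... compare equal.
        yield when, parts[2], re.sub(r"/{2,}", "/", parts[3])

def find_scanners(log_text, min_paths=4, window=timedelta(seconds=10)):
    """Return {host: sorted probe paths} for hosts that requested at least
    min_paths distinct probe paths inside one sliding time window."""
    hits = defaultdict(list)
    for when, host, path in parse(log_text):
        if PROBE.search(path):
            hits[host].append((when, path))
    flagged = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = {p for t, p in events[i:] if t - start <= window}
            if len(burst) >= min_paths:
                flagged[host] = sorted(burst)
                break
    return flagged

if __name__ == "__main__":
    for host, paths in find_scanners(SAMPLE_LOG).items():
        print(host, "probed", len(paths), "paths:", ", ".join(paths))
```

A flagged host is a reason to check that nothing answers at those paths, in line with the advice in the replies above.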
