Web Admins - How common is this? [NA]

[CJones]

I know there are several web admins/gurus on here. I am slowly working my way into that realm. I have been poking around the server setup at my new job to get a feel for how everything is set up so I can make it better.

I was looking through the Apache logs and came across this:

213.112.14.175 - - [30/May/2008:14:36:30 -0500] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 223
213.112.14.175 - - [30/May/2008:14:36:31 -0500] "GET /phpMyAdmin-2.5.7/main.php HTTP/1.0" 404 223
213.112.14.175 - - [30/May/2008:14:36:31 -0500] "GET /phpMyAdmin-2.5.7-pl1/main.php HTTP/1.0" 404 227
213.112.14.175 - - [30/May/2008:14:36:31 -0500] "GET /phpMyAdmin-2.6.0-alpha/main.php HTTP/1.0" 404 229
213.112.14.175 - - [30/May/2008:14:36:32 -0500] "GET /phpMyAdmin-2.6.0-alpha2/main.php HTTP/1.0" 404 230
213.112.14.175 - - [30/May/2008:14:36:32 -0500] "GET /phpMyAdmin-2.6.0-beta1/main.php HTTP/1.0" 404 229
213.112.14.175 - - [30/May/2008:14:36:32 -0500] "GET /phpMyAdmin-2.6.0-beta2/main.php HTTP/1.0" 404 229
213.112.14.175 - - [30/May/2008:14:36:33 -0500] "GET /phpMyAdmin-2.6.0-rc1/main.php HTTP/1.0" 404 227
213.112.14.175 - - [30/May/2008:14:36:33 -0500] "GET /phpMyAdmin-2.6.0-rc2/main.php HTTP/1.0" 404 227
213.112.14.175 - - [30/May/2008:14:36:33 -0500] "GET /phpMyAdmin-2.6.0-rc3/main.php HTTP/1.0" 404 227
213.112.14.175 - - [30/May/2008:14:36:34 -0500] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 223
213.112.14.175 - - [30/May/2008:14:36:34 -0500] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 404 227
213.112.14.175 - - [30/May/2008:14:36:35 -0500] "GET /phpMyAdmin-2.6.0-pl2/main.php HTTP/1.0" 404 227
213.112.14.175 - - [30/May/2008:14:36:35 -0500] "GET /phpMyAdmin-2.6.0-pl3/main.php HTTP/1.0" 404 227
213.112.14.175 - - [30/May/2008:14:36:35 -0500] "GET /phpMyAdmin-2.6.1-rc1/main.php HTTP/1.0" 404 227
213.112.14.175 - - [30/May/2008:14:36:36 -0500] "GET /phpMyAdmin-2.6.1-rc2/main.php HTTP/1.0" 404 227
213.112.14.175 - - [30/May/2008:14:36:36 -0500] "GET /phpMyAdmin-2.6.1/main.php HTTP/1.0" 404 223
213.112.14.175 - - [30/May/2008:14:36:36 -0500] "GET /phpMyAdmin-2.6.1-pl1/main.php HTTP/1.0" 404 227
213.112.14.175 - - [30/May/2008:14:36:37 -0500] "GET /phpMyAdmin-2.6.1-pl2/main.php HTTP/1.0" 404 227
213.112.14.175 - - [30/May/2008:14:36:37 -0500] "GET /phpMyAdmin-2.6.1-pl3/main.php HTTP/1.0" 404 227
213.112.14.175 - - [30/May/2008:14:36:37 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 227
213.112.14.175 - - [30/May/2008:14:36:38 -0500] "GET /phpMyAdmin-2.6.2-beta1/main.php HTTP/1.0" 404 229
213.112.14.175 - - [30/May/2008:14:36:38 -0500] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 404 227
213.112.14.175 - - [30/May/2008:14:36:38 -0500] "GET /phpMyAdmin-2.6.2/main.php HTTP/1.0" 404 223

That is just a snippet of a LARGE .log file of similar activity. To my highly untrained eye, it looks like someone is running a bot in attempt to get some mysql settings info by trying to directly d/l every possible directory structure. Unfortunately for them, we have nearly nothing on this server (one SQL05 table) with useless information.

My question is this: Is this a daily occurance for web servers? Or should I investigate further? Just curious how common this is.

 

[TMetzinger]

Certainly looks like a bot searching for the MyAdmin control panel in all common places.

And yes, it probably is an everyday occurrence.

 

[inav8r]

It's those darn Serbian hackers again...

Who ever's doing it uses this ISP: http://www.bredbandsbolaget.se/

 

[jason]

very very common for any public facing server. Protect anything that you put online. Don't ever assume that "nobody will find it" and you'll be fine.

If that server has SSH exposed, you'll see the same thing in those logs. Brute force password attempts trying to gain access to the server that way.

 

[jesse]

They're looking for specific versions of phpmyadmin. If they found it--they'd probably already have an automated bot that would attack a vulnerability. This is just a good reminder that one really needs to keep internet facing web applications well patched.

 

[CJones]

Thanks for the info..

This is my first experience actually being able to access the back-end of a web server, so I wasn't sure if this was 'normal'. Sounds like it's an everyday occurence more or less, though.

I'll be switching from Apache to IIS 6.0 today b/c the CMS we are using only runs on IIS/ASP.NET technology (add that to LONG the list of reasons I hate it). Should be fun trying to keep everything secure. At least I get to 'learn' it without any sensitive information being stored - just usernames/passwords to a purely informational website.

 

[jason]

Thanks for the info..

This is my first experience actually being able to access the back-end of a web server, so I wasn't sure if this was 'normal'. Sounds like it's an everyday occurence more or less, though.

I'll be switching from Apache to IIS 6.0 today b/c the CMS we are using only runs on IIS/ASP.NET technology (add that to LONG the list of reasons I hate it). Should be fun trying to keep everything secure. At least I get to 'learn' it without any sensitive information being stored - just usernames/passwords to a purely informational website.

Nooooooooooooooooooooooooooooooooooooooooooo

 

[CJones]

Nooooooooooooooooooooooooooooooooooooooooooo

Ha.. I know I know.. I just started here last week, and they went 'live' with this project in January. It's a poo-poo situation most any way you look at it, but I am officially low-man on the totem pole. I predict an increase in my Crown-n-Coke consumption over the next several weeks.

 

[mikea]

Ha.. I know I know.. I just started here last week, and they went 'live' with this project in January. It's a poo-poo situation most any way you look at it, but I am officially low-man on the totem pole. I predict an increase in my Crown-n-Coke consumption over the next several weeks.

Nah. Now when you're constantly having security breaches and web pages defaced by script kiddies you can work like mad for long hours (come in at like 5 AM so the bosses see you there and think you were there all night) and the bosses will see how much work you do and you'll be set up for kudos and raises, as opposed to guys like Jesse who never do anything because it works so well because the bosses bought the right stuff.

(The preceding is a variation of my sysadmin's lament.)