Threat Level: green Handler on Duty: John Bambenek

SANS ISC: InfoSec Handlers Diary Blog - PHPMYADMIN scans InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

PHPMYADMIN scans

Published: 2009-06-26
Last Updated: 2009-06-26 00:28:03 UTC
by Mark Hofman (Version: 1)
1 comment(s)

We have received some reports (thanks Drew) of scanning for keyhandler.js which is part of PHPMyAdmin.  The PHPmyAdmin site does not specifically mention this script. Scans look as follows:

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:19 -1000] "GET HTTP/1.1 HTTP/1.1" 400 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:19 -1000] "GET /admin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:20 -1000] "GET /admin/pma/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:21 -1000] "GET /admin/phpmyadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:21 -1000] "GET /db/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:22 -1000] "GET /dbadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:22 -1000] "GET /myadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:23 -1000] "GET /mysql/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:23 -1000] "GET /mysqladmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:24 -1000] "GET /typo3/phpmyadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:24 -1000] "GET /phpadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:24 -1000] "GET /phpmyadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:25 -1000] "GET /phpMyAdmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:25 -1000] "GET /phpmyadmin1/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:26 -1000] "GET /phpmyadmin2/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:26 -1000] "GET /pma/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:27 -1000] "GET /web/phpMyAdmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"


Modsecurity or suhosin should help you out keeping this away from your installation.  PHPMyadmin should probably only be available from the internal network or limited external sources.  So for most of you this shouldn't be an issue.  If you do have some captures of what happens when there is a compromise, please use the contact form to let us know. 

 

Mark H - Shearwater

1 comment(s)
Diary Archives