
SANS ISC: PHPMYADMIN scans - SANS Internet Storm Center SANS ISC InfoSec Forums


PHPMYADMIN scans

We have received some reports (thanks Drew) of scanning for keyhandler.js, which is part of phpMyAdmin. The phpMyAdmin site does not specifically mention this script. The scans look as follows:

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:19 -1000] "GET HTTP/1.1 HTTP/1.1" 400 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:19 -1000] "GET /admin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:20 -1000] "GET /admin/pma/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:21 -1000] "GET /admin/phpmyadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:21 -1000] "GET /db/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:22 -1000] "GET /dbadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:22 -1000] "GET /myadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:23 -1000] "GET /mysql/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:23 -1000] "GET /mysqladmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:24 -1000] "GET /typo3/phpmyadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:24 -1000] "GET /phpadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:24 -1000] "GET /phpmyadmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:25 -1000] "GET /phpMyAdmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:25 -1000] "GET /phpmyadmin1/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:26 -1000] "GET /phpmyadmin2/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:26 -1000] "GET /pma/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"

aa.zzz.qqq.119 - - [24/Jun/2009:08:37:27 -1000] "GET /web/phpMyAdmin/js/keyhandler.js HTTP/1.1" 404 26 "-" "Toata dragostea mea pentru diavola"


ModSecurity or Suhosin should help keep this away from your installation. phpMyAdmin should probably only be available from the internal network or from limited external sources, so for most of you this shouldn't be an issue. If you do have some captures of what happens when there is a compromise, please use the contact form to let us know.

 

Mark H - Shearwater

Mark

392 Posts
ISC Handler
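To find this pattern in your own access logs, the following added example (not part of the original diary) flags any source that receives 404s for one file name under many different directories within a short window, which is the shape of the scan quoted above. The function names, the threshold of 5 directories and the 60-second window are assumptions chosen for illustration, and the sample lines are constructed from the entries in the diary.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache combined log format. The request field is captured whole because the
# first probe on the page ("GET HTTP/1.1 HTTP/1.1") is not a valid request line.
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')

def parse(line):
    """Parse one log line; 'path' is None when the request line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m["req"].split()
    path = parts[1] if len(parts) == 3 and parts[1].startswith("/") else None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"src": m["src"], "ts": ts, "path": path, "status": int(m["status"])}

def find_path_sweeps(lines, min_dirs=5, window=timedelta(seconds=60)):
    """Map (source, file name) -> directories for sources that received 404
    for one file name under at least min_dirs directories inside window."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["path"] and rec["status"] == 404:
            directory, _, name = rec["path"].rpartition("/")
            hits[(rec["src"], name)].append((rec["ts"], directory))
    sweeps = {}
    for key, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            dirs = {d for t, d in events[i:] if t - start <= window}
            if len(dirs) >= min_dirs:
                sweeps[key] = sorted(dirs)
                break
    return sweeps

# Constructed sample modeled on the entries quoted above, plus one benign
# client (documentation address) that requests a single missing file.
UA = "Toata dragostea mea pentru diavola"
TARGETS = ["HTTP/1.1", "/admin/js/keyhandler.js", "/admin/pma/js/keyhandler.js",
           "/admin/phpmyadmin/js/keyhandler.js", "/db/js/keyhandler.js",
           "/dbadmin/js/keyhandler.js", "/myadmin/js/keyhandler.js"]
SAMPLE = [f'aa.zzz.qqq.119 - - [24/Jun/2009:08:37:{19 + i} -1000] "GET {t} HTTP/1.1" '
          f'{404 if t.startswith("/") else 400} 26 "-" "{UA}"' for i, t in enumerate(TARGETS)]
SAMPLE.append('192.0.2.10 - - [24/Jun/2009:08:40:01 -1000] '
              '"GET /js/missing.js HTTP/1.1" 404 26 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    print(find_path_sweeps(SAMPLE))
```

Matching on the sweep pattern rather than on the user-agent string keeps the check useful if the scanner changes its user agent.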
I have at least 12 alerts in my modsecurity logs dated 23 June with one IP generating the alerts. Modsecurity blocked all of the activity, even though I don't run any PHP-based apps.
Anonymous
