This morning, when I checked my Give Back India site’s access log, I found some scripts/setup.php request attempts. In fact, not ‘some’ but hundreds of them. All requests were targeting phpMyAdmin installations on my server. Here are a few of them:
… and so on. As I said, there are hundreds of them, so I cannot list them all here.
This was a hack attempt
After Googling a bit I learned that it was part of a “phpMyAdmin PHP Code Injection Exploit” attempt. The configuration setup script (aka scripts/setup.php) in phpMyAdmin 2.11.x before 2.11.10 does not properly restrict key names in its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request. (Ref. http://www.cvedetails.com/cve/CVE-2010-3055/)
How/Why does it work?
The most common exploit against a dedicated server is a script exploit: the attacker passes variables and commands to a web script in an HTTP request (here, a crafted POST to scripts/setup.php), and the vulnerability is that the script ends up running them. In this CVE the setup script took attacker-controlled key names and wrote them, unrestricted, into the PHP configuration file it generates, so the injected text became PHP code that the server then executes.
Such an exploit normally gives the attacker non-root access: the injected code runs with the privileges of the web server (or PHP) process, not as root. At one time well-known PHP scripts such as phpMyAdmin, phpBB and AWStats were vulnerable to exploits of this kind; once a vulnerability became known, the respective community fixed it, which is why keeping these scripts updated matters. To read more about the ‘how and why’ of such exploits, here is a good source: http://forums.atjeu.com/showthread.php?t=789.
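The following is an added illustration of the bug class described above (a setup script that writes user-supplied key names into a generated PHP config file without restricting them). It is not phpMyAdmin’s code and not the actual exploit: the $cfg array, the function names, the identifier allowlist and the payload are assumptions made for the example. The vulnerable writer escapes values but trusts key names, so a key that closes the array subscript early turns the rest of the key into executable PHP; the hardened writer rejects any key that is not a plain identifier.

```python
import re

# Added illustration of the bug class behind CVE-2010-3055 (unrestricted key
# names written into a generated PHP config file). This is NOT phpMyAdmin's
# code: the $cfg array, function names and payload are assumptions.

# Allowlist for key names: a PHP-identifier-like token, nothing else.
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
# Benign shape of one generated line:  $cfg['key'] = 'value';
# (value is a single-quoted PHP string whose only escapes are \' and \\)
BENIGN_LINE_RE = re.compile(
    r"\$cfg\['[A-Za-z_][A-Za-z0-9_]{0,63}'\] = '(?:[^'\\]|\\.)*';"
)


def php_quote(value):
    """Escape a string for use inside a single-quoted PHP literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def write_config_vulnerable(settings):
    """Serialise settings to PHP, escaping values but trusting key names.

    A key such as  x']; system($_GET['c']); $y['z  closes the subscript
    early, and everything after it is emitted as live PHP code.
    """
    lines = ["<?php"]
    for key, value in settings.items():
        lines.append(f"$cfg['{key}'] = '{php_quote(value)}';")
    return "\n".join(lines) + "\n"


def write_config_hardened(settings):
    """Same serialiser, but key names must match the identifier allowlist."""
    lines = ["<?php"]
    for key, value in settings.items():
        if not KEY_RE.fullmatch(key):
            raise ValueError(f"rejected config key name: {key!r}")
        lines.append(f"$cfg['{key}'] = '{php_quote(value)}';")
    return "\n".join(lines) + "\n"


def suspicious_lines(php_source):
    """Return generated lines that are not a single plain $cfg assignment."""
    return [
        line for line in php_source.splitlines()
        if line != "<?php" and not BENIGN_LINE_RE.fullmatch(line)
    ]


if __name__ == "__main__":
    # Constructed hostile POST body: the payload travels in the field NAME,
    # which is exactly what value-only escaping does not cover.
    hostile = {
        "PmaAbsoluteUri": "http://pma.example.test/",
        "x']; system($_GET['c']); $y['z": "1",
    }
    generated = write_config_vulnerable(hostile)
    print(generated)
    print("flagged:", suspicious_lines(generated))
    try:
        write_config_hardened(hostile)
    except ValueError as err:
        print("hardened writer:", err)
```

Run it and the vulnerable writer produces the line `$cfg['x']; system($_GET['c']); $y['z'] = '1';`, which is syntactically valid PHP that calls system() on every page load once the config file is included; the hardened writer refuses the key before anything is written. The lesson for any code that generates code: validate both halves of a key/value pair against an allowlist, since escaping the value alone leaves the key as an injection point.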
How to protect yourself
Before installing or using any script, read all the reviews and feedback you can find about it. Avoid running outdated or beta scripts on a production server. Protect your private scripts and admin areas, and do not leave setup scripts such as phpMyAdmin’s scripts/setup.php reachable from the web once installation is done. Check your site’s access logs regularly and, if possible, set up an email forwarder that sends you the access logs or site errors. When you find an intruder consistently hitting your URLs, consider blocking it from accessing your server altogether.
Here are some methods you can use to block unwanted users or hosts by IP address, IP range or hostname. Place these rules in a .htaccess file in the web root folder of your website. They use the Apache 2.2 mod_authz_host syntax, and the Order directive matters: with Apache’s default Order Deny,Allow, a host that matches a deny line and also matches “allow from all” is allowed, so the deny lines would have no effect. “order allow,deny” evaluates the allow lines first and then applies the deny lines, which is what you want here. (On Apache 2.4 these directives only work with mod_access_compat loaded; the native form is “Require all granted” followed by “Require not ip 220.127.116.11” inside a <RequireAll> block.)
To block by IP address:
order allow,deny
deny from 220.127.116.11
deny from 18.104.22.168
allow from all
To block a whole range of IP addresses (a partial address is matched as a prefix; CIDR notation such as 85.114.137.0/24 also works; 192.168. is the private range and is shown only as an example):
order allow,deny
deny from 192.168.
deny from 85.114.137.
allow from all
To block an evil ISP (Internet Service Provider) by hostname. A domain name matches every host whose name ends in it. Apache performs a double reverse DNS lookup on every request once hostname rules are present, which adds latency, and a client whose IP has no matching reverse record is not caught by these lines, so prefer IP-based rules where you can:
order allow,deny
deny from some-evil-isp.com
deny from subdomain.another-evil-isp.com
allow from all
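To tie the log check to the blocking rules above, here is an added example (not from the original post) that scans an Apache access log for requests to scripts/setup.php, counts them per client IP, and emits the deny rules for the persistent offenders in both the Apache 2.2 syntax shown above and the Apache 2.4 Require syntax. The log lines are constructed for the example, with IPs from the RFC 5737 documentation ranges, and the threshold of three hits is an assumption.

```python
import re
from collections import Counter

# Added example, not from the original post. The log lines are constructed;
# the IPs are RFC 5737 documentation addresses, not real attackers.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2011:06:14:02 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2011:06:14:02 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2011:06:14:03 +0000] "POST /phpmyadmin/scripts/setup.php?x=1 HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Mar/2011:07:01:10 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2011:07:01:11 +0000] "GET /scripts/setup.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
garbage line that is not in combined log format
"""

# Apache "combined" log format, parsed up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# The phpMyAdmin setup script, whatever directory the scanner guessed.
PROBE_RE = re.compile(r"/scripts/setup\.php$", re.IGNORECASE)


def count_setup_probes(log_text):
    """Map client IP -> number of requests for scripts/setup.php."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if PROBE_RE.search(path):
            hits[m.group("ip")] += 1
    return dict(hits)


def htaccess_rules(hits, threshold=3):
    """Apache 2.2 (mod_authz_host) rules for IPs at or above threshold.

    'order allow,deny' is required: under the default Order Deny,Allow,
    'allow from all' would override every deny line.
    """
    blocked = sorted(ip for ip, n in hits.items() if n >= threshold)
    lines = ["order allow,deny", "allow from all"]
    lines += [f"deny from {ip}" for ip in blocked]
    return "\n".join(lines) + "\n"


def require_rules(hits, threshold=3):
    """The same block list in Apache 2.4 (mod_authz_core) syntax."""
    blocked = sorted(ip for ip, n in hits.items() if n >= threshold)
    body = ["    Require all granted"]
    body += [f"    Require not ip {ip}" for ip in blocked]
    return "\n".join(["<RequireAll>"] + body + ["</RequireAll>"]) + "\n"


if __name__ == "__main__":
    hits = count_setup_probes(SAMPLE_LOG)
    print(hits)
    print(htaccess_rules(hits))
    print(require_rules(hits))
```

The status code is deliberately ignored when counting: a 404 only means the probe found nothing at that path, and the signal you want is that a client is scanning for the script at all. Point the scanner at your real log (for example by reading the file into count_setup_probes) and review the emitted list before appending it to .htaccess, since a shared proxy or a legitimate security scan would be blocked just the same.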
Thanks to a good article on blocking internet attackers and leeches by John, here: http://blamcast.net/articles/block-bots-hotlinking-ban-ip-htaccess.
I hope this post helps many.
Hello Friends, I’m Arvind Kumar, founder of Inimist Technologies, Inimist Academy, The Fundabook and many more. I am a Full Stack Web Developer and Programmer by heart, and a Hindi/English blogger by chance. I build Web and Mobile Application around React, VueJS, NodeJS and PHP frameworks.