[User-Agent] making repeated requests to various phpMyAdmin URLs without a User-Agent string #546

Open
2 of 5 tasks
arhyneRWU opened this issue Jan 3, 2024 · 0 comments
Labels
Bots / User-Agents Bots to be checked for additions


Paste the full User-Agent String here

(no User-Agent string was provided in the logs)

Is this for Addition / Removal?

  • Addition
  • Removal
  • Keep a watch on this one

Did the User-Agent request robots.txt first?

  • Yes
  • No

Post Log Excerpt to show User-Agent behavior (10-20 lines is enough)

49.232.133.229 - - [03/Jan/2024:03:12:57 -0500] "GET http://40.121.23.143:80/myadmin/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:12:57 -0500] "GET http://40.121.23.143:80/MyAdmin/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:12:59 -0500] "GET http://40.121.23.143:80/PHPMYADMIN/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:12:59 -0500] "GET http://40.121.23.143:80/mysqladmin/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:13:00 -0500] "GET http://40.121.23.143:80/SQL/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:03 -0500] "GET http://40.121.23.143:80/phpMyAdmin-2.5.5-pl1/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:04 -0500] "GET http://40.121.23.143:80/phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:05 -0500] "GET http://40.121.23.143:80/phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:05 -0500] "GET http://40.121.23.143:80/phpMyAdmin-2.5.7-pl1/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:06 -0500] "GET http://40.121.23.143:80/admin/pma/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:06 -0500] "GET http://40.121.23.143:80/phpMyAdmin-2/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:07 -0500] "GET http://40.121.23.143:80/web/phpMyAdmin/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:07 -0500] "GET http://40.121.23.143:80/webadmin/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:09 -0500] "GET http://40.121.23.143:80/admin/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:09 -0500] "GET http://40.121.23.143:80/dbadmin/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:10 -0500] "GET http://40.121.23.143:80/mysql/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:10 -0500] "GET http://40.121.23.143:80/phpMyAdmin2/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:11 -0500] "GET http://40.121.23.143:80/phpma/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:11 -0500] "GET http://40.121.23.143:80/sqlweb/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:12 -0500] "GET http://40.121.23.143:80/webdb/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:13 -0500] "GET http://40.121.23.143:80/websql/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:13 -0500] "GET http://40.121.23.143:80/_phpMyAdmin/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:14 -0500] "GET http://40.121.23.143:80/php/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:14 -0500] "GET http://40.121.23.143:80/admin/phpmyadmin/scripts/setup.txt HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:15 -0500] "GET http://40.121.23.143:80/db/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:15 -0500] "GET http://40.121.23.143:80/sqlmanager/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"
49.232.133.229 - - [03/Jan/2024:03:14:16 -0500] "GET http://40.121.23.143:80/mysqlmanager/scripts/setup.php HTTP/1.0" 301 186 "-" "-" "-"

Additional information

The source IP (49.232.133.229) is making repeated requests to various phpMyAdmin URLs without a User-Agent string. This behavior is indicative of a malicious bot or automated script and not of a regular user or benign crawler. The lack of a User-Agent string and the specific targeting of phpMyAdmin setup files are concerning and suggest the IP should be added to a blocklist.

@arhyneRWU arhyneRWU added the Bots / User-Agents Bots to be checked for additions label Jan 3, 2024
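
Detection logic for the behaviour reported in this issue, added here as an example and not part of the original report or the project's own code: it parses access-log lines in the layout of the excerpt and flags clients that send no User-Agent while requesting several distinct `*/scripts/setup.php` paths. The function names, the `min_paths` threshold and the sample lines (documentation addresses) are assumptions.

```python
import re
from collections import defaultdict

# Combined log format followed by one extra quoted field, as in the excerpt above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Setup endpoints of the kind probed in the excerpt (setup.php and setup.txt).
PROBE_RE = re.compile(r'/scripts/setup\.(?:php|txt)$', re.IGNORECASE)

def probe_path(target):
    """Return the request path if it is a setup-script probe, else None."""
    # Absolute-form targets (GET http://host:80/path) are reduced to the path.
    path = re.sub(r'^[a-z][a-z0-9+.-]*://[^/]*', '', target, flags=re.IGNORECASE)
    path = path.split('?', 1)[0]
    return path if PROBE_RE.search(path) else None

def find_scanners(lines, min_paths=5):
    """Map client IP -> sorted distinct probe paths requested with an empty User-Agent."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m['ua'] not in ('', '-'):
            continue  # unparseable line, or the client identified itself
        path = probe_path(m['target'])
        if path:
            seen[m['ip']].add(path)
    return {ip: sorted(p) for ip, p in seen.items() if len(p) >= min_paths}

def _line(ip, target, ua="-"):
    # Builds one constructed log line in the same layout as the excerpt.
    return f'{ip} - - [03/Jan/2024:03:12:57 -0500] "GET {target} HTTP/1.0" 301 186 "-" "{ua}" "-"'

# Constructed sample: one empty-UA scanner, one browser, one empty-UA health check.
SAMPLE = (
    [_line("203.0.113.7", f"http://192.0.2.10:80/{d}/scripts/setup.php")
     for d in ("myadmin", "MyAdmin", "pma", "dbadmin", "websql", "myadmin")]
    + [_line("198.51.100.20", "/pma/scripts/setup.php", "Mozilla/5.0"),
       _line("198.51.100.30", "/healthz")]
)

if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE).items():
        print(ip, len(paths), "distinct setup-script probes with no User-Agent")
```

Requiring both conditions (empty User-Agent and multiple distinct probe paths) keeps health checks and other benign tools that omit the header out of the result.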