
Re: [LUG] What is ZmEu?

On Sat, 22 Jan 2011, Dava wrote:

Gordon Henderson wrote:
On Fri, 21 Jan 2011, Dan Dart wrote:

As long as you have a firewall, and you have no potentially dangerous
publicly accessible files, like the ones referenced there (which you
don't by the looks of those 404s) you should be fine.

A firewall won't necessarily block someone attacking phpMyAdmin like this, nor will it stop someone taking control of your server if they do find a vulnerable version of phpMyAdmin.

The attack vector allows them to upload and run code - under the user ID of the web server - but that can still be used to launch spam attacks, etc.

Gordon
Ok thanks Gordon, I'm all updated, hopefully nothing will come of this. I saw the 404s so wasn't immediately thinking that was the end of it haha, but still was a bit worried. Any ideas on the IP? Proxied or owned? I'm not looking for anything malicious, was just interested to see if it was this Facebook user or an outside attack...

The IP address belongs to a machine in Romania. It's very likely to be a PC under the control of someone else - i.e. "pwned" - running a suite of generic penetration software. Your server was found at random or by the software going through IP addresses sequentially.

There appear to be many different hosts that have been compromised to run this code - a very quick check on just one site:

  $ fgrep ZmEu access_log | cut -d\  -f 1-1 | sort -rn | uniq | wc -l
  95

Gordon

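Gordon's one-liner above counts distinct source addresses. The following is an added example (mine, not from the thread) that parses combined-format access log lines, gives the same distinct-IP count, and additionally flags any ZmEu probe that got something other than a 404, which is the check the 404s in the original post answer. The log lines and IP addresses are constructed, not real traffic.

```python
# Added example (not from the thread): summarise ZmEu scanner hits in an
# Apache/nginx combined-format access log: distinct source IPs, hits per
# probed path, and any probe that did NOT return 404 (the file may exist).
import re
from collections import Counter

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic); the paths are typical of the
# phpMyAdmin probes the thread mentions, the IPs are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jan/2011:10:01:02 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 290 "-" "ZmEu"
192.0.2.10 - - [22/Jan/2011:10:01:03 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 290 "-" "ZmEu"
198.51.100.7 - - [22/Jan/2011:11:15:40 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 290 "-" "ZmEu"
198.51.100.7 - - [22/Jan/2011:11:15:41 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 200 1532 "-" "ZmEu"
203.0.113.5 - - [22/Jan/2011:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def zmeu_report(log_text, marker="ZmEu"):
    """Return (sorted distinct scanner IPs, hits per path, non-404 probe hits)."""
    ips = set()
    per_path = Counter()
    worrying = []   # probes answered with anything but 404: worth checking by hand
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or marker not in rec["ua"]:
            continue
        ips.add(rec["ip"])
        per_path[rec["path"]] += 1
        if rec["status"] != "404":
            worrying.append((rec["ip"], rec["path"], rec["status"]))
    return sorted(ips), per_path, worrying

if __name__ == "__main__":
    ips, paths, worrying = zmeu_report(SAMPLE_LOG)
    print(f"{len(ips)} distinct scanner IPs: {', '.join(ips)}")
    for path, n in paths.most_common():
        print(f"{n:4d}  {path}")
    for ip, path, status in worrying:
        print(f"CHECK: {ip} got {status} for {path}")
```

Run it against a real log with `zmeu_report(open("access_log").read())`; an empty `worrying` list is the reassuring result the 404s in the thread represent.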
--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq