Apache Friends Support Forum

[bul]

Hallo Zusammen,

gibt es eine Möglichkeit Angriffe wie den Folgenden frühzeitig zu erkennen, und dann die Angreifer-IP für 2 oder 3 Tage zu blockieren? Also im Prinzip eine Erkennung ob im Anfragestring "phpmyadmin" drin ist. Gibt es eventuell ein Plugin?

Wir haben (gezwungenermaßen) den Apache 2.2.10 unter Windows 2003 Server 64bit.

viele Grüße,
Bul

Code: Select all

74.95.182.57 - - [21/Nov/2008:03:41:12 +0100] "GET /phpmyadmin/read_dump.php HTTP/1.0" 404 222 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
74.95.182.57 - - [21/Nov/2008:03:41:12 +0100] "GET /PMA/read_dump.php HTTP/1.0" 404 215 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
74.95.182.57 - - [21/Nov/2008:03:41:13 +0100] "GET /mysql/read_dump.php HTTP/1.0" 404 217 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
74.95.182.57 - - [21/Nov/2008:04:17:03 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 404 217 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:03 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 404 217 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:03 +0100] "GET /db/main.php HTTP/1.0" 404 209 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:03 +0100] "GET /web/main.php HTTP/1.0" 404 210 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:04 +0100] "GET /PMA/main.php HTTP/1.0" 404 210 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:04 +0100] "GET /dbadmin/main.php HTTP/1.0" 404 214 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:04 +0100] "GET /mysql/main.php HTTP/1.0" 404 212 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:04 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 404 218 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:04 +0100] "GET /phpmyadmin/read_dump.phpmain.php HTTP/1.0" 404 230 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:05 +0100] "GET /PMA/read_dump.phpmain.php HTTP/1.0" 404 223 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:05 +0100] "GET /mysql/read_dump.phpmain.php HTTP/1.0" 404 225 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:05 +0100] "GET /xampp/phpmyadmin/read_dump.phpmain.php HTTP/1.0" 404 236 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:05 +0100] "GET /typo3/phpmyadmin/read_dump.phpmain.php HTTP/1.0" 404 236 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:05 +0100] "GET /mysqladmin/read_dump.phpmain.php HTTP/1.0" 404 230 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:06 +0100] "GET /admin/read_dump.phpmain.php HTTP/1.0" 404 225 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:06 +0100] "GET /db/read_dump.phpmain.php HTTP/1.0" 404 222 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:06 +0100] "GET /dbadmin/read_dump.phpmain.php HTTP/1.0" 404 227 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:06 +0100] "GET /web/phpMyAdmin/read_dump.phpmain.php HTTP/1.0" 404 234 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:07 +0100] "GET /admin/pma/read_dump.phpmain.php HTTP/1.0" 404 229 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:07 +0100] "GET /admin/phpmyadmin/read_dump.phpmain.php HTTP/1.0" 404 236 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:07 +0100] "GET /padmin/read_dump.phpmain.php HTTP/1.0" 404 226 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:07 +0100] "GET /phpmyadmin2/read_dump.phpmain.php HTTP/1.0" 404 231 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:07 +0100] "GET /phpmyadmin1/read_dump.phpmain.php HTTP/1.0" 404 231 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:08 +0100] "GET /phpadmin/read_dump.phpmain.php HTTP/1.0" 404 228 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:08 +0100] "GET /myadmin/read_dump.phpmain.php HTTP/1.0" 404 227 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:08 +0100] "GET /phpMyAdmin-2.2.3/read_dump.phpmain.php HTTP/1.0" 404 236 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:08 +0100] "GET /phpMyAdmin-2.2.7-pl1/read_dump.phpmain.php HTTP/1.0" 404 240 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:09 +0100] "GET /phpMyAdmin-2.5.6/read_dump.phpmain.php HTTP/1.0" 404 236 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:09 +0100] "GET /phpMyAdmin-2.5.7-pl1/read_dump.phpmain.php HTTP/1.0" 404 240 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:09 +0100] "GET /phpMyAdmin-2.6.0/read_dump.phpmain.php HTTP/1.0" 404 236 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:09 +0100] "GET /phpMyAdmin-2.6.0-pl3/read_dump.phpmain.php HTTP/1.0" 404 240 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:09 +0100] "GET /phpMyAdmin-2.6.1-pl3/read_dump.phpmain.php HTTP/1.0" 404 240 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:10 +0100] "GET /phpMyAdmin-2.6.3-pl1/read_dump.phpmain.php HTTP/1.0" 404 240 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:10 +0100] "GET /phpMyAdmin2.6.4-pl4/read_dump.phpmain.php HTTP/1.0" 404 239 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:10 +0100] "GET /phpMyAdmin2.7.0-beta1/read_dump.phpmain.php HTTP/1.0" 404 241 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:10 +0100] "GET /phpMyAdmin2.7.0-rc1/read_dump.phpmain.php HTTP/1.0" 404 239 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:10 +0100] "GET /phpMyAdmin2.7.0/read_dump.phpmain.php HTTP/1.0" 404 235 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:11 +0100] "GET /phpMyAdmin-2.6.4/read_dump.phpmain.php HTTP/1.0" 404 236 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:11 +0100] "GET /phpMyAdmin2.7.0-pl1/read_dump.phpmain.php HTTP/1.0" 404 239 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:11 +0100] "GET /p/m/a/read_dump.phpmain.php HTTP/1.0" 404 225 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:11 +0100] "GET /pma/read_dump.phpmain.php HTTP/1.0" 404 223 "-" "-"
74.95.182.57 - - [21/Nov/2008:04:17:12 +0100] "GET /xampp/phpmyadmin/read_dump.phpmain.php HTTP/1.0" 404 236 "-" "-"

[glitzi85]

Das ist doch normal, oder? Kommt eigentlich auf jedem Server vor. Halte dein PMA aktuell und dann sollte da auch nichts passieren. Der scannt primär nach veralteten Installationen.

Unter Windows kenn ich leider nix, unter Linux gäbe es da evlt. Firewalls mit Content-Filter. Ansonsten bleibt dir nur der Weg über mod_rewrite: http://www.perlcode.org/tutorials/apache/attacks.html
Müsstest das Script halt anpassen, dass es den phpMyAdmin-String erkennt. Dann werden aber alle Zugriffe auf phpMyAdmin geblockt, also wenn du externe Zugriffe benötigst musst du dir halt ein entsprechendes Konzept überlegen!

mfg glitzi