At first I thought this attack was from a single attacker. But I am seeing the # of attacks increase from more and more IPs.
I have renamed the phpMyAdmin directory and blocked access in the .conf file until this passes.
So do users think this is a worm or just an attack? I've tracked 6 IPs so far that have tried to hit it.
Here is an example cut of the Apache logs:
0.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=proctor HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=bond HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=lives HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=zzzzzz HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=jjjjjj HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=spicey2000 HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=mmmmmmm2000 HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:24 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=darb HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=craft HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=iiiii HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=lennie HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=chronos HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=quick HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=forge HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=bbbbbsssss HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=1944 HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
70.85.142.130 - - [23/Oct/2008:15:48:25 -0400] "GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password=ilulluli HTTP/1.0" 403 1142 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
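
One way to track the sources from the access log, as an added example that is not part of the original post: it groups requests carrying `pma_username`/`pma_password` in the query string by client IP and reports attempts, time span, and whether any request got something other than the 403. The function names, sample lines and documentation-range addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache access-log line: client, timestamp, request line, status (rest ignored).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def summarize(lines):
    """Group requests that carry pma_username/pma_password by source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "passwords": set(),
                                 "statuses": set(), "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if "pma_username" not in query and "pma_password" not in query:
            continue  # ordinary traffic
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["passwords"].update(query.get("pma_password", []))
        s["statuses"].add(int(m["status"]))
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)

def flag_guessers(stats, min_passwords=3):
    """Sources that tried several different passwords; any_not_403 means the block was bypassed."""
    return {ip: {"attempts": s["attempts"],
                 "seconds": (s["last"] - s["first"]).total_seconds(),
                 "any_not_403": bool(s["statuses"] - {403})}
            for ip, s in stats.items() if len(s["passwords"]) >= min_passwords}

# Constructed sample lines in the same shape as the log above (not real traffic).
REQ = '"GET /phpmyadmin/index.php?lang=en&server=1&pma_username=sa&pma_password={} HTTP/1.0" 403 1142 "-" "-"'
SAMPLE = [f'192.0.2.10 - - [23/Oct/2008:15:48:{24 + i // 2:02d} -0400] ' + REQ.format(f"guess{i}")
          for i in range(4)]
SAMPLE.append('198.51.100.7 - - [23/Oct/2008:15:49:01 -0400] ' + REQ.format("guess0"))
SAMPLE.append('203.0.113.5 - - [23/Oct/2008:15:49:02 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "-"')

if __name__ == "__main__":
    for ip, info in flag_guessers(summarize(SAMPLE)).items():
        print(ip, info)
```

Run over the real log with `summarize(open(path))`; a rising number of flagged IPs over time, all using the same request shape, is the pattern the post describes.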