I guess I am getting hacking attempts on my site

Hi,

I checked my website’s traffic log today and noticed lots of suspicious URLs in the 404 error report, as follows:

//phpMyAdmin/index.php
//php-my-admin/index.php
//phpMyAdmin-2.5.5-pl1/index.php
//admin/pma/index.php
//mysqladmin/index.php
//phpMyAdmin-2.5.5-rc2/index.php
...

My questions are:

  1. Should I worry about this?
  2. What precautions can I take?
  3. How can I prevent such users from accessing my site?

Thanks for any advice.

Hi,

Did you find something like the below entry in those files?

${eval(base64_decode($_SERVER[HTTP_REFERER]))}

eval base functions can be used to get information from databases.

Sorry but which file are you talking about? The log file?

Check for the eval(base64_decode in all your php files. It is an automated hack which affects all the php files.

That looks like one of the many zombie bots that regularly try to find vulnerabilities in a website. Probably nothing to worry about, probably nothing you can easily do to stop such requests unless you are able to identify and block the IP (unlikely).

Thanks, I don’t have that function in any of my files or content.

Thanks for your input. Now I know it can’t be prevented totally. I would like to add a security step something like “if X number of failed attempts, block that IP for Y minutes etc.” but I have no idea how to do that.

If you’re on *nix something like fail2ban might help.
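
A sketch of the “X failed attempts, block that IP for Y minutes” rule asked about above, which is the same idea fail2ban applies to log files. This is an added example, not part of the thread and not fail2ban's own code; the log lines are constructed (combined log format, documentation IP ranges), and the function name and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined access log format: client IP, [timestamp], "request", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using the probe paths from the first post.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2012:10:00:01 +0000] "GET //phpMyAdmin/index.php HTTP/1.1" 404 209',
    '192.0.2.10 - - [12/Mar/2012:10:00:02 +0000] "GET //php-my-admin/index.php HTTP/1.1" 404 209',
    '198.51.100.7 - - [12/Mar/2012:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [12/Mar/2012:10:00:04 +0000] "GET //admin/pma/index.php HTTP/1.1" 404 209',
    '198.51.100.7 - - [12/Mar/2012:10:05:00 +0000] "GET /old-page.html HTTP/1.1" 404 209',
]

def find_bans(lines, max_fails=3, window=timedelta(minutes=10),
              ban_for=timedelta(minutes=30)):
    """Return {ip: ban_expiry} for IPs with max_fails 404s inside window."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 404s
    bans = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue  # unparseable line or not a failed lookup
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = m["ip"]
        if ip in bans and ts < bans[ip]:
            continue  # ban still active; a firewall would have dropped this
        hits = recent[ip]
        hits.append(ts)
        # Forget failures that have fallen out of the sliding window.
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= max_fails:
            bans[ip] = ts + ban_for  # block until this time, then allow again
            hits.clear()
    return bans

if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} until {until.isoformat()}")
```

A visitor who hits a single dead link (198.51.100.7 in the sample) stays under the threshold; only the IP that walks through several admin paths in quick succession is banned.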

Check the log files of your server as well as your scripts. You might be vulnerable to XSS attacks.

You could try Crawl Protect. It will block known “bad bots” and code injection attempts, and also gives you the option to ban those IPs from your site. (Don’t be put off by the rather curious English on the site - the author’s native language is French.)