Angriff auf PMA?

**fan-com** · Feb 7th 2019

Hallo zusammen

ich habe gerade festgestellt, dass auf meinem Server ein Angriff läuft. Offensichtlich versuchen die Angreifer auf phpmyadmin zuzugreifen. Gibt es da eine Schwachstelle?

Jemand eine Idee?

Gruß

Fan-Com

Hier mal ein "kleiner" 1 Sekunden Auszug :

Code

70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3233 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
31.56.84.144 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3319 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
31.56.84.144 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3319 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
176.248.95.94 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3234 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
190.237.143.193 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3244 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3234 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3233 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3232 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
176.248.95.94 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3234 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3233 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3234 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3240 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3234 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3233 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3232 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3233 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3235 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3242 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3233 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3233 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
178.148.72.49 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3243 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
178.148.72.49 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3243 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
184.161.1.171 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3243 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3242 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3244 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3244 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3244 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3244 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3249 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3243 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3244 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
178.148.72.49 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3243 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3244 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
178.148.72.49 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3242 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
176.248.95.94 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3232 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3245 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3243 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
178.148.72.49 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3244 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3252 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
178.148.72.49 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3250 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3243 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3243 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
178.148.72.49 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3243 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
178.148.72.49 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3243 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3242 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3246 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3242 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
70.29.76.143 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3250 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
178.148.72.49 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3243 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
178.148.72.49 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3243 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
178.148.72.49 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3249 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
176.248.95.94 - - [07/Feb/2019:20:33:55 +0100] "POST /pma//index.php HTTP/1.1" 200 3236 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
178.148.72.49 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3250 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
178.148.72.49 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3243 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
178.148.72.49 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3244 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
190.238.105.44 - - [07/Feb/2019:20:33:55 +0100] "GET /pma/ HTTP/1.1" 200 3250 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
190.237.143.193 - - [07/Feb/2019:20:33:56 +0100] "GET /pma/ HTTP/1.1" 200 3243 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"

Display More

**Otzelott** · Feb 7th 2019

https://www.cvedetails.com/vul…or_id-784/Phpmyadmin.html

Akinos · Feb 7th 2019

Hi,

in welcher Log hast du das genau?

suche mal nach Fail2ban .... dann hat der Spuck auch ein Ende...

**Nuxwin** · Feb 8th 2019

Quote from fan-com

Hallo zusammen

ich habe gerade festgestellt, dass auf meinem Server ein Angriff läuft. Offensichtlich versuchen die Angreifer auf phpmyadmin zuzugreifen. Gibt es da eine Schwachstelle?

Jemand eine Idee?

Gruß

Fan-Com

The bbcode tags are not for dogs. This is the first and last warning. Next time, you'll get a ban. Please fix, else, the full post will be deleted.

**fan-com** · Feb 8th 2019

Hallo,

das ist aus der /var/log/nginx/access.log.

fail2ban läuft schon und es sind auch bestimmt schon 100 IPs gesperrt aber es kommen immer noch so viele Anfragen das der Server (16 Cores und 32 GB) eine Auslastung von 90-100% hat.

Gruß

Fan-Com

**fan-com** · Feb 8th 2019

Quote from Nuxwin

The bbcode tags are not for dogs. This is the first and last warning. Next time, you'll get a ban. Please fix, else, the full post will be deleted.

Auch wenn ich jetzt vermutlich gesperrt werde, ist es doch schön zu wissen das die offensichtlich die Optik wichtiger ist als der Inhalt.

Wie es auch sei, der Angriff scheint beendet, am Ende hat es nur geholfen nginx über Nacht abzuschalten.

Akinos · Feb 8th 2019

kannst du mal bitte deine Fail2ban Einstellungen dazu Posten?

Angriff auf PMA?

Share

Similar Threads

Neuinstallation - Server Schützen

Daily visitors