While examining my webserver statistics, I noticed that quite a lot 404’s are being served on most of my domains to scan bots that are trying to find exploits in possible running PHPMyAdmin configurations. Though harmless if you keep a clean ship with a decently configured PHPMyAdmin and the latest updates like I do, I still decided I couldn’t let this behaviour unanswered. So I took action, and wrote a small fail2ban filter that permanently drops all traffic from the IP addresses these scans originate from, like I do with every address that misbehaves in any way.
The regex used won’t capture all attempts, but with my configuration only 1 hit is enough to get you banned (the scripts these scans call are
config.inc.php, which aren’t to be called directly, especially not when they fail with a 404 like these), and all scanning attempts I’ve seen so far cycle through at least 20 different combinations.
Well, enough talk, here is the
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
And this is of course accompanied by a bit in
1 2 3 4 5 6 7 8 9
Works for me, another 20 additional IPs/day onto the shitlist!
It seems another variation of these scans are hitting the NIC’s quite often; One for Zen Cart to be more precise. You can easily add support countering this scanner as well, simply by expanding the failregex with this line:
^<HOST> -.*'GET .*(cart|boutique|catalog|butik|shop|zen|store).*/install\.txt.*'.*404.*
You can put multiple regexes within one failregex, just put each one on a new line.