
I see on my webserver some logs as follows

203.252.157.98 -   :25:02    "GET //phpmyadmin/ HTTP/1.1" 404 393 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :25:03    "GET //phpMyAdmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :25:03    "GET //pma/ HTTP/1.1" 404 388 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :25:04    "GET //dbadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :25:05    "GET //myadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :25:06    "GET //phppgadmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :25:06    "GET //PMA/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :25:07    "GET //admin/ HTTP/1.1" 404 389 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :25:08    "GET //MyAdmin/ HTTP/1.1" 404 392 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :27:36    "GET //phpmyadmin/ HTTP/1.1" 404 393 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :27:42    "GET //phpMyAdmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :27:42    "GET //pma/ HTTP/1.1" 404 388 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 -   :27:43    "GET //dbadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - -    "GET //myadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

and some more as follows

118.219.234.254 - - [19/Oct/2010:22:57:41    "GET /pma/scripts/setup.php HTTP/1.1" 404 399 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:41    "GET /scripts/setup.php HTTP/1.1" 404 397 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:42    "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:42    "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:43    "GET /web/phpmyadmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:44    "GET /web/scripts/setup.php HTTP/1.1" 404 400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:44    "GET /webadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:45    "GET /webdb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:45    "GET /websql/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:51    "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 407 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:52    "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 404 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:52    "GET /admin/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:53    "GET /db/scripts/setup.php HTTP/1.1" 404 399 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:54    "GET /dbadmin/scripts/setup.php HTTP/1.1" 404 402 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:54    "GET /myadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:55    "GET /mysql/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:55    "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:56    "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 405 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:56    "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:57    "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 404 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:57    "GET /pma/scripts/setup.php HTTP/1.1" 404 399 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:58    "GET /scripts/setup.php HTTP/1.1" 404 397 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:58    "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:59    "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:38:59    "GET /web/phpmyadmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:39:00    "GET /web/scripts/setup.php HTTP/1.1" 404 400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:39:01    "GET /webadmin/scripts/setup.php HTTP/1.1" 404 403 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:39:01    "GET /webdb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:05:39:02    "GET /websql/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

I have 2 questions:
1) When such an attack happens on my site, how do I detect it while the scanning is still going on (in as little time as possible)?
2) I have decided to rate limit using IPTABLES so as to reduce, to some extent, such DoS attacks by script kiddies (scanning for vulnerabilities in phpMyAdmin or some other script). So how much should it be limited so that genuine users do not get kicked out? What is the best practice for question 2?

Registered User

2 Answers


Rather than rate limiting your webserver, you should consider installing something like fail2ban. With a suitable filter it can be used to ban IP addresses at the iptables firewall. You can configure it to ban a matching IP address for anything from a few minutes to permanently.

EDIT:

You can use fail2ban for this. The /etc/fail2ban/filter.d/apache-noscript.conf file goes a long way to achieving what you want.

You can add a jail to /etc/fail2ban/jail.conf that uses it:

[apache-noscript]

enabled  = true
filter   = apache-noscript
action   = iptables[name=Apache, port=80, protocol=tcp]
           sendmail[name=Postfix, dest=you@mail.com]
logpath  = /var/log/httpd/error_log
maxretry = 5
bantime = some value you like

Note that your error log may be in a different location from mine, e.g. /var/log/apache2/error.log

user9517
  • Can fail2ban check for this type of script kiddie thing? I am already using denyhosts. – Registered User Feb 04 '11 at 10:13
  • @Registered User: If you're using CentOS or Red Hat then Apache isn't compiled with tcpwrapper support, so the fail2ban action hostsdeny doesn't work with it. – user9517 Feb 06 '11 at 17:56
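The answer's apache-noscript filter works on the error_log ("File does not exist" entries). The question's log lines come from the access_log, so the following is an added example (not code from the answer, the question, or the fail2ban project) of how a fail2ban-style filter for those access_log lines behaves: a failregex with fail2ban's <HOST> placeholder, expanded and run over a constructed sample log, with the same maxretry/findtime counting rule a jail uses. The failregex, the HOST pattern, the sample log (modelled on the lines in the question, with full timestamps added) and the iptables rule string are all constructed for this example; the IPv4-only HOST pattern is a simplification of fail2ban's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban-style failregex for the Apache access_log (Combined Log Format),
# written for this example; it is not a stock fail2ban filter. <HOST> is
# fail2ban's placeholder for the client address. The alternation lists the
# phpMyAdmin directory names and the old scripts/setup.php the scanners in
# the question probe, and only 404 responses count.
FAILREGEX = (
    r'^<HOST> \S+ \S+ \[[^\]]+\] "GET \S*(?:phpmyadmin|pma|myadmin|dbadmin|'
    r'phppgadmin|scripts/setup\.php)\S* HTTP/[\d.]+" 404 '
)
# The ZmEu scanner announces itself in the User-Agent; count that too.
UA_REGEX = r'^<HOST> .*"Made by ZmEu @ WhiteHat Team'

# IPv4 only, to keep the example short (fail2ban's <HOST> also takes IPv6).
HOST = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'


def compile_failregex(pattern):
    """Expand the <HOST> placeholder and compile, as fail2ban does."""
    return re.compile(pattern.replace('<HOST>', HOST), re.IGNORECASE)


PATTERNS = [compile_failregex(FAILREGEX), compile_failregex(UA_REGEX)]
TS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})')


def parse_ts(line):
    """Timestamp of a Combined Log Format line, or None if it has none."""
    m = TS_RE.search(line)
    return datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S') if m else None


def find_scanners(lines, maxretry=5, findtime=timedelta(seconds=600)):
    """Return {ip: time_of_ban} for every client with at least maxretry
    matching lines inside a sliding findtime window, the counting rule
    fail2ban applies (maxretry / findtime in jail.conf). One mistyped URL
    from a genuine user never reaches the threshold, and probes spread
    over more than findtime do not accumulate."""
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        for pat in PATTERNS:
            m = pat.match(line)
            if m:
                break
        else:
            continue  # not a probe: ordinary traffic is never counted
        ip = m.group('host')
        ts = parse_ts(line)
        if ip in banned or ts is None:
            continue
        window = hits[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # drop hits older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def iptables_rule(ip, port=80):
    """The kind of rule a ban installs (fail2ban's iptables action does the
    equivalent in a chain of its own); built as a string, not executed."""
    return f'iptables -I INPUT -p tcp --dport {port} -s {ip} -j DROP'


# Constructed sample log. 10.0.0.5 is a genuine user who mistyped one URL;
# 198.51.100.7 probes slowly, one request every three minutes.
SAMPLE_LOG = """\
203.252.157.98 - - [19/Oct/2010:05:25:02 +0000] "GET //phpmyadmin/ HTTP/1.1" 404 393 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - - [19/Oct/2010:05:25:03 +0000] "GET //phpMyAdmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - - [19/Oct/2010:05:25:03 +0000] "GET //pma/ HTTP/1.1" 404 388 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - - [19/Oct/2010:05:25:04 +0000] "GET //dbadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - - [19/Oct/2010:05:25:05 +0000] "GET //myadmin/ HTTP/1.1" 404 391 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
118.219.234.254 - - [19/Oct/2010:22:57:41 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 399 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:41 +0000] "GET /scripts/setup.php HTTP/1.1" 404 397 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:42 +0000] "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 401 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:42 +0000] "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
118.219.234.254 - - [19/Oct/2010:22:57:43 +0000] "GET /web/phpmyadmin/scripts/setup.php HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.5 - - [19/Oct/2010:22:58:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 393 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Oct/2010:05:00:00 +0000] "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 404 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Oct/2010:05:03:00 +0000] "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 404 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Oct/2010:05:06:00 +0000] "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 404 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Oct/2010:05:09:00 +0000] "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 404 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Oct/2010:05:12:00 +0000] "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 404 "-" "Mozilla/4.0"
"""


def main():
    for ip, when in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f'{when:%H:%M:%S} ban {ip}: {iptables_rule(ip)}')


if __name__ == '__main__':
    main()
```

Run as-is it bans only the two scanners, 203.252.157.98 on its fifth request at 05:25:05 and 118.219.234.254 at 22:57:43, i.e. within seconds of the scan starting, which answers the "in very little time" part of question 1; the single mistyped URL from 10.0.0.5 and the slow probes from 198.51.100.7 stay below the threshold, which is the answer to question 2: tune maxretry and findtime rather than a blanket rate limit, and genuine users are not affected. To check a real filter file against the real log before enabling a jail, fail2ban ships the fail2ban-regex tool, invoked as fail2ban-regex followed by the log path and the filter path (the filter filename is whatever you choose); it reports how many lines matched and which hosts.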

When such an attack happens on my site then while such scanning is going on how do I detect it?

Use an IDS such as Snort or a log analyzer (fail2ban).

What is the best practise for question 2?

Best practices: block the IP and redirect to a CAPTCHA.

alvosu
  • I was referring to some command like top, which shows CPU consumption; can some package detect any scan happening like that, immediately? CAPTCHA will come into the scene when that phpMyAdmin actually exists, which is not present on my site. – Registered User Feb 04 '11 at 09:30