My server (CentOS 5.4) is being bombarded 24x7 with IP addresses from China trying to exploit phpMyAdmin. For every one I block on the firewall, half a dozen come to the funeral! It's a pity these morons don't have something better to occupy their time. I'm getting page after page of this (see below) every day and it's been going on for weeks. I don't even have phpMyAdmin on the server. I don't use it and I deleted it.

I've read that you can use .htaccess and / or mod_rewrite to redirect / block them based on any query for phpMyAdmin (they try all letters in upper and lower case, leading to page after page). Unfortunately, I have no idea of how to do this. I already have an .htaccess file. Maybe someone can suggest what to add to stop these pests from wasting my bandwidth and suggest somewhere I could redirect them to to cause them maximum problems. I don't want to block the entire country, seems a bit like overkill, not all Chinese are morons. we aren't even in the USA, so why they are doing this is beyond me.

A TINY sample!
[Sun Aug 08 13:29:08 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.2
[Sun Aug 08 13:29:08 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.3
[Sun Aug 08 13:29:08 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.4
[Sun Aug 08 13:29:09 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.5
[Sun Aug 08 13:29:09 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.6
[Sun Aug 08 13:29:09 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.7
[Sun Aug 08 13:29:10 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.8
[Sun Aug 08 13:29:10 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.9

Hi,

You can use:
The 2nd condition is because from what I see in my logs, these bots are also looking for /PMA

1 members found this post helpful.

I had a similar problem with SSH attempts to my server. I used a tool called DenyHosts to get past this. I blogged the howto here: http://technologyrnd.blogspot.com/20...s-attacks.html

0 members found this post helpful.

+1 for rewriting (or using mod_security?).
-1 for using DenyHosts (in the default setup). See why.


Sure you may be pissed of but that's not the way to handle things.

1 members found this post helpful.

I'm already using Denyhosts for SSH, but I only use SSH on rare occasions so most of the time the Port isn't open. I use a Smoothwall Express Firewall as well as IPTables.

I've put Bathory's offering into my .htaccess file. I'll check over the next day or two and let you know if it works, but it looks good.

Pissed off isn't a word I would use, I passed that already a few weeks ago. If I had MY way, it would be the death penalty for spammers and these spotty-faced morons with nothing better to do than try to deface other people's work.

IMO, the best tool for the job would be modsecurity (or any other IPS-like application).

And, no matter how you look at it, you're going to be wasting bandwidth...blocking is about the only thing you can do. Such traffic nowadays doesn't really constitute a huge waste issue, not when talking about web servers and the traffic they typically handle.

I tried Bathory's additions to my .htaccess file. It didn't work. Attacks and error messages are still the same.

Seems like it may have to be mod_security. What exactly must I put into the .conf file. I assume that then I can take out the lines from .htaccess.