45 replies
I Googled this and found it to be a technique that is used fairly often, but I'd never heard of it before.

Apparently some really bored hacker with nothing better to do gets a list of sites and then either types them in one-by-one or loads them into a special script. Here's what he is looking for:

Code:
http://www.yoursite.com/phpmyadmin/scripts/setup.php
If your WordPress and everything is up to date (like mine was today), then they don't get anything.

If it's not, they can hack your site. I'd suggest you try this with yours and see if you have any security holes. If you do, contact your hosting company immediately and get it fixed!!

-- j
#hacker #warning
  • mindreaderwriter (Banned)
    Hi Jarycu,

    Thanks for sharing this. It made me curious.

    What do we need to do with this link?

    http://www.yoursite.com/phpmyadmin/scripts/setup.php

    If my URL is www.abc.com, I'll put "http://www.abc.com/phpmyadmin/scripts/setup.php" on the address bar of my browser?

    Sorry, I think I didn't get what you meant at first.

    JC
    • Emily B
      Thanks for sharing this. Looks like all of my sites are safe, but it's good to know.
  • so11
    Hello,

    Emily B, not a good idea to execute stuff that people tell you here...
    If you are signed in, then you might execute the install function of all scripts in the specified directory.
    If you are not signed in, probably nothing will happen.

    cheers,
    Signature
    www.groupesoloviev.com
    We help businesses manage cyber risk and compliance requirements.
    • Joseph Robinson (Banned)
      Originally Posted by so11

      Hello,

      Emily B, not a good idea to execute stuff that people tell you here...
      If you are signed in, then you might execute the install function of all scripts in the specified directory.
      If you are not signed in, probably nothing will happen.

      cheers,
      Yeah, because if there is one thing I know about Jason from his time on the forum, it's that he secretly wants to hack all of our websites :rolleyes:.
      • fin
        My spidey senses tell me this could be an elaborate ploy by the two J's to hack all our sites.

        Ja lays the trap and Joe leads us into a false sense of security.

        • Joseph Robinson (Banned)
          Originally Posted by fin

          My spidey senses tell me this could be an elaborate ploy by the two J's to hack all our sites.

          Ja lays the trap and Joe leads us into a false sense of security.

          We can cut you in or silence you...your call. We have a highly trained squad of smileys to send after you.


    • MattCatania
      Originally Posted by so11

      Hello,

      Emily B, not a good idea to execute stuff that people tell you here...
      If you are signed in, then you might execute the install function of all scripts in the specified directory.
      If you are not signed in, probably nothing will happen.

      cheers,
      Don't listen to this advice.

      He was merely asking you to try it with YOUR OWN domain. How can you install malicious scripts if it's coming from your website?
      Signature

      Logic outweighs all.

      • TheArticlePros
        Originally Posted by Joe Robinson

        Yeah, because if there is one thing I know about Jason from his time on the forum, it's that he secretly wants to hack all of our websites :rolleyes:.
        Dammit Joe. I asked you to tell people how great my services were, not blow my master plan to take 1% of everyone's AdSense earnings for myself. Now I'm gonna have to go and create another alter ego and start over again here. I bet I could be Eoj Nosnibor. Whaddya think?

        Originally Posted by fin

        My spidey senses tell me this could be an elaborate ploy by the two J's to hack all our sites.

        Ja lays the trap and Joe leads us into a false sense of security.

        Fin, you left out the part where you hack their PayPal accounts and steal all of the rounded-down change, like in Office Space.

        Originally Posted by so11

        Hello,

        Emily B, not a good idea to execute stuff that people tell you here...
        If you are signed in, then you might execute the install function of all scripts in the specified directory.
        If you are not signed in, probably nothing will happen.

        cheers,
        so11...no offense bud, but I'd be listening to the guy with 700+ posts and 360+ thanks before I'd listen to the guy with 20 posts total. I'm just sayin....

        Originally Posted by MattCatania

        Don't listen to this advice.

        He was merely asking you to try it with YOUR OWN domain. How can you install malicious scripts if it's coming from your website?
        Bingo. It was a really odd result on my stats page, and it came from a HostGator account based in India. Just make sure all of your stuff's up to date. If you can get somewhere by typing in that line of code, call your hosting company immediately and get them to fix it.

        -- j
        Signature

        Posting About Life & Video Games:
        http://www.jarycu.com

      • so11
        Originally Posted by MattCatania

        Don't listen to this advice.

        He was merely asking you to try it with YOUR OWN domain. How can you install malicious scripts if it's coming from your website?

        That's not the point... the point is that you might install stuff that you don't need/want... that's all!
        Signature
        www.groupesoloviev.com
        We help businesses manage cyber risk and compliance requirements.
    • TheArticlePros
      Originally Posted by so11

      Hello,

      Emily B, not a good idea to execute stuff that people tell you here...
      If you are signed in, then you might execute the install function of all scripts in the specified directory.
      If you are not signed in, probably nothing will happen.

      cheers,
      Ya know, I think this post is worth going after twice. I really like this advice, but it should be further explained that you should run and hide from most WSO's and whatever this guy is advertising in his signature. I think it's funny he wants you to ask, but he can't even do PMs yet.

      -- j
      Signature

      Posting About Life & Video Games:
      http://www.jarycu.com

      • Joseph Robinson (Banned)
        Originally Posted by JaRyCu

        I think it's funny he wants you to ask, but he can't even do PMs yet.

        -- j
        I asked. Things are getting weird.

        • azmanar
          Just exposed!

          The dangers of having 2 J's and 1 F in WF.
          Signature
          === >>> Tomorrow Should Be Better Than Today

  • khaspar
    That looks familiar.
    I think I saw it today on one of my projects, in the Recent Pages section (traffic).
    So, tell me, what did you find?
    A well put together site?
  • so11
    Hello guys,

    No offense to anybody... It was a general comment. Though, I don't think it matters how many comments somebody has... the important thing is how pertinent the comment is. I think mine was... it's just not a good idea to try things on live/production sites, especially if you don't really know what it is.
    Signature
    www.groupesoloviev.com
    We help businesses manage cyber risk and compliance requirements.
    • TheArticlePros
      Originally Posted by so11

      Hello guys,

      No offense to anybody... It was a general comment. Though, I don't think it matters how many comments somebody has... the important thing is how pertinent the comment is. I think mine was... it's just not a good idea to try things on live/production sites, especially if you don't really know what it is.
      On that point, I'll agree. Unless you're a programmer who can read the code and know what's going on with each line, it's rarely a good idea to trust something from a stranger. (Even if that stranger is me.)

      The way I found out what the code that I posted does is that I simply put quotes around it and Googled it. I found entries in Yahoo Answers and several other places and found out for myself that it was safe, and then I found out why someone else would attempt it on my domain.

      Once I found that, I went and installed IP Filter for WordPress (free plugin) and blocked the IP of the offending user. If they're good at what they do, it was probably a proxy IP and they can try again, but it's all I knew to do.

      Since your sig really does talk about security, what else do you think we could do?

      -- j
      Signature

      Posting About Life & Video Games:
      http://www.jarycu.com

      • Chris Silvey
        Actually that is a very old hack.
        Signature
        WP Animate - Increases Conversions & Clicks!
        Create Amazing CSS3 Animations in just a few Clicks - New!

        WPHeadline.net - Create Blazing Headlines in just a few clicks. Updated to WordPress 4.1.1
        • Kingfish85
          Originally Posted by Chris Silvey

          Actually that is a very old hack.
          X2, this is nothing new.
          • TheArticlePros
            Originally Posted by Chris Silvey

            Actually that is a very old hack.
            Originally Posted by Kingfish85

            X2, this is nothing new.
            Thank you both for that extremely useful information.

            Can you be so kind as to provide something a little more useful, like maybe a fix for those of us out there that aren't professional security experts such as yourselves?

            -- j
            Signature

            Posting About Life & Video Games:
            http://www.jarycu.com

            • Kingfish85
              Originally Posted by JaRyCu

              Thank you both for that extremely useful information.

              Can you be so kind as to provide something a little more useful, like maybe a fix for those of us out there that aren't professional security experts such as yourselves?

              -- j
              It's common scanning. In most cases it's nothing to worry about. You will spend more time "wasting time" than you will trying to figure it out. You can give your web host the IP and have them block it at the server level. If you're using shared hosting or reseller hosting, there's not much you can do.

              A lot of the paths you see in the logs will be non-existent or not accessible by anything other than localhost.


              It would also help if the OP posted the entire line from the logs, as you will probably see "http code 404"

              Older versions of phpMyAdmin, MySQL etc. are susceptible to exploits.

              You can also configure your firewall to block these types of things. Solution is that if your web host is up to date, there shouldn't be any problems.
              • TheArticlePros
                Originally Posted by Kingfish85

                It would also help if the OP posted the entire line from the logs, as you will probably see "http code 404"
                Much better answer, and really good information as well. I appreciate that. As far as posting all of the code, I did. That's all my stat tracker returned to me. When you actually go to the URL with my domain substituted, it does generate a 404 error, so I figured I was safe. I've noticed that I also get constantly scanned for my robots.txt file, but I read countless times where that's harmless so I don't worry about it.

                When you say scan and scan...what am I scanning with? I use a plain ol' HostGator hosting package, so I'm not on my own server. My traffic's not high enough to warrant that yet. Do I just make sure and hit the update button whenever WordPress tells me to and trust that HG is doing everything else correctly in the background?

                -- j
                Signature

                Posting About Life & Video Games:
                http://www.jarycu.com

                • dowho
                  robots.txt is harmless. It just keeps search engines out of files/areas you don't want them in. Not actually used to protect or exploit you.
                • Kingfish85
                  Originally Posted by JaRyCu

                  Much better answer, and really good information as well. I appreciate that. As far as posting all of the code, I did. That's all my stat tracker returned to me. When you actually go to the URL with my domain substituted, it does generate a 404 error, so I figured I was safe. I've noticed that I also get constantly scanned for my robots.txt file, but I read countless times where that's harmless so I don't worry about it.

                  When you say scan and scan...what am I scanning with? I use a plain ol' HostGator hosting package, so I'm not on my own server. My traffic's not high enough to warrant that yet. Do I just make sure and hit the update button whenever WordPress tells me to and trust that HG is doing everything else correctly in the background?

                  -- j
                  Don't pay attention to WordPress logs. Use raw logs.

                  When I say "scan", I'm referring to scans like script scans, url scans, port scans etc.

                  As far as server security & firewall settings go, there's nothing you can do. That is on the web host to ensure their environments are secure.

                  If you go to the url and it generates a 404, then it's a url that doesn't exist. The scan that you have a log for is an exploit for an older version of phpmyadmin.
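Kingfish85's advice is to read the raw server logs and to treat a 404 on the probed path as "that URL does not exist". The script below is an added example, not code from anyone in this thread: it parses access-log lines in Apache "combined" format, flags requests for a `/scripts/setup.php` path (matched on suffix, because scanners try many directory names), reports the status code each probe received, and totals probes per IP so the address can be handed to the host for a server-level block or to an abuse desk. The root-level installer names in the watch list are an assumption drawn from paths other replies in this thread mention; the log lines, IP addresses and user agent are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample of raw access-log lines in Apache "combined" format.
# Addresses come from documentation ranges and the requests are made up;
# nothing here is real data from the thread.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jun/2012:09:14:03 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 512 "-" "example-scanner/1.0"
203.0.113.10 - - [02/Jun/2012:09:14:04 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 512 "-" "example-scanner/1.0"
203.0.113.10 - - [02/Jun/2012:09:14:05 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 512 "-" "example-scanner/1.0"
198.51.100.7 - - [02/Jun/2012:09:20:11 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jun/2012:09:20:12 +0000] "GET /install.php?step=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.55 - - [02/Jun/2012:10:02:40 +0000] "GET /wp-admin/admin.php?page=plugins HTTP/1.1" 200 8192 "http://www.example.com/" "Mozilla/5.0"
192.0.2.55 - - [02/Jun/2012:10:02:41 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# One "combined" line: ip ident user [time] "method target protocol" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths worth watching. The setup.php suffix is the probe this thread is about.
# The root-level installer names are an assumption taken from paths other
# replies mention; extend the set for your own site.
SETUP_SUFFIX = "/scripts/setup.php"
ROOT_INSTALLERS = {"/install.php", "/admin.php", "/cp.php"}


def normalise_path(target):
    """Lower-case the path and drop the query string so variants compare equal."""
    return unquote(urlsplit(target).path).lower()


def is_probe(path):
    """True if the normalised path is one of the setup/installer paths we watch.

    setup.php is matched on suffix because scanners try many directory names
    (phpmyadmin, phpMyAdmin, pma, ...). The installer names are matched only at
    the web root so legitimate paths such as /wp-admin/admin.php are not flagged.
    """
    return path.endswith(SETUP_SUFFIX) or path in ROOT_INSTALLERS


def classify(status):
    """Translate the HTTP status into what it means for the site owner."""
    if status == 200:
        return "reachable"         # the file answered: find out why it is there
    if 300 <= status < 400:
        return "redirected"        # check where the redirect lands
    return "absent-or-blocked"     # 404/403/401: scanner noise, nothing was served


def analyse(log_text):
    """Parse raw log lines; return probe hits, per-IP counts and paths that answered 200."""
    hits, by_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        path = normalise_path(m.group("target"))
        if not is_probe(path):
            continue
        status = int(m.group("status"))
        hits.append({"ip": m.group("ip"), "path": path,
                     "status": status, "verdict": classify(status)})
        by_ip[m.group("ip")] += 1
    reachable = sorted({h["path"] for h in hits if h["verdict"] == "reachable"})
    return {"hits": hits, "by_ip": dict(by_ip), "reachable": reachable}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for h in report["hits"]:
        print(f'{h["ip"]:<15} {h["status"]} {h["verdict"]:<17} {h["path"]}')
    print("probes per IP (for a host-level block or abuse report):", report["by_ip"])
    print("watched paths that actually answered 200:", report["reachable"])
```

Run it against a real raw log with `analyse(open("access.log").read())`. A probe that got a 404 is the scanner noise Kingfish85 describes; a watched path that answered 200 is the case worth a call to the host, since a leftover installer or setup script is reachable.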
                • so11
                  Originally Posted by JaRyCu

                  Much better answer, and really good information as well. I appreciate that. As far as posting all of the code, I did. That's all my stat tracker returned to me. When you actually go to the URL with my domain substituted, it does generate a 404 error, so I figured I was safe. I've noticed that I also get constantly scanned for my robots.txt file, but I read countless times where that's harmless so I don't worry about it.

                  When you say scan and scan...what am I scanning with? I use a plain ol' HostGator hosting package, so I'm not on my own server. My traffic's not high enough to warrant that yet. Do I just make sure and hit the update button whenever WordPress tells me to and trust that HG is doing everything else correctly in the background?

                  -- j
                  Be careful with this statement... robots.txt might get scanned to see what gets indexed... a lot of inexperienced web developers will index everything, and I mean everything, so indexing the right stuff is very important.

                  I'm not a big fan of free scan tools. The problem is they create lots of false positive/negative results, so basically they'll misguide you and make you waste your time on unimportant stuff... Real scanners are another story; they get pricey. So it's like anything else, your choice: go free, pay for a product, outsource the service or do nothing.

                  Don't update right away, unless it's a special update fixing a specific critical issue that needs to be patched right away. Wait a couple of months... they'll take care of buggy stuff, and then patch and then scan.
                  Signature
                  www.groupesoloviev.com
                  We help businesses manage cyber risk and compliance requirements.
      • andersvinther
        Originally Posted by JaRyCu

        what else do you think we could do?
        -- j
        You can run through this WordPress Security Checklist to see if you have missed anything... if you're running WordPress that is :-)
        Signature

        Visit WordPress Security Checklist for a FREE comprehensive guide on improving your security.

        Visit Easy-Email for the solution to all your email problems.

        • TheArticlePros
          Originally Posted by andersvinther

          You can run through this WordPress Security Checklist to see if you have missed anything... if you're running WordPress that is :-)
          *wink wink* LOL!

          I'll check that out when I get home this evening and see if it can fit my needs.

          -- j
          Signature

          Posting About Life & Video Games:
          http://www.jarycu.com

  • OldLodgeSkins
    I've seen some of these attacks appear in my logs recently... I mean, the first one I've seen is maybe a week old. Makes me laugh...
    Something as vital as PhpMyAdmin - or any admin tool for that matter - shouldn't be accessible by anybody without prior identification, period. All my admin areas are protected by a .htaccess, always. This is actually one of my first orders of business when I build a new website...

    Seb.
    Signature
    Do you use Facebook ? Then you can make money just by inviting people to a Facebook group ! It's called the Instant Income System. How cool is that?
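OldLodgeSkins' rule, an `.htaccess` in front of every admin area, written out as an added example (Apache 2.4 syntax, not taken from the post). It goes inside the directory to protect, for instance `/phpmyadmin/.htaccess`, and requires HTTP basic authentication before Apache will serve anything from it, including a setup script. The password-file path is a placeholder; the file is created with Apache's `htpasswd` utility and kept outside the document root so it can never be downloaded.

```apache
# Added example: require a login before anything in this directory is served.
# /path/outside/webroot/.htpasswd is a placeholder; create it once with
#   htpasswd -c /path/outside/webroot/.htpasswd adminuser
AuthType Basic
AuthName "Admin area - authorised users only"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# Optional tightening: also require the request to come from a trusted network.
# 192.0.2.0/24 is a documentation range standing in for your own address block.
# <RequireAll>
#     Require valid-user
#     Require ip 192.0.2.0/24
# </RequireAll>
```

This only takes effect where the host allows `.htaccess` files to set authentication directives (`AllowOverride AuthConfig` or `All`), which shared hosts normally do; check by requesting the protected URL in a browser and confirming the login prompt appears. Basic authentication sends the credentials with every request, so serve the protected area over HTTPS.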
  • so11
    The reason I've made a comment in the first place is the actual code line itself... just don't run it... period. In your directory you might have a bunch of stuff, installed and not installed scripts and so on. You run the script, you might execute everything under that directory, including the stuff you don't want... that's all.

    Now, why would somebody want to do that? The person is searching for WP sites with default configurations... Ex.: admin password is the default... you are cooked!

    IP blocking is only effective if your site gets bombed with requests... like a DoS attack. In this situation, that won't work.

    What you can do:

    1. Follow good practices (passwords, configurations, etc.)
    2. Don't execute anything unless you know what it is
    3. Periodically scan your sites with a web application security scanner to identify vulnerabilities and patch/correct them.

    so11
    Signature
    www.groupesoloviev.com
    We help businesses manage cyber risk and compliance requirements.
    • magiclouie
      Originally Posted by so11

      The reason I've made a comment in the first place is the actual code line itself... just don't run it... period. In your directory you might have a bunch of stuff, installed and not installed scripts and so on. You run the script, you might execute everything under that directory, including the stuff you don't want... that's all.

      Now, why would somebody want to do that? The person is searching for WP sites with default configurations... Ex.: admin password is the default... you are cooked!

      IP blocking is only effective if your site gets bombed with requests... like a DoS attack. In this situation, that won't work.

      What you can do:

      1. Follow good practices (passwords, configurations, etc.)
      2. Don't execute anything unless you know what it is
      3. Periodically scan your sites with a web application security scanner to identify vulnerabilities and patch/correct them.

      so11
      Nice one, so11.

      Just out of curiosity, do you do penetration testing?
      • so11
        Hello Magiclouie,

        Just to make sure we are talking about the same stuff.

        Penetration testing and vulnerability scanning are two different things, though very closely related.

        Vulnerability scanning is a passive scan that checks for gaps, misconfiguration, security issues/vulnerabilities and so on. Usually this kind of test is harmless, but very effective to identify security issues/holes/problems.

        Now, penetration testing is actually when you try to exploit those vulnerabilities to penetrate the security perimeter, which could lead to potential problems such as a DoS attack, for example. These kinds of tests are not welcomed and not authorized by hosting providers, because it's basically hacking... Imagine if everybody were doing that... Sometimes, though, special/major clients can get that kind of authorization.

        So I hope this clarifies some things...

        PS: if interested, you can look me up in the Warriors for Hire section. Thanks.

        so11
        Signature
        www.groupesoloviev.com
        We help businesses manage cyber risk and compliance requirements.
  • Yup, don't immediately try anything especially if it includes code that will involve your sites or ip addresses. Others may not have the right intentions...
  • so11
    JaRyCu,

    Don't worry about it... people scan sites all the time to probe them for vulnerabilities... it's another story if you've got them, then you are at risk.

    So be in advance, scan and patch, scan and patch ...
    Signature
    www.groupesoloviev.com
    We help businesses manage cyber risk and compliance requirements.
    • dowho
      Well, that "attack" only actually poses a threat on a Windows server. On a Linux server, they would have to be logged in as root (or sudo it) to run the phpMyAdmin setup. Provided that your host hasn't completely mangled their setup.

      Other, (often simpler) exploits include looking for:
      yourdomain.com/install.php
      /admin.php
      /thanks.php (on sales sites)
      /cp.php

      Often you will find you need one of these on your site to setup a plugin. Always remember to remove that file after it's installed.
  • alistair
    I've seen this on a few of my sites today and wondered what it was.

    Everything is in lower case letters except the actual domain name for some reason which is in capitals.
  • Noel Cunningham
    Interesting thread guys...coming from someone here who isn't very knowledgeable on security issues could I ask...

    What would be a good way to analyze your sites and assess how secure they are? I'd be interested to hear your thoughts...

    It's something I need to learn more about. Thanks.
    • so11
      Originally Posted by Noel Cunningham

      Interesting thread guys...coming from someone here who isn't very knowledgeable on security issues could I ask...

      What would be a good way to analyze your sites and assess how secure they are? I'd be interested to hear your thoughts...

      It's something I need to learn more about. Thanks.
      Just keep reading, it gets better and better...
      Signature
      www.groupesoloviev.com
      We help businesses manage cyber risk and compliance requirements.
  • TheArticlePros
    OK it looks like I'm outta thanks for the day, but this thread has turned out to be a lot better than I thought it would when I posted it yesterday.

    A lot of good information is starting to surface about how to protect yourself and I'm really grateful to y'all for chipping in.

    I will say that I traced the IP back to a Bluehost account, and I attempted to file a complaint with them. After going through their live chat for 15-20 minutes this morning, their admin told me that he could not determine which user was running the script, so it was all for nought. At least I know now, and I'm happy with that.

    -- j
    Signature

    Posting About Life & Video Games:
    http://www.jarycu.com

    • Kingfish85
      Originally Posted by JaRyCu

      OK it looks like I'm outta thanks for the day, but this thread has turned out to be a lot better than I thought it would when I posted it yesterday.

      A lot of good information is starting to surface about how to protect yourself and I'm really grateful to y'all for chipping in.

      I will say that I traced the IP back to a Bluehost account, and I attempted to file a complaint with them. After going through their live chat for 15-20 minutes this morning, their admin told me that he could not determine which user was running the script, so it was all for nought. At least I know now, and I'm happy with that.

      -- j
      I'm glad you got some useful info here. As for the other comment regarding BlueHost - I'm not surprised. They are notorious for lacking security. Can't track down the user that's running the script? That's the most ridiculous thing I've ever heard.
      • TheArticlePros
        Originally Posted by Kingfish85

        I'm glad you got some useful info here. As for the other comment regarding BlueHost - I'm not surprised. They are notorious for lacking security. Can't track down the user that's running the script? That's the most ridiculous thing I've ever heard.
        You're not just saying that because of the really big ad in your sig, are ya? LOL!

        I kinda figured it was a load of hogwash when they told me that. I'm an IT guy (in training) and I have some experience with this...they told me that next time I need to let them know when it's actually happening. I guess that means I have to monitor all of my domains to find that .02 seconds when someone unsuccessfully runs that script and let Bluehost know about it right then, huh?

        -- j
        Signature

        Posting About Life & Video Games:
        http://www.jarycu.com

        • Kingfish85
          Originally Posted by JaRyCu

          You're not just saying that because of the really big ad in your sig, are ya? LOL!

          I kinda figured it was a load of hogwash when they told me that. I'm an IT guy (in training) and I have some experience with this...they told me that next time I need to let them know when it's actually happening. I guess that means I have to monitor all of my domains to find that .02 seconds when someone unsuccessfully runs that script and let Bluehost know about it right then, huh?

          -- j
          Nope. It's an honest statement.

          I wouldn't worry too much about that script though.
  • Dylan Lars
    Well, this is an attempt that has been noticed before, I think early 2011, maybe mid. This was a scan for leaks in the site, but since the file ".../phpMyAdmin/scripts/setup.php" doesn't exist on updated installations, this brute force technique doesn't compromise anything. So if there is a problem for whatever reason, just update your installation.

    Also, check your logs. Find the host, which will be the IP (usually marked as Host) and find who the service provider is. Report it to their abuse center.

    Hope this helps.

    Thanks for the heads up JaRyCu

    Best,

    Dylan
  • so11
    Hello all,

    I've created a security thread "Security FAQ". I thought it could be useful for all security related stuff...

    feel free to post your questions...

    so11
    Signature
    www.groupesoloviev.com
    We help businesses manage cyber risk and compliance requirements.
  • *Gabriel*
    Thanks. It's a good reminder to keep all your software & servers up-to-date.
  • williamk (Banned)
    Thanks JaRyCu. I just triple checked all my sites and they look good so far. But it's good to know this fault in the sites. It will help in safeguarding my future sites too.
  • ankur sharma
    Thanks for sharing. I think it's time to go and check my own WordPress website.
    • Jays80
      Thanks for sharing this. As of now all my websites look fine.