Hack attempt
As I was trying to build a simple system to control downloads for a project I'm working on, I happened to leave journalctl open, following the logs for the application I was trying to debug. When I came back to my computer I noticed that I had inadvertently captured an attempt to hack my server. The full list of paths the hacker tried is at the bottom of the post.
Looking through the list of attempted paths I couldn't help but notice some interesting trends. First, with the exception of /webdav/, all of the paths have the .php extension. PHP has what I'll call the 'Windows problem'. Windows catches all kinds of flak because of all the viruses that get into Windows systems and wreak havoc. I believe this is mostly due to Windows' success as an operating system. If the Windows operating system didn't have the market penetration that it does, then people wouldn't bother writing malware for the platform. Likewise, PHP is an extremely popular, if not the most popular, technology used for building web applications, so it becomes the primary target for hackers on the internet. While I'm sure both Windows and PHP could improve their security by default, I think the issue comes with popularity: you get a lot of people without experience using the technology in unsafe ways that the underlying tools cannot prevent.
I'm not familiar with many PHP projects, but some of the names (assuming they are relevant to their functionality) are downright frightening. I see a number of files with shell in the name, which seems to say that a significant number of people have PHP applications running that simply expose a command-line shell to the internet. Similarly, phpMyAdmin appears to be a popular target for much the same reason, as I do know it is a popular tool for managing a server that gives pretty low-level access. There are also a number of db entries in the list, which again is not something you want to expose to the wider internet unsecured.
So, looking at the list below: does your server serve any of those PHP files publicly? Are they properly secured behind some type of authentication? Are they running with the least permissions needed to perform their function?
/webdav/
/help.php
/java.php
/_query.php
/test.php
/db_cts.php
/db_pma.php
/logon.php
/help-e.php
/license.php
/log.php
/hell.php
/pmd_online.php
/x.php
/shell.php
/desktop.ini.php
/z.php
/lala.php
/lala-dpr.php
/wpo.php
/text.php
/wp-config.php
/muhstik.php
/muhstik2.php
/muhstiks.php
/muhstik-dpr.php
/lol.php
/uploader.php
/cmd.php
/cmx.php
/cmv.php
/cmdd.php
/knal.php
/cmd.php
/shell.php
/appserv.php
/scripts/setup.php
/phpmyadmin/scripts/setup.php
/phpMyAdmin/scripts/setup.php
/phpmyadmin/scripts/db___.init.php
/phpMyAdmin/scripts/db___.init.php
/wuwu11.php
/xw.php
/xw1.php
/9678.php
/wc.php
/xx.php
/s.php
/w.php
/sheep.php
/qaq.php
/db.init.php
/db_session.init.php
/db__.init.php
/wp-admins.php
/m.php?pbid=open
/db_dataml.php
/db_desql.php
/mx.php
/wshell.php
/xshell.php
/qq.php
/conflg.php
/lindex.php
/phpstudy.php
/phpStudy.php
/weixiao.php
/feixiang.php
/ak47.php
/ak48.php
/xiao.php
/yao.php
/defect.php
/webslee.php
/q.php
/pe.php
/hm.php
/cainiao.php
/zuoshou.php
/zuo.php
/aotu.php
/cmd.php
/bak.php
/system.php
/l6.php
/l7.php
/l8.php
/q.php
/56.php
/mz.php
/xx.php
/yumo.php
/min.php
/wan.php
/wanan.php
/ssaa.php
/qq.php
/aw.php
/12.php
/hh.php
/ak.php
/ip.php
/infoo.php
/qq.php
/qwe.php
/1213.php
/post.php
/h1.php
/test.php
/3.php
/phpinfi.php
/aaaa.php
/9510.php
/python.php
/default.php
/sean.php
/app.php
/help.php
/tiandi.php
/miao.php
/xz.php
/linuxse.php
/zuoindex.php
/zshmindex.php
/tomcat.php
/ceshi.php
/1hou.php
/boots.php
/she.php
/s.php
/qw.php
/test.php
/caonma.php
/ss.php
/wcp.php
/uuu.php
/sss.php
/1.php
/2.php
/qaz.php
/sha.php
/1.php
/confg.php
/ver.php
/hack.php
/qa.php
/Ss.php
/xxx.php
/92.php
/z.php
/xiaoma.php
/xiaomae.php
/xiaomar.php
/qq.php
/data.php
/log.php
/fack.php
/angge.php
/index.php
/phpmyadmin/index.php
/phpMyAdmin/index.php
/pmd/index.php
/pma/index.php
/PMA/index.php
/PMA2/index.php
/pmamy/index.php
/pmamy2/index.php
/mysql/index.php
/admin/index.php
/db/index.php
/dbadmin/index.php
/web/phpMyAdmin/index.php
/admin/pma/index.php
/admin/PMA/index.php
/admin/mysql/index.php
/admin/mysql2/index.php
/admin/phpmyadmin/index.php
/admin/phpMyAdmin/index.php
/admin/phpmyadmin2/index.php
/mysqladmin/index.php
/mysql-admin/index.php
/phpadmin/index.php
/phpAdmin/index.php
/phpmyadmin0/index.php
/phpmyadmin1/index.php
/phpmyadmin2/index.php
/myadmin/index.php
/myadmin2/index.php
/xampp/phpmyadmin/index.php
/phpMyadmin_bak/index.php
/www/phpMyAdmin/index.php
/tools/phpMyAdmin/index.php
/phpmyadmin-old/index.php
/phpMyAdminold/index.php
/phpMyAdmin.old/index.php
/pma-old/index.php
/claroline/phpMyAdmin/index.php
/typo3/phpmyadmin/index.php
/phpma/index.php
/phpmyadmin/phpmyadmin/index.php
/phpMyAdmin/phpMyAdmin/index.php
/v/index.php
/phpmyadm1n/index.php
/phpMyAdm1n/index.php
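As an added example that is not part of the original post: a small Python detector that runs over web server access log lines (the same kind of traffic journalctl was showing) and flags clients probing for the path families listed above. The path set is a subset of the list above; the regex heuristics, the five-probe threshold and the sample log are constructed for this example.

```python
import re
from collections import Counter, defaultdict
# Exact paths from the scan above; generic names a real site might serve (/index.php, /test.php) are left out.
KNOWN_SCANNER_PATHS = {
    "/webdav/", "/shell.php", "/cmd.php", "/wshell.php", "/db_pma.php", "/pmd_online.php",
    "/wp-config.php", "/muhstik.php", "/uploader.php", "/phpinfi.php", "/m.php",
}
# Heuristics for the two families the post calls out: phpMyAdmin location guessing,
# and throwaway web-shell names (*shell, cmd*, db_*, x*, or a single letter plus digits).
PMA_PROBE = re.compile(
    r"(?:pma|phpmyadm[i1]n|myadmin|mysql-?admin)\w*/(?:index|scripts/setup)\.php$", re.I)
WEBSHELL_PROBE = re.compile(r"/(?:\w*shell|cmd\w*|db_[\w.]+|x\w{0,2}|[a-z]\d{0,4})\.php$", re.I)
# Apache/nginx combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def classify_path(path):
    """Return the probe family for a request path, or None if it looks ordinary."""
    path = path.split("?", 1)[0]  # /m.php?pbid=open -> /m.php
    if path in KNOWN_SCANNER_PATHS:
        return "known-scanner-path"
    if PMA_PROBE.search(path):
        return "phpmyadmin-probe"
    if WEBSHELL_PROBE.search(path):
        return "webshell-probe"
    return None

def analyse(lines, threshold=5):
    # Group suspicious requests by client IP and report clients with >= threshold probes.
    kinds, paths = defaultdict(Counter), defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        kind = classify_path(m["path"])
        if kind:
            kinds[m["ip"]][kind] += 1
            paths[m["ip"]].add(m["path"])
    return {ip: {"total": sum(c.values()), "kinds": dict(c), "paths": sorted(paths[ip])}
            for ip, c in kinds.items() if sum(c.values()) >= threshold}

# Constructed sample log using RFC 5737 documentation addresses; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:03:14:01 +0000] "GET /webdav/ HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [12/Mar/2024:03:14:01 +0000] "GET /shell.php HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [12/Mar/2024:03:14:02 +0000] "GET /db_pma.php HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [12/Mar/2024:03:14:02 +0000] "GET /m.php?pbid=open HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [12/Mar/2024:03:14:03 +0000] "GET /phpMyAdm1n/index.php HTTP/1.1" 404 153 "-" "-"
198.51.100.20 - - [12/Mar/2024:03:15:12 +0000] "GET /s.php HTTP/1.1" 404 153 "-" "-"
"""
```

Running `analyse(SAMPLE_LOG.splitlines())` reports only 203.0.113.7, with five probes across the known-path and phpMyAdmin families; the single one-letter request from 198.51.100.20 stays below the threshold but would surface if it continued.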