Welcome to...
GingerCat Software
We make software for the Web, the Macintosh and Linux
(among other things!) We hope you enjoy our site

A simple script for some basic web security

I often look thru my web logs and it's surprising what one finds. Things like strange web crawlers, strange browsers and browser versions, all sorts of quirky bits and bobs will have a ferret about your web server.

This is not a bad thing, and it's interesting that over the last 6-12 months there seems to be a bigger variety of web-based search / robot type things out there. These crawlers are not just looking at web data but also RSS and a few other things as well.

But there are also some nasty things out there, and in some cases you might just want to block access for these machines, if not at the server level then maybe even at the routed entry to your network.

Have a look at this collection of nasty poking behavior for example.

I use the following basic script to sift thru my weblogs and generate the list below

cat /var/log/apache2/apache.log | cut -d ' ' -f 7


//PMA/config/config.inc.php?p=phpinfo();
//PMA2005/config/config.inc.php?p=phpinfo();
//admin/config/config.inc.php?p=phpinfo();
//admin/phpmyadmin/config/config.inc.php?p=phpinfo();
//admin/pma/config/config.inc.php?p=phpinfo();
//db/config/config.inc.php?p=phpinfo();
//dbadmin/config/config.inc.php?p=phpinfo();
//myAdmin/config/config.inc.php?p=phpinfo();
//myadmin/config/config.inc.php?p=phpinfo();
//mysql-admin/config/config.inc.php?p=phpinfo();
//mysql/config/config.inc.php?p=phpinfo();
//mysqladmin/config/config.inc.php?p=phpinfo();
//mysqlmanager/config/config.inc.php?p=phpinfo();
//p/m/a/config/config.inc.php?p=phpinfo();
//php-my-admin/config/config.inc.php?p=phpinfo();
//php-myadmin/config/config.inc.php?p=phpinfo();
//phpMyAdmin-2/config/config.inc.php?p=phpinfo();
//phpMyAdmin/config/config.inc.php?p=phpinfo();
//phpMyAdmin2/config/config.inc.php?p=phpinfo();
//phpadmin/config/config.inc.php?p=phpinfo();
//phpmanager/config/config.inc.php?p=phpinfo();
//phpmy-admin/config/config.inc.php?p=phpinfo();
//phpmyadmin/config/config.inc.php?p=phpinfo();
//phpmyadmin1/config/config.inc.php?p=phpinfo();
//phpmyadmin2/config/config.inc.php?p=phpinfo();
//pma/config/config.inc.php?p=phpinfo();
//pma2005/config/config.inc.php?p=phpinfo();
//sqlmanager/config/config.inc.php?p=phpinfo();
//sqlweb/config/config.inc.php?p=phpinfo();
//web/config/config.inc.php?p=phpinfo();
//web/phpMyAdmin/config/config.inc.php?p=phpinfo();
//webadmin/config/config.inc.php?p=phpinfo();
//webdb/config/config.inc.php?p=phpinfo();
//websql/config/config.inc.php?p=phpinfo();

Obviously someone, or more likely something, is looking for various types of phpMyAdmin / MySQL vulnerability. This is probably a script run via a virus or a bot, but it's the sort of thing one would like to keep an eye on.

One can also compare or add useful things like date and IP information just by manipulating the cut command


cat /var/log/apache2/apache.log | cut -d ' ' -f 1,4,5,7

Which would print out something like this

192.168.1.11 [21/Sep/2009:15:08:47 +1000] /favicon.ico

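Then if there is anything that is looking snarly, try isolating down to IP address level. Anchoring the pattern and escaping the dots stops it matching other addresses that merely contain the same digits.

cat /var/log/apache2/apache.log | cut -d ' ' -f 1,4,5,7 | grep '^192\.168\.1\.15 '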


This is the scan someone did on my machine (ip address changed for various reasons)

cat /var/log/apache2/apache.log | cut -d ' ' -f 1,4,5,7 | grep '^1\.1\.1\.1 '

1.1.1.1 [25/Sep/2009:08:57:26 +1000] //PMA/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:26 +1000] //PMA2005/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:27 +1000] //admin/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:28 +1000] //admin/phpmyadmin/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:28 +1000] //admin/pma/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:29 +1000] //db/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:30 +1000] //dbadmin/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:31 +1000] //myAdmin/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:31 +1000] //myadmin/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:32 +1000] //mysql-admin/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:33 +1000] //mysql/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:33 +1000] //mysqladmin/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:34 +1000] //mysqlmanager/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:35 +1000] //p/m/a/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:36 +1000] //php-my-admin/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:36 +1000] //php-myadmin/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:37 +1000] //phpMyAdmin-2/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:38 +1000] //phpMyAdmin/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:39 +1000] //phpMyAdmin2/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:39 +1000] //phpadmin/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:40 +1000] //phpmanager/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:41 +1000] //phpmy-admin/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:41 +1000] //phpmyadmin/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:42 +1000] //phpmyadmin1/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:43 +1000] //phpmyadmin2/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:44 +1000] //pma/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:44 +1000] //pma2005/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:45 +1000] //sqlmanager/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:46 +1000] //sqlweb/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:47 +1000] //web/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:47 +1000] //web/phpMyAdmin/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:48 +1000] //webadmin/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:49 +1000] //webdb/config/config.inc.php?p=phpinfo();
1.1.1.1 [25/Sep/2009:08:57:49 +1000] //websql/config/config.inc.php?p=phpinfo();


As a final note, you may get varying mileage out of this script depending on the style of Apache web log you are rolling. I'm using the combined setting in the above.

From apache config ...

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
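
Going one step beyond the cut commands above, this added example (not part of the original post) uses the status field of the combined format to list clients that requested several distinct paths that all came back 404, which is what a scan like the one shown looks like in the log. The function names, the threshold, the sample lines and the assumption that the probes returned 404 are all made up for illustration.

```shell
#!/bin/sh
# Assumes the "combined" LogFormat shown above. Splitting on double quotes
# keeps the request line intact; an escaped quote inside the request or a
# space in the %u field would still throw the fields off.

# Constructed sample log (documentation-range addresses, not real traffic).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2009:08:57:26 +1000] "GET //PMA/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 210 "-" "-"
192.0.2.10 - - [25/Sep/2009:08:57:27 +1000] "GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 212 "-" "-"
192.0.2.10 - - [25/Sep/2009:08:57:28 +1000] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 210 "-" "-"
192.0.2.10 - - [25/Sep/2009:08:57:28 +1000] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [25/Sep/2009:09:01:02 +1000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2009:09:01:03 +1000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

# probers THRESHOLD
# Reads a combined log on stdin and prints, for every client with at least
# THRESHOLD distinct 404 paths: ip distinct_404_paths first_seen last_seen
probers() {
  awk -F'"' -v min="$1" '
    {
      split($1, pre, " ")    # pre[1]=client, pre[4]=[date:time, pre[5]=zone]
      split($2, req, " ")    # req[1]=method, req[2]=path
      split($3, post, " ")   # post[1]=status, post[2]=bytes
      if (post[1] != 404 || req[2] == "") next
      ip = pre[1]; ts = substr(pre[4], 2)
      # count each path once per client so retries do not inflate the score
      if (!((ip, req[2]) in seen)) { seen[ip, req[2]] = 1; n[ip]++ }
      if (!(ip in first)) first[ip] = ts
      last[ip] = ts
    }
    END { for (ip in n) if (n[ip] >= min) print ip, n[ip], first[ip], last[ip] }
  ' | sort
}

# Demo on the constructed sample; on a real server feed the log file instead:
#   probers 10 < /var/log/apache2/apache.log
sample_log | probers 3
```

The single favicon miss from the second client stays below the threshold, so ordinary browsers with the odd broken link are not reported.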

Drop me a line if the above was any use! I'd also be interested if anyone has scripts they may want to share.

You can contact me via this address.




© 2006 Steve Abrahall