Was my phpMyAdmin hacked?

Question

On a server of mine I have a current version of phpMyAdmin running. Unfortunately (my bad I knew I had to delete this folder for security after installation, I simply forgot... dangit) I still had the setup folder still in the phpMyAdmin's root directory, so anybody who accessed my server with http://example.com/phpMyAdmin/setup.php had access to the setup site.

Today I found this in my nginx access.log files (excerpt):

SOMEBADIP - - [02/Mar/2016:21:03:22 +0100] "GET //phpMyAdmin-3.1.1.0-all-languages/scripts/setup.php HTTP/1.1" 301 185 "-" "-"
SOMEBADIP - - [02/Mar/2016:21:03:22 +0100] "GET //phpMyAdmin-3.0.1.0/scripts/setup.php HTTP/1.1" 301 185 "-" "-"
SOMEBADIP - - [02/Mar/2016:21:03:22 +0100] "GET //phpMyAdmin-3.1.2.0/scripts/setup.php HTTP/1.1" 301 185 "-" "-"
SOMEBADIP - - [02/Mar/2016:21:03:22 +0100] "GET //phpMyAdmin-3.1.2.0-english/scripts/setup.php HTTP/1.1" 301 185 "-" "-"
SOMEBADIP - - [02/Mar/2016:21:03:22 +0100] "GET //phpMyAdmin2/scripts/setup.php HTTP/1.1" 301 185 "-" "-"
SOMEBADIP - - [02/Mar/2016:21:03:22 +0100] "GET //phpMyAdmin-3.1.2.0-all-languages/scripts/setup.php HTTP/1.1" 301 185 "-" "-"
SOMEBADIP - - [02/Mar/2016:21:03:22 +0100] "GET //phpMyAdmin-3.1.0.0/scripts/setup.php HTTP/1.1" 301 185 "-" "-"
SOMEBADIP - - [02/Mar/2016:21:03:22 +0100] "GET //phpMyAdmin3/scripts/setup.php HTTP/1.1" 301 185 "-" "-"
SOMEBADIP - - [02/Mar/2016:21:03:22 +0100] "GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1" 301 185 "-" "-"
SOMEBADIP - - [02/Mar/2016:21:03:22 +0100] "GET //phpMyAdmin-3.0.1.0-english/scripts/setup.php HTTP/1.1" 301 185 "-" "-"
SOMEBADIP - - [02/Mar/2016:21:03:22 +0100] "GET //phpMyAdmin-2.9.2/scripts/setup.php HTTP/1.1" 301 185 "-" "-"
SOMEBADIP - - [02/Mar/2016:21:03:22 +0100] "GET //phpMyAdmin-3.0.0.0-all-languages/scripts/setup.php HTTP/1.1" 301 185 "-" "-"
SOMEBADIP - - [04/Mar/2016:05:02:58 +0100] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 301 185 "-" "-"
SOMEBADIP - - [26/Feb/2016:10:10:58 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 301 185 "-" "ZmEu"

This looks like the attacker used a script, to scan my main domain for the folders listed above. What I don't understand is, why does he use // rather than / because http://example.com//phpMyAdmin/setup.php would directly end in an invalid path / redirection.

Second of all I was using a subdomain for phpMyAdmin, no folder structure which renders this attack completely useless because there is no such folder structure on my server that the attacker's script tried to find.

What I am currently wondering is, what could potentially happen if a attacker has success with such an attack on phpMyAdmin? What could he do with it?

Answer 1

Those log entries look like normal scanning activity.

You can also notice that the scanner did not target your setup specifically, because multiple versions and directories are tried. And as you said, none of those actually exist in your setup.

What I don't understand is, why does he use // rather than /

That's likely a bug in their scanning software (eg resulting from having a list of URLs, some of which have trailing slashes, and having a list of paths to scan, some of which have leading slashes).

They may not have noticed it, as it doesn't matter in many cases, as // is interpreted as / by many setups.

What I am currently wondering is, what could potentially happen if a attacker has success with such an attack on phpMyAdmin? What could he do with it?

That really depends on the version. Here is an overview over some vulnerabilities in phpmyadmin. Note for example that the setup script was vulnerable to code execution in previous versions.

I still had the setup folder still in the phpMyAdmin's root directory

Removing install folders is always a good idea, as the scripts are no longer needed and just provide an additional attack surface. Additionally, some developers don't bother coding them securely, as they could instead suggest that users delete them.

Still, phpmyadmin should be secure even if the script is not deleted (although looking at the list of fixed vulnerabilities, you can see that that was at least not always the case in the past). It's more important that you have a current version.

Was my phpMyAdmin hacked?

We really can't tell you that with just the info you provided. The logs definitely do not tell us that, as they are just normal background noise.