
I'm working on writing a set of rules for fail2ban to make life a little more interesting for whoever is trying to brute-force his way into my system. A good majority of the attempts tend to revolve around trying to get into phpinfo() via my webserver, as below:

GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1

I'm wondering if there's any valid reason for a user to attempt to access phpinfo() via Apache, since if not, I can simply use that, or more specifically the regex

GET //[^>]+=phpinfo\(\)

as a filter to eliminate these attacks.

Journeyman Geek
  • I don't know what your use-case scenario is, but perhaps banning IPs that sent consecutive [say 10 of them] requests to non-existing php scripts can also make some sense? Just be careful not to create dead links on your site ;-] – pQd Mar 20 '10 at 10:39
  • Well, the idea is that more than 2-3 attempts to access phpinfo() from any IP address other than mine will result in that IP address being banned. Considering how bad my spelling is at times, I think it's better I don't ban just *any* non-existent php scripts ;) – Journeyman Geek Mar 20 '10 at 10:57

1 Answer


Well, if you can execute the phpinfo command this way [via some vulnerability in PHP that evals code provided by URL], it can as well be used to download some binary and execute it, or maybe include code from a remote server.

Anyway, if I were you, I would not only take action on seeing phpinfo in the URL but also on any 404-resulting requests to phpmyadmin / pma / other popular web scripts.

Still, remember to scan regularly what software your users have installed to avoid outdated phpBBs/phpMyAdmins and others, and secure your server; take a look here and here.

pQd
  • Well, it's part of the puzzle for me; I'm working on using the last few weeks' worth of hacking attempts to set up some rules for fail2ban. This would handle 70% of them with a single rule, but I was wondering if it's overbroad. It's already a Suhosin-modded server, but I figure I should have some fun with proactive security ;) – Journeyman Geek Mar 20 '10 at 10:25
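An added illustration, not code from either poster, of how the question's phpinfo() regex and pQd's "also ban 404s to phpmyadmin / pma" suggestion behave as fail2ban-style failregex lines, emulated in Python over constructed Apache log lines. The `<HOST>` substitution, the IPv4-only host group, the sample addresses (192.0.2.5 standing in for the asker's own IP) and the simplified maxretry/ignoreip logic are all assumptions of this example, not fail2ban's real implementation.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed fail2ban-style failregex list (an illustration, not the page's own filter).
# fail2ban substitutes <HOST> with its address-matching group; here a simple IPv4 group is swapped in.
FAILREGEX = [
    # the question's phpinfo() probe, anchored on the client-address field of the log line
    r'^<HOST> .*"GET //[^>]+=phpinfo\(\)',
    # the answer's suggestion: 404 responses for popular admin-script paths
    r'^<HOST> .*"GET /+(?:pma|phpmyadmin|dbadmin|mysql|admin)/[^"]*" 404 ',
]
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'  # assumption: fail2ban's real <HOST> also covers IPv6/hostnames

def compile_filters(patterns):
    return [re.compile(p.replace('<HOST>', HOST_RE)) for p in patterns]

def offending_hosts(log_lines, compiled):
    """Count matching requests per client IP; a line counts once even if several regexes match it."""
    hits = Counter()
    for line in log_lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group('host')] += 1
                break
    return hits

def hosts_to_ban(log_lines, patterns=FAILREGEX, maxretry=3, ignoreip=()):
    """Emulate the jail decision: ban hosts with >= maxretry hits unless they fall inside ignoreip."""
    ignored = [ip_network(n) for n in ignoreip]
    hits = offending_hosts(log_lines, compile_filters(patterns))
    return sorted(h for h, n in hits.items()
                  if n >= maxretry and not any(ip_address(h) in net for net in ignored))

# Constructed Apache combined-log lines (not real traffic); 192.0.2.5 plays the admin's own address.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Mar/2010:10:01:02 +0000] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.7 - - [20/Mar/2010:10:01:03 +0000] "GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.7 - - [20/Mar/2010:10:01:04 +0000] "GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.9 - - [20/Mar/2010:10:05:00 +0000] "GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.9 - - [20/Mar/2010:10:05:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.9 - - [20/Mar/2010:10:05:02 +0000] "GET /index.php?page=phpinfo() HTTP/1.1" 200 512 "-" "-"',  # single slash: outside the question's // regex
    '192.0.2.5 - - [20/Mar/2010:10:09:00 +0000] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 209 "-" "-"',
    '192.0.2.5 - - [20/Mar/2010:10:09:01 +0000] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 209 "-" "-"',
    '192.0.2.5 - - [20/Mar/2010:10:09:02 +0000] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 209 "-" "-"',
]

if __name__ == '__main__':
    print(hosts_to_ban(SAMPLE_LOG, ignoreip=('192.0.2.0/24',)))  # ['198.51.100.7']
```

With maxretry=3 the scanner at 198.51.100.7 is banned, the asker's own range is skipped via ignoreip, and 203.0.113.9 stays below the threshold because the single-slash request is not matched by the question's regex; lowering maxretry to 2 (closer to the "2-3 attempts" the asker mentions) would ban it as well.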