New Malware is Scanning the Web for Valuable Targets

This week I read through my web server logs and noticed a lot of unusual requests for nonexistent pages (for example, paths belonging to PHPMyAdmin).

Needless to say, I found this very odd. I know it is very common for random machines to probe for open ports (like SSH) on random Internet addresses, but actively probing a website for the administration console of one specific type of web application seems a bit odd to me.

What struck me as odd was that a single address was making a lot of requests for things like “admin/login.php” and other variations of that path within milliseconds of each other, which screams scripted reconnaissance. I had largely assumed there was some sort of unspoken rule against these types of scans: they are easy to detect and easy to attribute, so they would mostly just get you onto several blacklists and blocked by many websites. But I guess not.
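The pattern described above (one address, many 404s for admin-console paths in a short burst) is easy to turn into a log check. The following is an added example, not code from the original post; it runs over a few constructed Apache/nginx combined-format log lines, and the path list, threshold and time window are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (combined log format); not taken from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2013:10:15:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [12/Mar/2013:10:15:01 +0000] "GET /pma/ HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [12/Mar/2013:10:15:01 +0000] "GET /admin/login.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [12/Mar/2013:10:15:02 +0000] "GET /administrator/index.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [12/Mar/2013:10:15:02 +0000] "GET /webmin/ HTTP/1.1" 404 209 "-" "-"
198.51.100.4 - - [12/Mar/2013:10:16:30 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2013:10:20:45 +0000] "GET /admin/login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed list of admin-console path prefixes that this site does not actually serve.
ADMIN_PATH_RE = re.compile(r'/(phpmyadmin|pma|admin|administrator|webmin|manager)(/|$|\.)', re.I)


def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def find_admin_scanners(log_text, threshold=4, window=timedelta(seconds=5)):
    """Return {ip: total_hits} for clients that produced at least `threshold`
    404 responses on admin-console paths within any single `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if status == 404 and ADMIN_PATH_RE.search(path):
            hits[ip].append(ts)
    scanners = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over this client's hits
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                scanners[ip] = len(times)
                break
    return scanners
```

A single stray 404 on an admin path (the second client above) is not flagged; only the burst is, which keeps the check from firing on ordinary typos or stale bookmarks.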

Later in the week I was proven wrong again after reading this news article. In it I learned that this type of reconnaissance is actually quite common these days and may lead up to some very real, and very scary, large-scale attacks on some very large organizations. I still maintain that web-based management tools like PHPMyAdmin, Webmin, and others mostly serve as a way for new IT administrators to get started when experimenting at home (and there’s nothing wrong with that). Still, it wouldn’t surprise me if some very large companies use such tools, either as a long-term, primary method of server configuration, or simply as a tool an IT worker used when they were first starting out and then completely forgot was running (which might explain the default credentials).

As much as I dislike seeing such poor security practices in IT, and as determined as I am not to follow them myself, it still doesn’t surprise me when I see others follow them.

