Apparent attack on MySQL database


#1

Recently, there seems to be an attack on my site from IP 70.86.27.154, and here are the 404 errors generated by the scumbag:

/typo3/phpmyadmin/scripts/setup.php
/mysqladmin/scripts/setup.php
/myadmin/scripts/setup.php
/mysql/scripts/setup.php
/db/scripts/setup.php
/scripts/setup.php
/dbadmin/scripts/setup.php
/phpadmin/scripts/setup.php
/phpMyAdmin/scripts/setup.php
/pma/scripts/setup.php
/phpmyadmin2/scripts/setup.php
/phpmyadmin1/scripts/setup.php
/phpmyadmin/scripts/setup.php
/php-my-admin/scripts/setup.php
/xampp/phpmyadmin/scripts/setup.php
/web/phpMyAdmin/scripts/setup.php
/websql/scripts/setup.php
/phpMyAdmin-2/scripts/setup.php
/phpMyAdmin-2.5.5-rc1/scripts/setup.php
/phpMyAdmin-2.5.4/scripts/setup.php
/phpMyAdmin-2.5.6-rc1/scripts/setup.php
/phpMyAdmin-2.5.5/scripts/setup.php
/phpMyAdmin-2.2.3/scripts/setup.php
/phpMyAdmin-2.6.0-alpha/scripts/setup.php
/phpMyAdmin-2.6.0-rc3/scripts/setup.php
/phpMyAdmin-2.6.0-pl1/scripts/setup.php
/phpMyAdmin-2.6.0-pl3/scripts/setup.php
/phpMyAdmin-2.6.1-rc1/scripts/setup.php
/phpMyAdmin-2.6.1-pl2/scripts/setup.php
/phpMyAdmin-2.6.3/scripts/setup.php
/phpMyAdmin-2.6.1-pl1/scripts/setup.php
/phpMyAdmin-2.6.2-pl1/scripts/setup.php
/phpMyAdmin-2.6.2-rc1/scripts/setup.php
/phpMyAdmin-2.6.1-rc2/scripts/setup.php
/phpMyAdmin-2.6.2-rc1/scripts/setup.php
/phpMyAdmin-2.6.2-beta1/scripts/setup.php
/phpMyAdmin-2.6.4-pl2/scripts/setup.php
/phpMyAdmin-2.6.3-pl1/scripts/setup.php
/phpMyAdmin-2.6.3-rc1/scripts/setup.php
/phpMyAdmin-2.6.4-rc1/scripts/setup.php
/phpMyAdmin-2.7.0-rc1/scripts/setup.php
/phpMyAdmin-2.6.4-pl3/scripts/setup.php
/phpMyAdmin-2.8.0-rc1/scripts/setup.php
/phpMyAdmin-2.6.4-pl4/scripts/setup.php
/phpMyAdmin-2.7.0-pl2/scripts/setup.php
/phpMyAdmin-2.8.0/scripts/setup.php
/phpMyAdmin-2.8.0.2/scripts/setup.php
/phpMyAdmin-2.8.2/scripts/setup.php
/phpMyAdmin-2.8.0.3/scripts/setup.php
/phpMyAdmin-2.8.0.4/scripts/setup.php
/phpmanager/scripts/setup.php
/sqlmanager/scripts/setup.php
/phpMyAdmin-2.8.1/scripts/setup.php
/phpMyAdmin-2.8.1-rc1/scripts/setup.php
/pma2005/scripts/setup.php
/PMA2005/scripts/setup.php
/phpmy-admin/scripts/setup.php
/webadmin/scripts/setup.php
/websql/scripts/setup.php
/mysql-admin/scripts/setup.php
/phpMyAdmin/scripts/setup.php
/web/scripts/setup.php
/phpMyAdmin-2.2.6/scripts/setup.php
/php-my-admin/scripts/setup.php
/phpMyAdmin-2.5.1/scripts/setup.php
/phpmyadmin/scripts/setup.php
/phpMyAdmin-2.5.5-pl1/scripts/setup.php
/phpMyAdmin-2.5.5-rc2/scripts/setup.php
/phpMyAdmin-2.5.6/scripts/setup.php
/phpMyAdmin-2.5.6-rc2/scripts/setup.php
/phpMyAdmin-2.5.7/scripts/setup.php
/phpMyAdmin-2.5.7-pl1/scripts/setup.php
/phpMyAdmin-2.6.0-alpha2/scripts/setup.php
/phpMyAdmin-2.6.0-rc2/scripts/setup.php
/phpMyAdmin-2.6.0-rc1/scripts/setup.php
/phpMyAdmin-2.6.0-beta1/scripts/setup.php
/phpMyAdmin-2.6.0-beta2/scripts/setup.php
/phpMyAdmin-2.6.1-pl3/scripts/setup.php
/phpMyAdmin-2.6.0-pl2/scripts/setup.php
/phpMyAdmin-2.6.0/scripts/setup.php
/phpMyAdmin-2.6.1/scripts/setup.php
/phpMyAdmin-2.6.2/scripts/setup.php
/phpMyAdmin-2.6.4-pl1/scripts/setup.php
/phpMyAdmin-2.7.0-beta1/scripts/setup.php
/phpMyAdmin-2.6.3/scripts/setup.php
/phpMyAdmin-2.7.0/scripts/setup.php
/phpMyAdmin-2.7.0-pl1/scripts/setup.php
/phpMyAdmin-2.6.4/scripts/setup.php
/phpMyAdmin-2.8.0-rc2/scripts/setup.php
/phpMyAdmin-2.8.0-beta1/scripts/setup.php
/phpMyAdmin-2.8.0.1/scripts/setup.php
/p/m/a/scripts/setup.php
/mysqlmanager/scripts/setup.php
/webdb/scripts/setup.php
/mysqladmin/scripts/setup.php
/php-myadmin/scripts/setup.php
/sqlweb/scripts/setup.php

Here is the full transcript of an example 404 message I got:

Time of the error: January 26 07:18pm
browser: ZmEu
Page Requested: /web/scripts/setup.php
Referer:
IP Address: 70.86.27.154
Hostname: img329.imageshack.us

Could DreamHost ban the IP address from all their hosted sites?
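The 404 list above is what a scanner sweep for phpMyAdmin's setup script looks like in a web log. As an added example (not from the original post, and not DreamHost's tooling), the Python script below runs the two signals the post shows, the "ZmEu" user-agent and requests for /scripts/setup.php under any prefix, over Apache combined-format log lines, tallies probes per IP, flags any probe that was actually served instead of 404'd (which would mean a phpMyAdmin setup script really is exposed on the site), and emits Apache 2.2-style .htaccess deny rules for the worst offenders. The sample log lines, the addresses other than 70.86.27.154 (RFC 5737 documentation ranges), and the probe threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not from the post).
# 70.86.27.154 / ZmEu and the paths mirror what the post reports; the other
# addresses are RFC 5737 documentation ranges; 203.0.113.5 is a constructed
# case where a probed path returns 200, i.e. the setup script really exists.
SAMPLE_LOG = """\
70.86.27.154 - - [26/Jan/2011:19:18:02 -0800] "GET /web/scripts/setup.php HTTP/1.1" 404 512 "-" "ZmEu"
70.86.27.154 - - [26/Jan/2011:19:18:02 -0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 512 "-" "ZmEu"
70.86.27.154 - - [26/Jan/2011:19:18:03 -0800] "GET /pma/scripts/setup.php HTTP/1.1" 404 512 "-" "ZmEu"
70.86.27.154 - - [26/Jan/2011:19:18:03 -0800] "GET /phpMyAdmin-2.8.0.4/scripts/setup.php HTTP/1.1" 404 512 "-" "ZmEu"
192.0.2.10 - - [26/Jan/2011:19:20:11 -0800] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.10 - - [26/Jan/2011:19:20:12 -0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Jan/2011:19:25:40 -0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.5 - - [26/Jan/2011:19:31:05 -0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 200 1800 "-" "ZmEu"
"""

# Apache "combined" format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The two signals visible in the post: the phpMyAdmin setup script requested
# under any directory prefix, and the ZmEu scanner's user-agent string.
PROBE_PATH_RE = re.compile(r"/scripts/setup\.php$", re.IGNORECASE)
SCANNER_UA_RE = re.compile(r"ZmEu", re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def probe_reasons(entry):
    """Names of the probe signals a parsed entry matches (empty list = ordinary traffic)."""
    reasons = []
    path = entry["path"].split("?", 1)[0]  # ignore any query string
    if PROBE_PATH_RE.search(path):
        reasons.append("pma-setup-path")
    if SCANNER_UA_RE.search(entry["ua"]):
        reasons.append("zmeu-ua")
    return reasons


def summarize(log_text):
    """Per-IP tally of probe requests; 'served' records probes that did not 404."""
    per_ip = defaultdict(lambda: {"probes": 0, "reasons": set(), "served": []})
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        reasons = probe_reasons(entry)
        if not reasons:
            continue
        rec = per_ip[entry["ip"]]
        rec["probes"] += 1
        rec["reasons"].update(reasons)
        if entry["status"] < 400:  # a 2xx/3xx means the probed path really exists here
            rec["served"].append((entry["path"], entry["status"]))
    return dict(per_ip)


def exposed(summary):
    """Probed paths that were served rather than 404'd: these need removing/locking down."""
    return {path for rec in summary.values() for path, _status in rec["served"]}


def deny_list(summary, threshold=3):
    """IPs worth blocking: a known scanner UA, or repeated setup.php probing (threshold is an assumption)."""
    return sorted(ip for ip, rec in summary.items()
                  if "zmeu-ua" in rec["reasons"] or rec["probes"] >= threshold)


def render_htaccess(ips):
    """Apache 2.2 mod_authz_host block; on Apache 2.4 use 'Require not ip' inside <RequireAll> instead."""
    lines = ["Order Allow,Deny", "Allow from all"] + ["Deny from " + ip for ip in ips]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, rec in sorted(summary.items()):
        print(f"{ip}: {rec['probes']} probe(s), signals={sorted(rec['reasons'])}, served={rec['served']}")
    print("exposed paths:", sorted(exposed(summary)) or "none")
    print(render_htaccess(deny_list(summary)))
```

Note that a 404 on every probe, as in the post, means the scan found nothing; the check that matters is that no /scripts/setup.php path ever returns 200. Blocking in .htaccess only covers the IPs you have already seen, so treat it as a nuisance filter, not a fix.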


#2

The IP address is owned by ThePlanet.com and is associated with a site called comportco.com, which is a company that provides software related to petroleum engineering. It is possible that his site was hacked and then used as a jump-off point for additional attacks on your site and others. I would notify ThePlanet.com of the situation at abuse@theplanet.com (see the whois info posted below). You might also consider sending an email to the owner of the site at wfair@comportco.com, since he may be unaware that he could potentially be a victim.

Whois record:

[Querying whois.arin.net]
[Redirected to rwhois.theplanet.com:4321]
[Querying rwhois.theplanet.com]
[rwhois.theplanet.com]
%rwhois V-1.5:003eff:00 whois.theplanet.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-THEPLANET-BLK-13
network:Auth-Area:70.84.0.0/14
network:Network-Name:TPIS-BLK-70-86-27-0
network:IP-Network:70.86.27.152/29
network:IP-Network-Block:70.86.27.152 - 70.86.27.159
network:Organization-Name:comportco.com
network:Organization-City:Houston
network:Organization-State:TX
network:Organization-Zip:77034
network:Organization-Country:USA
network:Description-Usage:customer
network:Server-Pri:ns1.theplanet.com
network:Server-Sec:ns2.theplanet.com
network:Tech-Contact;I:abuse@theplanet.com
network:Admin-Contact;I:abuse@theplanet.com
network:Created:20100828
network:Updated:20110126

Mark


#3

Today my site was attacked from IP 70.86.27.154. I've blocked it, of course. And it's strange: why do the owners of THEPLANET.COM let it continue?


#4

That IP address tried attacking one of my Drupal sites on Monday night.