With all the recent data thefts lately, I've been looking at the security of my websites. Notwithstanding the particularly appalling password security at DH, I've been thinking about the automatic links that DH provides to everyone's databases through phpMyAdmin.
I've seen phpMyAdmin probes in my Apache access logs where they request dozens of setup and install scripts for a variety of phpMyAdmin versions. I can only assume that they are probing for these versions because of known exploits.
I have no control over this setup, along with a few other subdomains and URL directories, which DH provides/imposes on every domain, so if a vulnerability is found in phpMyAdmin, squirrelMail, webFTP, or the stats program, or anything else, every site at DH would be vulnerable. Accessing DH's stats, for example, is done through Basic Authentication, which means passwords are being sent in cleartext. How many people have assigned the same password to their stats as to other critical parts of their account / website?
Is there any way to disable these services? I realise they are provided for convenience, but for those of us who never use them, preferring to do everything through an SSH tunnel for example, these are nothing but unnecessary risks.
What are others doing to prevent data theft and security breaches?
Just looked at my logs and discovered more probes: