Weird Unauthorized Access Attempt to MYSQL

wordpress

#1

A while back I banned a couple of Taiwanese IP blocks off my domain where I run wordpress. Today I caught the same IPs just going directly for MYSQL. WTH is that about? The table they tried to access doesn’t exist. I do use BadBehavior plug-in which has caught them before I just put the IP block into htaccess.

Obviously they couldn’t access the database, but I wonder if anyone has seen this and what’s going on there. It’s a URL only a handful of people have yet I kept seeing them hit it even after it moved - they magically just followed with a weird user agent, acting like a bot, from China. It’s just so bizarre. I don’t think this visitor has actually ever done anything, aside from act weird, maybe some comment spam in the past, but these IPs have been banned for so long I don’t even remember if they actually attempted to spam or I just banned them because they were suspicious and from China.

60.248.164.211 - - [26/Sep/2006:15:34:24 -0700] "GET /dh_phpmyadmin/mysql.mydomain.com/sql.php?db=(myDB)&table=w2_bad_behavior_log&goto=tbl_properties_structure.php&back=tbl_properties_structure.php&pos=0 HTTP/1.0" 401 1031 "-" "MVAClient"
60.248.165.226 - - [26/Sep/2006:15:34:24 -0700] "GET /dh_phpmyadmin/mysql.mydomain.com/sql.php?db=(myDB)&table=w2_bad_behavior_log&goto=tbl_properties_structure.php&back=tbl_properties_structure.php&pos=0 HTTP/1.0" 401 1031 "-" "MVAClient"
60.248.164.211 - - [26/Sep/2006:15:34:27 -0700] "GET /dh_phpmyadmin/mysql.mydomain.com/sql.php?db=(myDB)&table=w2_bad_behavior_log&goto=tbl_properties_structure.php&back=tbl_properties_structure.php&pos=0 HTTP/1.0" 401 1031 "-" "-"
218.166.50.216 - - [26/Sep/2006:15:34:29 -0700] "GET /dh_phpmyadmin/mysql.mydomain.com/sql.php?db=(myDB)&table=w2_bad_behavior_log&goto=tbl_properties_structure.php&back=tbl_properties_structure.php&pos=0 HTTP/1.0" 401 1031 "-" "-"


#2

I think they’re just randomly guessing at subdomains there, but I could be wrong. Either way, I’ve done a bit of research on MVAClient in the past, and it is actually a bot, though at the time that bot’s intentions were unclear. I just banned the IP range it came from anyway.

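The pattern in the log excerpt above (one URL, several source addresses, all answered 401 within a few seconds) can be pulled out of an access log automatically. The following is an added example, not part of the original thread: it assumes combined-format log lines with plain ASCII quotes, and the function names, paths and documentation-range IPs in the sample are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def shared_url_probes(lines, window=timedelta(seconds=10), min_ips=2):
    """Return {url: sorted IPs} for URLs denied (401/403) to at least
    min_ips distinct clients inside one sliding time window."""
    denied = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["status"] in (401, 403):
            denied[rec["url"]].append((rec["ts"], rec["ip"]))
    findings = {}
    for url, hits in denied.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ips = {ip for _, ip in hits[start:end + 1]}
            if len(ips) >= min_ips:
                findings[url] = sorted(ips | set(findings.get(url, [])))
    return findings

# Constructed sample lines (documentation IP ranges, placeholder paths).
SAMPLE = [
    '192.0.2.10 - - [26/Sep/2006:15:34:24 -0700] "GET /dbadmin/sql.php?db=example&table=log HTTP/1.0" 401 1031 "-" "MVAClient"',
    '198.51.100.7 - - [26/Sep/2006:15:34:24 -0700] "GET /dbadmin/sql.php?db=example&table=log HTTP/1.0" 401 1031 "-" "MVAClient"',
    '192.0.2.10 - - [26/Sep/2006:15:34:27 -0700] "GET /dbadmin/sql.php?db=example&table=log HTTP/1.0" 401 1031 "-" "-"',
    '203.0.113.5 - - [26/Sep/2006:15:34:29 -0700] "GET /dbadmin/sql.php?db=example&table=log HTTP/1.0" 401 1031 "-" "-"',
    '203.0.113.9 - - [26/Sep/2006:16:40:00 -0700] "GET /private/ HTTP/1.1" 401 1031 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(shared_url_probes(SAMPLE))
```

A URL that appears in the result was requested by clients that share it, which points to a leaked link (for example via a Referer header or a shared browser history) or a coordinated crawler rather than independent guessing.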