excerpt from the access log:
Code: Select all
103.108.195.244 - - [08/Dec/2020:21:23:52 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:52 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:53 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:54 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:54 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:55 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:56 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:56 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:57 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:58 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:58 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:59 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:00 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:00 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:01 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:02 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:02 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:03 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:04 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17064 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:05 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
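The excerpt above is the classic brute-force signature: one source IP, one POST per second to the login page, and a 200 with an almost constant response size for every attempt. phpMyAdmin answers a failed cookie login by serving the login form again, so the 200s do not mean the logins succeeded; the one line with a different size (17064) is the attempt to look at more closely. The following Python script is added here as an example and is not part of the original post. It parses an Apache combined-format log, groups POSTs under the watched path by client IP and reports any IP that sends at least a threshold number of them inside a sliding window. The path, threshold and window are illustrative defaults, and the sample lines are constructed with documentation IPs, not copied from a real log.

```python
"""Flag brute-force login bursts in an Apache combined-format access log.

Added example (not from the original post). Path, threshold and window are
illustrative parameters; the sample log lines below are constructed.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_bursts(lines, path_prefix="/phpmyadmin/", method="POST",
                threshold=10, window_s=60):
    """Group `method` requests under `path_prefix` by client IP and report every
    IP that sends at least `threshold` of them inside any `window_s`-second
    sliding window. Unparseable lines are skipped rather than aborting the run."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != method:
            continue
        if not rec["path"].startswith(path_prefix):
            continue
        stamps_by_ip[rec["ip"]].append(rec["ts"])

    findings = []
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # slide the window start forward until it is within window_s of this request
            while (t - stamps[start]) > timedelta(seconds=window_s):
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append({
                "ip": ip,
                "requests": len(stamps),
                "peak_in_window": peak,
                "first": stamps[0].isoformat(),
                "last": stamps[-1].isoformat(),
            })
    return findings


# Constructed sample: twelve POSTs one second apart from one documentation IP,
# plus two requests that must not count (a GET, and a POST to another path).
_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
_T0 = datetime(2020, 12, 8, 21, 23, 52, tzinfo=timezone(timedelta(hours=1)))
_FMT = "%d/%b/%Y:%H:%M:%S %z"
SAMPLE_LOG = [
    f'203.0.113.7 - - [{(_T0 + timedelta(seconds=i)).strftime(_FMT)}] '
    f'"POST /phpmyadmin/index.php HTTP/1.1" 200 17045 '
    f'"http://198.51.100.10/phpmyadmin/index.php" "{_UA}"'
    for i in range(12)
] + [
    f'198.51.100.2 - - [08/Dec/2020:21:23:55 +0100] "GET /phpmyadmin/index.php HTTP/1.1" 200 17045 "-" "{_UA}"',
    f'198.51.100.2 - - [08/Dec/2020:21:23:56 +0100] "POST /blog/login.php HTTP/1.1" 302 0 "-" "{_UA}"',
]


if __name__ == "__main__":
    # usage: python3 bursts.py /var/log/apache2/access.log  (no argument: run on the sample)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in find_bursts(source):
        print(finding)
```

Run it against the real access log and the burst from the excerpt would come out as one finding for the scanning IP with a peak of 20 requests in well under a minute; a single IP with that rate against a login URL is a fail2ban or firewall candidate regardless of whether any attempt succeeded.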
So the first step is to use a non-standard URL. In Debian, using Apache2 and the phpmyadmin package from the repositories, you'll have to edit /etc/apache2/conf-available/phpmyadmin.conf.
Simply change the Alias at the top of the file (and reload Apache afterwards with systemctl reload apache2):
Code: Select all
Alias /putyourcustomURLhere /usr/share/phpmyadmin
buuut.... bots will still scan for the /phpmyadmin URL (renaming the path only hides it from mass scanners; it is no substitute for strong MySQL passwords, a patched phpMyAdmin, or limiting access with Require ip / HTTP auth), so why not have a little fun with them? Here's where a tarpit comes into play: as the name suggests, it slows bots down and can tie up resources on the bot's side, at the cost of one open connection on your side for as long as the bot stays. In my case I am using Matthew Sigley's PHP-HTTP-Tarpit: https://github.com/msigley/PHP-HTTP-Tarpit
Make sure to check the README and the script itself; it has super fun options like:
Code: Select all
function rand_content( $random_content_length = 2048 ) {
    $random_words = array( '',
        //Send them down a wild goose chase.
        'Public Key:',
        'Private Key:',
        'Password',
        'Username',
        //Piss off people who aren't escaping content correctly in Unix or piping to Grep.
        "\x03", //Interrupt (ETX, what Ctrl-C sends)
        "\x04", //Logout (EOT, what Ctrl-D sends)
        "\x07", //Beep (BEL)
        "\x21", //Communication Error (note: 0x21 is just '!' in ASCII)
        " | shutdown -r now",
        //Exploit grep debian bug #736919 for those running out of date software and put grep in an infinite loop
        "\xe9\x65\n\xab\n"
    );
    // ... the rest of the function (assembling and returning the random content) is in the script itself
}
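To show what a tarpit actually does on the wire, here is an added Python sketch; it is not PHP-HTTP-Tarpit's code, and the bait words, timings and port are made-up defaults. It answers any request with a 200 and no Content-Length, then drips one bait line at a time with a sleep in between, so the bot's HTTP client sits waiting for a body that never finishes until the per-connection cap runs out. The cap and the threaded server are the part worth copying: every connection the pit holds open also costs you a thread.

```python
"""Minimal HTTP tarpit: any request gets a 200 and an endless, slow drip of
bait text. Added example, not PHP-HTTP-Tarpit's code; bait words, delays and
the port are illustrative."""
import random
import string
import sys
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Strings a credential-scraping bot is likely to grep for (the wild goose chase).
BAIT = ["Username:", "Password:", "Public Key:", "Private Key:",
        "-----BEGIN RSA PRIVATE KEY-----", "mysql://"]


def bait_line(rng):
    """One plausible-looking junk line, newline-terminated so line-based readers keep waiting."""
    noise = "".join(rng.choice(string.ascii_letters + string.digits + "+/=")
                    for _ in range(rng.randint(16, 64)))
    return f"{rng.choice(BAIT)} {noise}\n"


def sample_bait(seed, n):
    """Deterministic batch of bait lines (handy for checking the generator offline)."""
    rng = random.Random(seed)
    return [bait_line(rng) for _ in range(n)]


def chunk_budget(max_seconds, delay):
    """How many drips one connection gets before we hang up: bounds what a single bot can cost us."""
    return max(1, int(max_seconds // delay))


class TarpitHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.0"   # no Content-Length, no chunking: the body ends only when we close
    delay = 2.0                      # seconds between drips
    max_seconds = 600.0              # per-connection cap

    def _tarpit(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.end_headers()
        rng = random.Random()
        try:
            for _ in range(chunk_budget(self.max_seconds, self.delay)):
                self.wfile.write(bait_line(rng).encode())
                self.wfile.flush()          # push each line out instead of buffering it
                time.sleep(self.delay)
        except (BrokenPipeError, ConnectionResetError):
            pass                            # the bot gave up first; that is the goal

    do_GET = do_POST = _tarpit

    def log_message(self, fmt, *args):
        # one line per trapped request, to stderr (or wire this into your alerting)
        sys.stderr.write("tarpit %s %s %s\n" % (self.client_address[0], self.command, self.path))


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8081
    # ThreadingHTTPServer (Python 3.7+): one slow bot must not block the next one.
    ThreadingHTTPServer(("127.0.0.1", port), TarpitHandler).serve_forever()
```

The same accounting applies to the PHP version behind Apache: every bot sitting in the pit holds one Apache worker (and PHP process) for as long as the script keeps running, so keep the script's own time limit, PHP's max_execution_time and Apache's MaxRequestWorkers in mind, or sooner or later the scanners are the ones tarpitting you.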
The setup is really easy and straightforward. Make sure to use an internal URL rewrite and not a redirect to forward bots to the tarpit script: with a rewrite the bot keeps hammering /phpmyadmin and receives the tarpit's slow response on that very URL, whereas a 301/302 only hands it a short redirect response plus a new location that most scanners will never follow. mod_rewrite has to be enabled (a2enmod rewrite on Debian), and the tarpit script must live somewhere Apache serves it from.
In my example, access to /phpmyadmin is rewritten to the tarpit script dildo.php:
Code: Select all
RewriteEngine on
# only when there is no query string (the bots' POSTs in the log carry none)
RewriteCond %{QUERY_STRING} ^$
# match /phpmyadmin and everything below it (the bots POST to /phpmyadmin/index.php),
# in both server and .htaccess context; [L] without R= keeps this an internal rewrite
RewriteRule ^/?phpmyadmin(/.*)?$ /dildo.php [L]