Author Topic: phpMyAdmin Bruteforce From 127.0.0.1 ??


phpMyAdmin Bruteforce From 127.0.0.1 ??
« on: September 30, 2022, 07:33:39 AM »
I have paid for 10x CWP Pro licenses and I am the only user of my servers but I occasionally see this in /var/log/secure:

Code:
....
Sep 29 06:04:27 tiberion phpMyAdmin[122141]: user denied: dev (mysql-denied) from 127.0.0.1
Sep 29 06:04:29 tiberion phpMyAdmin[122141]: user denied: blog (mysql-denied) from 127.0.0.1
Sep 29 06:04:30 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:31 tiberion phpMyAdmin[122141]: user denied: nas (mysql-denied) from 127.0.0.1
Sep 29 06:04:34 tiberion phpMyAdmin[122141]: user denied: wordpress (mysql-denied) from 127.0.0.1
Sep 29 06:04:34 tiberion phpMyAdmin[122141]: user denied: root (empty-denied) from 127.0.0.1
Sep 29 06:04:35 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:36 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:36 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:37 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:38 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:38 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:39 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:40 tiberion phpMyAdmin[122141]: user denied: db (mysql-denied) from 127.0.0.1
Sep 29 06:04:54 tiberion phpMyAdmin[122141]: user denied: wordspress (mysql-denied) from 127.0.0.1
Sep 29 06:04:54 tiberion phpMyAdmin[122141]: user denied: shopdb (mysql-denied) from 127.0.0.1
Sep 29 06:04:55 tiberion phpMyAdmin[122141]: user denied: blog (mysql-denied) from 127.0.0.1
Sep 29 06:04:56 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:56 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:04:57 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:58 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:58 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:59 tiberion phpMyAdmin[122141]: user denied: database (mysql-denied) from 127.0.0.1
Sep 29 06:04:59 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:00 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:01 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:01 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:02 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:03 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:03 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:04 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:05 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:05 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:06 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:06 tiberion phpMyAdmin[122141]: user denied: pma (mysql-denied) from 127.0.0.1
Sep 29 06:05:07 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:08 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:08 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:09 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:10 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:10 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:11 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:12 tiberion phpMyAdmin[122141]: user denied: dbs (mysql-denied) from 127.0.0.1
Sep 29 06:05:12 tiberion phpMyAdmin[122141]: user denied: wordpress (mysql-denied) from 127.0.0.1
Sep 29 06:05:13 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:14 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:14 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:15 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:15 tiberion phpMyAdmin[122141]: user denied: user (mysql-denied) from 127.0.0.1
Sep 29 06:05:16 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:17 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:17 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:18 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:19 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:19 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:20 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:21 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:21 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:22 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:22 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:23 tiberion phpMyAdmin[122141]: user denied: nas (mysql-denied) from 127.0.0.1
Sep 29 06:05:24 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:24 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:25 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:26 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:26 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:27 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:28 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:28 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:29 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:30 tiberion phpMyAdmin[122141]: user denied: wordpress (mysql-denied) from 127.0.0.1
Sep 29 06:05:30 tiberion phpMyAdmin[122141]: user denied: wordpress (mysql-denied) from 127.0.0.1
Sep 29 06:05:31 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:31 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:32 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:33 tiberion phpMyAdmin[122141]: user denied: wp (mysql-denied) from 127.0.0.1
Sep 29 06:05:33 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:34 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:35 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:35 tiberion phpMyAdmin[122141]: user denied: dev (mysql-denied) from 127.0.0.1
Sep 29 06:05:36 tiberion phpMyAdmin[122141]: user denied: wp (mysql-denied) from 127.0.0.1
Sep 29 06:05:37 tiberion phpMyAdmin[122141]: user denied: shopdb (mysql-denied) from 127.0.0.1
Sep 29 06:05:37 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:38 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:38 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:39 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:40 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:40 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:41 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:42 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:42 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:43 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:44 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:44 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:45 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:45 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:46 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:47 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:47 tiberion phpMyAdmin[122141]: user denied: wp (mysql-denied) from 127.0.0.1
Sep 29 06:05:48 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:49 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:49 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:50 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:51 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:51 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:52 tiberion phpMyAdmin[122141]: user denied: sql (mysql-denied) from 127.0.0.1
Sep 29 06:05:53 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:53 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:54 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
....

At first I thought my server may have been compromised, but I do not think it is compromised because I see these failed login attempts on all of my servers occasionally. I have recently re-installed CWP. My systems are fully up-to-date as well.... I do not have anyone else using my servers.

When I try to replicate the issue using incorrect password on https://tiberion.mydomain.com:2087/pma I see this:
Code:
Sep 30 02:25:41 tiberion phpMyAdmin[1199600]: user denied: root (mysql-denied) from X.X.X.X

X.X.X.X is my home IP address .....

How am I seeing failed login attempts from 127.0.0.1?? I am the ONLY user of my servers, no customers, no one else uses the servers.

[SOLVED] Re: phpMyAdmin Bruteforce From 127.0.0.1 ??
« Reply #1 on: December 12, 2022, 05:08:38 AM »
The solution dawned on me today when I saw another attack... I found the attacker by cat'ing /usr/local/apache/domlogs/<server-ip>.log
They're using PMA (of course) but the IP is being reported as 127.0.0.1 because nginx is proxy_pass'ing the connection.

cat /usr/local/apache/domlogs/*.log | grep pma
Code:
...
93.86.160.221 - - [11/Dec/2022:23:56:17 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:17 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:18 -0500] "POST /pma/index.php HTTP/1.1" 200 4798 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:18 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4680 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:18 -0500] "POST /pma/index.php HTTP/1.1" 200 4796 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:18 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:18 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:19 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4677 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:19 -0500] "POST /pma/index.php HTTP/1.1" 200 4799 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:19 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:20 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:20 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:20 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:20 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:20 -0500] "POST /pma/index.php HTTP/1.1" 200 4795 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:21 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:21 -0500] "POST /pma/index.php HTTP/1.1" 200 4797 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:21 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:21 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:22 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4677 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:22 -0500] "POST /pma/index.php HTTP/1.1" 200 4796 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:22 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:22 -0500] "POST /pma/index.php HTTP/1.1" 200 4792 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:23 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4680 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:23 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:23 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4679 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:23 -0500] "POST /pma/index.php HTTP/1.1" 200 4799 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:23 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4679 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:24 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:24 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4680 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:24 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:24 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4679 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:25 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:25 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4680 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:25 -0500] "POST /pma/index.php HTTP/1.1" 200 4801 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:25 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
...
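The correlation described in this reply can be scripted. The following is an added example written for this thread (it is not the poster's code and not part of CWP): it parses the phpMyAdmin "user denied" lines from /var/log/secure, flags a burst of denials, and, because a loopback address there only identifies the nginx proxy, looks up which clients were POSTing to /pma/ in the Apache domlog during the same seconds. The log lines are constructed samples with aligned timestamps and documentation addresses (203.0.113.7, 198.51.100.9); the script assumes the syslog year is supplied by the caller (syslog lines carry none) and that both logs use the same local wall clock on the same host.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not the poster's real logs: phpMyAdmin entries as written to
# /var/log/secure, and Apache combined-format lines as found under /usr/local/apache/domlogs.
SECURE_LINES = """\
Sep 29 06:04:27 tiberion phpMyAdmin[122141]: user denied: dev (mysql-denied) from 127.0.0.1
Sep 29 06:04:29 tiberion phpMyAdmin[122141]: user denied: blog (mysql-denied) from 127.0.0.1
Sep 29 06:04:30 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:34 tiberion phpMyAdmin[122141]: user denied: root (empty-denied) from 127.0.0.1
Sep 29 06:04:35 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:36 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 09:15:02 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 198.51.100.9
""".splitlines()

ACCESS_LINES = """\
203.0.113.7 - - [29/Sep/2022:06:04:27 -0400] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Sep/2022:06:04:27 -0400] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Sep/2022:06:04:29 -0400] "POST /pma/index.php HTTP/1.1" 200 4798 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Sep/2022:06:04:30 -0400] "POST /pma/index.php HTTP/1.1" 200 4796 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Sep/2022:06:04:34 -0400] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Sep/2022:06:04:35 -0400] "POST /pma/index.php HTTP/1.1" 200 4799 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Sep/2022:06:04:36 -0400] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Sep/2022:09:15:02 -0400] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "curl/7.86.0"
""".splitlines()

SECURE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ phpMyAdmin\[\d+\]: '
    r'user denied: (?P<user>.+?) \((?P<reason>[^)]+)\) from (?P<ip>\S+)$')
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_secure(lines, year):
    """Syslog lines carry no year, so the caller supplies it. Returns (ts, user, reason, ip)."""
    out = []
    for line in lines:
        m = SECURE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m['user'], m['reason'], m['ip']))
    return out

def parse_access(lines):
    """Combined-format lines. The UTC offset is dropped so the wall-clock time compares
    directly with the offset-less syslog timestamps written on the same host."""
    out = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'].split()[0], "%d/%b/%Y:%H:%M:%S")
            out.append((ts, m['ip'], m['method'], m['path']))
    return out

def find_bursts(denials, maxretry=5, findtime=60):
    """Group denials by the address phpMyAdmin reported and flag any run of at least
    maxretry denials whose first and last fall within findtime seconds."""
    by_ip = defaultdict(list)
    for ts, _user, _reason, ip in denials:
        by_ip[ip].append(ts)
    bursts = []
    for ip, times in by_ip.items():
        times.sort()
        i = 0
        while i < len(times):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= timedelta(seconds=findtime):
                j += 1
            if j - i + 1 >= maxretry:
                bursts.append({'reported_ip': ip, 'start': times[i], 'end': times[j], 'count': j - i + 1})
                i = j + 1
            else:
                i += 1
    return bursts

def attribute_clients(burst, access, slack=2):
    """A loopback address means phpMyAdmin only saw the nginx proxy; the real clients
    are whoever POSTed to /pma/ in the same window of the access log."""
    if not ipaddress.ip_address(burst['reported_ip']).is_loopback:
        return {burst['reported_ip']: burst['count']}
    lo = burst['start'] - timedelta(seconds=slack)
    hi = burst['end'] + timedelta(seconds=slack)
    return dict(Counter(ip for ts, ip, method, path in access
                        if method == 'POST' and path.startswith('/pma/') and lo <= ts <= hi))

def investigate(secure_lines, access_lines, year):
    """Bursts from the secure log, each annotated with the client addresses behind it."""
    access = parse_access(access_lines)
    results = []
    for burst in find_bursts(parse_secure(secure_lines, year)):
        burst['clients'] = attribute_clients(burst, access)
        results.append(burst)
    return results

if __name__ == "__main__":
    for r in investigate(SECURE_LINES, ACCESS_LINES, 2022):
        print(f"{r['count']} denials reported from {r['reported_ip']} between "
              f"{r['start']:%H:%M:%S} and {r['end']:%H:%M:%S}; clients in access log: {r['clients']}")
```

On a real box the two lists would come from reading /var/log/secure and the domlog for the server IP; the attribution is by time window only, so a legitimate login attempt in the same seconds would be listed next to the attacker, which is why the per-client counts are returned rather than a single address.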

[SOLVED] Re: phpMyAdmin Bruteforce From 127.0.0.1 ??
« Reply #2 on: December 13, 2022, 06:29:21 AM »
I've put the following config into the http{} block of /usr/local/cwpsrv/conf/cwpsrv.conf
Code:
log_format pma '[$time_local] $remote_addr, $http_x_real_ip, $http_x_forwarded_for - "$request" ($status) "$http_user_agent"';
and the following config into the location /pma {} block of /usr/local/cwpsrv/conf/cwp_services.conf
Code:
access_log /usr/local/apache/domlogs/pma-access.log pma;
Note that I've added $http_x_real_ip to the log_format line as /etc/nginx/proxy.inc contains "proxy_set_header X-Real-IP $remote_addr;" and the connections are being proxied (i.e. proxy_pass http://127.0.0.1:2031) via /etc/nginx/conf.d/<SERVERIP>.conf (which is why they are showing up as originating from 127.0.0.1 in /var/log/secure).

So now I have a log, specifically for PMA bruteforce attempts, containing the attacker's IP the next time it happens. I can then probably use LFD to automatically block the attack in realtime.

 :)

Re: phpMyAdmin Bruteforce From 127.0.0.1 ??
« Reply #3 on: December 20, 2022, 12:32:57 AM »
/usr/local/cwpsrv/conf/cwp_services.conf
/usr/local/cwpsrv/conf/cwpsrv.conf

I think these files will be reset with every CWP auto update. Double check to see if your edit is still there after an update. If it's not there anymore, you should look into another way of blocking these attempts WITHOUT editing CWP files.

I advise taking a look at fail2ban and its filters, or creating a filter in fail2ban that works with these attempts. Fail2ban can be told to read a specific log file and take actions based on the activity going on there.
Remember to change fail2ban's ban method to the following (so it will work correctly in conjunction with the CWP firewall manager):

Code:
banaction = csf
banaction_allports = csf

and create file '/etc/fail2ban/action.d/csf.conf'
and add this to file:
Code:
# fail2ban action config for csf deny / unblock IP
# /etc/fail2ban/action.d/csf.conf

[Definition]
actionstart =
actionstop =
actioncheck =

# to deny an IP and add to /etc/csf/csf.deny
#actionban = csf -d <ip> Fail2ban - <name> [<bantime> seconds]
actionban = csf -td <ip> <bantime> -p <port> Fail2ban - <name>

# to unblock an IP and remove from /etc/csf/csf.deny
actionunban = csf -tr <ip>

[Init]
name = default

« Last Edit: December 20, 2022, 12:41:40 AM by iraqiboy90 »
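Reply #2 defines a custom log_format and Reply #3 suggests a fail2ban filter over it; the following added example (written for this thread, not code from either poster, CWP or fail2ban) shows the logic such a filter needs, run over constructed sample lines in exactly that format. Two points it makes explicit: X-Real-IP is only trusted when the TCP peer is the local nginx proxy (127.0.0.1), because a client connecting straight to cwpsrv can send any value in that header; and the count is of POSTs to /pma/ within a sliding findtime window, fail2ban's maxretry/findtime semantics, since the access log does not record whether a login succeeded. The addresses (203.0.113.7, 198.51.100.23, 192.0.2.1) are documentation ranges, and port 2087 is the CWP port mentioned in the first post.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the "pma" log_format from Reply #2:
#   [$time_local] $remote_addr, $http_x_real_ip, $http_x_forwarded_for - "$request" ($status) "$http_user_agent"
# The 198.51.100.23 lines reached cwpsrv directly rather than through the nginx proxy; the second
# of them carries an X-Real-IP header the client set itself, which the filter must not believe.
SAMPLE_LOG = """\
[11/Dec/2022:23:56:17 -0500] 127.0.0.1, 203.0.113.7, - - "POST /pma/index.php HTTP/1.1" (200) "Mozilla/5.0"
[11/Dec/2022:23:56:17 -0500] 127.0.0.1, 203.0.113.7, - - "GET /pma/index.php?lang=en HTTP/1.1" (200) "Mozilla/5.0"
[11/Dec/2022:23:56:18 -0500] 127.0.0.1, 203.0.113.7, - - "POST /pma/index.php HTTP/1.1" (200) "Mozilla/5.0"
[11/Dec/2022:23:56:18 -0500] 127.0.0.1, 203.0.113.7, - - "POST /pma/index.php HTTP/1.1" (200) "Mozilla/5.0"
[11/Dec/2022:23:56:19 -0500] 127.0.0.1, 203.0.113.7, - - "POST /pma/index.php HTTP/1.1" (200) "Mozilla/5.0"
[11/Dec/2022:23:56:19 -0500] 127.0.0.1, 203.0.113.7, - - "POST /pma/index.php HTTP/1.1" (200) "Mozilla/5.0"
[11/Dec/2022:23:57:02 -0500] 198.51.100.23, -, - - "POST /pma/index.php HTTP/1.1" (200) "curl/7.86.0"
[11/Dec/2022:23:57:03 -0500] 198.51.100.23, 192.0.2.1, - - "POST /pma/index.php HTTP/1.1" (200) "curl/7.86.0"
""".splitlines()

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<remote>\S+), (?P<real>\S+), (?P<xff>\S+) - '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" \((?P<status>\d{3})\) "(?P<ua>[^"]*)"$')

# Only the local nginx that proxy_passes to cwpsrv may vouch for a client address.
TRUSTED_PROXIES = {ipaddress.ip_address('127.0.0.1')}

def client_ip(remote, real):
    """Use X-Real-IP only when the TCP peer is a trusted proxy; otherwise the header is
    client-controlled and would let a third party's address be banned instead."""
    if ipaddress.ip_address(remote) in TRUSTED_PROXIES and real != '-':
        return real
    return remote

def parse(lines):
    """One dict per well-formed line; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
            'client': client_ip(m['remote'], m['real']),
            'method': m['method'], 'path': m['path'], 'status': int(m['status']),
        })
    return events

def offenders(events, maxretry=5, findtime=600):
    """fail2ban semantics: a client is listed once it has maxretry matching requests inside a
    findtime-second sliding window. Returns {client: time the threshold was crossed}."""
    window = defaultdict(list)
    banned = {}
    for e in sorted(events, key=lambda e: e['ts']):
        if e['method'] != 'POST' or not e['path'].startswith('/pma/'):
            continue
        hits = window[e['client']]
        hits.append(e['ts'])
        while e['ts'] - hits[0] > timedelta(seconds=findtime):
            hits.pop(0)
        if len(hits) >= maxretry and e['client'] not in banned:
            banned[e['client']] = e['ts']
    return banned

def csf_ban_command(ip, bantime, port, name):
    """argv matching the actionban line of the csf.conf in Reply #3 (built, not executed)."""
    return ['csf', '-td', ip, str(bantime), '-p', str(port), 'Fail2ban', '-', name]

if __name__ == '__main__':
    for ip, when in offenders(parse(SAMPLE_LOG)).items():
        print(f"{ip} crossed the threshold at {when:%Y-%m-%d %H:%M:%S}: "
              + ' '.join(csf_ban_command(ip, 3600, 2087, 'pma')))
```

In a real fail2ban filter the two address positions become two failregex lines, one with `<HOST>` in the X-Real-IP slot preceded by a literal `127.0.0.1, `, and one with `<HOST>` in the remote_addr slot, so that fail2ban applies the same trust rule the `client_ip` function encodes here.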

Re: phpMyAdmin Bruteforce From 127.0.0.1 ??
« Reply #4 on: December 23, 2022, 02:27:22 AM »
/usr/local/cwpsrv/conf/cwp_services.conf
/usr/local/cwpsrv/conf/cwpsrv.conf

I think these files will be reset with every CWP auto update. Double check to see if your edit is still there after an update. If it's not there anymore, you should look into another way of blocking these attempts WITHOUT editing CWP files.
Thank you for reminding me. When I make changes to system files I typically make the file immutable with chattr +i file but I forgot to do it this time and now you have reminded me  :D.

I advise taking a look at fail2ban and its filters, or creating a filter in fail2ban that works with these attempts. Fail2ban can be told to read a specific log file and take actions based on the activity going on there.
Remember to change fail2ban's ban method to the following (so it will work correctly in conjunction with the CWP firewall manager):
I will look into it. Thank you!!