Forum Moderators: coopster


what are they up to?

         

lucy24

10:25 pm on May 22, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



This will sound more like a robot question, but I already know they're a robot and that they were up to no good. My Error Log was unusually fat so I took a closer look and found

21 May 22:20:32//scripts/setup.php
21 May 22:20:32//admin/scripts/setup.php
21 May 22:20:32//admin/pma/scripts/setup.php
21 May 22:20:33//admin/phpmyadmin/scripts/setup.php
21 May 22:20:33//db/scripts/setup.php
21 May 22:20:33//dbadmin/scripts/setup.php
21 May 22:20:34//myadmin/scripts/setup.php
21 May 22:20:34//mysql/scripts/setup.php
21 May 22:20:34//mysqladmin/scripts/setup.php
21 May 22:20:35//typo3/phpmyadmin/scripts/setup.php

et cetera for a total of 94 nonexistent php and/or sql pages in 47 seconds. Mostly variations, for example phpMyAdmin-2.2.3 all the way up to 2.8.2. The double slashes are in the original.

Question: Can someone explain in words of two syllables what this evil robot (I instantly htaccessed 'em, of course) was trying to find, and what it most likely intended to do when it got there? I don't have any php-type stuff at all, hence the request for two syllables or less.

It's a teeny little site, mostly personal, so they can't have been motivated by anything beyond boredom or random malice. Unless they were looking for a way to sneak upstairs-- can you do this?-- and thought a small site was the best way to slip in unnoticed.

Leosghost

10:38 pm on May 22, 2011 (gmt 0)




Looking for php setup scripts to use to exploit ..sneak upstairs..;-)
No word longer than two syllables ..except of course, the word syllables itself ..:)

brotherhood of LAN

10:46 pm on May 22, 2011 (gmt 0)




Exploit finders, hack attempt, blockable requests.

"mostly personal"

and these bots aren't, they're just trawling a long list of domains and looking for ones to take advantage of.

rocknbil

5:17 pm on May 23, 2011 (gmt 0)




It's looking to see if the setup directory still exists for phpMyAdmin, which would allow them to re-run setup and potentially bork up your site. I imagine it works too, I see CMS based sites all the time with the setup directories still present and in default locations, config files still set to world write . . .

lucy24

3:40 am on May 24, 2011 (gmt 0)




"which would allow them to re-run setup and potentially bork up your site"

Well, if he wants to hijack the people who keep blundering into Grandmother Puss (honestly, do they not even glance at the two-line snippet? and thanks all the same, google, but sometimes I'd just as soon not be #1 in the results) and redirect them to his own filthy spammy virus-laden #*$!ographic site, he's welcome to 'em.

If you keep sending robots out to do this stuff at random, do you eventually land on a place where you can slurp up wads of bank passwords or credit-card numbers?
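
Added example, not part of the thread: a Python sketch that flags the pattern in the first post, one client requesting many nonexistent scripts/setup.php paths within a short window. The access-log lines are constructed (the paths come from the post; the client addresses are documentation-range placeholders), and the Common Log Format layout and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Common Log Format. Paths are from the post;
# client addresses are placeholders from the documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [21/May/2011:22:20:32 +0000] "GET //scripts/setup.php HTTP/1.1" 404 209
203.0.113.7 - - [21/May/2011:22:20:32 +0000] "GET //admin/scripts/setup.php HTTP/1.1" 404 215
203.0.113.7 - - [21/May/2011:22:20:32 +0000] "GET //admin/pma/scripts/setup.php HTTP/1.1" 404 219
198.51.100.20 - - [21/May/2011:22:20:33 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [21/May/2011:22:20:33 +0000] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 226
203.0.113.7 - - [21/May/2011:22:20:33 +0000] "GET //db/scripts/setup.php HTTP/1.1" 404 212
192.0.2.44 - - [21/May/2011:22:20:34 +0000] "GET /mysql/scripts/setup.php HTTP/1.1" 404 214
203.0.113.7 - - [21/May/2011:22:20:35 +0000] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 226
"""

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
PROBE_RE = re.compile(r'/scripts/setup\.php$', re.I)  # the probe target seen in the post


def find_scanners(log_text, min_hits=5, window=timedelta(seconds=60)):
    """Return {client: sorted probed paths} for every client that made at
    least min_hits 404 requests for a setup.php path inside the window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, ts, path, status = m.groups()
        if status == "404" and PROBE_RE.search(path.split("?")[0]):
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            hits[client].append((when, path))
    flagged = {}
    for client, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_hits:
                flagged[client] = sorted({p for _, p in events})
                break
    return flagged


if __name__ == "__main__":
    for client, paths in find_scanners(SAMPLE_LOG).items():
        print(client, len(paths), "setup.php probes")
```

A single stray 404 for a setup.php path stays below the threshold, so only the client walking the whole list is reported.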