Linode Forum

[joachimfermstad]

This is a extract from the access log of my default website (where portscanners and odd requests for the previous owners website goes).
Just trying to understand how/why the scriptkiddies that try to find phpmyadmin are taking more or less exactly 5 seconds for their requests.
Are they just sending a request and then wait 5 seconds before actually reading from the socket, or is there some "intelligence" behind doing something like this instead of just sloppy coding on their part?

Code: ::ffff:202.137.26.84 - - [01/Feb/2012:02:21:20 +0100]  "GET //index.php HTTP/1.1" 404 423 "-" "-" 5.004 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:20 +0100]  "GET //admin/index.php HTTP/1.1" 404 423 "-" "-" 5.000 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:25 +0100]  "GET //admin/phpmyadmin/index.php HTTP/1.1" 404 423 "-" "-" 5.000 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:30 +0100]  "GET //db/index.php HTTP/1.1" 404 423 "-" "-" 5.005 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:35 +0100]  "GET //myadmin/index.php HTTP/1.1" 404 423 "-" "-" 5.002 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:38 +0100]  "GET //mysql/index.php HTTP/1.1" 404 423 "-" "-" 5.001 - .
::ffff:202.137.26.84 - - [01/Feb/2012:02:21:38 +0100]  "GET //mysqladmin/index.php HTTP/1.1" 404 423 "-" "-" 5.001 - .

[hybinet]

An example of sloppy coding: two slashes at the beginning of the URI.

If this were Apache with mpm_prefork, holding up a connection for 5 seconds might count as a rudimentary DoS attack. But since this is nginx, I would guess there's no damage done.