I got hit by a phpMyAdmin scan a few days ago, and the scan started with a "GET /muieblackcat". phpMyAdmin is not installed, nor do I have a CMS installed, so I am safe as far as I can tell, but I'd like to determine what other accesses are known scans.

I have a Fail2ban setup that blocks known attack signatures. These signatures match accesses to files like "/muieblackcat" and user agents such as "ZmEu". I recently added a more generic signature that matches all accesses containing "/scripts/setup.php".

What other signatures do I need to block?

--DragonLord

_________________
House of DragonLord, powered by openSUSE

Why?

If you don't have the target, it's just more Internet noise to ignore.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.

I just took down PHPmyAdmin today. If you don't have what's trying to be hacked, or if you don't have a vulnerability, just ignore it as random internet noise. That happens.

_________________
Homepage www.sturmkrieg.com
Social network Gamernet
Development website Sashaweb Development
Imageboard img.sturmkrieg.com
WikiHub free wiki host Community Wiki