Do you run a website?

Even if you don’t but plan to, this is a good list to have. I detected a hacking attempt on Poker Terms from a Chinese IP. The hacker attempted to access these directories on the website:

/administrator/admin/
/administrator/PMA/
/administrator/web/
/administrator/db/
/administrator/pma/
/administrator/phpMyAdmin/
/administrator/phpmyadmin/
/administrator/web/
/administrator/phpMyAdmin/
/administrator/db/
/administrator/phpmyadmin/
/phpMyAdmin-2.11.5.1-all-languages/
/phpMyAdmin-2.11.6-all-languages/
/phpMyAdmin-2.11.7.1-all-languages/
/phpMyAdmin-2.11.7.1-all-languages-utf-8-only/
/phpMyAdmin-2.11.8.1-all-languages/
/phpMyAdmin-2.11.8.1-all-languages-utf-8-only/
/db/phpMyAdmin2/
/db/phpMyAdmin-2/
/db/phpmyadmin2/
/db/db-admin/
/db/dbadmin/
/db/webdb/
/db/websql/
/db/dbweb/
/db/webadmin/
/db/myadmin/
/database/phpMyAdmin/
/database/phpMyAdmin2/
/database/phpmyadmin2/
/database/database/
/database/phpMyAdmin/
/database/phpmyadmin/
/sql/phpMyAdmin/
/sql/phpMyAdmin2/
/sql/phpmyadmin2/
/sql/sql-admin/
/sql/sqladmin/
/sql/webdb/
/sql/websql/
/sql/sqlweb/
/sql/webadmin/
/sql/myadmin/
/sql/sql/
/sql/phpmy-admin/
/sql/php-myadmin/
/sql/phpmanager/
/mysql/mysqlmanager/
/mysql/sqlmanager/
/mysql/dbadmin/
/mysql/admin/
/mysql/pMA/
/mysql/web/
/mysql/db/
/mysql/pma/
/admin/pMA/
/admin/web/
/admin/db/
/admin/sqladmin/
/admin/sysadmin/
/admin/phpMyAdmin/
/admin/phpmyadmin/
/mysql-admin/
/mysqladmin/
/webdb/
/websql/
/sqlweb/
/webadmin/
/phpmy-admin/
/php-myadmin/
/mysqlmanager/
/sqlmanager/
/db/phpMyAdmin/
/db/phpmyadmin/
/database/
/qql/
/mysql/
/dbadmin/
/admin/
/db/
/pma/
/dbadmin/
/PMA/
/program/
/MyAdmin/
/myadmin/
/phppma/
/phpmy/
/phpmyadmin2/
/2phpmyadmin/
/phpmyAdmin/
/phpMyAdmin/
/phpMyadmin/
/phpmyadmin/
/mysql/mysqlmanager/
/mysql/sqlmanager/
/mysql/dbadmin/
/mysql/admin/

Even if you’re not a technical person, it’s clear that the guy was trying to get into some sort of admin backend system for PokerTerms. All of the “phpmyadmin” entries refer to phpMyAdmin, a commonly used database administration tool. While actually having your admin system in one of these directories isn’t the worst thing in the world (they still need to get through your username/password check most of the time), it obviously isn’t smart. Putting your admin system in a completely random directory is vastly better, because finding the admin system is the first step a hacker takes when attempting to break into your website. Of course you should also have a strong username and password so that, if they do find the login page of one of your admin systems, they cannot get in by brute force.

If you know someone who is an admin of a website, feel free to pass this list along as it could prove to be very helpful to them.
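One way to spot this kind of probing in ordinary web-server logs, as an added example here (not the author’s own tracking software): it flags any client that requests several distinct admin-tool directories from the list above and gets 404s back, matching the tool name in any path segment so the versioned phpMyAdmin folders are caught too. The combined log format is standard Apache/nginx; the sample lines and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Directory names of well-known database admin tools, taken from the list in the post.
ADMIN_TOOL_DIRS = {
    "phpmyadmin", "phpmyadmin2", "pma", "myadmin", "mysqladmin", "mysql-admin",
    "dbadmin", "webdb", "websql", "sqlweb", "webadmin", "mysqlmanager",
    "sqlmanager", "phpmy-admin", "php-myadmin", "phppma",
}

# Apache/nginx combined log format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return ip, path (query string dropped) and status; None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "path": m.group("path").split("?", 1)[0], "status": int(m.group("status"))}

def is_admin_probe(path):
    """True if any path segment names an admin tool (case-insensitive) or a versioned phpMyAdmin folder."""
    for seg in path.lower().strip("/").split("/"):
        if seg in ADMIN_TOOL_DIRS or seg.startswith("phpmyadmin-"):
            return True
    return False

def find_scanners(log_lines, threshold=5):
    """Clients that requested at least `threshold` distinct admin-tool paths that returned 404."""
    hits = defaultdict(set)
    for line in log_lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404 and is_admin_probe(rec["path"]):
            hits[rec["ip"]].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in hits.items() if len(paths) >= threshold}

# Constructed sample log; 203.0.113.x and 198.51.100.x are documentation-only addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Dec/2008:10:01:02 +0000] "GET /administrator/phpMyAdmin/ HTTP/1.1" 404 213 "-" "-"
203.0.113.7 - - [17/Dec/2008:10:01:02 +0000] "GET /phpMyAdmin-2.11.5.1-all-languages/ HTTP/1.1" 404 213 "-" "-"
203.0.113.7 - - [17/Dec/2008:10:01:03 +0000] "GET /db/dbadmin/ HTTP/1.1" 404 213 "-" "-"
203.0.113.7 - - [17/Dec/2008:10:01:03 +0000] "GET /sql/websql/ HTTP/1.1" 404 213 "-" "-"
203.0.113.7 - - [17/Dec/2008:10:01:04 +0000] "GET /pma/ HTTP/1.1" 404 213 "-" "-"
203.0.113.7 - - [17/Dec/2008:10:01:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 213 "-" "-"
198.51.100.9 - - [17/Dec/2008:10:05:00 +0000] "GET /index.php?id=3 HTTP/1.1" 200 5120 "-" "-"
198.51.100.9 - - [17/Dec/2008:10:05:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 213 "-" "-"
"""
```

Run `find_scanners(open("access.log").read().splitlines())` against a real log to get a map of scanning clients to the admin-tool paths they tried; a single stray 404 on /phpmyadmin/ from a normal visitor stays below the threshold.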

  • Thanks Nat.

    Eric

    December 17, 2008

  • Nice post Nat.

    Garbage like this happens all the time. The most lethal is junk coming into your site from URL parameters, form submissions, etc..

    Just today, 65.254.224.34 tried the following SQL injection attack on our site:
    “viewPage.cfm?id=convert(int,select%20top%201%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in%20(char(0))))–sp_password”

    Therefore, along with a completely random “admin” section, it’s also VERY important to make sure to check anything the user can pass to you: URL parameters, forum postings, comments, the list goes on and on...

    Thanks for the long list of URLs checked by spammers/hackers.

    Jeff

    December 17, 2008

  • Yea, I sanitize all of the data on the websites I code. I use a lot of pre-written regex to make sure that SQL injection never makes it to my database (hopefully that regex is solid!!).

    Nat

    December 17, 2008

  • Just wondering, how do you actually detect the hack?

    Mike

    December 19, 2008

  • I run custom visitor tracking software and I noticed it in my reports.

    Nat

    December 19, 2008
