[Honeypot Alert] Extensive 'setup.php" Scanning Detected

The SpiderLabs Research Team has identified an extensive scanning campaign which aims to enumerate the "setup.php" pages from a vast number of blogging and CMS applications. Below are the probes that we saw on our web honeypots today:

GET /3rdparty/phpMyAdmin/scripts/setup.php HTTP/1.1GET /admin/mysql/scripts/setup.php HTTP/1.1GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1GET //admin/pma/scripts/setup.php HTTP/1.1GET /admin/pma/scripts/setup.php HTTP/1.1GET /_admin/scripts/setup.php HTTP/1.1GET //admin/scripts/setup.php HTTP/1.1GET /admin/scripts/setup.php HTTP/1.1GET admin/scripts/setup.php HTTP/1.1GET //admm/scripts/setup.php HTTP/1.1GET /admm/scripts/setup.php HTTP/1.1GET //admn/scripts/setup.php HTTP/1.1GET /admn/scripts/setup.php HTTP/1.1GET /backup/phpmyadmin/scripts/setup.php HTTP/1.1GET /backup/phpMyAdmin/scripts/setup.php HTTP/1.1GET /bkup/phpmyadmin/scripts/setup.php HTTP/1.1GET /bkup/phpMyAdmin/scripts/setup.php HTTP/1.1GET /cpadmindb/scripts/setup.php HTTP/1.1GET /cpadmin/scripts/setup.php HTTP/1.1GET /cpanelmysql/scripts/setup.php HTTP/1.1GET /cpdbadmin/scripts/setup.php HTTP/1.1GET /cpphpmyadmin/scripts/setup.php HTTP/1.1GET //databaseadmin/scripts/setup.php HTTP/1.1GET /databaseadmin/scripts/setup.php HTTP/1.1GET //dbadmin/scripts/setup.php HTTP/1.1GET /dbadmin/scripts/setup.php HTTP/1.1GET //db/scripts/setup.php HTTP/1.1GET /db/scripts/setup.php HTTP/1.1GET //myadmin/scripts/setup.php HTTP/1.1GET /myadmin/scripts/setup.php HTTP/1.1GET /MyAdmin/scripts/setup.php HTTP/1.1GET /mysqladminconfig/scripts/setup.php HTTP/1.1GET //mysql-admin/scripts/setup.php HTTP/1.1GET //mysqladmin/scripts/setup.php HTTP/1.1GET /mysql-admin/scripts/setup.php HTTP/1.1GET /mysqladmin/scripts/setup.php HTTP/1.1GET /MySQLAdmin/scripts/setup.php HTTP/1.1GET //mysqlmanager/scripts/setup.php HTTP/1.1GET /mysqlmanager/scripts/setup.php HTTP/1.1GET //mysql/scripts/setup.php HTTP/1.1GET //phpadmin/scripts/setup.php HTTP/1.1GET /phpadmin/scripts/setup.php HTTP/1.1GET //phpmanager/scripts/setup.php HTTP/1.1GET /phpmanager/scripts/setup.php HTTP/1.1GET /phpm/scripts/setup.php HTTP/1.1GET /phpmyadmin/%0Dscripts/setup.php HTTP/1.1GET //phpmyadmin1/scripts/setup.php HTTP/1.1GET /phpmyadmin1/scripts/setup.php HTTP/1.1GET /phpMyAdmin1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.2.3/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.2.6/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.5-pl1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.5-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.5-rc2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.6-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.6-rc2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.6/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.7-pl1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.7/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-alpha2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-alpha/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-beta1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-beta2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-pl1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-pl2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-pl3/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-rc2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-rc3/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.1-pl1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.1-pl2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.1-pl3/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.1-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.1-rc2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.2-beta1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.2-pl1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.2-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.3-pl1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.3-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.4-pl1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.4-pl2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.4-pl3/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.4-pl4/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.4-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.4/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.7.0-beta1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.7.0-pl1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.7.0-pl2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.7.0-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.7.0/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.0.1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.0.2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.0.3/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.0.4/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.0-beta1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.0-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.0-rc2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.0/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.1-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1GET //phpmyadmin2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1GET /_phpmyadmin/scripts/setup.php HTTP/1.1GET //php-my-admin/scripts/setup.php HTTP/1.1GET //php-myadmin/scripts/setup.php HTTP/1.1GET //phpmy-admin/scripts/setup.php HTTP/1.1GET //phpmyadmin/scripts/setup.php HTTP/1.1GET /php-my-admin/scripts/setup.php HTTP/1.1GET /php-myadmin/scripts/setup.php HTTP/1.1GET /phpmy-admin/scripts/setup.php HTTP/1.1GET /phpmyadmin/scripts/setup.php HTTP/1.1GET /_phpMyAdmin/scripts/setup.php HTTP/1.1GET //phpMyAdmin/scripts/setup.php HTTP/1.1GET /phpMyAdmin/scripts/setup.php HTTP/1.1GET /pHpMyAdMiN/scripts/setup.php HTTP/1.1GET /PHPMYADMIN/scripts/setup.php HTTP/1.1GET /phpMyAdmi/scripts/setup.php HTTP/1.1GET /phpmyad/scripts/setup.php HTTP/1.1GET /phpMyAds/scripts/setup.php HTTP/1.1GET /phpmyad-sys/scripts/setup.php HTTP/1.1GET /phpmya/scripts/setup.php HTTP/1.1GET /phpMyA/scripts/setup.php HTTP/1.1GET /phpmy/scripts/setup.php HTTP/1.1GET /php/scripts/setup.php HTTP/1.1GET //pma2005/scripts/setup.php HTTP/1.1GET /pma2005/scripts/setup.php HTTP/1.1GET //PMA2005/scripts/setup.php HTTP/1.1GET /PMA2005/scripts/setup.php HTTP/1.1GET //p/m/a/scripts/setup.php HTTP/1.1GET //pma/scripts/setup.php HTTP/1.1GET /p/m/a/scripts/setup.php HTTP/1.1GET /pma/scripts/setup.php HTTP/1.1GET /~/PMA/scripts/setup.php HTTP/1.1GET /PMA/scripts/setup.php HTTP/1.1GET /roundcube/scripts/setup.php HTTP/1.1GET //scripts/setup.php HTTP/1.1GET /scripts/setup.php HTTP/1.1GET /sl2/data/scripts/setup.php HTTP/1.1GET /sqladmin/scripts/setup.php HTTP/1.1GET //sqlmanager/scripts/setup.php HTTP/1.1GET /sqlmanager/scripts/setup.php HTTP/1.1GET /sql/scripts/setup.php HTTP/1.1GET //sqlweb/scripts/setup.php HTTP/1.1GET /sqlweb/scripts/setup.php HTTP/1.1GET /SSLMySQLAdmin/scripts/setup.php HTTP/1.1GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1GET /vhcs2/tools/pma/scripts/setup.php HTTP/1.1GET //webadmin/scripts/setup.php HTTP/1.1GET /webadmin/scripts/setup.php HTTP/1.1GET //webdb/scripts/setup.php HTTP/1.1GET /webdb/scripts/setup.php HTTP/1.1GET /web/phpmyadmin/scripts/setup.php HTTP/1.1GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1GET //web/scripts/setup.php HTTP/1.1GET /web/scripts/setup.php HTTP/1.1GET //websql/scripts/setup.php HTTP/1.1GET /websql/scripts/setup.php HTTP/1.1GET /wp-content/plugins/wp-phpmyadmin/wp-phpmyadmin/phpmyadmin/scripts/setup.php HTTP/1.1GET /wp-phpmyadmin/scripts/setup.php HTTP/1.1GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1

Here are the two different User-Agent strings used in the probes:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]User-Agent: Opera

There were no follow-up exploit attempts with this scanning which leads us to believe either:

  1. Since all of these requests resulted in 404 Not Found status codes, the target application was not present so an actual attack was not executed, or
  2. This is merely an enumeration scanning exercise where the attacker(s) are mapping out possible future targets. When a new vulnerability is found within one of these application in the future, the attacker can simplly consult their own list of possible targets.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.