[Honeypot Alert] Extensive 'setup.php' Scanning Detected
The SpiderLabs Research Team has identified an extensive scanning campaign that aims to enumerate the "setup.php" pages of a large number of blogging and CMS applications. Below are the probes that we saw on our web honeypots today:
GET /3rdparty/phpMyAdmin/scripts/setup.php HTTP/1.1
GET /admin/mysql/scripts/setup.php HTTP/1.1
GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1
GET //admin/pma/scripts/setup.php HTTP/1.1
GET /admin/pma/scripts/setup.php HTTP/1.1
GET /_admin/scripts/setup.php HTTP/1.1
GET //admin/scripts/setup.php HTTP/1.1
GET /admin/scripts/setup.php HTTP/1.1
GET admin/scripts/setup.php HTTP/1.1
GET //admm/scripts/setup.php HTTP/1.1
GET /admm/scripts/setup.php HTTP/1.1
GET //admn/scripts/setup.php HTTP/1.1
GET /admn/scripts/setup.php HTTP/1.1
GET /backup/phpmyadmin/scripts/setup.php HTTP/1.1
GET /backup/phpMyAdmin/scripts/setup.php HTTP/1.1
GET /bkup/phpmyadmin/scripts/setup.php HTTP/1.1
GET /bkup/phpMyAdmin/scripts/setup.php HTTP/1.1
GET /cpadmindb/scripts/setup.php HTTP/1.1
GET /cpadmin/scripts/setup.php HTTP/1.1
GET /cpanelmysql/scripts/setup.php HTTP/1.1
GET /cpdbadmin/scripts/setup.php HTTP/1.1
GET /cpphpmyadmin/scripts/setup.php HTTP/1.1
GET //databaseadmin/scripts/setup.php HTTP/1.1
GET /databaseadmin/scripts/setup.php HTTP/1.1
GET //dbadmin/scripts/setup.php HTTP/1.1
GET /dbadmin/scripts/setup.php HTTP/1.1
GET //db/scripts/setup.php HTTP/1.1
GET /db/scripts/setup.php HTTP/1.1
GET //myadmin/scripts/setup.php HTTP/1.1
GET /myadmin/scripts/setup.php HTTP/1.1
GET /MyAdmin/scripts/setup.php HTTP/1.1
GET /mysqladminconfig/scripts/setup.php HTTP/1.1
GET //mysql-admin/scripts/setup.php HTTP/1.1
GET //mysqladmin/scripts/setup.php HTTP/1.1
GET /mysql-admin/scripts/setup.php HTTP/1.1
GET /mysqladmin/scripts/setup.php HTTP/1.1
GET /MySQLAdmin/scripts/setup.php HTTP/1.1
GET //mysqlmanager/scripts/setup.php HTTP/1.1
GET /mysqlmanager/scripts/setup.php HTTP/1.1
GET //mysql/scripts/setup.php HTTP/1.1
GET //phpadmin/scripts/setup.php HTTP/1.1
GET /phpadmin/scripts/setup.php HTTP/1.1
GET //phpmanager/scripts/setup.php HTTP/1.1
GET /phpmanager/scripts/setup.php HTTP/1.1
GET /phpm/scripts/setup.php HTTP/1.1
GET /phpmyadmin/%0Dscripts/setup.php HTTP/1.1
GET //phpmyadmin1/scripts/setup.php HTTP/1.1
GET /phpmyadmin1/scripts/setup.php HTTP/1.1
GET /phpMyAdmin1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.2.3/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.2.6/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.5.1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.5.5-pl1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.5.5-rc1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.5.5-rc2/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.5.6-rc1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.5.6-rc2/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.5.6/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.5.7-pl1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.5.7/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.0-alpha2/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.0-alpha/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.0-beta1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.0-beta2/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.0-pl1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.0-pl2/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.0-pl3/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.0-rc1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.0-rc2/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.0-rc3/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.0/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.1-pl1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.1-pl2/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.1-pl3/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.1-rc1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.1-rc2/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.2-beta1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.2-pl1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.2-rc1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.2/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.3-pl1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.3-rc1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.4-pl1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.4-pl2/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.4-pl3/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.4-pl4/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.4-rc1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.6.4/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.7.0-beta1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.7.0-pl1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.7.0-pl2/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.7.0-rc1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.7.0/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.8.0.1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.8.0.2/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.8.0.3/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.8.0.4/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.8.0-beta1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.8.0-rc1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.8.0-rc2/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.8.0/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.8.1-rc1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.8.1/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1
GET //phpmyadmin2/scripts/setup.php HTTP/1.1
GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1
GET /_phpmyadmin/scripts/setup.php HTTP/1.1
GET //php-my-admin/scripts/setup.php HTTP/1.1
GET //php-myadmin/scripts/setup.php HTTP/1.1
GET //phpmy-admin/scripts/setup.php HTTP/1.1
GET //phpmyadmin/scripts/setup.php HTTP/1.1
GET /php-my-admin/scripts/setup.php HTTP/1.1
GET /php-myadmin/scripts/setup.php HTTP/1.1
GET /phpmy-admin/scripts/setup.php HTTP/1.1
GET /phpmyadmin/scripts/setup.php HTTP/1.1
GET /_phpMyAdmin/scripts/setup.php HTTP/1.1
GET //phpMyAdmin/scripts/setup.php HTTP/1.1
GET /phpMyAdmin/scripts/setup.php HTTP/1.1
GET /pHpMyAdMiN/scripts/setup.php HTTP/1.1
GET /PHPMYADMIN/scripts/setup.php HTTP/1.1
GET /phpMyAdmi/scripts/setup.php HTTP/1.1
GET /phpmyad/scripts/setup.php HTTP/1.1
GET /phpMyAds/scripts/setup.php HTTP/1.1
GET /phpmyad-sys/scripts/setup.php HTTP/1.1
GET /phpmya/scripts/setup.php HTTP/1.1
GET /phpMyA/scripts/setup.php HTTP/1.1
GET /phpmy/scripts/setup.php HTTP/1.1
GET /php/scripts/setup.php HTTP/1.1
GET //pma2005/scripts/setup.php HTTP/1.1
GET /pma2005/scripts/setup.php HTTP/1.1
GET //PMA2005/scripts/setup.php HTTP/1.1
GET /PMA2005/scripts/setup.php HTTP/1.1
GET //p/m/a/scripts/setup.php HTTP/1.1
GET //pma/scripts/setup.php HTTP/1.1
GET /p/m/a/scripts/setup.php HTTP/1.1
GET /pma/scripts/setup.php HTTP/1.1
GET /~/PMA/scripts/setup.php HTTP/1.1
GET /PMA/scripts/setup.php HTTP/1.1
GET /roundcube/scripts/setup.php HTTP/1.1
GET //scripts/setup.php HTTP/1.1
GET /scripts/setup.php HTTP/1.1
GET /sl2/data/scripts/setup.php HTTP/1.1
GET /sqladmin/scripts/setup.php HTTP/1.1
GET //sqlmanager/scripts/setup.php HTTP/1.1
GET /sqlmanager/scripts/setup.php HTTP/1.1
GET /sql/scripts/setup.php HTTP/1.1
GET //sqlweb/scripts/setup.php HTTP/1.1
GET /sqlweb/scripts/setup.php HTTP/1.1
GET /SSLMySQLAdmin/scripts/setup.php HTTP/1.1
GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1
GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1
GET /vhcs2/tools/pma/scripts/setup.php HTTP/1.1
GET //webadmin/scripts/setup.php HTTP/1.1
GET /webadmin/scripts/setup.php HTTP/1.1
GET //webdb/scripts/setup.php HTTP/1.1
GET /webdb/scripts/setup.php HTTP/1.1
GET /web/phpmyadmin/scripts/setup.php HTTP/1.1
GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1
GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1
GET //web/scripts/setup.php HTTP/1.1
GET /web/scripts/setup.php HTTP/1.1
GET //websql/scripts/setup.php HTTP/1.1
GET /websql/scripts/setup.php HTTP/1.1
GET /wp-content/plugins/wp-phpmyadmin/wp-phpmyadmin/phpmyadmin/scripts/setup.php HTTP/1.1
GET /wp-phpmyadmin/scripts/setup.php HTTP/1.1
GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1
GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1
Here are the two different User-Agent strings used in the probes:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
User-Agent: Opera
There were no follow-up exploit attempts with this scanning, which leads us to believe either:
- Since all of these requests resulted in 404 Not Found status codes, the target application was not present, so an actual attack was not executed, or
- This is merely an enumeration scanning exercise in which the attacker(s) are mapping out possible future targets. When a new vulnerability is found within one of these applications in the future, the attacker can simply consult their own list of possible targets.
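The following is an added example, not code from the SpiderLabs post, showing how a defender can pull the same signal out of an ordinary web server access log: it groups requests for any path ending in scripts/setup.php by source address, canonicalises the scanner's path variations (doubled slashes, mixed case, the %0D probe, a missing leading slash) so they count as one target, records the User-Agent strings seen, and separates the two outcomes the alert distinguishes, a string of 404s that only shows enumeration from a setup script that actually answered, which is a live exposure. The log lines are constructed for the example (RFC 5737 documentation addresses, placeholder timestamps) but reuse the probe paths and User-Agent strings listed above; Combined Log Format, the min_paths threshold and the verdict labels are assumptions of the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format). Source addresses
# are RFC 5737 documentation addresses and timestamps are placeholders; the
# paths and User-Agent strings mirror the probes reported in the alert.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2012:14:02:11 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
203.0.113.7 - - [10/Mar/2012:14:02:11 +0000] "GET //phpMyAdmin-2.6.0/scripts/setup.php HTTP/1.1" 404 209 "-" "Opera"
203.0.113.7 - - [10/Mar/2012:14:02:12 +0000] "GET /phpmyadmin/%0Dscripts/setup.php HTTP/1.1" 404 209 "-" "Opera"
203.0.113.7 - - [10/Mar/2012:14:02:12 +0000] "GET /pHpMyAdMiN/scripts/setup.php HTTP/1.1" 404 209 "-" "Opera"
203.0.113.7 - - [10/Mar/2012:14:02:13 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 209 "-" "Opera"
198.51.100.4 - - [10/Mar/2012:14:05:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2012:14:05:03 +0000] "GET /blog/scripts/setup.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one Combined Log Format line; return None when it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def normalize_path(path):
    """Canonicalise a request path so scanner variations collapse together:
    percent-decode (the %0D probe), drop control characters, lowercase,
    collapse repeated slashes and ensure a leading slash."""
    path = unquote(path.split("?", 1)[0])
    path = "".join(ch for ch in path if ch.isprintable())
    path = re.sub(r"/+", "/", path.lower())
    if not path.startswith("/"):
        path = "/" + path
    return path


def is_setup_probe(norm_path):
    """Common signature of the campaign: every probe ends in /scripts/setup.php."""
    return norm_path.endswith("/scripts/setup.php")


def summarize(log_text, min_paths=3):
    """Group setup.php probes by source address and label each source.
    min_paths is an assumed threshold: a source trying at least this many
    distinct normalised paths is treated as an enumeration scan."""
    per_src = defaultdict(lambda: {"probes": 0, "not_found": 0, "served": 0,
                                   "paths": set(), "user_agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        norm = normalize_path(rec["target"])
        if not is_setup_probe(norm):
            continue
        s = per_src[rec["src"]]
        s["probes"] += 1
        s["paths"].add(norm)
        s["user_agents"].add(rec["ua"])
        if rec["status"] == 404:
            s["not_found"] += 1
        elif rec["status"] < 400:
            s["served"] += 1

    report = {}
    for src, s in per_src.items():
        if s["served"]:
            # A setup script answered: the application is present, so this is a
            # live exposure to review, not just a scanner collecting 404s.
            verdict = "exposed-setup-served"
        elif len(s["paths"]) >= min_paths:
            verdict = "enumeration-scan"
        else:
            verdict = "single-probe"
        report[src] = {
            "probes": s["probes"],
            "distinct_paths": len(s["paths"]),
            "not_found": s["not_found"],
            "served": s["served"],
            "user_agents": sorted(s["user_agents"]),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info["verdict"], info)
```

On the constructed input the scanner address is reported as an enumeration scan with five probes against three distinct targets and two User-Agent strings, while the second address, whose single request to a setup.php path received a 200, is flagged as a served exposure; for a real log the function would be run over the file contents instead of SAMPLE_LOG, and the 200 case is the one worth an immediate look.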