SpiderLabs Blog

[Honeypot Alert] Extensive 'setup.php' Scanning Detected

January 12, 2012 5 minutes read Ryan Barnett

The SpiderLabs Research Team has identified an extensive scanning campaign which aims to enumerate the "setup.php" pages from a vast number of blogging and CMS applications. Below are the probes that we saw on our web honeypots today:

GET /3rdparty/phpMyAdmin/scripts/setup.php HTTP/1.1GET /admin/mysql/scripts/setup.php HTTP/1.1GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1GET //admin/pma/scripts/setup.php HTTP/1.1GET /admin/pma/scripts/setup.php HTTP/1.1GET /_admin/scripts/setup.php HTTP/1.1GET //admin/scripts/setup.php HTTP/1.1GET /admin/scripts/setup.php HTTP/1.1GET admin/scripts/setup.php HTTP/1.1GET //admm/scripts/setup.php HTTP/1.1GET /admm/scripts/setup.php HTTP/1.1GET //admn/scripts/setup.php HTTP/1.1GET /admn/scripts/setup.php HTTP/1.1GET /backup/phpmyadmin/scripts/setup.php HTTP/1.1GET /backup/phpMyAdmin/scripts/setup.php HTTP/1.1GET /bkup/phpmyadmin/scripts/setup.php HTTP/1.1GET /bkup/phpMyAdmin/scripts/setup.php HTTP/1.1GET /cpadmindb/scripts/setup.php HTTP/1.1GET /cpadmin/scripts/setup.php HTTP/1.1GET /cpanelmysql/scripts/setup.php HTTP/1.1GET /cpdbadmin/scripts/setup.php HTTP/1.1GET /cpphpmyadmin/scripts/setup.php HTTP/1.1GET //databaseadmin/scripts/setup.php HTTP/1.1GET /databaseadmin/scripts/setup.php HTTP/1.1GET //dbadmin/scripts/setup.php HTTP/1.1GET /dbadmin/scripts/setup.php HTTP/1.1GET //db/scripts/setup.php HTTP/1.1GET /db/scripts/setup.php HTTP/1.1GET //myadmin/scripts/setup.php HTTP/1.1GET /myadmin/scripts/setup.php HTTP/1.1GET /MyAdmin/scripts/setup.php HTTP/1.1GET /mysqladminconfig/scripts/setup.php HTTP/1.1GET //mysql-admin/scripts/setup.php HTTP/1.1GET //mysqladmin/scripts/setup.php HTTP/1.1GET /mysql-admin/scripts/setup.php HTTP/1.1GET /mysqladmin/scripts/setup.php HTTP/1.1GET /MySQLAdmin/scripts/setup.php HTTP/1.1GET //mysqlmanager/scripts/setup.php HTTP/1.1GET /mysqlmanager/scripts/setup.php HTTP/1.1GET //mysql/scripts/setup.php HTTP/1.1GET //phpadmin/scripts/setup.php HTTP/1.1GET /phpadmin/scripts/setup.php HTTP/1.1GET //phpmanager/scripts/setup.php HTTP/1.1GET /phpmanager/scripts/setup.php HTTP/1.1GET /phpm/scripts/setup.php HTTP/1.1GET /phpmyadmin/%0Dscripts/setup.php HTTP/1.1GET //phpmyadmin1/scripts/setup.php HTTP/1.1GET /phpmyadmin1/scripts/setup.php HTTP/1.1GET /phpMyAdmin1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.2.3/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.2.6/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.5-pl1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.5-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.5-rc2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.6-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.6-rc2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.6/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.7-pl1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.5.7/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-alpha2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-alpha/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-beta1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-beta2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-pl1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-pl2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-pl3/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-rc2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0-rc3/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.0/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.1-pl1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.1-pl2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.1-pl3/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.1-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.1-rc2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.2-beta1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.2-pl1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.2-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.3-pl1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.3-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.4-pl1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.4-pl2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.4-pl3/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.4-pl4/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.4-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.6.4/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.7.0-beta1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.7.0-pl1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.7.0-pl2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.7.0-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.7.0/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.0.1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.0.2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.0.3/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.0.4/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.0-beta1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.0-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.0-rc2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.0/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.1-rc1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.1/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1GET //phpmyadmin2/scripts/setup.php HTTP/1.1GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1GET /_phpmyadmin/scripts/setup.php HTTP/1.1GET //php-my-admin/scripts/setup.php HTTP/1.1GET //php-myadmin/scripts/setup.php HTTP/1.1GET //phpmy-admin/scripts/setup.php HTTP/1.1GET //phpmyadmin/scripts/setup.php HTTP/1.1GET /php-my-admin/scripts/setup.php HTTP/1.1GET /php-myadmin/scripts/setup.php HTTP/1.1GET /phpmy-admin/scripts/setup.php HTTP/1.1GET /phpmyadmin/scripts/setup.php HTTP/1.1GET /_phpMyAdmin/scripts/setup.php HTTP/1.1GET //phpMyAdmin/scripts/setup.php HTTP/1.1GET /phpMyAdmin/scripts/setup.php HTTP/1.1GET /pHpMyAdMiN/scripts/setup.php HTTP/1.1GET /PHPMYADMIN/scripts/setup.php HTTP/1.1GET /phpMyAdmi/scripts/setup.php HTTP/1.1GET /phpmyad/scripts/setup.php HTTP/1.1GET /phpMyAds/scripts/setup.php HTTP/1.1GET /phpmyad-sys/scripts/setup.php HTTP/1.1GET /phpmya/scripts/setup.php HTTP/1.1GET /phpMyA/scripts/setup.php HTTP/1.1GET /phpmy/scripts/setup.php HTTP/1.1GET /php/scripts/setup.php HTTP/1.1GET //pma2005/scripts/setup.php HTTP/1.1GET /pma2005/scripts/setup.php HTTP/1.1GET //PMA2005/scripts/setup.php HTTP/1.1GET /PMA2005/scripts/setup.php HTTP/1.1GET //p/m/a/scripts/setup.php HTTP/1.1GET //pma/scripts/setup.php HTTP/1.1GET /p/m/a/scripts/setup.php HTTP/1.1GET /pma/scripts/setup.php HTTP/1.1GET /~/PMA/scripts/setup.php HTTP/1.1GET /PMA/scripts/setup.php HTTP/1.1GET /roundcube/scripts/setup.php HTTP/1.1GET //scripts/setup.php HTTP/1.1GET /scripts/setup.php HTTP/1.1GET /sl2/data/scripts/setup.php HTTP/1.1GET /sqladmin/scripts/setup.php HTTP/1.1GET //sqlmanager/scripts/setup.php HTTP/1.1GET /sqlmanager/scripts/setup.php HTTP/1.1GET /sql/scripts/setup.php HTTP/1.1GET //sqlweb/scripts/setup.php HTTP/1.1GET /sqlweb/scripts/setup.php HTTP/1.1GET /SSLMySQLAdmin/scripts/setup.php HTTP/1.1GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1GET /vhcs2/tools/pma/scripts/setup.php HTTP/1.1GET //webadmin/scripts/setup.php HTTP/1.1GET /webadmin/scripts/setup.php HTTP/1.1GET //webdb/scripts/setup.php HTTP/1.1GET /webdb/scripts/setup.php HTTP/1.1GET /web/phpmyadmin/scripts/setup.php HTTP/1.1GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1GET //web/scripts/setup.php HTTP/1.1GET /web/scripts/setup.php HTTP/1.1GET //websql/scripts/setup.php HTTP/1.1GET /websql/scripts/setup.php HTTP/1.1GET /wp-content/plugins/wp-phpmyadmin/wp-phpmyadmin/phpmyadmin/scripts/setup.php HTTP/1.1GET /wp-phpmyadmin/scripts/setup.php HTTP/1.1GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1

Here are the two different User-Agent strings used in the probes:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]User-Agent: Opera

There were no follow-up exploit attempts with this scanning which leads us to believe either:

Since all of these requests resulted in 404 Not Found status codes, the target application was not present so an actual attack was not executed, or
This is merely an enumeration scanning exercise where the attacker(s) are mapping out possible future targets. When a new vulnerability is found within one of these application in the future, the attacker can simplly consult their own list of possible targets.

Latest SpiderLabs Blogs

EDR – The Multi-Tool of Security Defenses

This is Part 8 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

The Invisible Battleground: Essentials of EASM

Know your enemy – inside and out. External Attack Surface Management tools are an effective way to understand externally facing threats and help plan cyber defenses accordingly. Let’s discuss what...

Fake Dialog Boxes to Make Malware More Convincing

Let’s explore how SpiderLabs created and incorporated user prompts, specifically Windows dialog boxes into its malware loader to make it more convincing to phishing targets during a Red Team...

Experiencing a security breach?

Experiencing a security breach?

[Honeypot Alert] Extensive 'setup.php' Scanning Detected

Latest SpiderLabs Blogs

EDR – The Multi-Tool of Security Defenses

The Invisible Battleground: Essentials of EASM

Fake Dialog Boxes to Make Malware More Convincing

Stay Informed

Sign up to receive the latest
security news and trends straight
to your inbox from Trustwave.

Experiencing a security breach?

Experiencing a security breach?

[Honeypot Alert] Extensive 'setup.php' Scanning Detected

Latest SpiderLabs Blogs

EDR – The Multi-Tool of Security Defenses

The Invisible Battleground: Essentials of EASM

Fake Dialog Boxes to Make Malware More Convincing

Stay Informed

Sign up to receive the latest security news and trends straight to your inbox from Trustwave.

Sign up to receive the latest
security news and trends straight
to your inbox from Trustwave.