I have three honeypots looking for web attacks/scans, and lately all three of them detected scans looking for sqlmanager (mysqlmanager). It is the first time I have seen them looking for it, and I couldn’t find any reference to new vulnerabilities related to it. I changed my honeypots to respond successfully to these scans to be able to see what the exploits are all about.
Received From: hn1->/var/log/httpd/error_log
Rule: 30114 fired (level 10) -> "Multiple attempts to access non-existent files (web scan) from same source."
Portion of the log(s):
[Mon May 28 15:56:00 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/p
[Mon May 28 15:56:00 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/mysqlmanager
[Mon May 28 15:55:59 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/sqlmanager
[Mon May 28 15:55:59 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/pma2006
[Mon May 28 15:55:59 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/PMA2006
[Mon May 28 15:55:59 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/dbadmin
[Mon May 28 15:55:59 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/admin
[Mon May 28 15:55:59 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/PMA
[Mon May 28 15:55:59 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/web
[Mon May 28 15:55:59 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/db
--END OF NOTIFICATION
Any ideas out there? Did I miss something?
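An added example, not part of the original post and not OSSEC's own rule logic: a small Python correlator that groups Apache "File does not exist" errors by client, flags a source once it reaches a threshold inside a time window, and picks out the database-admin paths it probed. The threshold, the window, the `DB_ADMIN_NAMES` set and the 192.0.2.10 line are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache error_log entry for a request that mapped to a missing file.
LINE_RE = re.compile(r"\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<src>[^\]]+)\] "
                     r"File does not exist: (?P<path>[^,\s]+)")
# Assumed classification: last path components that name a DB admin front end.
DB_ADMIN_NAMES = {"mysqlmanager", "sqlmanager", "pma", "pma2006", "dbadmin", "db"}

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["src"], m["path"]

def find_scans(lines, threshold=8, window=timedelta(seconds=60)):
    """Map each source with >= threshold missing-file errors inside one
    window to the sorted set of paths it probed (thresholds are assumed)."""
    by_src = defaultdict(list)
    for ts, src, path in filter(None, map(parse, lines)):
        by_src[src].append((ts, path))
    scans = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                scans[src] = sorted({p for _, p in hits})
                break
    return scans

def db_admin_probes(paths):
    return [p for p in paths if p.rsplit("/", 1)[-1].lower() in DB_ADMIN_NAMES]

# Constructed sample: the ten paths from the alert above, plus one unrelated 404.
PATHS = "p mysqlmanager sqlmanager pma2006 PMA2006 dbadmin admin PMA web db".split()
SAMPLE = [f"[Mon May 28 15:55:59 2007] [error] [client 75.xx.xx.xx] "
          f"File does not exist: /var/www/html/{p}" for p in PATHS]
SAMPLE.append("[Mon May 28 16:20:11 2007] [error] [client 192.0.2.10] "
              "File does not exist: /var/www/html/favicon.ico")

if __name__ == "__main__":
    for src, paths in find_scans(SAMPLE).items():
        print(src, "probed", len(paths), "paths; DB admin:", db_admin_probes(paths))
```

Tracking which path names a flagged source asked for, rather than only counting misses, is what makes a newly added probe target such as sqlmanager stand out from one scan to the next.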