Forum Topic: people looking for /scripts and /phpmyadmin
They also look for /wp-content, /wp-admin, etc.
First of all, sometimes the phpmyadmin request has a referer: my own site, with a long, nasty-looking URL (i.e., http://site.com/phpmyadmin/www.phpmyadmin.com/phpmyadmin or something to that effect). I googled “spoof referer” and saw that people can easily do this, but still I have no idea if that’s really the case.
With their looking for /wp-whatever, the answer is pretty obvious, i.e., someone is looking for a vulnerability. Funny, thus far all confusing/questionable people seem to be in France or Russia based on IP lookups.
The /scripts search is interesting, I’ve tried googling about this but haven’t found anything yet. Are they looking for free JS plugins or what? :)
Anyway I haven’t done anything yet because I really need to just re-read the book from cover to cover again. I don’t want to make dumb newbie mistakes that send out all these “come and get me” vibes.
1 Reply to “people looking for /scripts and /phpmyadmin”
Yes, it’s trivial to spoof the referrer, user agent, and other details of the request. This is why it’s optimal to filter based on activity rather than identity.
/scripts is just another string to check that they’ve added to the scans. It may be a first step in some exploit, or it could reveal other available locations to scan, and so forth. There is a bottomless supply of such odd requests, and most are safely ignored as they pose no real threat (other than wasting resources and being a nuisance in general).
I’m thinking that scripts directory is checked to see if views are enabled; if so, chances are it will be investigated further. The question is do you bother blocking such odd requests, or let the server respond with a simple 404 Not Found?
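The reply's advice to filter on activity rather than identity, as an added example that is not part of the original thread: a small access-log check that flags clients by what they request (404s on the paths named above) and ignores the Referer and User-Agent fields entirely. The Combined Log Format input, the threshold of 3, and the sample lines are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Path prefixes named in the thread; extend to match what your own logs show.
PROBE_PREFIXES = ("/phpmyadmin", "/scripts", "/wp-content", "/wp-admin")

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "http://site.com/phpmyadmin/" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /scripts/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2024:10:00:09 +0000] "GET /scripts HTTP/1.1" 404 209 "-" "Mozilla/5.0"
not a log line
"""


def is_probe(path):
    """True if the request path (query string ignored) falls under a probe prefix."""
    p = path.split("?", 1)[0].lower()
    return any(p == pre or p.startswith(pre + "/") for pre in PROBE_PREFIXES)


def find_scanners(lines, threshold=3):
    """Return {ip: sorted distinct probe paths} for clients at or over threshold.

    Only the requested path and the 404 status are used. Referer and
    User-Agent are ignored because the client controls them.
    """
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        if m["status"] == "404" and is_probe(m["path"]):
            hits[m["ip"]].add(m["path"].split("?", 1)[0].lower())
    return {ip: sorted(p) for ip, p in hits.items() if len(p) >= threshold}


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(ip, "probed", ", ".join(paths))
```

A single stray 404 on /scripts stays below the threshold, so an ordinary visitor with one bad link is not flagged.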