pmafind
Friday, July 27th, 2007
Ugh. Nobody seems to know what this thing is, though it seems to be some kind of PHP worm roving the internet looking for phpMyAdmin exploits. It appears to have been around since 2005 and searches for an exploit in the phpMyAuth class of older phpMyAdmin distributions.
I’ve seen it knock one of my servers on three separate occasions; this from the first:
[05/Jul/2007:20:26:42 -0500] "GET /mysql-admin/main.php HTTP/1.0" 404 280 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 285 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /main.php HTTP/1.0" 404 268 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 285 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 285 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 285 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 285 "-" "pmafind"
Interesting that it looks for specific versions of phpMyAdmin. And odd that it announces itself by specifying a user-agent. ("Hi, worm here. Please let me in. Got a bit of infesting to do.")
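Since the scanner announces itself in the User-Agent and hammers a handful of phpMyAdmin-style paths within the same second, both traits make easy detections. The script below is an added example, not code from the post; it parses Apache-style log lines modelled on the entries quoted above (the sample is constructed, and the excerpt carries no client IP, so none is parsed), flags requests carrying the "pmafind" agent string, and separately flags a burst of 404s against phpMyAdmin-looking paths so the behaviour is caught even if a future variant changes its User-Agent. The path pattern and the burst threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample modelled on the log entries quoted in the post, plus one
# ordinary request so the detections have something to ignore.
SAMPLE_LOG = """\
[05/Jul/2007:20:26:42 -0500] "GET /mysql-admin/main.php HTTP/1.0" 404 280 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 285 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /main.php HTTP/1.0" 404 268 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 285 "-" "pmafind"
[05/Jul/2007:20:26:43 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (constructed)"
"""

# Matches the field layout shown in the post: [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'\[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# User-Agent strings known to belong to scanners (assumed list; "pmafind" is from the post).
KNOWN_SCANNER_AGENTS = {"pmafind"}

# Paths a phpMyAdmin probe typically tries: /phpMyAdmin-<ver>/main.php, /mysql-admin/main.php,
# or a bare /main.php. Assumed pattern derived from the quoted requests.
PMA_PATH_RE = re.compile(r"/(phpmyadmin|mysql-admin|pma)[^/]*/main\.php$|^/main\.php$", re.I)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def flag_scanner_hits(entries):
    """Return entries whose User-Agent is a known scanner string (case-insensitive)."""
    return [e for e in entries if e["agent"].lower() in KNOWN_SCANNER_AGENTS]


def flag_pma_bursts(entries, threshold=3):
    """Return {timestamp: count} for each second with at least `threshold` 404s
    against phpMyAdmin-style paths. This catches the probing pattern itself,
    independent of whatever User-Agent the scanner chooses to send."""
    counts = Counter(
        e["time"] for e in entries
        if e["status"] == 404 and PMA_PATH_RE.search(e["path"])
    )
    return {t: n for t, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for hit in flag_scanner_hits(parsed):
        print("scanner UA:", hit["time"], hit["path"])
    for when, n in flag_pma_bursts(parsed).items():
        print(f"phpMyAdmin probe burst: {n} x 404 at {when}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; if your log format includes the client IP (the post's excerpt does not), extend LOG_RE and key the burst counter on (ip, time) instead of time alone so unrelated clients are not lumped together.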
Deadmoo has a good, recent-ish post about it, though mostly Google just returns random posts and stats pages listing the pmafind referer. Where do these things come from?