1 23 45
18.104.22.168 - - [31/Oct/2013:01:53:23 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226 22.214.171.124 - - [31/Oct/2013:01:53:24 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 226126.96.36.199 - - [31/Oct/2013:01:53:24 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 219 188.8.131.52 - - [31/Oct/2013:01:53:24 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 223184.108.40.206 - - [31/Oct/2013:01:53:24 +0000] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 223
is typical. Although from December there appeared a 'new' bot that tried hundreds of PHP (and other stuff) vulnerabilities and lasted over 5 minutes.
So I got fed-up with this using my bandwidth, so coded a short script using the excellent IPSET add-on for IPTABLES.
I tail the httpd access_log and as soon as one of these requests come in, add the IP to the ipset group which is dropped immediately
Now, something strange has happened. After running this for 3 days, these 'scans' have dropped from two to three every 2 hours, to almost ZERO in the last 24 hours... this leads me to believe the infected machines running these bots must report back to 'bot control centre' and flag the bot network to drop my IP as it is unresponsive and a waste of resource. Google doesn't reveal much on this issue.
Anyway, I wish I done this ages ago.