DigitalOcean – There are some sharks out there!

I was recently setting up a quick proof-of-concept CodeIgniter prototype on a fresh DigitalOcean droplet and noticed quite a lot of activity in my log files. It seemed like someone (or some bot) was scanning my app for potential vulnerabilities and attack vectors! Yikes!

The Log File

Here’s a sample from the log file, with normal DEBUG log messages being omitted:
ERROR - 2014-07-22 19:53:17 --> 404 Page Not Found --> _PHPMYADMIN
ERROR - 2014-07-22 19:54:34 --> 404 Page Not Found --> _pHpMyAdMiN
ERROR - 2014-07-22 19:55:51 --> 404 Page Not Found --> _phpmyadmin
ERROR - 2014-07-22 19:59:35 --> 404 Page Not Found --> administrator
ERROR - 2014-07-22 20:00:13 --> 404 Page Not Found --> adminmysql
ERROR - 2014-07-22 20:01:30 --> 404 Page Not Found --> admn
ERROR - 2014-07-22 20:02:15 --> 404 Page Not Found --> admin
ERROR - 2014-07-22 20:02:45 --> 404 Page Not Found --> bbs
ERROR - 2014-07-22 20:07:19 --> 404 Page Not Found --> cpdbadmin
ERROR - 2014-07-22 20:08:41 --> 404 Page Not Found --> database
ERROR - 2014-07-22 20:10:42 --> 404 Page Not Found --> dbadm
ERROR - 2014-07-22 20:11:23 --> 404 Page Not Found --> dbsql
ERROR - 2014-07-22 20:12:43 --> 404 Page Not Found --> forum
ERROR - 2014-07-22 20:14:05 --> 404 Page Not Found --> httpdocs
ERROR - 2014-07-22 20:18:48 --> 404 Page Not Found --> php-my-admin
ERROR - 2014-07-22 20:20:08 --> 404 Page Not Found --> php
/*  
******************************************************************
NOTE: notice how 'phpmyadmin' is missing!  
See why later in this blog post
******************************************************************
*/
ERROR - 2014-07-22 20:21:29 --> 404 Page Not Found --> phpAdmin
ERROR - 2014-07-22 20:25:32 --> 404 Page Not Found --> phpMyAdmin-2.10.0
ERROR - 2014-07-22 20:26:13 --> 404 Page Not Found --> phpMyAdmin-2.10.1.0
ERROR - 2014-07-22 20:27:35 --> 404 Page Not Found --> phpMyAdmin-2.11.0.0
ERROR - 2014-07-22 20:28:16 --> 404 Page Not Found --> phpMyAdmin-2.11.1-all-languages
ERROR - 2014-07-22 20:31:38 --> 404 Page Not Found --> phpMyAdmin-2.11.10
ERROR - 2014-07-22 20:35:02 --> 404 Page Not Found --> phpMyAdmin-2.11.2
ERROR - 2014-07-22 20:35:43 --> 404 Page Not Found --> phpMyAdmin-2.11.3-all-languages
ERROR - 2014-07-22 20:42:28 --> 404 Page Not Found --> phpMyAdmin-2.11.5.1
ERROR - 2014-07-22 20:43:08 --> 404 Page Not Found --> phpMyAdmin-2.11.5.2
ERROR - 2014-07-22 20:45:11 --> 404 Page Not Found --> phpMyAdmin-2.11.6.0-english
ERROR - 2014-07-22 20:49:14 --> 404 Page Not Found --> phpMyAdmin-2.11.7.1-all-languages
ERROR - 2014-07-22 20:49:54 --> 404 Page Not Found --> phpMyAdmin-2.11.7.1-english
ERROR - 2014-07-22 20:56:37 --> 404 Page Not Found --> phpMyAdmin-2.11.9.0
ERROR - 2014-07-22 20:57:17 --> 404 Page Not Found --> phpMyAdmin-2.11.9.1-all-languages
ERROR - 2014-07-22 20:57:58 --> 404 Page Not Found --> phpMyAdmin-2.11.9.1-english
ERROR - 2014-07-22 21:00:39 --> 404 Page Not Found --> phpMyAdmin-2.11.9.2
ERROR - 2014-07-22 21:02:40 --> 404 Page Not Found --> phpMyAdmin-2.11.9.3
ERROR - 2014-07-22 21:05:20 --> 404 Page Not Found --> phpMyAdmin-2.11.9.5-all-languages
ERROR - 2014-07-22 21:06:42 --> 404 Page Not Found --> phpMyAdmin-2.2.3
ERROR - 2014-07-22 21:08:41 --> 404 Page Not Found --> phpMyAdmin-2.3.1
ERROR - 2014-07-22 21:12:44 --> 404 Page Not Found --> phpMyAdmin-2.3.7
ERROR - 2014-07-22 21:14:05 --> 404 Page Not Found --> phpMyAdmin-2.3.9
ERROR - 2014-07-22 21:14:45 --> 404 Page Not Found --> phpMyAdmin-2.4.0
ERROR - 2014-07-22 21:18:46 --> 404 Page Not Found --> phpMyAdmin-2.4.6
ERROR - 2014-07-22 21:22:47 --> 404 Page Not Found --> phpMyAdmin-2.5.2
ERROR - 2014-07-22 21:25:27 --> 404 Page Not Found --> phpMyAdmin-2.5.5-rc1
ERROR - 2014-07-22 21:26:06 --> 404 Page Not Found --> phpMyAdmin-2.5.5-rc1config
ERROR - 2014-07-22 21:28:07 --> 404 Page Not Found --> phpMyAdmin-2.5.6-rc1
ERROR - 2014-07-22 21:30:46 --> 404 Page Not Found --> phpMyAdmin-2.5.7
ERROR - 2014-07-22 21:32:06 --> 404 Page Not Found --> phpMyAdmin-2.5.9
ERROR - 2014-07-22 21:34:07 --> 404 Page Not Found --> phpMyAdmin-2.6.0-beta1
ERROR - 2014-07-22 21:36:07 --> 404 Page Not Found --> phpMyAdmin-2.6.0-pl2
ERROR - 2014-07-22 21:36:47 --> 404 Page Not Found --> phpMyAdmin-2.6.0-pl3
ERROR - 2014-07-22 21:37:28 --> 404 Page Not Found --> phpMyAdmin-2.6.0-rc1
ERROR - 2014-07-22 21:38:47 --> 404 Page Not Found --> phpMyAdmin-2.6.0-rc3
ERROR - 2014-07-22 21:39:28 --> 404 Page Not Found --> phpMyAdmin-2.6.0
ERROR - 2014-07-22 21:43:29 --> 404 Page Not Found --> phpMyAdmin-2.6.1
ERROR - 2014-07-22 21:44:09 --> 404 Page Not Found --> phpMyAdmin-2.6.2-beta1
ERROR - 2014-07-22 21:46:49 --> 404 Page Not Found --> phpMyAdmin-2.6.3-pl1
ERROR - 2014-07-22 21:47:30 --> 404 Page Not Found --> phpMyAdmin-2.6.3-rc1
ERROR - 2014-07-22 21:48:50 --> 404 Page Not Found --> phpMyAdmin-2.6.4-pl1
ERROR - 2014-07-22 21:50:09 --> 404 Page Not Found --> phpMyAdmin-2.6.4-pl3
ERROR - 2014-07-22 21:52:08 --> 404 Page Not Found --> phpMyAdmin-2.6.4
ERROR - 2014-07-22 21:53:28 --> 404 Page Not Found --> phpMyAdmin-2.6.6
ERROR - 2014-07-22 21:54:49 --> 404 Page Not Found --> phpMyAdmin-2.6.8
ERROR - 2014-07-22 21:56:49 --> 404 Page Not Found --> phpMyAdmin-2.7.0-pl1
ERROR - 2014-07-22 21:57:28 --> 404 Page Not Found --> phpMyAdmin-2.7.0-pl2
ERROR - 2014-07-22 21:58:48 --> 404 Page Not Found --> phpMyAdmin-2.7.0
ERROR - 2014-07-22 21:59:27 --> 404 Page Not Found --> phpMyAdmin-2.7.1
ERROR - 2014-07-22 22:00:08 --> 404 Page Not Found --> phpMyAdmin-2.7.2
ERROR - 2014-07-22 22:00:48 --> 404 Page Not Found --> phpMyAdmin-2.7.3
ERROR - 2014-07-22 22:02:07 --> 404 Page Not Found --> phpMyAdmin-2.7.5
ERROR - 2014-07-22 22:03:10 --> 404 Page Not Found --> cgi-bin
ERROR - 2014-07-22 22:03:10 --> 404 Page Not Found --> cgi-bin
ERROR - 2014-07-22 22:03:10 --> 404 Page Not Found --> cgi-bin
ERROR - 2014-07-22 22:03:10 --> 404 Page Not Found --> cgi-bin
ERROR - 2014-07-22 22:03:11 --> 404 Page Not Found --> cgi-bin
ERROR - 2014-07-22 22:04:47 --> 404 Page Not Found --> phpMyAdmin-2.7.9
ERROR - 2014-07-22 22:06:07 --> 404 Page Not Found --> phpMyAdmin-2.8.0-rc1
ERROR - 2014-07-22 22:06:47 --> 404 Page Not Found --> phpMyAdmin-2.8.0-rc2
ERROR - 2014-07-22 22:07:26 --> 404 Page Not Found --> phpMyAdmin-2.8.0.1
ERROR - 2014-07-22 22:08:46 --> 404 Page Not Found --> phpMyAdmin-2.8.0.3
ERROR - 2014-07-22 22:09:25 --> 404 Page Not Found --> phpMyAdmin-2.8.0.4
ERROR - 2014-07-22 22:11:28 --> 404 Page Not Found --> phpMyAdmin-2.8.1
ERROR - 2014-07-22 22:12:06 --> 404 Page Not Found --> phpMyAdmin-2.8.2.1
ERROR - 2014-07-22 22:16:05 --> 404 Page Not Found --> phpMyAdmin-2.8.4
ERROR - 2014-07-22 22:17:24 --> 404 Page Not Found --> phpMyAdmin-2.8.6
ERROR - 2014-07-22 22:18:04 --> 404 Page Not Found --> phpMyAdmin-2.8.7
ERROR - 2014-07-22 22:20:05 --> 404 Page Not Found --> phpMyAdmin-2.9.0-rc1
ERROR - 2014-07-22 22:22:43 --> 404 Page Not Found --> phpMyAdmin-2.9.1
ERROR - 2014-07-22 22:23:24 --> 404 Page Not Found --> phpMyAdmin-2.9.2
ERROR - 2014-07-22 22:24:43 --> 404 Page Not Found --> phpMyAdmin-3.0.0-rc1-english
ERROR - 2014-07-22 22:25:23 --> 404 Page Not Found --> phpMyAdmin-3.0.0.0-all-languages
ERROR - 2014-07-22 22:28:43 --> 404 Page Not Found --> phpMyAdmin-3.0.1.0
ERROR - 2014-07-22 22:29:22 --> 404 Page Not Found --> phpMyAdmin-3.0.1.1
ERROR - 2014-07-22 22:30:01 --> 404 Page Not Found --> phpMyAdmin-3.0.2.0
ERROR - 2014-07-22 22:33:20 --> 404 Page Not Found --> phpMyAdmin-3.1.1.0-english
ERROR - 2014-07-22 22:34:38 --> 404 Page Not Found --> phpMyAdmin-3.1.2.0-all-languages
ERROR - 2014-07-22 22:35:15 --> 404 Page Not Found --> phpMyAdmin-3.1.2.0-english
ERROR - 2014-07-22 22:38:18 --> 404 Page Not Found --> phpMyAdmin-3.4.3.1-all-languages
ERROR - 2014-07-22 22:39:31 --> 404 Page Not Found --> phpMyAdmin-3.4.3.1
ERROR - 2014-07-22 22:41:21 --> 404 Page Not Found --> phpMyAdmin1
ERROR - 2014-07-22 22:41:59 --> 404 Page Not Found --> phpMyAdmin2
ERROR - 2014-07-22 22:43:49 --> 404 Page Not Found --> phpadmin
ERROR - 2014-07-22 22:44:25 --> 404 Page Not Found --> phpdb
ERROR - 2014-07-22 22:45:02 --> 404 Page Not Found --> phpldapadmin
ERROR - 2014-07-22 22:46:16 --> 404 Page Not Found --> phpmanager
ERROR - 2014-07-22 22:47:30 --> 404 Page Not Found --> phpmy
ERROR - 2014-07-22 22:50:34 --> 404 Page Not Found --> phpmyadmin2
ERROR - 2014-07-22 22:51:11 --> 404 Page Not Found --> phpmyadmin3
ERROR - 2014-07-22 22:52:26 --> 404 Page Not Found --> pma2006
ERROR - 2014-07-22 22:53:03 --> 404 Page Not Found --> pma2007
ERROR - 2014-07-22 22:53:40 --> 404 Page Not Found --> pma2008
ERROR - 2014-07-22 22:54:16 --> 404 Page Not Found --> pmadmin
ERROR - 2014-07-22 22:56:08 --> 404 Page Not Found --> sqladmin
ERROR - 2014-07-22 22:56:44 --> 404 Page Not Found --> sqlmanager
ERROR - 2014-07-22 22:57:22 --> 404 Page Not Found --> sqlweb
ERROR - 2014-07-22 22:57:58 --> 404 Page Not Found --> typo3
ERROR - 2014-07-22 22:58:35 --> 404 Page Not Found --> vhcs2
ERROR - 2014-07-22 22:59:11 --> 404 Page Not Found --> web
ERROR - 2014-07-22 22:59:48 --> 404 Page Not Found --> web
ERROR - 2014-07-22 23:02:52 --> 404 Page Not Found --> wp-content
ERROR - 2014-07-22 23:03:28 --> 404 Page Not Found --> wp-phpmyadmin
ERROR - 2014-07-22 23:04:04 --> 404 Page Not Found --> wp-phpmyadmin
ERROR - 2014-07-22 23:04:42 --> 404 Page Not Found --> xampp
ERROR - 2014-07-22 23:42:36 --> 404 Page Not Found --> pma
ERROR - 2014-07-22 23:42:37 --> 404 Page Not Found --> myadmin
ERROR - 2014-07-22 23:42:37 --> 404 Page Not Found --> MyAdmin

phpMyAdmin seems to be at the top of the list for this particular scan, along with some other common directories for WordPress and other popular PHP-based applications. In my particular case, I had left phpMyAdmin as its default URL (http://someipaddress/phpmyadmin), but had enough sense to put it behind Apache-enabled HTTP user authentication with a strong user/password combination. Woohoo, crisis averted!

If this initial scan had detected a publicly available phpMyAdmin installation, it is safe to assume that a brute-force attack would have followed. It does not take a lot of skill to perform this attack, as freely available software such as Selenium WebDriver and iMacros could be used to automate the process of guessing user/password combinations. Considering that many inexperienced developers use simple-to-guess passwords with default user names, this type of scan and attack is probably very successful.

TIP: You can learn to implement basic HTTP user authentication in this DigitalOcean tutorial, even if you are not using DigitalOcean as your hosting provider.
TIP: Selenium WebDriver and iMacros are both robust, industry-standard tools for automating repetitive tasks and testing your web apps. Check ’em out and have fun!
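To turn a log like the one above into something you can alert on, here is a small Python script (an added example, not code from the original post or from CodeIgniter). It parses 404 lines in the exact shape CodeIgniter wrote them, counts how many look like admin-panel probes, and flags any 10-minute window with five or more distinct missing paths; the threshold values and the sample lines are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Line shape from the post: "ERROR - <ts> --> 404 Page Not Found --> <path>"
LINE_RE = re.compile(r"^ERROR - (\S+ \S+) --> 404 Page Not Found --> (\S+)")

# Constructed sample in the same shape as the post's log, plus one DEBUG line
SAMPLE_LOG = """\
DEBUG - 2014-07-22 19:53:00 --> Config Class Initialized
ERROR - 2014-07-22 19:53:17 --> 404 Page Not Found --> _PHPMYADMIN
ERROR - 2014-07-22 19:54:34 --> 404 Page Not Found --> _pHpMyAdMiN
ERROR - 2014-07-22 19:59:35 --> 404 Page Not Found --> administrator
ERROR - 2014-07-22 20:00:13 --> 404 Page Not Found --> adminmysql
ERROR - 2014-07-22 20:02:15 --> 404 Page Not Found --> admin
ERROR - 2014-07-22 20:20:08 --> 404 Page Not Found --> php
ERROR - 2014-07-22 20:25:32 --> 404 Page Not Found --> phpMyAdmin-2.10.0
ERROR - 2014-07-22 23:42:36 --> 404 Page Not Found --> pma
"""

# Substrings seen in the probed paths above; compared case-insensitively
PROBE_MARKERS = ("phpmyadmin", "pma", "myadmin", "sqladmin", "admin", "wp-", "xampp")

def parse_404s(text):
    """Return (timestamp, path) for every 404 line; other log levels are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return hits

def looks_like_probe(path):
    """True when the missing path matches a known admin-panel discovery pattern."""
    p = path.lower()
    return any(marker in p for marker in PROBE_MARKERS)

def find_scan_episodes(hits, window=timedelta(minutes=10), min_distinct=5):
    """Sliding window over sorted hits. Distinct paths are what matter: one visitor
    hammering a single broken link is not a scan. Overlapping flagged windows are
    merged into one (start, end, peak_distinct_in_a_window) episode."""
    hits = sorted(hits)
    episodes, start = [], 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1
        distinct = len({p for _, p in hits[start:end + 1]})
        if distinct >= min_distinct:
            ep_start, ep_end = hits[start][0], hits[end][0]
            if episodes and episodes[-1][0] <= ep_start <= episodes[-1][1]:
                episodes[-1] = (episodes[-1][0], ep_end, max(episodes[-1][2], distinct))
            else:
                episodes.append((ep_start, ep_end, distinct))
    return episodes
```

Run it over your real `application/logs/log-*.php` content instead of `SAMPLE_LOG` once you have stripped the PHP header CodeIgniter prepends to each file.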

A compromised site is an excellent tool for someone looking to partake in the shadier activities of the Internet. For instance, a hacker with access to your databases could insert some malicious JavaScript into blog posts, infecting each and every one of your site visitors via the latest Flash/Java vulnerability. A poorly-secured FTP server could easily be hijacked to temporarily store illegal content. WordPress sites are routinely scanned for default logins and turned into a tool for DDoS attacks and large-scale spamming.

Security, Security, Security to C.Y.A!

A discovery like this in your log files can be a little unnerving. Most developers create websites and online services with the intention of building a useful tool, focusing mainly on the implementation and design. Often, rushed projects that are way past projected deadlines have huge flaws. If you have spent a significant amount of time building websites, you will eventually find that public-facing services attract hackers, spammers, botnets, trolls, and other malicious activity. A compromised website or service can quickly spell disaster for you, your users, and your clients! "Secure your online applications and websites" is advice commonly heard from experienced developers; heed this warning or pay the price for ignoring it.

Security should be a top priority on your to-do list when you are putting ANYTHING online. Once it’s public, you are exposing your application to a world filled with people and programs that may not have your best interests at heart.

Why mention DigitalOcean?

Companies like DigitalOcean, Heroku, OpenShift by Red Hat, and others offer web hosting with ridiculously low pricing and low contractual commitment. I prefer to use these services for simple prototypes and testing/learning, but they do not offer the same safeguards and monitoring that managed hosting provides (or costs).

DigitalOcean has a large block of IP addresses that are reused over and over as users sign up, create droplets, and destroy them. From a business standpoint, it makes sense to reuse these addresses. It also makes sense to target these IP addresses when looking for vulnerable applications, as the barebones configuration and the human tendency to skip strong security measures mean a high probability of scans/attacks being successful.

NOTE: I do not receive any money directly from DigitalOcean (an ad might pop up on the ol' AdSense), I just like the service they provide. Also, I got like 5 t-shirts from a Meetup they sponsored a while back, so I figured I should give them a shout out 🙂

Closing Notes, Lessons Learned

DigitalOcean is a great way to learn and experiment, but the waters can be treacherous! Make sure you make security a priority and lock down your apps.

*** Until next time, happy coding! ***