I'm working on writing a set of rules for fail2ban to make life a little more interesting for whoever is trying to bruteforce his way into my system. A good majority of the attempts tend to revolve around trying to get into phpinfo() via my webserver, as below:
GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1
GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1
I'm wondering if there's any valid reason for a user to attempt to access phpinfo() via Apache, since if not, I can simply use that, or more specifically the regex
GET //[^>]+=phpinfo\(\)
as a filter to eliminate these attacks.
Well, if you can execute the phpinfo command this way [via some vulnerability in PHP that evals code provided by URL], it can as well be used to download some binary and execute it, or maybe include code from a remote server.
Anyway, if I were you, I would not only take action on seeing phpinfo in the URL, but also on any 404-resulting requests to phpmyadmin / pma / other popular web scripts.
Still, remember to regularly scan what software your users have installed, to avoid outdated phpBBs/phpMyAdmins and others. And secure your server: take a look here and here.
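The following is an added example, written by the editor and not part of either the question or the answer above. It applies both detection ideas from this thread (the asker's `GET //[^>]+=phpinfo\(\)` regex and the answerer's suggestion of also counting 404 responses on phpMyAdmin-style paths) to a handful of constructed Apache access-log lines, the way fail2ban's failregex does: each pattern carries a `<HOST>` token that is swapped for a named capture group (the substitution below mirrors the one fail2ban uses), every matching line counts as one failure for that host, and hosts at or above `maxretry` are the ones a jail would ban. The log lines, IP addresses and the list of path names (phpmyadmin, pma, dbadmin, mysql, myadmin) are constructed for the example.

```python
import re

# Regex fail2ban substitutes for the <HOST> token in a failregex
# (assumption: mirrors fail2ban's own substitution; used here to make the
# patterns below drop straight into a filter file).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Two failregex lines, written the way they would appear in a fail2ban filter:
#  1. the regex from the question, anchored to the client host at line start;
#  2. the answer's idea: any 404 for a request whose path starts with a
#     well-known admin-script directory (names are constructed examples).
FAILREGEX = [
    r'^<HOST> -.*"GET //[^>]+=phpinfo\(\)',
    r'^<HOST> -.*"(?:GET|POST) /+(?:phpmyadmin|pma|dbadmin|mysql|myadmin)[^"]*" 404 ',
]

# Constructed Apache combined-format log lines (not from the original post).
# The first four are scanner traffic; the last two are an ordinary visitor,
# including a 200 for a page that merely has "phpmyadmin" in its name.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2011:13:55:36 +0000] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2011:13:55:37 +0000] "GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2011:13:56:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "curl/7.21"
198.51.100.7 - - [10/Oct/2011:13:56:02 +0000] "GET /pma/index.php HTTP/1.1" 404 209 "-" "curl/7.21"
192.0.2.9 - - [10/Oct/2011:13:57:10 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2011:13:57:11 +0000] "GET /blog/phpmyadmin-tutorial.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def compile_failregex(patterns):
    """Expand <HOST> in each failregex and compile it."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_line(line, regexes):
    """Return the offending host for a log line, or None if no failregex matches."""
    for rx in regexes:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def scan(log_text, patterns=FAILREGEX):
    """Count matching lines per host, like fail2ban's per-IP failure counter."""
    regexes = compile_failregex(patterns)
    counts = {}
    for line in log_text.splitlines():
        host = match_line(line, regexes)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return counts


def offenders(counts, maxretry=2):
    """Hosts that reached the jail's maxretry threshold, sorted for stable output."""
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    counts = scan(SAMPLE_LOG)
    print("failures per host:", counts)
    print("would be banned (maxretry=2):", offenders(counts, maxretry=2))
```

Two things worth noticing when running it: the visitor at 192.0.2.9 never appears in the counts, because the second pattern insists on the path starting with one of the admin directories and on a 404 status, so a 200 for `/blog/phpmyadmin-tutorial.html` is ignored; and the question's `[^>]+` is looser than it needs to be, since `>` almost never occurs in a request line, so in a real filter `[^" ]+` keeps the match inside the request string.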