A simple bit of bash scripting through the httpd access.log files to determine counts of URLs that have been accessed as well as the ip address that they have been accessed from.
count | url 24 | / 10 | /phpMyAdmin/scripts/setup.php 9 | /rom-0 9 | /pma/scripts/setup.php 8 | /myadmin/scripts/setup.php
A large amount of the attempts were variations on php my admin access.
Access per ip address was totalled up and then sorted. I then looked up the location of the IP as below.
count | location 23 | Moscow, Russia 9 | Khakiv, Ukraine 7 | London, England 5 | Radomsko, Poland 4 | Nowe Skalmierzyce, Poland
As opposed to the sshd access logs, which mostly seem to originate in China, the http access seems to come from Eastern Europe sort of area.Tags: infosec