Phpmyadmin complains about permissions and open_basedir

Hello,

I was looking at the Apache error.log and found these errors:

[Tue Sep 08 11:23:52.932017 2020] [proxy_fcgi:error] [pid 1018937:tid 139953027663616] [client 51.211.193.159:0] AH01071: Got error ‘PHP message: phpmyadmin: Failed to load /var/lib/phpmyadmin/config.inc.php Check group www-data has read access and open_basedir restrictions.’, referer: https://MY.SERVER.IP.ADDRESS:PORT/list/db/

I found many IP addresses from different countries that I don’t recognize. Most of them are showing the message above, and others are showing the following messages.

[Sun Sep 06 12:50:34.418678 2020] [proxy_fcgi:error] [pid 537933:tid 139953572927232] [client 195.54.160.21:0] AH01071: Got error ‘Primary script unknown’

[Fri Sep 11 14:14:11.742642 2020] [proxy_fcgi:error] [pid 1020200:tid 139953421924096] [client 5.188.210.227:47398] AH01071: Got error ‘Primary script unknown’, referer: https://www.google.com/

Please note that my sites are working OK and I didn’t notice any heavy loads on the server.

Are those real errors or hacking attempts and what should I do?

I appreciate your support.

Regards,
Nasser

Probably just bots that scan around; can usually be ignored.

Hello,

Thank you for your support, ScIT.

In the error.log of one of the domains, which I used for WordPress and am now using for NextCloud, I am getting these errors on a daily basis.

[Thu Sep 17 23:40:03.602918 2020] [proxy_fcgi:error] [pid 28380:tid 140230455641856] [client 159.65.184.79:0] AH01071: Got error ‘Primary script unknown’, referer: http://www.NEXTCLOUD.WEBSITE/wp-login.php
[Thu Sep 17 23:41:32.573580 2020] [proxy_fcgi:error] [pid 28381:tid 140230522783488] [client 47.89.18.138:0] AH01071: Got error ‘Primary script unknown’, referer: http://www.NEXTCLOUD.WEBSITE/wp-login.php
[Thu Sep 17 23:42:10.230650 2020] [proxy_fcgi:error] [pid 28380:tid 140230472427264] [client 132.148.154.8:0] AH01071: Got error ‘Primary script unknown’, referer: http://www.NEXTCLOUD.WEBSITE/wp-login.php

Please note that (/wp-login.php) is the default login page for WordPress. Are those also bots that scan around?

Sure they are - WordPress is a well-known target of such bots.

Thanks a lot ScIT, I really appreciate your support.

wp-login is a prime candidate for a honeypot. I use IP Trap on a couple of servers to catch those idiots. :slight_smile:

You could set a custom rule in mod_security; combined with CSF, a distributed attack could be detected and all of them blocked permanently.

Hello,

Thank you AlwaysSkint for your support.

You just reminded me to use a CloudFlare Page Rule. I think it will do the trick.

[Sun Sep 20 09:32:35.362444 2020] [proxy_fcgi:error] [pid 505614:tid 140230480819968] [client XX.XXX.XXX.XX:0] AH01071: Got error ‘PHP message: phpmyadmin: Failed to load /var/lib/phpmyadmin/config.inc.php Check group www-data has read access and open_basedir restrictions.’

I found the same error with my own IP address. What should I do in this case?

I appreciate the support.

Hello,

Update: The error below has been stopped for 3 days since I changed the default phpMyAdmin login URL.
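
Added example, not part of any post in this thread: a small Python triage of the `proxy_fcgi` AH01071 lines quoted above, counting per client IP the "Primary script unknown" probes (including those with a `wp-login.php` referer) and the phpMyAdmin config errors, and separating your own IP from foreign ones. The category names, the `threshold` value and the sample lines (documentation IP ranges, `cloud.example.com`) are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Apache 2.4 proxy_fcgi error line; accepts straight or typographic quotes.
LINE = re.compile(
    r"\[client (?P<ip>[0-9a-fA-F.:]+):\d+\] AH01071: Got error "
    r"['‘](?P<msg>.*?)['’](?:, referer: (?P<ref>\S+))?\s*$"
)

def classify(msg, referer):
    if "Primary script unknown" in msg:
        # PHP-FPM was handed a script path that does not exist on disk.
        if referer and referer.rstrip("/").endswith("/wp-login.php"):
            return "wp-login-probe"
        return "missing-script"
    if "phpmyadmin: Failed to load" in msg:
        return "phpmyadmin-config"
    return "other"

def triage(lines):
    """Count error categories per client IP."""
    report = defaultdict(Counter)
    for line in lines:
        m = LINE.search(line)
        if m:
            report[m["ip"]][classify(m["msg"], m["ref"])] += 1
    return report

def block_candidates(report, own_ips=(), threshold=3):
    """Foreign IPs with at least `threshold` probe-type errors."""
    probes = ("wp-login-probe", "missing-script")
    return sorted(ip for ip, c in report.items()
                  if ip not in own_ips and sum(c[k] for k in probes) >= threshold)

def make_line(ip, msg, ref=None):
    tail = f", referer: {ref}" if ref else ""
    return ("[Thu Sep 17 23:40:03.602918 2020] [proxy_fcgi:error] "
            f"[pid 100:tid 200] [client {ip}:0] AH01071: Got error '{msg}'{tail}")

PMA = ("PHP message: phpmyadmin: Failed to load /var/lib/phpmyadmin/config.inc.php "
       "Check group www-data has read access and open_basedir restrictions.")
# Constructed sample lines (documentation IP ranges, example.com host).
SAMPLE = (
    [make_line("192.0.2.10", "Primary script unknown",
               "http://cloud.example.com/wp-login.php")] * 3
    + [make_line("198.51.100.7", "Primary script unknown", "https://www.google.com/"),
       make_line("198.51.100.7", PMA),
       make_line("203.0.113.5", PMA)]  # 203.0.113.5 plays the admin's own IP
)
```

A `phpmyadmin-config` count under your own IP comes from your own visits, so it points at the file permission or `open_basedir` setting named in the message rather than at a scanner.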