Phpmyadmin complains about permissions and open_basedir

Nasser · September 20, 2020, 7:14am

Hello,

I was looking at the Apache error.log and found this errors

[Tue Sep 08 11:23:52.932017 2020] [proxy_fcgi:error] [pid 1018937:tid 139953027663616] [client 51.211.193.159:0] AH01071: Got error ‘PHP message: phpmyadmin: Failed to load /var/lib/phpmyadmin/config.inc.php Check group www-data has read access and open_basedir restrictions.’, referer: https://MY.SERVER.IP.ADDRESS:PORT/list/db/

I found many IP addresses from different countries that I don’t recognize. Most of them showing the message above and others are showing the following messages.

[Sun Sep 06 12:50:34.418678 2020] [proxy_fcgi:error] [pid 537933:tid 139953572927232] [client 195.54.160.21:0] AH01071: Got error ‘Primary script unknown’

[Fri Sep 11 14:14:11.742642 2020] [proxy_fcgi:error] [pid 1020200:tid 139953421924096] [client 5.188.210.227:47398] AH01071: Got error ‘Primary script unknown’, referer: https://www.google.com/

Please note that my sites are working OK and I didn’t notice any have loads on the server.

Are those real errors or hacking attempts and what should I do?

I appreciate your support.

Regards,
Nasser

Raphael · September 20, 2020, 7:22am

Probaly just bots that scan around, can usualy be ignored.

Nasser · September 20, 2020, 7:39am

Hello,

Thank you for support ScIT,

On one of the domains error.log that I used for wordpress and now I am using it for NextCloud I am getting those errors on dealy bases.

[Thu Sep 17 23:40:03.602918 2020] [proxy_fcgi:error] [pid 28380:tid 140230455641856] [client 159.65.184.79:0] AH01071: Got error ‘Primary script unknown’, referer: http://www.NEXTCLOUD.WEBSITE/wp-login.php
[Thu Sep 17 23:41:32.573580 2020] [proxy_fcgi:error] [pid 28381:tid 140230522783488] [client 47.89.18.138:0] AH01071: Got error ‘Primary script unknown’, referer: http://www.NEXTCLOUD.WEBSITE/wp-login.php
[Thu Sep 17 23:42:10.230650 2020] [proxy_fcgi:error] [pid 28380:tid 140230472427264] [client 132.148.154.8:0] AH01071: Got error ‘Primary script unknown’, referer: http://www.NEXTCLOUD.WEBSITE/wp-login.php

Please note that (/wp-login.php) is the default login page for wordpress. Are those also bots that scan around?

Raphael · September 20, 2020, 7:50am

Sure they are - wordpress is a well known target of such bots.

Nasser · September 20, 2020, 8:01am

Thanks a lot ScIT, I really appreciate your support.

AlwaysSkint · September 20, 2020, 10:03am

wp-login is a prime candidate for a honeypot. I use IP Trap on a couple of servers to catch those idiots.

You could set a custom rule in mod_security; combined with CSF, a distributed attack could be detected and all of them blocked permanently.

Nasser · September 20, 2020, 10:38am

Hello,

Thank you AlwaysSkint for your support.

You just remind me to use CloudFlare Page Rule. I think its will do the trick.

[Sun Sep 20 09:32:35.362444 2020] [proxy_fcgi:error] [pid 505614:tid 140230480819968] [client XX.XXX.XXX.XX:0] AH01071: Got error ‘PHP message: phpmyadmin: Failed to load /var/lib/phpmyadmin/config.inc.php Check group www-data has read access and open_basedir restrictions.’

I found the same error with my own IP address what should I do on this case?

I appreciate the support.

Nasser · September 24, 2020, 10:22pm

Hello,

Update: The error below has stopped for 3 days since I have changed the default PhpMyAdmin Login URL.

user7632726 · April 16, 2021, 2:35am

@Nasser,

Thanks for posting this question and your last post to say that you found the solution. Can you provide the steps for how you changed the default login URL. I am new to HestiaCP (just migrated from VestaCP yesterday) and I was just checking the logs to see how things are going.

I have a fresh install of HestiaCP and I am seeing these same errors (PHPmyadmin failed to load config.inc.php due to open_basedir restrictions).

These are popping up in the /var/log/apache2/domains/srv01.mainsitename.com.error.log for the Hestia control panel site. It happens whenever I log into and launch phpmyadmin, not some annoying bot.

How did you fix the issue? Also, since this is a fresh install, it seems this should be addressed in the installation process. Is it because the URL is not configured properly and that’s why the warning is happening. @Raphael , is this something that could be addressed during the installation to avoid this. I’m not sure if its a bug, issue in configuration, or something that should just be left alone.

Thanks!

eris · April 16, 2021, 7:36am

Please open new topic and do not update 9 months old topics