How do I trace malicious scripts, codes and hacker?


withhelds
Aug 26th, 2010, 07:23 AM
Hi,

Recently, my web server running on Red Hat has been generating a lot of high CPU usage. I have checked both the Apache access and error logs and found that there are some unknown IPs requesting access to certain phpMyAdmin directories.

I have researched and found out it might be related to ZMEU Attack @ http://linux.m2osw.com/zmeu-attack .

However, what puzzles me is how it is possible for a public user to find my web server when my web server is set to restricted outbound traffic, i.e. the public is not able to access the intranet site, as this server is only accessible within the private network.

My web server is able to access the internet, though, as it requires SMTP to send out email and other stuff, so I am not sure what causes this to happen.

Is there a way to check the system log for outbound traffic, or to find which scripts (I am using PHP) trigger something that allows outside users to find this web server?

Please advise on the troubleshooting steps.

Thank you for reading
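The poster says the Apache access log is where the unknown requests showed up. The following is an added example (not code from the thread or from the ZmEu page it links) that reads combined-format access log lines, flags requests aimed at phpMyAdmin-style paths, and separates sources inside the RFC1918 private ranges from everything else. The log lines, the IP addresses (documentation ranges standing in for public scanners) and the user-agent strings are all constructed for the example; the probe-path list is an assumption based on the paths the thread mentions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample access log in Apache "combined" format. Addresses in
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used here as
# stand-ins for public sources; 10.0.0.12 stands in for an intranet client.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [26/Aug/2010:06:55:01 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 288 "-" "ZmEu"
203.0.113.7 - - [26/Aug/2010:06:55:01 +0800] "GET /phpMyAdmin/ HTTP/1.1" 404 288 "-" "ZmEu"
203.0.113.7 - - [26/Aug/2010:06:55:02 +0800] "GET /pma/ HTTP/1.1" 404 281 "-" "ZmEu"
203.0.113.7 - - [26/Aug/2010:06:55:02 +0800] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 300 "-" "ZmEu"
10.0.0.12 - - [26/Aug/2010:07:01:10 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.12 - - [26/Aug/2010:07:01:11 +0800] "GET /style.css HTTP/1.1" 200 812 "http://intranet/index.php" "Mozilla/5.0"
198.51.100.23 - - [26/Aug/2010:07:10:45 +0800] "GET /robots.txt HTTP/1.1" 200 45 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""

# Apache combined log format; the referer/user-agent pair is optional so that
# plain "common" format lines parse as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?\s*$'
)

# Assumed list of path fragments that phpMyAdmin scanners typically request.
PROBE_RE = re.compile(r'phpmyadmin|myadmin|/pma/|mysql|/scripts/setup\.php', re.IGNORECASE)

# The poster's "private network": RFC1918 ranges plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_line(line):
    """Return a dict of fields for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_pma_probe(path):
    """True if the requested path looks like a phpMyAdmin discovery attempt."""
    return PROBE_RE.search(path) is not None


def is_internal(ip_text):
    """True if the source address lies in the intranet ranges defined above."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def summarize(log_text):
    """Aggregate requests per source IP: totals, probe count, probe paths, user agents."""
    per_ip = defaultdict(lambda: {"total": 0, "probes": 0, "probe_paths": [],
                                  "agents": set(), "internal": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed line: skip rather than crash on a noisy log
        entry = per_ip[rec["ip"]]
        entry["total"] += 1
        entry["internal"] = is_internal(rec["ip"])
        entry["agents"].add(rec["ua"] or "-")
        if is_pma_probe(rec["path"]):
            entry["probes"] += 1
            entry["probe_paths"].append(rec["path"])
    return dict(per_ip)


def scanners(summary, min_probes=3):
    """Sources that issued at least min_probes phpMyAdmin-style requests."""
    return sorted(ip for ip, e in summary.items() if e["probes"] >= min_probes)


def external_sources(summary):
    """Sources outside the intranet ranges: any entry here means the server is reachable from outside."""
    return sorted(ip for ip, e in summary.items() if not e["internal"])


def report(summary):
    for ip in sorted(summary):
        e = summary[ip]
        where = "internal" if e["internal"] else "EXTERNAL"
        print(f"{ip:15} {where:8} requests={e['total']:3} probes={e['probes']:3} "
              f"agents={sorted(e['agents'])}")
    print("likely scanners:", scanners(summary))
    print("external sources:", external_sources(summary))


if __name__ == "__main__":
    report(summarize(SAMPLE_ACCESS_LOG))
```

On a real server the summary would be built from the contents of the Apache access log instead of the constructed string. Two things in the output matter for the question asked in the thread: the scanner list identifies the noisy source behind the CPU load, and the external-sources list shows whether any non-intranet address has ever reached the web server at all; one such entry answers the reachability question independently of what any PHP script does, and points to the firewall or routing rules as the place to look next.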

kows
Aug 26th, 2010, 12:56 PM
you have an IP address or domain and some bot is just spamming it with random requests looking for an open/insecure installation of phpMyAdmin. what exactly are you trying to figure out?

withhelds
Aug 26th, 2010, 08:16 PM
I need to figure out which script or process allows outside users to send requests to my server, because my server by default is not accessible by the public.

kows
Aug 26th, 2010, 09:39 PM
well, obviously it is. if you're running a web server and have a firewall that has port 80 (or whatever port your web server is running on) open, then your server is accessible by the public.

PHP does not open ports, and neither does Apache. IIS may or may not have opened a port (I don't use IIS). you'd have to have opened them yourself, or at least not closed them.

withhelds
Aug 26th, 2010, 09:53 PM
My server was previously configured in a way that is not accessible by the public. Only recently has the log started to generate the above-mentioned errors, in which the public is able to send spam requests.

I am not sure how it does that; is it because of a virus? As you mentioned, a PHP/Apache script can't open a port, but I'm not sure whether the PHP script itself can do any other harmful things if it is planted on the server and executed.

I have downloaded some PHP sample scripts from the net, so I am not sure whether it is caused by a malicious script.

Please advise.

kows
Aug 26th, 2010, 10:04 PM
this most likely has nothing to do with PHP or Apache. turn off outbound traffic from the port Apache is running on, either in your router or firewall settings.

withhelds
Aug 26th, 2010, 10:11 PM
I see, as I thought it was caused by the PHP sample files that I downloaded online. Nevertheless, thanks for your advice.