Full Version: Bot checking for phpMyAdmin, etc?
The Planet Forums > Security > General Security
jitspoe
I was looking at my apache error_log and noticed this:

[Sun May 20 14:31:20 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/mysql-admin
[Sun May 20 14:31:20 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/phpMyAdmin2
[Sun May 20 14:31:20 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/webdb
[Sun May 20 14:31:20 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/phpMyAdmin2
[Sun May 20 14:31:20 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/mysqladmin
[Sun May 20 14:31:20 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/phpMyAdmin-2
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/phpMyAdmin2
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/php-my-admin
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/admin
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/php-my-admin
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/store
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/shop
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/phpMyAdmin-2
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/admin
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/admin
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/webshop
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/php-my-admin
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/store
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/store
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/start
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/shop
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/shop
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/order
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/webshop
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/webshop
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/catalog
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/start
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/start
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/order
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/order
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/boutique
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/catalog
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/boutique
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/os
[Sun May 20 14:31:21 2007] [error] [client 70.87.179.114] File does not exist: /var/www/html/oscommerce

The IP resolves to 72.b3.5746.static.theplanet.com -- another The Planet account. Is this a script looking to exploit vulnerabilities or just some internal check to protect against such attacks?
James Jhurani
I haven't ever heard of an internal vulnerability checking system. I would suggest emailing the logs to abuse@theplanet.com and letting them sort it out.
jitspoe
Will do, thanks.
eth00
phpMyAdmin has had a lot of holes in the past, and it's not uncommon to have them scanning for installs. As suggested above, contact abuse so they can get them to stop the scanning.
AtomicElectric
I'm not sure that this is a routine check. I've monitored my Apache log and recently noticed many similar attempts from many different IPs, including:

64.71.224.125 (Webhosting.Net)
72.54.195.194 (CBEYOND COMMUNICATIONS)
216.253.4.18 (Xspedius Communications Co.)
85.159.68.138 (Cakiroglu Bilgisayar Tarim Turizm Gida San ve Tic (Turkey))
140.88.126.22 (Bethel College)
72.54.195.194 (CBEYOND COMMUNICATIONS)
204.186.159.226 (PenTeleData)
202.248.97.74 (Fujitsu Limited)

Given the range of IPs, it looks malicious to me.

Also, given that Fujitsu is among them, I wonder if it is being initiated by a bot on an infected machine...?

Is anyone aware of such malware?
James Jhurani
QUOTE (AtomicElectric @ Aug 12 2007, 07:10 PM) *
I'm not sure that this is a routine check. I've monitored my Apache log and recently noticed many similar attempts from many different IPs, including:

64.71.224.125 (Webhosting.Net)
72.54.195.194 (CBEYOND COMMUNICATIONS)
216.253.4.18 (Xspedius Communications Co.)
85.159.68.138 (Cakiroglu Bilgisayar Tarim Turizm Gida San ve Tic (Turkey))
140.88.126.22 (Bethel College)
72.54.195.194 (CBEYOND COMMUNICATIONS)
204.186.159.226 (PenTeleData)
202.248.97.74 (Fujitsu Limited)

Given the range of IPs, it looks malicious to me.

Also, given that Fujitsu is among them, I wonder if it is being initiated by a bot on an infected machine...?

Is anyone aware of such malware?

We never said it was a routine scan. But it is very common for a compromised server to scan for more vulnerable servers. This is why we suggested the original thread starter contact abuse@theplanet.com, so we could get all the necessary information to start an investigation.
glidewave
QUOTE (jitspoe @ May 22 2007, 11:46 PM) *
I was looking at my apache error_log and noticed this:

The IP resolves to 72.b3.5746.static.theplanet.com -- another The Planet account. Is this a script looking to exploit vulnerabilities or just some internal check to protect against such attacks?

This is not a The Planet bot or scan; it is a customer of The Planet with a compromised box or an intentional scan. See the whois:

whois 70.87.179.114
[Querying whois.arin.net]
[Redirected to rwhois.theplanet.com:4321]
[Querying rwhois.theplanet.com]
[rwhois.theplanet.com]
%rwhois V-1.5:003eff:00 whois.theplanet.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:THEPLANET-BLK-13
network:Auth-Area:70.84.0.0/14
network:Network-Name:TPIS-BLK-70-87-179-0
network:IP-Network:70.87.179.112/29
network:IP-Network-Block:70.87.179.112 - 70.87.179.119
network:Organization-Name:j c taxi and tour
network:Organization-City:HONOLULU
network:Organization-State:HI
network:Organization-Zip:96826
network:Organization-Country:US
network:Description-Usage:customer
network:Server-Pri:ns1.theplanet.com
network:Server-Sec:ns2.theplanet.com
network:Tech-Contact;I:abuse@theplanet.com
network:Admin-Contact;I:abuse@theplanet.com
network:Created:20070629
network:Updated:20070629
Invision Power Board © 2001-2009 Invision Power Services, Inc.