I see nobody has mentioned that if they for some reason suspected/knew that server was the SR server (how? that is another question) then getting access to PHPmyadmin might have been almost as good as getting root access to the box..
http://www.cvedetails.com/vuln...
The screenshot in the article does not indicate exactly what version of PHPmyadmin was used, so we do now know if they used a known security hole or not to get at it. And we can only guess how they knew that they should visit that IP in the first place.
It could of course be that someone (NSA?) scanning the internets for
/phpmyadmin/ found that it was exploitable and looked at what was there and noticed it was the SR. Who knows.
One thing we can know for sure is that anyone who has a public-facing webserver can grep for
/phpmyadmin/ in their log (regardless of what is actually there) and see dozens and dozens of access attempts daily.