Attack by ZmEu

Who is ZmEu?

The name Zmeu (no capital E) is the name of a fantastical creature from Romanian folklore. There are so many stories about it that there is no clear picture of what it is... but it is human-like, can spit fire and wants to marry young women.

If you're wondering, it is generally a bad guy.

ZmEu Attack

Today, I noticed a lot of traffic on one of my servers. Looking into what was happening, I immediately found that an attacker was probing that system for a loophole. The attack was being performed from China.

I checked another server, and sure enough, that other server was being attacked as well.

I quickly added a rule to our modsecurity configuration to block further probing of our systems. Not that there are any holes, but generating thousands of totally useless pages costs a lot of CPU time when we could instead turn the requests back right at the gate.

The system returned one of the following errors:

302 (redirect)

400 Bad Request

404 Page Not Found

The problem is the 404. Obviously, they won't be able to hack the system because they get a 404, but generating the 404 page takes quite some work... And if we already know it is not necessary because the request is an attack, then we should just return 400 and be done with it.

The 302 was not followed. Interesting, since they are trying to break in and a 302 could sound like it might work! Ah! Except that the 302 happens because the server redirects them to HTTPS, which the bot apparently cannot handle.

modsecurity2 Additions

I added a rule to modsecurity that looks like this:

   SecRule REQUEST_URI "@rx (?i)\/(php-?My-?Admin[^\/]*|mysqlmanager|myadmin|pma2005|pma\/scripts|w00tw00t[^\/]+)\/" \
       "severity:alert,id:'0000013',deny,log,status:400,\
       msg:'Unacceptable folder.',severity:'2'"

WARNING: The rule is wrapped onto several lines here for easier reading. In your configuration, end each continued line with a \ and never break the quoted regular expression itself across lines.

If you are using phpMyAdmin yourself, then you'll want to add another rule before this one that skips it for you. That rule should check the client IP address and, on an exact match with your own, use "skipAfter:0000013" so rule 0000013 is bypassed.

The msg text is what gets written to your ModSecurity log file. It can be anything you want.

Run /etc/init.d/apache2 reload to run with the new rule.

The rule I present here is "limited"; yours may include more folders, as seen in the attack logs. You could also match on the User-Agent and refuse any request identifying itself as ZmEu, or the like, before it reaches your server.

Attack Logs

I pasted the attack logs below, trimming a few fields so the listing is not as large as it would otherwise be.

Notes:

  1. We have two IP addresses: 69.55.233.22 and 69.55.233.23. The robot seems to have been testing with both IPs even though it used the same domain name for both (which is wrong: that domain name is only attached to one specific IP address!)
  2. They tried many entries in upper and lower case (e.g. myPhpAdmin and myphpadmin), which makes sense since a Unix file system only matches the exact case...
  3. Note that for myPhpAdmin they checked all sorts of versions; in other words, whatever version you have, there is probably a hack for it... I strongly suggest that you serve that silly tool on a specific port, if you use it at all, and close that port to everyone but you (e.g. http://www.example.com:8881/myPhpAdmin, with port 8881 blocked in your firewall for all but your static IP address).

GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" "69.55.233.22" "ZmEu"
GET /scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" "69.55.233.23" "ZmEu"
GET /admin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /admin/pma/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /admin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 302 20 "69.55.233.22" "ZmEu"
GET /admin/pma/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /db/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /db/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /dbadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /dbadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /myadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /myadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /mysql/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysql/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /mysqladmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysqladmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpmyadmin1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpmyadmin1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpmyadmin2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpmyadmin2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /pma/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /pma/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /web/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /web/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /php-my-admin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /php-my-admin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /websql/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /websql/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /php-my-admin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /php-my-admin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.2.3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.2.3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.2.6/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.2.6/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.5-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.5-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.5-rc2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.5-rc2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.5-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.5-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.6-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.6-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.6-rc2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.6-rc2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.6/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.6/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.7/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.7/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.7-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.7-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-alpha/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-alpha/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-alpha2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-alpha2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-beta2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-beta2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-rc2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-rc2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-rc3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-rc3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-pl2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-pl2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-pl3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-pl3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1-rc2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1-rc2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1-pl2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1-pl2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1-pl3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1-pl3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.2-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.2-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.2-beta1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.2-beta1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.2-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.2-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.2-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.2-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.3-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.3-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.3-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.4-pl2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.4-pl3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-pl2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.4-pl4/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-pl3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.4/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-pl4/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.7.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.7.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.7.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.7.0-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.7.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.7.0-pl2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.7.0-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.7.0/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.7.0-pl2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.7.0/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0-rc2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0-rc2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0.1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0.2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0.1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0.3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0.2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0.4/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0.3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.1-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0.4/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.1-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /sqlmanager/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysqlmanager/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /sqlmanager/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysqlmanager/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /p/m/a/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /PMA2005/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /pma2005/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpmanager/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /PMA2005/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /php-myadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /pma2005/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpmy-admin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpmanager/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /webadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /php-myadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /sqlweb/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpmy-admin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /websql/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /webadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /webdb/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /sqlweb/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysqladmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /websql/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysql-admin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /webdb/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysqladmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysql-admin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"

Update 2010-09-19

In the last 3 days I have got many hits from various IP addresses, all happening very fast and all hitting the same 3 pages, two of which had a spurious 'index.php' at the end (which Drupal ignores, but which should never be there since Drupal uses index.php?q=/path/ and not /path/index.php).

Here is an example:

GET /aggregator/categories/2%20%20/index.php HTTP/1.1" 200 55765 "linux.m2osw.com" "-" "Mozilla/5.0"
GET /aggregator/categories/index.php HTTP/1.1" 404 73041 "linux.m2osw.com" "-" "Mozilla/5.0"
GET /index.php HTTP/1.1" 200 62789 "linux.m2osw.com" "-" "Mozilla/5.0"
GET /aggregator/index.php HTTP/1.1" 200 72023 "linux.m2osw.com" "-" "Mozilla/5.0"

Notice the double space after the /2 on the first line!

As you can see, it pretends to be Mozilla and sends an empty referrer ("-"). Yet, starting from index.php you cannot get to any of those other 3 entries.

I blocked this one in a similar way, using modsecurity2 with the following rule:

SecRule REQUEST_URI "@rx \/aggregator\/(?:[^/]+\/)*index\.php$" \
    "severity:alert,id:'0000008',exec:/usr/local/bin/start-lockout"

The rule matches any path that starts with /aggregator/ and ends with index.php. Only a robot requests such a path, so it gets blocked (the start-lockout script adds the client IP address to the firewall automatically). The following is the list of addresses caught within one hour.
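As an added example (not code from this post), the two REQUEST_URI patterns, the folder pattern from the modsecurity2 Additions section and the aggregator/index.php pattern above, plus the User-Agent check the post suggests, replayed in Python over a few constructed lines in the post's abbreviated log format; it shows which rule would deny each request, and that the bare w00tw00t probe, which has no trailing slash, is missed by the folder pattern and caught only by the agent check. The line parser, the rule names and the lockout_candidates tally are assumptions of this example, not the author's start-lockout script.

```python
import re
from collections import Counter

# Constructed sample lines in the abbreviated format the post uses for its logs:
# request line, optional status and size, then quoted source, optional referrer
# and user agent. The source field is whatever the LogFormat put there
# (a client IP in the first lines, a virtual host name in the later ones).
SAMPLE_LOG = """\
GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" "69.55.233.22" "ZmEu"
GET /admin/pma/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /p/m/a/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /aggregator/categories/2%20%20/index.php HTTP/1.1" 200 55765 "linux.m2osw.com" "-" "Mozilla/5.0"
GET /aggregator/categories/index.php HTTP/1.1" 404 73041 "linux.m2osw.com" "-" "Mozilla/5.0"
GET /index.php HTTP/1.1" 200 62789 "linux.m2osw.com" "-" "Mozilla/5.0"
GET /node/12 HTTP/1.1" 200 4096 "203.0.113.7" "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"'
    r'(?: (?P<status>\d{3}) (?P<size>\d+|-))?'
    r' "(?P<source>[^"]*)"'
    r'(?: "(?P<referrer>[^"]*)")?'
    r' "(?P<agent>[^"]*)"$'
)

# The two @rx patterns from the post, written as Python regexes.
# Note the trailing "/": a probe such as /w00tw00t.at.blackhats.romanian.anti-sec:)
# has no slash after the folder name, so FOLDER_RULE does not match it.
FOLDER_RULE = re.compile(
    r"(?i)/(php-?My-?Admin[^/]*|mysqlmanager|myadmin|pma2005|pma/scripts|w00tw00t[^/]+)/"
)
AGGREGATOR_RULE = re.compile(r"/aggregator/(?:[^/]+/)*index\.php$")
# The User-Agent check the post suggests; "ZmEu" is the agent string in the logs.
AGENT_RULE = re.compile(r"(?i)\bZmEu\b")

# Rules are tried in order; the first match decides, like a chain of deny rules.
RULES = (
    ("folder", lambda r: FOLDER_RULE.search(r["path"])),
    ("aggregator", lambda r: AGGREGATOR_RULE.search(r["path"])),
    ("agent", lambda r: AGENT_RULE.search(r["agent"])),
)


def parse_line(line):
    """Split one abbreviated log line into its fields; None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(line):
    """Return (source, rule_name) for a log line; rule_name is None when allowed."""
    rec = parse_line(line)
    if rec is None:
        return None, "unparsed"
    for name, test in RULES:
        if test(rec):
            return rec["source"], name
    return rec["source"], None


def evaluate(log_text):
    """Map every parsed request path to the rule that would have denied it."""
    verdicts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            verdicts[rec["path"]] = classify(line)[1]
    return verdicts


def lockout_candidates(log_text):
    """Sources with at least one denied request and their hit counts: the input
    a start-lockout style script would use to add an address to the firewall."""
    hits = Counter()
    for line in log_text.splitlines():
        source, rule = classify(line)
        if rule not in (None, "unparsed"):
            hits[source] += 1
    return dict(hits)


if __name__ == "__main__":
    for path, verdict in evaluate(SAMPLE_LOG).items():
        print(f"{verdict or 'allowed':>10}  {path}")
    print(lockout_candidates(SAMPLE_LOG))
```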

437 packets blocked.

Note that the firewall counted 423 blocked packets, plus the 14 addresses, for a total of 437 packets that never made a return trip. Yes, these addresses include some that look legitimate... I'm not sure why that happens, but I suspect that someone's server was compromised and its IP address is being used by the hacker...

My logs list this IP -

My logs list this IP - 218.78.209.241

Interesting, it's not listed...

I checked with dig and the IP you mentioned is not recognized as anyone's IP. Some hackers use IPs that should be blacklisted by ISPs but somehow aren't... That way, it's much harder to track them down, since no one claims to own those IPs.

# dig -x 218.78.209.241

; <<>> DiG 9.4.2-P2 <<>> -x 218.78.209.241
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44082
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;241.209.78.218.in-addr.arpa. IN PTR

;; Query time: 362 msec
;; SERVER: 206.13.31.12#53(206.13.31.12)
;; WHEN: Sat Sep 4 22:42:55 2010
;; MSG SIZE rcvd: 45

We're getting hit with this right now, but from yet another IP

10.104.63.192

..again unregistered.

Bogus net

Addresses that start with 10.x.x.x are reserved for local networks. If you are not using them, you can block them on your firewall.

When you look in your BIND folder, generally named.conf.options, you find the following list:

acl bogusnets {
0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8;
192.0.2.0/24;
224.0.0.0/3;
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
};

All of those can be blocked 100% except for the few that you use for your network (Intranet). Most people use the 192.168.x.x network. All the others can be shut down.

If you use iptables, then the following will do:

iptables -A bad_tcp_packets -i eth2 -s 10.0.0.0/8 -j DROP
iptables -A bad_tcp_packets -i eth2 -s 172.16.0.0/12 -j DROP

You can add all the bogus networks you want in a similar way.

Thank you for the info!
Alexis Wilke

Try MaxMind GeoIP search

http://www.maxmind.com/app/locate_demo_ip

According to MaxMind, 218.78.209.241 belongs to an ISP in Shanghai, China.

more IP-s

my web server was exploited this morning,

I check the logs for string: w00tw00t

this is what I found:


I found some from your list

I found some from your list and some more:


I deleted double entries.
I hope it's helpful.

greetinx from Germany

Another one

Got hit by this on 26/09/10 - 27/09/10 by:
184.72.140.28

resolves to:
ec2-184-72-140-28.compute-1.amazonaws.com

have logged with Amazon cloud abuse team (do an IP whois to get url)

Re: Another one

## my mask numbers

the source ip was : 72.167.161.46
owners have been notified

date nov 21 2010 around 10am pacific time zone x

get this and string of other requests followed
GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ZmEu
Host: ##.##.##.##
Connection: Close

Re: Another one

46.137.113.245 resolves to ec2-46-137-113-245.eu-west-1.compute.amazonaws.com

Re: Attack by ZmEu

Using modsecurity is unnecessary CPU load.
The best way is to create a jail in fail2ban that blocks packets before they reach Apache.
Ex:
[apache-bad]
enabled = true
port = http,https
filter = apache-bad
logpath = /var/log/apache*/*access.log
maxretry = 3
findtime = 5
bantime = 14400

and apache-bad in filter.d:
[Definition]
# <HOST> marks the client address that fail2ban extracts from the line and bans.
# Short tokens such as php, db or web also match ordinary URLs; tune the list
# to your site before enabling the jail.
failregex = ^<HOST> -.*"GET .*(admin|phpmyadmin|phpMyAdmin|pma|PMA|forum|board|guestbook|scripts|db|web|sql|php|mysql)
            ^<HOST> -.*"POST .*(admin|phpmyadmin|phpMyAdmin|pma|PMA|forum|board|guestbook|scripts|db|web|sql|php|mysql)
ignoreregex =

Re: Attack by ZmEu

Note that modsecurity is useful for many other things, and it is possible to block the IP address of users attacking you in this or any other way so the CPU load goes way down (and the transfer bandwidth that comes with it.)

Re: Attack by ZmEu

Over time the attacks on our servers have been dropping off. I'd like to think I have something to do with that. First: the word "admin" does not exist on our servers - mv admin Hf826csla997% (hack that subdir AH)

Second:
Htaccess contains:
ErrorDocument 403 /403.php

# Apache 2.2 access control: allow everyone, then deny the listed /8 blocks
order allow,deny
allow from all
deny from nn.0.0.0/8

And my 403.php checks the first octet of the IP and redirects the hack to the correct place they should try to hack: IE .. refresh' content='0;url=http://www.ripe.net/$u[2]/$u[3]/$u[4]/$u[5]' or apnic.net

"I" can't do anything to the hackers - the Admin's at Ripe can :-)

Re: Attack by ZmEu

Interesting method... I wonder what ripe.net does about such requests. 8-)

Note that I think these go in wave. So the hackers find a set of working URLs, and they run ZmEu or some other hack on them. Once the set was exhausted, they gather another load of URLs...

This being said ZmEu is just one of the many hacks that can attack your server. When you are PCI Compliant, you know of a really large number of requests that can be stopped first hand by Apache settings (such as denying an IP address, a folder, a file, etc.) or extensions such as modsecurity. In my case, I also block many IPs at the level of the firewall. This is good because it uses nearly no resources. (When you can avoid running Apache, modsecurity, or whatever CMS you're running... you save a lot of CPU, Disk I/O, etc.)

Thank you for the info.
Alexis

Re: Attack by ZmEu

I don't watch for ZmEu. I do watch for - /admin/myphpadmin, .../forgotten_password.php... I've made a list of about 20+ which all exist on my server: ln -s [xx] 403.php

..what ripe.net does... My hope is they check their logs like we do - except they may take the tack "Nobody would dare ... therefore we don't need to." My hope is the Ripe Admin says "WTF? ....".

grep deny .htaccess | wc = 61 and most are x.0.0.0/8 because I'm 1 of nnn on the shared server - so iptables is not in the cards. One other little script I run on selected IPs: forever { echo 'rand(alphanum)[1000x]'; usleep 10000; } Won't stop them but should slow them down - LaBrea....

Re: Attack by ZmEu

Why not just redirect it back to their IP? That'd be funny for them. :D

Re: Attack by ZmEu

ripe.net? Why? Send them back to China, then they will find out the meaning of pain.

Re: Attack by ZmEu

(1) It's a waste of your time and bandwidth;

(2) They're not all from China;

(3) It is not going to do anything to their server unless you launch a real attack.

Re: Attack by ZmEu

I'm currently getting bombarded with "w00tw00t.at.blackhats.romanian.anti-sec" followed by tons of requests for /setup.php, just like above..

The IP where this is coming from (174.133.159.74) is located in Houston, Texas and has 8 questionable-sounding hosts on that IP.. hijacked server?!

http://www.ip-adress.com/reverse_ip/174.133.159.74

The interesting thing is.. this was logged on my home server, which I just set up and got online yesterday O_o

Re: Attack by ZmEu

Think about it. They were kind enough to provide a useragent. Just block the useragent. Get a big list of bad useragents, and block them all. :)

Re: Attack by ZmEu

Yes. Like Yahoo! bot. Now I'm okay, but for some time I had to block it because when one connection was too slow to respond, they would not wait. Instead, they would try again, and again, and again... killing the Apache server in the process!

Pingback

[...] the flood of web scanners available on the internet and the wretched ZmEu bot end up making the life of our web servers a [...]

postfix down

A year ago this bitch put one of my servers down, with postfix trying to send my user:password repeated xxx times in the mail in the queue...

Still, this year I stopped using Ubuntu and tweaking the server too much (Server X...) and prefer a Debian stable. A must-have for serious production purposes.

Re: Attack by ZmEu

In this day of the "cloud" doesn't anybody have the time to create a dummy server that when the woot.blackhacks or whatever request a phpmyadmin conf file they get some of their own business back? Why not post a dummy site, with dummy configs with some scripts that just wreak havoc on their end? ISE.

Re: Attack by ZmEu

Hi eggmatters,

First of all, thank you for posting about your idea.

The cloud is not specifically what is necessary to attack back, also attacking back means war which is not automatically what you want and finally, most of us do not have the time... 8-)

This being said, the computers used for such attacks are often themselves servers that were attacked and of which the protections were penetrated. Thus attacking those is not wise (they are generally friendly, only the software added on their server is bad.)

Finally, it is not because ZmEu knows of a hack on your server that it has itself a flaw that you can easily make use of to break it...

Re: Attack by ZmEu

What I noticed on our EC2 servers is that it's spoofing the "healthcheck" load balancer machine, so not so easy to deny.

Re: Attack by ZmEu

This might be easier - stop them at the firewall, dead. On any machine, load balanced or not.

The IP addresses are spoofed, there is no 'they' - 'they' are just a bot, scanning for PMA openings. All of their hits have one thing in common - they all have "ZmEu" in them - so they're easy to stop.

This would be for machines running iptables.

http://fearelise.com/tech/server/using-iptables-to-block-bot-scan...

Re: Attack by ZmEu

There is always something new to learn! That --algo bm --string "ZmEu" is a good one and would indeed be the best way to block all the ZmEu attacks.

Did you notice any slow down using the string algo?

Re: Attack by ZmEu

Well - no, there's no slow down. Packets have to go through the "Raw" table anyway (it's their first stop). If you visit my site with a clear cache, notice the speed.

Another method is to redirect the ZmEu hit, but that still makes your web server work. My whole goal was to stop the hit before it even reached the web server.

There is a draw-back - it blocks ALL traffic containing the string - including outgoing...

So, I couldn't type ZmEu in or on my own page. To be able to put the string on the page, you have to put an empty tag (like italics or bold) between two letters (break the string). Like Zm<i></i>Eu - which shows up on the page normally.

That's the only drawback I've seen though.

If you use iptables, I can send you a great set of rules that's fast, efficient and auto-bans scans (ssh, http, https)... Send an email to the address I put in there, and I'll send it to ya and explain what the rules are - then you can post it, as an all around good security measure if you want!

I actually found your site listed in a post on the Jeep Forum. I figure it can't hurt to help a fellow Linux fan!!

Re: Attack by ZmEu

Ah! I ran into similar problems with modsecurity... it would block me from writing a script sample using shell or SQL commands!? I removed most of those rules because the CMS takes care of those problems automatically.

Now, it's certainly rare to post about ZmEu... 8-) So that's not too bad on that one. But I could imagine that such a protection directly in your firewall could get you in trouble once in a while. And at the raw level I'd bet they have no clue of what the User-Agent is.

On the other hand, if you capture the IP address of the offensive robot on the first hit and add that to your firewall, automatically, then in effect you're doing the same thing as blocking in the firewall, it's just a bit more dynamic... and the blockage can be much smarter (i.e. know about the protocol.)

Re: Attack by ZmEu

Thank you for this well-commented experience. Last night, when investigating the logs of my ReadyNAS NV+, which I have owned since March 2011, I found quite some log items of "visits" by ZmEu (among others! but that's another story). I googled the web and found this webpage. The content on this webpage helped me a lot! I am fairly new to Linux and learn every day. Not bad at the age of 65 :-). I saw that a lot of log items listed on your webpage are identical to the ones I found in my logfiles. Thanks for the advice and also all the comments of other visitors. In this way I am able to understand how these infringements are done and also how I can tighten the security more. Two years ago I started to study and experiment with Linux when it was clear that Micro$oft wanted me to dump my nice HP desktop PC from 2006 because it was running XP. Now I run Ubuntu 10.04.3 LTS in dual boot and maybe I will dump XP fully in the near future. Thanks guys! I will come back to learn more and maybe I will be able to contribute something in the future. Deo Volente! Paul.

Re: Attack by ZmEu

Hi Deo,

Thank you for the nice words. My website is full of tricks for Linux. I hope you can find other useful things in connection with your Linux endeavor. Yes. Linux is much better than Windows.

Why did you choose 10.04 instead of 11.04 or 11.10?

Best,
Alexis

Re: Attack by ZmEu

Hey Alexis!

10.04 is pre-unity w/ Gnome 2 and is way easier to use, IMO.

Re: Attack by ZmEu

Also, starting in 10.10, and in 11.04, there is a race condition that can cause errors on boot, which is a pain.

11.10 took away the option to switch to Gnome, and is using a 1/2 Gnome3 backend.

In 10.10 onward, other applications are broken (especially totem w/ color and ff rw.).

There are resolutions online for all that, but in 10.04 nothing is broken and there's no 'forced unity'.

I wanted to note again on the article topic, blocking the ZmEu via IP is the longest way around spoofed IPs.

Stop them at the firewall with one line..

http://fearelise.com/tech/server/using-iptables-to-block-bot-scan...

It works for other bots too... :)

Re: Attack by ZmEu

Yeah... I'm running 11.04 at this time and it looks okay, for most everything, except for gVim, whose output is often garbage (it looks like there are many problems with compiz/3D/OpenGL). I could try without compiz though...

I tried 11.10 and it was much worse. They completely changed the UI for the worse and made it close to unusable. Maybe with a little practice I'd come to like it somewhat, but I'm pretty sure that if they don't offer a proper UI bar as before, it won't be pleasing. So I'm waiting for 12.04 and hoping some people will have added a nice fully compatible small bar as before to that new UI environment. (we can always dream! the force be with me! 8-) )

I do agree that the string in the firewall is a better bet, although a ZmEu user could as easily change the name of his bot... if he were smart, he would use a name that you "cannot" block using a string (i.e. googlebot.)

Re: Attack by ZmEu

If you run any public webservers, you can really expect these probes from China.
They are looking to see if you are running any packages with known vulnerabilities,
like phpMyAdmin, wordpress.

The probes can be so intense at times that you will experience denial of service.

Our solution was to declare a 404 handler for missing pages that filters
for the known vulnerabilities that hackers are probing for. If any one
of these vulnerabilities is probed, the IP is immediately added to the
firewall. Networking will immediately block that IP, and the perp will not
be able to probe any other vulnerabilities.

Here is our solution. Not all required code is presented, but you should be
able to get the gist.

First, put a 404 handler in your web server for each site:
---------------------------------------------------------

ErrorDocument 404 "/cgi-bin/common/error.cgi?404"
---------------------------------------------------------

error.cgi looks like this:
---------------------------------------------------------

#!/usr/bin/perl
#
# Copyright 2009 Software Toolz, Inc. - Atlanta, Georgia
#
# All rights reserved worldwide. This program may not be reproduced,
# transmitted, transcribed, stored in a retrieval system or translated in
# any human or computer language, in any form without the express written
# permission of Software Toolz, Inc.
#
# 404 catcher for all non-personals sites
# uses orders.ipblock to record blocks
#
use File::Basename;
use Sys::Hostname;
use lib '/home/common/shared/perl';
require 'syms2.pl';
use libcsub;
use libproj;
require 'badrqst.pl';

&prog_init;
&look_rqst;
&prog_exit;

### End

sub look_rqst
{
my ($fn,@parts,$fext,$buf,@msg);
my ($me) = basename($0);

if ("$ARGV[0]" eq '404')
{
&logmsg('W',"404 request: $ENV{'REQUEST_URI'}");
$fn = basename("$ENV{'REQUEST_URI'}");
if ("$fn" eq 'favicon.ico' or
"$fn" eq 'robots.txt' or
"$fn" eq 'crossdomain.xml' or
"$fn" eq 'wpad.dat') { &prog_exit; }

(@parts) = split /\./,$fn;
$fext = lc($parts[$#parts]);

if ("$fext" eq 'jpg')
{
# a missing picture gets a placeholder image instead of an HTML page;
# the image path was lost when this post was rendered, so a placeholder path is used here
print "Content-type: image/jpeg\n\n";
open IMG,"</path/to/missing.jpg" or &prog_exit;
binmode IMG;
binmode STDOUT;
print while (<IMG>);
close IMG;
}
else
{
# badrqst.pl checks the request against the probe list; a probe has already been
# answered (and the IP blocked) by &hack, so there is nothing more to show
# (this call was lost in rendering; its position here is reconstructed)
if (&badrqst eq 'Y') { &prog_exit; }
print "Content-type: text/html\n\n";
print <<EOT_SHOW_THEM;
<html>
<head><title>Error</title></head>
<body>
<h1>Missing Page</h1>
<p>
Request: $ENV{REQUEST_URI}<br>
Referrer: $ENV{HTTP_REFERER}<br>
Server: $ENV{SERVER_NAME}
</p>
</body>
</html>
EOT_SHOW_THEM
}
}
else
{
&logmsg('W',"Argument not handled: $ARGV[0]");
}
}

sub prog_init
{
my ($sig);

#&logset('MSG_OPT_ELEVEL','MOST');
&logset('MSG_OPT_PREFIX',"$PREFIX");
&logmsg('B',"$0 @ARGV");
foreach $sig (keys %SIG)
{
if ("$sig" ne 'CHLD' and "$sig" ne 'CLD') { $SIG{$sig} = \&prog_exit; }
}
}

sub prog_exit
{
local($sig) = @_;
my (undef,$filename,$line) = caller;
my ($fn) = basename($filename);
&logmsg('W',"Signal: $sig ($fn/$line)")
if $sig;

&logmsg('Z','End');
exit;
}
---------------------------------------------------------
badrqst.pl looks like this:
---------------------------------------------------------
#
# Copyright 2009 Software Toolz, Inc. - Atlanta, Georgia
#
# All rights reserved worldwide. This program may not be reproduced,
# transmitted, transcribed, stored in a retrieval system or translated in
# any human or computer language, in any form without the express written
# permission of Software Toolz, Inc.
#
use DBI;
use Sys::Hostname;
use lib '/home/common/shared/perl';
use liborder;

sub badrqst
{
my ($timestr) = &currentimestr;
my ($spoolfile) = "/usr/local/spool/badrqst.DAT";
my (@node) = split /\./,hostname();
my ($probe);

$probe = &chk_probe;

# spool the row for the database for the 404 daily report
open DATA,">>$spoolfile";
print DATA "$ENV{SERVER_NAME}\t$ENV{REQUEST_URI}\t$ENV{HTTP_REFERER}\t$ENV{REMOTE_ADDR}\t$node[0]\t$timestr\t$probe\n";
close DATA;
chmod 0666,"$spoolfile";
&logmsg('W',"Missing page referer=$ENV{HTTP_REFERER}, request=$ENV{REQUEST_URI}, cookies=$ENV{HTTP_COOKIE}, agent=$ENV{HTTP_USER_AGENT}, probe=$probe");

return $probe;
}

sub hack
{
my ($timestr) = &currentimestr;
my ($spoolfile) = '/usr/local/spool/hack.DAT';
my ($rows,$rc);
my ($host) = hostname;
my ($errlevel) = 'I';

&trick_hacker;

$rc = system("suexec ipblock.sh $ENV{REMOTE_ADDR}");
if ($rc != 0) { $errlevel = 'E'; }
&logmsg("$errlevel","Add block: $ENV{REMOTE_ADDR}, $rc");

# this queues the row for the database for the blocked IPs
open DATA,">>$spoolfile";
print DATA "$ENV{REMOTE_ADDR}\t$ENV{SERVER_NAME}\t$timestr\t$ENV{REQUEST_URI}\n";
close DATA;
chmod 0666,"$spoolfile";
&logmsg('W',"Hack attempt referer=$ENV{HTTP_REFERER}, remote=$ENV{REMOTE_ADDR}, request=$ENV{REQUEST_URI}, server=$ENV{SERVER_NAME}, cookies=$ENV{HTTP_COOKIE}, agent=$ENV{HTTP_USER_AGENT}");
return 'Y';
}

# these are probes for vulnerabilities
sub chk_probe
{
# hackers have not been sending a referring URL
if ("$ENV{HTTP_REFERER}") { return 'N'; }

length("$ENV{REQUEST_URI}") > 128
and return &hack;
$ENV{REQUEST_URI} =~ /phpmyadmin/i
and return &hack;
$ENV{REQUEST_URI} =~ /\.\.\/|\|/
and return &hack;
$ENV{REQUEST_URI} =~ /README/
and return &hack;
$ENV{REQUEST_URI} =~ /administrator\/index.php/
and return &hack;
$ENV{REQUEST_URI} =~ /^\/admin/
and return &hack;
$ENV{REQUEST_URI} =~ /^\/w00tw00t\.at\.blackhats\.romanian\.anti-sec/
and return &hack;
$ENV{REQUEST_URI} =~ /^\/_vti_bin/
and return &hack;
$ENV{REQUEST_URI} =~ /^\/MSOffice/
and return &hack;
$ENV{REQUEST_URI} =~ /scripts\/setup.php/
and return &hack;
$ENV{REQUEST_URI} =~ /pshwork\.net/
and return &hack;
$ENV{REQUEST_URI} =~ /\/includes\/session.php/
and return &hack;
$ENV{REQUEST_URI} =~ /\/awstat/
and return &hack;
$ENV{REQUEST_URI} =~ /\/phpalbum/i
and return &hack;
$ENV{REQUEST_URI} =~ /\/muieblackcat/
and return &hack;
$ENV{REQUEST_URI} =~ /\+iframesrc\+/
and return &hack;
$ENV{REQUEST_URI} =~ /\/\[object\]/
and return &hack;
$ENV{REQUEST_URI} =~ /\/fckeditor\//i
and return &hack;
$ENV{REQUEST_URI} =~ /^\/mysql/i
and return &hack;
$ENV{REQUEST_URI} =~ /\/bitfield_vbseo.xml/
and return &hack;
$ENV{REQUEST_URI} =~ /\/wp-login\.php\//
and return &hack;
$ENV{REQUEST_URI} =~ /ajaxfilemanager\//i
and return &hack;
$ENV{REQUEST_URI} =~ /\/vbseocp.php/i
and return &hack;
$ENV{REQUEST_URI} =~ /\/mobiquo\/tapatalkdetect\.js/
and return &hack;

return 'N';
}

# response to a known hacker probe
sub trick_hacker
{
my ($buf);

print "Content-type: text/html\n\n";
# the template path was lost when this post was rendered; placeholder path below
open HTML,"</path/to/hacker.html" or return;
while ($buf = <HTML>)
{
$buf =~ s/#REMOTE#/$ENV{'REMOTE_ADDR'}/g;
$buf =~ s/#REASON#/Unauthorized Access/g;
print "$buf";
}
close HTML;
return;
}

1;

---------------------------------------------------------
The IP is inserted into a MySQL table that looks like this:
---------------------------------------------------------
-----------------------------------------------------------------------------
Count  Field    Type           Null  Key  Default  Extra
-----  -------  -------------  ----  ---  -------  -----
0      server   varchar(40)    NO         NULL
1      url      varchar(255)   NO         NULL
2      referer  varchar(255)   YES        NULL
3      remote   varchar(32)    NO         NULL
4      node     varchar(16)    YES        NULL
5      datim    datetime       YES        NULL
6      probe    enum('Y','N')  YES        N
-----  -------  -------------  ----  ---  -------  -----
-----------------------------------------------------------------------------
This table is used to block the IP only once and also to remove the block
5 days later.
---------------------------------------------------------
The ipblock.sh script called from the Perl script above looks like this:
#!/bin/bash
#
# Copyright 2011 Software Toolz, Inc. - Atlanta, Georgia
#
# All rights reserved worldwide. This program may not be reproduced,
# transmitted, transcribed, stored in a retrieval system or translated in
# any human or computer language, in any form without the express written
# permission of Software Toolz, Inc.
#
ME=`basename $0`
LOGFILE=/var/tmp/$ME.$$.log.tmp
logmsg $0 B -p=$$ "$0 $*"
. mustbe root
IP=$1
DEL=$2
MASK='XX\.XX\.XXX\.'

if [ -z "$IP" ]
then
logmsg $0 E -p=$$ "usage: $0 ip [del]"
logmsg $0 Z -p=$$
exit 1
fi

. dbhost.sh
HOST=`hostname`
if [ "$DEL" ]
then
FLAG='-D'
else
FLAG='-I'
if [ `echo "$IP" | egrep "^$MASK"` ]
then
logmsg $0 E -p=$$ "($ME/$LINENO) Our own address: $IP"
logmsg $0 Z -p=$$
exit 1
fi
mysql orders\
$DBHOST $DBUSER $DBPASS\
--exec="insert into ipblock\
values\
(\"$IP\",now(),\"$HOST\")" 2>&1 |
logmsg $0 W -p=$$ -i -e "($ME/$LINENO)"
if [ ${PIPESTATUS[0]} -ne 0 ]   # exit status of mysql, not of logmsg at the end of the pipe
then
exit
fi
logmsg $0 I -p=$$ "Blocked: $IP"
fi

STAT=0

/sbin/iptables ${FLAG} INPUT -s $IP -j DROP 2>>$LOGFILE
STAT=$(($STAT + $?))
/sbin/iptables ${FLAG} OUTPUT -d $IP -j DROP 2>>$LOGFILE
STAT=$(($STAT + $?))
/sbin/iptables ${FLAG} FORWARD -d $IP -j DROP 2>>$LOGFILE
STAT=$(($STAT + $?))
/sbin/iptables ${FLAG} FORWARD -s $IP -j DROP 2>>$LOGFILE
STAT=$(($STAT + $?))
logmsg $0 E -p=$$ -f=$LOGFILE "($ME/$LINENO) $IP"

/sbin/service iptables save 2>&1 | logmsg $0 D -p=$$ -i "($ME/$LINENO)"

if [ "$DEL" -a $STAT -eq 0 ]
then
mysql orders\
$DBHOST $DBUSER $DBPASS\
--exec="delete from ipblock\
where ip = \"$IP\"\
and hostname = \"$HOST\"" 2>&1 |
logmsg $0 E -p=$$ -i "($ME/$LINENO)" Unblock:
logmsg $0 I -p=$$ "Unblocked: $IP"
fi

logmsg $0 Z -p=$$ $STAT
exit $STAT
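The post above implements what Alexis suggests earlier in the thread (capture the IP on the first probe, block it, and let the block expire later). As an added example, not part of the post or of Software Toolz's code, here is the same decision logic replayed over constructed Apache log lines in Python: a subset of the chk_probe patterns, the no-Referer rule and the 128-byte URI rule decide whether a 404 is a probe, and each IP is blocked once until the 5-day expiry, which is the job the ipblock table does. Log lines, addresses and the log regex are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# A subset of the chk_probe patterns from the post, checked on 404 hits that carry
# no Referer; the 128-byte URI rule and the 5-day block expiry are the post's numbers.
PROBE_PATTERNS = [re.compile(p, f) for p, f in (
    (r"phpmyadmin", re.I), (r"\.\./|\|", 0), (r"scripts/setup\.php", 0),
    (r"^/w00tw00t\.at\.blackhats\.romanian\.anti-sec", 0), (r"^/_vti_bin", 0),
    (r"/muieblackcat", 0), (r"/fckeditor/", re.I))]
MAX_URI_LEN = 128
BLOCK_TTL = timedelta(days=5)

# Apache combined log format, only the fields we need (constructed regex).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+)'
                    r' [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def is_probe(uri, referer):
    """Mirror chk_probe: only referer-less requests are tested for probe signatures."""
    if referer and referer != "-":
        return False
    return len(uri) > MAX_URI_LEN or any(p.search(uri) for p in PROBE_PATTERNS)

def scan(lines):
    """Return (ip, uri, action) for each probing 404. 'block' is emitted once per IP
    until the entry expires, which is the job the post's ipblock table does."""
    blocked = {}  # ip -> time the block was added (what ipblock.sh stores in MySQL)
    actions = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "404" or not is_probe(m["uri"], m["referer"]):
            continue
        now = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["ip"] in blocked and now - blocked[m["ip"]] < BLOCK_TTL:
            actions.append((m["ip"], m["uri"], "already-blocked"))
        else:
            blocked[m["ip"]] = now  # this is where ipblock.sh would be invoked
            actions.append((m["ip"], m["uri"], "block"))
    return actions

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2012:08:00:01 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 512 "-" "ZmEu"',
    '203.0.113.5 - - [10/Jan/2012:08:00:02 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 512 "-" "ZmEu"',
    '198.51.100.7 - - [10/Jan/2012:08:05:00 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 512 "-" "ZmEu"',
    '192.0.2.9 - - [10/Jan/2012:09:00:00 +0000] "GET /old-page.html HTTP/1.1" 404 512 "http://www.example.com/" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Jan/2012:08:00:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "ZmEu"',
]
if __name__ == "__main__":
    for ip, uri, action in scan(SAMPLE_LOG):
        print(f"{action:16} {ip:14} {uri}")
```

The fourth sample line is a genuine 404 with a Referer and is left alone; the last one shows the same IP being blocked again once its first block has aged out.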

Re: Attack by ZmEu

I find the test of the length quite interesting...

length("$ENV{REQUEST_URI}") > 128
and return &hack;

I would think that 128 isn't such a very long URL, although many systems refuse anything longer; browsers support 1024 (IE) or much more (nearly 64kb for FireFox; at least older versions were that large with URLs).

Re: Attack by ZmEu

Hi there,

I've just found some files and logs about what seems to be an IRC command and control server.

I left a test user on the machine and someone located it. Oops! I did it again!

I have every file with logs if you want to check them. I can upload them to bittorrent or something similar.

Maybe it can help to stop them a little bit.

Just let me know.
Kindest regards

Re: Attack by ZmEu

Hi gadlinux,

I think we already got quite a few samples and we don't need more. And most of the people get loads of samples in their own logs. 8-)

Thank you.
Alexis
