The Linux Page

Attacks by ZmEu or w00tw00t robots

Who is ZmEu?

An image showing ZmeuThe name Zmeu (no capital E) is the name of a fantastic creature of Romania. There are so many stories that there isn't a clear understanding of what it is... but it is human like, can spit fire and wants to marry young women.

If you're wondering, it is generally a bad guy.

ZmEu Attack

Today, I noticed a lot of traffic on one of my servers. Looking into what was happening, I immediately found out that an attacker was looking for a loophole in that system. That attack was being performed from China.

I checked another server, and sure enough, that other server was being attacked as well.

I quickly added some code to our modsecurity to block further testing of our systems. Not that there are any holes, but it uses a lot of CPU time to generate 1,000's of totally useless pages when we could instead turn them back right at the gate.

The system returned one of the following errors:

302 (redirect)

400 Bad Request

404 Page Not Found

The problem is the 404. Obviously, they won't be able to hack the system because they get a 404, but it requires quite some work to generate the 404 page... And if we know that it is not necessary because it is an attack, then we should just return 400 and be done with it.

The 302 was not followed. Interesting since they are trying to break in and a 302 could sound like it might work! Ah! Except that the 302 happens because the server sends them to an HTTPS which apparently they would not have been able to handle.

modsecurity2 Additions

I added a rule to modsecurity that looks like this:

   SecRule REQUEST_URI "@rx (?i)\/(php-?My-?Admin[^\/]*|mysqlmanager
       |myadmin|pma2005|pma\/scripts|w00tw00t[^\/]+)\/"
       "severity:alert,id:'0000013',deny,log,status:400,
       msg:'Unacceptable folder.',severity:'2'"

WARNING: You cannot really cut the lines that way... Use a \ and don't cut strings. This is for better, easier to read HTML display.

If you are using phpMyAdmin, then you'll want to add another rule to skip this one. That other rule should check your IP and when you get a perfect match, use "skipAfter:0000013".

The message is what is logged in your mod_debug file. It can be anything you want.

Run /etc/init.d/apache2 reload to run with the new rule.

The rule I present here is "limited", yours may include more folders as seen in the attack logs. You could also limit the agent and refuse any ZmEu whatnot to connect to your server.

Attack Logs

I pasted the attack logs below cleaning up a few things so it does not look as large as it would otherwise be.

Notes:

  1. We have two IP addresses: 69.55.233.22 and 69.55.233.23. The robot seems to have been testing with both IPs even though they used the same domain name (which is wrong, that domain name is only attached to one specific IP address!)
  2. They tried many entries in upper and lower case (i.e. myPhpAdmin and myphpadmin,) which is a good idea since a Unix system will only recognize the correct case...
  3. Note that for myPhpAdmin they checked all sorts of versions, in other words, whatever version you have there is probably a hack for it... I strongly suggest that you use a specific port if you use that silly tool and close the port to anyone by you (i.e. http://www.example.com:8881/myPhpAdmin and block 8881 in your firewall to all but your static IP address)
GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" "69.55.233.22" "ZmEu"
GET /scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" "69.55.233.23" "ZmEu"
GET /admin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /admin/pma/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /admin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 302 20 "69.55.233.22" "ZmEu"
GET /admin/pma/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /db/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /db/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /dbadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /dbadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /myadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /myadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /mysql/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysql/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /mysqladmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysqladmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpmyadmin1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpmyadmin1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpmyadmin2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpmyadmin2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /pma/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /pma/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /web/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /web/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /php-my-admin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /php-my-admin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /websql/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /websql/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /php-my-admin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /php-my-admin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.2.3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.2.3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.2.6/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.2.6/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.5-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.5-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.5-rc2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.5-rc2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.5-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.5-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.6-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.6-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.6-rc2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.6-rc2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.6/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.6/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.7/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.7/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.7-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.7-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-alpha/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-alpha/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-alpha2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-alpha2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-beta2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-beta2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-rc2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-rc2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-rc3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-rc3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-pl2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-pl2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-pl3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-pl3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1-rc2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1-rc2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1-pl2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1-pl2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1-pl3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1-pl3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.2-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.2-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.2-beta1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.2-beta1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.2-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.2-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.2-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.2-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.3-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.3-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.3-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.4-pl2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.4-pl3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-pl2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.4-pl4/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-pl3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.4/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-pl4/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.7.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.7.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.7.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.7.0-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.7.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.7.0-pl2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.7.0-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.7.0/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.7.0-pl2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.7.0/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0-rc2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0-rc2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0.1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0.2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0.1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0.3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0.2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0.4/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0.3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.1-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0.4/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.1-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /sqlmanager/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysqlmanager/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /sqlmanager/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysqlmanager/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /p/m/a/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /PMA2005/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /pma2005/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpmanager/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /PMA2005/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /php-myadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /pma2005/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpmy-admin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpmanager/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /webadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /php-myadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /sqlweb/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpmy-admin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /websql/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /webadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /webdb/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /sqlweb/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysqladmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /websql/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysql-admin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /webdb/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysqladmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysql-admin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"

Update 2010-09-19

In the last 3 days I have got many hits from various IP addresses, all happening very fast and all three hitting 3 pages, two of which had a wrong 'index.php' at the end (which is ignored by Drupal, but should never be there since Drupal uses index.php?q=/path/ and not /path/index.php).

There is an example:

GET /aggregator/categories/2%20%20/index.php HTTP/1.1" 200 55765 "linux.m2osw.com" "-" "Mozilla/5.0"
GET /aggregator/categories/index.php HTTP/1.1" 404 73041 "linux.m2osw.com" "-" "Mozilla/5.0"
GET /index.php HTTP/1.1" 200 62789 "linux.m2osw.com" "-" "Mozilla/5.0"
GET /aggregator/index.php HTTP/1.1" 200 72023 "linux.m2osw.com" "-" "Mozilla/5.0"

Notice the double space after the /2 on the first line!

As you can see, it pretends to be Mozilla and it puts a clean referrer. Yet, from index.php you cannot get to any of those other 3 entries.

I blocked this one in a similar using modsecurity2 with the following rule:

SecRule REQUEST_URI "@rx \/aggregator\/(?:[^/]+\/)*index\.php$" "severity:alert,id:'0000008',exec:/usr/loccal/bin/start-lockout"

The rule captures any path that starts with aggregator and includes index.php at the end. If that happens it is a robot. Therefore it gets blocked (the start-lockout process adds their IP address to the firewall, automatically.) The following is the list that got caught within 1h.

pkts   source IP
  28   174.143.33.218
  48   209.240.96.35
  32   202.160.120.220
  28   174.139.12.170
  27   208.115.101.50
  52   216.12.222.154
  48   74.86.154.37
  50   207.178.136.143
   2   91.186.11.81
  46   178.32.40.3
   2   74.63.10.96
   2   67.225.164.101
   8   59.120.145.13
  50   64.9.53.20
-----
437 packets blocked.

Note that the firewall blocked 423 packets plus 14 addresses is 437 packets that did not make a return trip. Yes. These addresses include things that seem legitimate... I'm not too sure why this happens, but I suspect that someone's server was compromised and the IP address is used by the hacker...

Re: Attack by ZmEu

This is indeed an awesome tutorial for attacks BY ZmEu

Re: Attack by ZmEu

Came up with this modsecurity rule to block ZmEu bots

SecRule REQUEST_HEADERS:User-Agent "ZmEu" "severity:alert,id:'0000013', deny, log, status:400, msg:'ZmEu bot detected', severity:'2'"

Re: Attack by ZmEu

Well... I think there are just way too many bad bots out there. Some like this one may look more prominent when they find your server, but I've seen quite a few attacks over the years, all from different bots.

Re: Attack by ZmEu

A: Do NOT - DO NOT!!! have the letters "admin" anywhere on your system. If you notice every attempted break in has the word "admin" in it. mv admin nancy. mv admin kitty. mv admin spot - anything except admin - that includes phpmyadmin, myphpadmin, wp-admin. Redirect to hack.html/php.

B: If your website is for a cab company in (say) Kansas City there is no need for someone in China or Moscow to access your site - htaccess - deny from a.b.c.d. Use www.arin.net.

Re: Attack by ZmEu

Here we go =)

109.70.2.100
114.35.48.216
116.254.203.24
117.103.223.26
117.135.143.64
118.26.17.170
121.189.62.84
12.219.41.222
122.224.6.43
122.72.76.130
123.231.66.85
1.234.31.20
1.234.4.16
173.234.163.99
174.120.179.66
178.124.132.111
178.73.196.246
180.131.3.12
184.106.213.172
184.106.220.5
184.154.22.68
184.173.112.132
189.254.67.74
190.187.148.146
193.193.194.30
194.140.232.13
195.77.92.237
200.102.9.34
202.102.70.84
202.137.23.131
202.143.145.27
203.158.223.152
203.91.121.71
208.68.209.241
210.211.100.172
211.152.55.131
212.72.26.163
216.12.205.234
217.109.182.24
217.12.246.187
217.145.71.1
217.15.123.102
218.16.230.104
218.29.115.152
219.153.1.229
220.66.7.180
221.13.34.3
222.122.186.200
222.36.0.46
223.85.245.54
41.203.119.18
41.93.32.3
46.165.193.147
46.166.178.166
50.22.86.10
58.141.76.253
59.173.18.100
5.9.75.60
60.248.147.85
61.145.246.100
64.250.114.155
66.161.176.108
67.152.51.22
69.13.149.83
70.36.118.56
72.34.32.121
72.51.39.133
74.55.241.170
74.82.51.213
77.238.8.148
79.99.41.36
80.250.166.21
80.86.83.93
81.0.119.24
81.91.109.11
82.213.78.2
84.237.80.106
85.100.42.26
91.149.145.55
93.157.174.2
94.23.34.76
95.13.23.252
95.163.100.31

Re: Attack by ZmEu

Why is there not much mention of this bot?

I see scans coming from far and wide, globally on a daily basis.

Yet never hear any mention of Zemu other than my IDS.

Re: Attack by ZmEu

I was hit too.. I found that is a stupid child in a city near me... Man! He need a kick in his ass !!

Re: Attack by ZmEu

Ah-ha!! I'll have to look at --icase, I didn't know about that before!

I asked about adding you just in case... Everyone else in the list are people I used to work with.. :)

The CMS I made is PHP based, and "ultra-optimized" (MDO). It's in a complete form, but there's always more stuff to add. The entire CMS is 29KB (compared to 8MB for WP), is incredibly fast and has a full range of options (backups, pagination, bot protection etc..). I haven't actually named it yet.. It's Open so anyone can modify however they wish. We could email, and your welcome to take a look at the code if you like! I think I still have your email.

Sorry we got so off topic!

Re: Attack by ZmEu

Yes, I added exactly that to my firewall configuration file. Actually, I added another one touch to it: --icase. That way, it ignores case so "Payday Loans" is also a match.

I read indeed that this was slow, but as I'm using Drupal at this point it is MUCH faster than hitting Drupal.

And I too am creating a new CMS. I'm still working out the content (everything is content, users, permissions, etc.) once that works, it will be time to generate serious pages including forms and cookies.

http://snapwebsites.org/

P.S. Sorry about the anti-spam module telling you your posts are spam. The Drupal spam module sucks too.

P.P.S. As adding me to your website, not a problem. I suppose you mean adding a link to my page there? Note that you don't have to ask to add links to your page! 8-)

Re: Attack by ZmEu

Hey - awesome! I wonder about those accepted packets, they shouldn't of touched the web server - it should in essence send them to /dev/null.

Did you add it like this (just curious):
*raw
:PREROUTING - [0:0]
-A PREROUTING -m string --algo bm --string "payday loan" -j DROP
COMMIT

..On a different note - I'd like to add you as a friend of my site, if that's ok? Right now that section's on the About page, but will be moved to the footer later. (The site doesn't look that great now, I started it over, and it's a slow process.. I'm building the whole thing by hand, even the CMS.. blah.)

Re: Attack by ZmEu

It looks like it works well. 8-)

As I get many comments about loans on one of my servers... I added such a string:

Chain PREROUTING (policy ACCEPT 9155825 packets, 1286167807 bytes)
pktsbytestargetprotoptinoutsourcedestinationextra
13021702009DROPall--**0.0.0.0/00.0.0.0/0STRING match "payday loan" ALGO name bm TO 65535

We can see it blocked 1302 packets out of 9,155,825 packets. I wonder, however, whether I still wasted the 1.7Mb of bytes as shown in the received bytes column. Anyway, a lot of resources saved, that's for sure!

Re: Attack by ZmEu

Hey Alexis,

Because my goal was to stop them before they hit the web server (before port 80) - so the web server doesn't have to do any work, just the firewall (vs the web server and firewall).

That's why it uses "PREROUTING", which has to go in the *raw table.

Re: Attack by ZmEu

I'm wondering why you'd want to set that on the *raw stack. I would use something like this to block such requests on port 80 (you could add all your HTTP ports like 8080 and 443.)

sudo iptables -A bad-httpd-packets -p tcp -m tcp --dport 80 -m string --algo bm --string "payday loan" -j DROP

Re: Attack by ZmEu

Hey Alexis - Stopping them with one line is far more efficient.. It also lets the firewall do the work, and let's the web server carry on...

Simply run this at the command line:

iptables -t raw -A PREROUTING -m string --algo bm --string "ZmEu" -j DROP

To add to iptables:

*raw
:PREROUTING - [0:0]
-A PREROUTING -m string --algo bm --string "ZmEu" -j DROP
COMMIT

It's 100% effective - I haven't had one ZmEu bot since I implemented it, even if the originating IP changes..

http://fearelise.com/tech/server/using-iptables-to-block-bot-scan...

Hope your doing good!

Re: Attack by ZmEu

Hi gadlinux,

I think we already got quite a few samples and we don't need more. And most of the people get loads of samples in their own logs. 8-)

Thank you.
Alexis

Re: Attack by ZmEu

Hi there,

I've just found some files and logs about what it seems to be an IRC command and control server.

I leave a testuser in the machine and someone located it. Ups! I did it again!

I have everyfile with logs if you want to check them. I can upload it to bittorrent or something similar.

Maybe it can help to stop them a little bit.

Just let me know.
Kindest regards

Re: Attack by ZmEu

I find the test of the length quite interesting...

length("$ENV{REQUEST_URI}") > 128
and return &hack;

I would think that 128 isn't such a very long URL although many system refuse anything any longer browsers support 1024 (IE) or much more (nearly 64kb for FireFox, at least older versions were that large with URLs.

Re: Attack by ZmEu

If you run any public webservers, you can really expect these probes from China.
They are looking to see if you are running any packages with known vulnerabilities,
like phpMyAdmin, wordpress.

The probes can be so intense at times that you will experience denial of service.

Our solution was to declare a 404 handler for missing pages that filters
for the known vulnerabilities that hackers are probing for. If any one
of these vulnerabilities is probed, the IP is immediately added to the
firewall. Networking will immediately block that IP, and the perp will not
be able to probe any other vulnerabilities.

Here is our solution. Not all required code is presented, but you should be
able to get the gist.

First, put a 404 handler in your web server for each site:
---------------------------------------------------------

ErrorDocument 404 "/cgi-bin/common/error.cgi?404"
---------------------------------------------------------

error.cgi looks like this:
---------------------------------------------------------

#!/usr/bin/perl
#
# Copyright 2009 Software Toolz, Inc. - Atlanta, Georgia
#
# All rights reserved worldwide. This program may not be reproduced,
# transmitted, transcribed, stored in a retrieval system or translated in
# any human or computer language, in any form without the express written
# permission of Software Toolz, Inc.
#
# 404 catcher for all non-personals sites
# uses orders.ipblock to record blocks
#
use File::Basename;
use Sys::Hostname;
use lib '/home/common/shared/perl';
require 'syms2.pl';
use libcsub;
use libproj;
require 'badrqst.pl';

&prog_init;
&look_rqst;
&prog_exit;

### End

sub look_rqst
{
my ($fn,@parts,$fext,$buf,@msg);
my ($me) = basename($0);

if ("$ARGV[0]" eq '404')
{
&logmsg('W',"404 request: $ENV{'REQUEST_URI'}");
$fn = basename("$ENV{'REQUEST_URI'}");
if ("$fn" eq 'favicon.ico' or
"$fn" eq 'robots.txt' or
"$fn" eq 'crossdomain.xml' or
"$fn" eq 'wpad.dat') { &prog_exit; }

(@parts) = split /\./,$fn;
$fext = lc($parts[$#parts]);

if ("$fext" eq 'jpg')
{
print "Content-type: image/jpeg\n\n";
open IMG,"

Error

Missing Page

Request: $ENV{REQUEST_URI}
Referrer: $ENV{HTTP_REFERER}
Server: $ENV{SERVER_NAME}

EOT_SHOW_THEM
}
}
else
{
&logmsg('W',"Argument not handled: $ARGV[0]");
}
}

sub prog_init
{
my ($sig);

#&logset('MSG_OPT_ELEVEL','MOST');
&logset('MSG_OPT_PREFIX',"$PREFIX");
&logmsg('B',"$0 @ARGV");
foreach $sig (keys %SIG)
{
if ("$sig" ne 'CHLD' and "$sig" ne 'CLD') { $SIG{$sig} = \&prog_exit; }
}
}

sub prog_exit
{
local($sig) = @_;
my (undef,$filename,$line) = caller;
my ($fn) = basename($filename);
&logmsg('W',"Signal: $sig ($fn/$line)")
if $sig;

&logmsg('Z','End');
exit;
}
---------------------------------------------------------
badrqst.pl looks like this:
---------------------------------------------------------
#
# Copyright 2009 Software Toolz, Inc. - Atlanta, Georgia
#
# All rights reserved worldwide. This program may not be reproduced,
# transmitted, transcribed, stored in a retrieval system or translated in
# any human or computer language, in any form without the express written
# permission of Software Toolz, Inc.
#
use DBI;
use Sys::Hostname;
use lib '/home/common/shared/perl';
use liborder;

sub badrqst
{
my ($timestr) = &currentimestr;
my ($spoolfile) = "/usr/local/spool/badrqst.DAT";
my (@node) = split /\./,hostname();
my ($probe);

$probe = &chk_probe;

# spool the row for the database for the 404 daily report
open DATA,">>$spoolfile";
print DATA "$ENV{SERVER_NAME}\t$ENV{REQUEST_URI}\t$ENV{HTTP_REFERER}\t$ENV{REMOTE_ADDR}\t$node[0]\t$timestr\t$probe\n";
close DATA;
chmod 0666,"$spoolfile";
&logmsg('W',"Missing page referer=$ENV{HTTP_REFERER}, request=$ENV{REQUEST_URI}, cookies=$ENV{HTTP_COOKIE}, agent=$ENV{HTTP_USER_AGENT}, probe=$probe");

return $probe;
}

sub hack
{
my ($timestr) = &currentimestr;
my ($spoolfile) = '/usr/local/spool/hack.DAT';
my ($rows,$rc);
my ($host) = hostname;
my ($errlevel) = 'I';

&trick_hacker;

$rc = system("suexec ipblock.sh $ENV{REMOTE_ADDR}");
if ($rc != 0) { $errlevel = 'E'; }
&logmsg("$errlevel","Add block: $ENV{REMOTE_ADDR}, $rc");

# this queues the row for the database for the blocked IPs
open DATA,">>$spoolfile";
print DATA "$ENV{REMOTE_ADDR}\t$ENV{SERVER_NAME}\t$timestr\t$ENV{REQUEST_URI}\n";
close DATA;
chmod 0666,"$spoolfile";
&logmsg('W',"Hack attempt referer=$ENV{HTTP_REFERER}, remote=$ENV{REMOTE_ADDR}, request=$ENV{REQUEST_URI}, server=$ENV{SERVER_NAME}, cookies=$ENV{HTTP_COOKIE}, agent=$ENV{HTTP_USER_AGENT}");
return 'Y';
}

# these are probes for vulnerabilities
sub chk_probe
{
# hackers have not been sending a referring URL
if ("$ENV{HTTP_REFERER}") { return 'N'; }

length("$ENV{REQUEST_URI}") > 128
and return &hack;
$ENV{REQUEST_URI} =~ /phpmyadmin/i
and return &hack;
$ENV{REQUEST_URI} =~ /\.\.\/|\|/
and return &hack;
$ENV{REQUEST_URI} =~ /README/
and return &hack;
$ENV{REQUEST_URI} =~ /administrator\/index.php/
and return &hack;
$ENV{REQUEST_URI} =~ /^\/admin/
and return &hack;
$ENV{REQUEST_URI} =~ /^\/w00tw00t\.at\.blackhats\.romanian\.anti-sec/
and return &hack;
$ENV{REQUEST_URI} =~ /^\/_vti_bin/
and return &hack;
$ENV{REQUEST_URI} =~ /^\/MSOffice/
and return &hack;
$ENV{REQUEST_URI} =~ /scripts\/setup.php/
and return &hack;
$ENV{REQUEST_URI} =~ /pshwork\.net/
and return &hack;
$ENV{REQUEST_URI} =~ /\/includes\/session.php/
and return &hack;
$ENV{REQUEST_URI} =~ /\/awstat/
and return &hack;
$ENV{REQUEST_URI} =~ /\/phpalbum/i
and return &hack;
$ENV{REQUEST_URI} =~ /\/muieblackcat/
and return &hack;
$ENV{REQUEST_URI} =~ /\+iframesrc\+/
and return &hack;
$ENV{REQUEST_URI} =~ /\/\[object\]/
and return &hack;
$ENV{REQUEST_URI} =~ /\/fckeditor\//i
and return &hack;
$ENV{REQUEST_URI} =~ /^\/mysql/i
and return &hack;
$ENV{REQUEST_URI} =~ /\/bitfield_vbseo.xml/
and return &hack;
$ENV{REQUEST_URI} =~ /\/wp-login\.php\//
and return &hack;
$ENV{REQUEST_URI} =~ /ajaxfilemanager\//i
and return &hack;
$ENV{REQUEST_URI} =~ /\/vbseocp.php/i
and return &hack;
$ENV{REQUEST_URI} =~ /\/mobiquo\/tapatalkdetect\.js/
and return &hack;

return 'N';
}

# response to a known hacker probe
sub trick_hacker
{
my ($buf);

print "Content-type: text/html\n\n";
open HTML,")
{
$buf =~ s/#REMOTE#/$ENV{'REMOTE_ADDR'}/g;
$buf =~ s/#REASON#/Unauthorized Access/g;
print "$buf";
}
close HTML;
return;
}

1;

---------------------------------------------------------
The IP is inserted into a MySQL table that looks like this:
---------------------------------------------------------
-----------------------------------------------------------------------------
Count Field Type Null Key Default Extra
----- ------- ------------- ---- --- ------- -----
0 server varchar(40) NO NULL
1 url varchar(255) NO NULL
2 referer varchar(255) YES NULL
3 remote varchar(32) NO NULL
4 node varchar(16) YES NULL
5 datim datetime YES NULL
6 probe enum('Y','N') YES N
----- ------- ------------- ---- --- ------- -----
-----------------------------------------------------------------------------
This table is used to block the IP only once and also to remove the block
5 days later.
---------------------------------------------------------
The ipblock.sh script called from the Perl script above looks like this:
#
# Copyright 2011 Software Toolz, Inc. - Atlanta, Georgia
#
# All rights reserved worldwide. This program may not be reproduced,
# transmitted, transcribed, stored in a retrieval system or translated in
# any human or computer language, in any form without the express written
# permission of Software Toolz, Inc.
#
ME=`basename $0`
LOGFILE=/var/tmp/$ME.$$.log.tmp
logmsg $0 B -p=$$ "$0 $*"
. mustbe root
IP=$1
DEL=$2
MASK='XX\.XX\.XXX\.'

if [ -z "$IP" ]
then
logmsg $0 E -p=$$ "$0 [del]"
logmsg $0 Z -p=$$
exit 1
fi

. dbhost.sh
HOST=`hostname`
if [ "$DEL" ]
then
FLAG='-D'
else
FLAG='-I'
if [ `echo "$IP" | egrep "^$MASK"` ]
then
logmsg $0 E -p=$$ "($ME/$LINENO) Our own address: $IP"
logmsg $0 Z -p=$$
exit 1
fi
mysql orders\
$DBHOST $DBUSER $DBPASS\
--exec="insert into ipblock\
values\
(\"$IP\",now(),\"$HOST\")" 2>&1 |
logmsg $0 W -p=$$ -i -e "($ME/$LINENO)"
if [ $? -ne 0 ]
then
exit
fi
logmsg $0 I -p=$$ "Blocked: $IP"
fi

STAT=0

/sbin/iptables ${FLAG} INPUT -s $IP -j DROP 2>>$LOGFILE
STAT=$(($STAT + $?))
/sbin/iptables ${FLAG} OUTPUT -d $IP -j DROP 2>>$LOGFILE
STAT=$(($STAT + $?))
/sbin/iptables ${FLAG} FORWARD -d $IP -j DROP 2>>$LOGFILE
STAT=$(($STAT + $?))
/sbin/iptables ${FLAG} FORWARD -s $IP -j DROP 2>>$LOGFILE
STAT=$(($STAT + $?))
logmsg $0 E -p=$$ -f=$LOGFILE "($ME/$LINENO) $IP"

/sbin/service iptables save 2>&1 | logmsg $0 D -p=$$ -i "($ME/$LINENO)"

if [ "$DEL" -a $STAT -eq 0 ]
then
mysql orders\
$DBHOST $DBUSER $DBPASS\
--exec="delete from ipblock\
where ip = \"$IP\"\
and hostname = \"$HOST\"" 2>&1 |
logmsg $0 E -p=$$ -i "($ME/$LINENO)" Unblock:
logmsg $0 I -p=$$ "Unblocked: $IP"
fi

logmsg $0 Z -p=$$ $STAT
exit $STAT

Re: Attack by ZmEu

Yeah... I'm running 11.04 at this time and it looks okay, for most everything, except for gVim which output is often garbage (it looks like there are many problems with compiz/3D/OpenGL). I could try without compiz though...

I tried 11.10 and it was much worse. They completely changed the UI for the worse and makes it close to unusable. Maybe with a little practice I'd come to like it somewhat, but I'm pretty sure that if they don't offer a proper UI bar as before, it won't be pleasing. So I'm waiting for 12.04 and hoping some people will have added a nice fully compatible small bar as before to that new UI environment. (we can always dream! the force be with me! 8-) )

I do agree that the string in the firewall is a better bet, although a ZmEu user could as easily change the name of his bot... if he were smart, he would use a name that you "cannot" block using a string (i.e. googlebot.)

Re: Attack by ZmEu

Also - Starting in 10.10, and in 11.04 there is a race condition that can cause errors on boot - which is a pain.

11.10 Took away the option to switch to Gnome, and is using a 1/2 Gnome3 backend.

In 10.10 onward, other applications are broken (especially totem w/ color and ff rw.).

There's resolutions online for all that - but in 10.04 nothing is broken and there's no 'forced unity'.

I wanted to note again on the article topic, blocking the ZmEu via IP is the longest way around spoofed IPs.

Stop them at the firewall with one line..

http://fearelise.com/tech/server/using-iptables-to-block-bot-scan...

It works for other bots too... :)

Re: Attack by ZmEu

Hey Alexis!

10.04 is pre-unity w/ Gnome 2 and is way easier to use, IMO.

Re: Attack by ZmEu

Hi Deo,

Thank you for the nice words. My website is full of tricks for Linux. I hope you can find other useful things in connection with your Linux endeavor. Yes. Linux is much better than Windows.

Why did you choose 10.04 instead of 11.04 or 11.10?

Best,
Alexis

Re: Attack by ZmEu

Thank you for this well-commented experience. Last night, when investigating the logs of my ReadyNAS NV+, which I own since march 2011, I found quite some log-items of "visits" by ZmEu (among others! but that's another story). I googled the web and found this webpage. The content on this webpage helped me a lot! I am fairly new in Linux and learn every day. Not bad whith age of 65 :-). I saw that a lot of log-items listed on your webpage are identical to the ones I found in my logfiles. Thanks for the advises and also all the comments of other visitors. In this way I am able to understand how these infringements are done and also how I can tighten the security more. Two years ago I started to study and experiment with Linux when it was clear that Micro$oft wanted me to dump my nice HP desktop PC from 2006 because it was running XP. Now I run Ubuntu 10.04.3 LTS in dualboot and maybe I dump XP fully in the near future. Thanks guys! I come back to learn more and maybe I will be able to contribute something in the future. Deo Volente! Paul.

Re: Attack by ZmEu

Ah! I ran into similar problems with modsecurity... it would block me from writing a script sample using shell or SQL commands!? I removed most of those rules because the CMS takes care of those problems automatically.

Now, it's certainly rare to post about ZmEu... 8-) So that's not too bad on that one. But I could imagine that such a protection directly in your firewall could get you in trouble once in a while. And at the raw level I'd bet they have no clue of what the User-Agent is.

On the other hand, if you capture the IP address of the offensive robot on the first hit and add that to your firewall, automatically, then in effect you're doing the same thing as blocking in the firewall, it's just a bit more dynamic... and the blockage can be much smarter (i.e. know about the protocol.)

Re: Attack by ZmEu

Well - no, there's no slow down. Packets have to go through the "Raw" table anyway (it's their first stop). If you visit my site with a clear cache, notice the speed.

Another method is to redirect the ZmEu hit, but that still makes your web server work. My whole goal was to stop the hit before it even reached the web server.

There is a draw-back - it blocks ALL traffic containing the string - including outgoing...

So, I couldn't type ZmEu in or on my own page. To be able to put the string on the page, you have to put an empty tag (like italics or bold) between two letters (break the string). Like Zm<i></i>Eu - which shows up on the page normally.

That's the only drawback I've seen though.

If you use iptables, I can send you a great set of rules that's fast, efficient and auto-bans scans (ssh, http, https)... Send an email to the address I put in there, and I'll send it to ya and explain what the rules are - then you can post it, as an all around good security measure if you want!

I actually found your site listed in a post on the Jeep Forum. I figure it can't hurt to help a fellow Linux fan!!

Re: Attack by ZmEu

There is always something new to learn! That --algo bm --string "ZmEu" is a good one and would indeed be the best way to block all the ZmEu attacks.

Did you notice any slow down using the string algo?

Re: Attack by ZmEu

This might be easier - stop them at the firewall, dead. On any machine, load balanced or not.

The IP addresses are spoofed, there is no 'they' - 'they' are just a bot, scanning for PMA openings. All of their hits have one thing in common - they all have "ZmEu" in them - so they're easy to stop.

This would be for machines running iptables.

http://fearelise.com/tech/server/using-iptables-to-block-bot-scan...

Pingback

[...] [...]

Re: Attack by ZmEu

What I noticed on our EC2 servers is that it's spoofing the "healthcheck" load balancer machine, so not so easy to deny.

Re: Attack by ZmEu

Hi eggmatters,

First of all, thank you for posting about your idea.

The cloud is not specifically what is necessary to attack back, also attacking back means war which is not automatically what you want and finally, most of us do not have the time... 8-)

This being said, the computers used for such attacks are often themselves servers that were attacked and of which the protections were penetrated. Thus attacking those is not wise (they are generally friendly, only the software added on their server is bad.)

Finally, it is not because ZmEu knows of a hack on your server that it has itself a flaw that you can easily make use of to break it...

Re: Attack by ZmEu

In this day of the "cloud" doesn't anybody have the time to create a dummy server that when the woot.blackhacks or whatever request a phpmyadmin conf file they get some of their own business back? Why not post a dummy site, with dummy configs with some scripts that just wreak havoc on their end? ISE.

Pingback

postfix down

A year ago this bitch put on of my server down with postfix trying to send my user:password repeat xxx times on the mail in the queue...

Still this year i stop using Ubuntu and tweaking server too much (Server X...)and prefer a Debian stable. A must have for serious production purpose.

Pingback

[...] enchurrada de Web scanners disponíveis na internet e o infeliz do ZmEu bot acabam tornando a vida dos nossos servidores Web um [...]

Re: Attack by ZmEu

(1) It's a waste of your time and bandwidth;

(2) They're not all from China;

(3) It is not going to do anything to their server unless you launch a real attack.

Re: Attack by ZmEu

Yes. Like Yahoo! bot. Now I'm okay, but for some time I had to block it because when one connection was too slow to respond, they would not wait. Instead, they would try again, and again, and again... killing the Apache server in the process!

Re: Attack by ZmEu

Think about it. They were kind enough to provide a useragent. Just block the useragent. Get a big list of bad useragents, and block them all. :)

Re: Attack by ZmEu

Why not just redirect it back to their IP? That'd be funny for them. :D

Re: Attack by ZmEu

i'm currently getting bombarded with "w00tw00t.at.blackhats.romanian.anti-sec" followed by tons of requests for /setup.php's just like above..

IP where this is coming from (174.133.159.74) is located in houston, texas and has 8 questionable sounding hosts on that ip.. hijacked server?!

http://www.ip-adress.com/reverse_ip/174.133.159.74

the interesting thing is.. this was logged on my homeserver, which i just set up and got online yesterday O_o

Re: Attack by ZmEu

ripe.net? Why? Send them back to China, then they will find out the meaning of pain.

Re: Attack by ZmEu

I don't watch for ZmEu. I do watch for - /admin/myphpadmin, .../forgotten_password.php... I've made a list of about 20+ which all exist on my server: ln -s [xx] 403.php

..what ripe.net does... My hope is they check their logs like we do - except they may take the tack "Nobody would dare ... therefore we don't need to." My hope is the Ripe Admin says "WTF? ....".

grep deny .htaccess | wc = 61 and most are x.0.0.0/8 because I'm 1 of nnn on the shared server - so iptables in not in the cards. One other little script I run on selected IP's: forever { echo 'rand(alphanum)[1000x]'; usleep 10000; } Won't stop them but should slow them down - LaBrea....

Re: Attack by ZmEu

Interesting method... I wonder what ripe.net does about such requests. 8-)

Note that I think these go in wave. So the hackers find a set of working URLs, and they run ZmEu or some other hack on them. Once the set was exhausted, they gather another load of URLs...

This being said ZmEu is just one of the many hacks that can attack your server. When you are PCI Compliant, you know of a really large number of requests that can be stopped first hand by Apache settings (such as denying an IP address, a folder, a file, etc.) or extensions such as modsecurity. In my case, I also block many IPs at the level of the firewall. This is good because it uses nearly no resources. (When you can avoid running Apache, modsecurity, or whatever CMS you're running... you save a lot of CPU, Disk I/O, etc.)

Thank you for the info.
Alexis

Re: Attack by ZmEu

Over time the attacks on our servers have been dropping off. I'd like to think I have something to do with that. First: the word "admin" does not exist on our servers - mv admin Hf826csla997% (hack that subdir AH)

Second:
Htaccess contains:
ErrorDocument 403 /403.php

order allow,deny
deny from nn.0.0.0/8

And my 403.php checks the first octet of the IP and redirects the hack to the correct place they should try to hack: IE .. refresh' content='0;url=http://www.ripe.net/$u[2]/$u[3]/$u[4]/$u[5]' or apnic.net

"I" can't do anything to the hackers - the Admin's at Ripe can :-)

Re: Another one

46.137.113.245 resolves to ec2-46-137-113-245.eu-west-1.compute.amazonaws.com

Re: Attack by ZmEu

Note that modsecurity is useful for many other things, and it is possible to block the IP address of users attacking you in this or any other way so the CPU load goes way down (and the transfer bandwidth that comes with it.)

Re: Attack by ZmEu

Using modsecurity is a CPU loading unnecessary.
Best way is to create a jail in fail2ban that block packets before reaching Apache.
Ex:
[apache-bad]
enabled = false
port = http,https
filter = apache-bad
logpath = /var/log/apache*/*access.log
maxretry = 3
findtime = 5
bantime = 14400

and apache-bad in filter.d :
failregex = .*(admin|phpmyadmin|phpMyAdmin|pma|PMA|forum|board|guestbook|scripts|db|web|sql|php|mysql|)
-.*"POST .*(admin|phpmyadmin|phpMyAdmin|pma|PMA|forum|board|guestbook|scripts|db|web|sql|php|mysql|)

Re: Another one

## my mask numbers

the source ip was : 72.167.161.46
owners have been notified

date nov 21 2010 around 10am pacific time zone x

get this and string of other requests followed
GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ZmEu
Host: ##.##.##.##
Connection: Close

?

Another one

Got hit by this on 26/09/10 - 27/09/10 by:
184.72.140.28

resolves to:
ec2-184-72-140-28.compute-1.amazonaws.com

have logged with Amazon cloud abuse team (do an IP whois to get url)

I found some from your list

I found some from your list and some more:

62.112.194.132
85.158.253.153
91.192.194.216
121.242.207.140
201.116.227.194
208.109.154.147
211.181.102.144
109.104.76.142
173.236.13.58
202.201.14.232
209.217.106.3
216.14.84.212
62.149.202.70
64.29.139.254
67.19.202.114
70.84.219.250
71.6.165.142
72.1.100.236
78.110.161.11
78.46.40.163
81.0.199.65
81.28.196.116
87.230.54.108
88.191.39.161
93.182.137.2

I deleted double entries.
I hope it's helpful.

greetinx from Germany