A site for solving at least some of your technical problems...
Zmeu (no capital E) is the name of a fantastic creature from Romanian folklore. There are so many stories that there is no clear understanding of what it is... but it is human-like, can spit fire and wants to marry young women.
If you're wondering, it is generally a bad guy.
Today, I noticed a lot of traffic on one of my servers. Looking into what was happening, I immediately found out that an attacker was looking for a loophole in that system. That attack was being performed from China.
I checked another server, and sure enough, that other server was being attacked as well.
I quickly added some code to our modsecurity configuration to block further testing of our systems. Not that there are any holes, but generating thousands of totally useless pages uses a lot of CPU time when we could instead turn them back right at the gate.
The system returned one of the following errors:
302 (redirect)
400 Bad Request
404 Page Not Found
The problem is the 404. Obviously, they won't be able to hack the system because they get a 404, but it takes quite a bit of work to generate the 404 page... And if we know that it is not necessary because it is an attack, then we should just return 400 and be done with it.
The 302 was not followed. Interesting, since they are trying to break in and a 302 could sound like it might work! Ah! Except that the 302 happens because the server sends them to HTTPS, which apparently they were not able to handle.
I added a rule to modsecurity that looks like this:
SecRule REQUEST_URI "@rx (?i)\/(php-?My-?Admin[^\/]*|mysqlmanager|myadmin|pma2005|pma\/scripts|w00tw00t[^\/]+)\/" "severity:alert,id:'0000013',deny,log,status:400, msg:'Unacceptable folder.',severity:'2'"
WARNING: You cannot really cut the line that way in the actual configuration file... Use a \ for continuation and never cut a string. Any line breaks shown here are only for a better, easier to read HTML display.
If you are using phpMyAdmin, then you'll want to add another rule before this one to skip it. That other rule should check your IP address and, on an exact match, use "skipAfter:0000013".
The message is what gets logged in your mod_debug file. It can be anything you want.
Run /etc/init.d/apache2 reload to load the new rule.
The rule I present here is "limited"; yours may include more of the folders seen in the attack logs. You could also check the User-Agent and refuse any ZmEu or similar agent from connecting to your server.
I pasted the attack logs below, cleaning up a few things so the listing is not as large as it would otherwise be.
In the last 3 days I have gotten many hits from various IP addresses, all happening very fast and all hitting 3 pages, two of which had a wrong 'index.php' at the end (which is ignored by Drupal, but should never be there since Drupal uses index.php?q=/path/ and not /path/index.php).
Here is an example:
GET /aggregator/categories/2%20%20/index.php HTTP/1.1" 200 55765 "linux.m2osw.com" "-" "Mozilla/5.0"
GET /aggregator/categories/index.php HTTP/1.1" 404 73041 "linux.m2osw.com" "-" "Mozilla/5.0"
GET /index.php HTTP/1.1" 200 62789 "linux.m2osw.com" "-" "Mozilla/5.0"
GET /aggregator/index.php HTTP/1.1" 200 72023 "linux.m2osw.com" "-" "Mozilla/5.0"
Notice the double space after the /2 on the first line!
As you can see, it pretends to be Mozilla and it sends a clean referrer. Yet, from index.php you cannot get to any of those other 3 entries.
I blocked this one in a similar way using modsecurity2 with the following rule:
SecRule REQUEST_URI "@rx \/aggregator\/(?:[^/]+\/)*index\.php$" "severity:alert,id:'0000008',exec:/usr/local/bin/start-lockout"
The rule captures any path that starts with /aggregator/ and ends with index.php. If that happens, it is a robot, so it gets blocked (the start-lockout process automatically adds the client's IP address to the firewall). The following is the list that got caught within 1h.
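As an added example (not code from the post), the following Python applies the same two regexes as the ModSecurity rules above (ids 0000013 and 0000008) to log lines in the post's layout, adds the User-Agent check suggested earlier, and reports which scanner requests the folder rule alone would miss. The log lines are constructed from the excerpts; the function names and decision labels are my own.

```python
import re
from collections import Counter

# Constructed sample log lines in the same layout as the post's excerpts:
# method, path, protocol, then the client IP and User-Agent in quotes.
SAMPLE_LOG = """\
GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /php-my-admin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /mysqladmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /aggregator/categories/2%20%20/index.php HTTP/1.1" "174.143.33.218" "Mozilla/5.0"
GET /aggregator/index.php HTTP/1.1" "174.143.33.218" "Mozilla/5.0"
GET /index.php HTTP/1.1" "174.143.33.218" "Mozilla/5.0"
GET /aggregator/categories/2 HTTP/1.1" "192.0.2.10" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<method>\S+) (?P<uri>\S+) HTTP/[\d.]+" "(?P<ip>[^"]+)" "(?P<agent>[^"]*)"')

# Same pattern as the post's rule id 0000013 (Python needs no escaped slashes).
FOLDER_RE = re.compile(
    r'(?i)/(php-?My-?Admin[^/]*|mysqlmanager|myadmin|pma2005|pma/scripts|w00tw00t[^/]+)/')
# Same pattern as the post's rule id 0000008: /aggregator/.../index.php never occurs on Drupal.
AGGREGATOR_RE = re.compile(r'/aggregator/(?:[^/]+/)*index\.php$')
# The User-Agent check the post suggests as an extra (assumption: exact token match).
SCANNER_AGENTS = {"ZmEu"}

def classify(line):
    """Return (decision, reason) for one log line, mirroring what the rules would do."""
    m = LINE_RE.match(line)
    if not m:
        return ("skip", "unparsed")
    if FOLDER_RE.search(m["uri"]):
        return ("deny-400", "id:0000013 folder rule")
    if AGGREGATOR_RE.search(m["uri"]):
        return ("lockout", "id:0000008 aggregator rule")
    if m["agent"] in SCANNER_AGENTS:
        return ("deny-400", "user-agent")
    return ("allow", "no rule matched")

def scan(log_text):
    """Count decisions over a log and collect the IPs that would be handed to start-lockout."""
    decisions = Counter()
    lockout_ips = set()
    for line in log_text.splitlines():
        decision, _ = classify(line)
        decisions[decision] += 1
        if decision == "lockout":
            lockout_ips.add(LINE_RE.match(line)["ip"])
    return decisions, lockout_ips

def folder_rule_gaps(log_text):
    """URIs sent by a known scanner agent that the folder rule alone would not have stopped."""
    gaps = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["agent"] in SCANNER_AGENTS and not FOLDER_RE.search(m["uri"]):
            gaps.append(m["uri"])
    return gaps

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
    print("missed by folder rule:", folder_rule_gaps(SAMPLE_LOG))
```

Note that the folder rule requires a trailing slash after the w00tw00t segment and has no entry for mysqladmin, so those two requests are only stopped by the User-Agent check.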
Note that the firewall blocked 423 packets plus 14 addresses, which is 437 packets that did not make a return trip. Yes, these addresses include some that seem legitimate... I'm not too sure why this happens, but I suspect that someone's server was compromised and its IP address is being used by the hacker...
more IPs
My web server was exploited this morning.
I checked the logs for the string w00tw00t;
this is what I found:
Try MaxMind GeoIP search
http://www.maxmind.com/app/locate_demo_ip
According to MaxMind, 218.78.209.241 belongs to an ISP in Shanghai, China.
Bogus net
Addresses that start with 10.x.x.x are reserved for local networks. If you are not using them, you can block them on your firewall.
When you look in your BIND configuration folder, generally in named.conf.options, you find the following list:
acl bogusnets {
0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8;
192.0.2.0/24;
224.0.0.0/3;
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
};
All of those can be blocked 100%, except for the few that you use for your own network (intranet). Most people use the 192.168.x.x network. All the others can be shut down.
If you use iptables, then the following will do (adjust the chain name and interface to your setup):
iptables -A bad_tcp_packets -i eth2 -s 10.0.0.0/8 -j DROP
iptables -A bad_tcp_packets -i eth2 -s 172.16.0.0/12 -j DROP
You can add all the bogus networks you want in a similar way.
Thank you for the info!
Alexis Wilke
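Added example, not part of the comment: a small Python helper that parses the bogusnets acl above, drops the range you actually use on your intranet, checks a source address against what remains (the 10.104.63.192 mentioned in the comments falls in 10.0.0.0/8), and renders the same kind of iptables lines as the two above. Function names and the chain/interface defaults are assumptions taken from the two example rules.

```python
import ipaddress

# Constructed copy of the acl block from the comment above, used as parser input.
BOGUSNETS_ACL = """\
acl bogusnets {
0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8;
192.0.2.0/24;
224.0.0.0/3;
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
};
"""

def parse_acl(text):
    """Pull the CIDR entries out of a BIND acl block, ignoring the name, braces and semicolons."""
    nets = []
    for token in text.replace("{", " ").replace("}", " ").replace(";", " ").split():
        if "/" in token:
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets

def blocklist(acl_text, keep):
    """The acl minus the network(s) you really use on your intranet (e.g. 192.168.0.0/16)."""
    keep_nets = [ipaddress.ip_network(k) for k in keep]
    return [n for n in parse_acl(acl_text) if n not in keep_nets]

def is_bogus(ip, nets):
    """True when a source address falls inside one of the networks to drop."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def iptables_rules(nets, chain="bad_tcp_packets", iface="eth2"):
    """Render one DROP rule per network in the same form as the comment's examples."""
    return [f"iptables -A {chain} -i {iface} -s {n} -j DROP" for n in nets]

if __name__ == "__main__":
    nets = blocklist(BOGUSNETS_ACL, keep=["192.168.0.0/16"])
    print("10.104.63.192 bogus:", is_bogus("10.104.63.192", nets))
    print("\n".join(iptables_rules(nets)))
```

Note that 1.0.0.0/8 and 2.0.0.0/8 have since been allocated to regional registries and carry real traffic today, so they should be removed from the list before dropping anything.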
We're getting hit with this right now, but from yet another IP:
10.104.63.192
...again unregistered.
Interesting, it's not listed...
I checked with dig and the IP you mentioned is not recognized as anyone's IP. Some hackers use those IPs that should be blacklisted by ISPs but somehow aren't... That way, it's much harder to track them down since no one claims to own those IPs.
# dig -x 218.78.209.241
; <<>> DiG 9.4.2-P2 <<>> -x 218.78.209.241
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44082
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;241.209.78.218.in-addr.arpa. IN PTR
;; Query time: 362 msec
;; SERVER: 206.13.31.12#53(206.13.31.12)
;; WHEN: Sat Sep 4 22:42:55 2010
;; MSG SIZE rcvd: 45
My logs list this IP - 218.78.209.241