- by kelotz
- posted on January 4, 2012
- received No Comments
- in Encounter
- Permalink
Share this article:
ZmEu attacks
One day you may find a bunch of requests in a short period of time with unusual and suspicious user agent in your Apache web server’s logs. Something like Made by ZmEu @ WhiteHat Team – www.whitehat.ro or ZmEu and the requests may be made from Russia or China. Search and you’ll find that ZmEu is a bot that tries to find vulnerabilities in phpMyAdmin (usually looks for phpmyadmin/scripts/setup.php file) and other web applications.
If your server has suffer this attack, you’ll see a lot of similar rows coming from the same IP address in a very short period of time. If none of the GET requests returned a 200 code, probably you are safe. Else, your system may have been compromised, so you’d better look for suspicious things in any of the files/folders they found.
Even if you don’t have phpMyAdmin installed or if all the requests returned a 404 error you should block this kind of attacks not only for security reasons, but for system stability and good performance. You can start by doing this 3 things:
Block all the suspicious IPs. This will not block the attacks, as attackers use different IPs each time. But I think it’s a good practice to block requests coming from zombies in case more malicious attacks, and maybe more dangerous than ZmEu, are coming from there in the future. You can use iptables to block these addresses:
[box type="info"] iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP[/box]Install ModSecurity. It is an open source web application firewall that will help you securing your Apache web server. With this Apache module you’ll be able to block almost any attack, although you will have to learn how to configure new rules if the default ones are not enough for you.
Every attack of this kind creates a performance leak, as a 404 error page must be generated and served. You can create an antibot.php file with these lines:
<?
header(“HTTP/1.1 403 Forbidden”);
?>
Then add these lines to your .htaccess file in the web root directory. If you don’t have one, just create it. Remember you must have mod_rewrite installed and loaded.
RewriteEngine on
RewriteCond %{REQUEST_URI} !^antibot.php
RewriteCond %{HTTP_USER_AGENT} (.*)ZmEu(.*)
RewriteRule .* http://www.yourdomain.com/antibot.php [R=301,L]
This will reply with a 403 error to all the requests that contain the string ZmEu in the user agent. So if you only use this method, your server will be blocking only ZmEu attacks. If you also want to block other user agents just add another RewriteCond %{HTTP_USER_AGENT} botname_regexp line.