Archive for February, 2011

ZmEu attacks: Some basic forensics

2011/02/25

One day you may find a burst of requests in your Apache web server's logs, all within a short period of time and all carrying an unusual, suspicious user agent: something like Made by ZmEu @ WhiteHat Team - http://www.whitehat.ro or just ZmEu, often coming from addresses in Russia or China. A quick search shows that ZmEu is a bot that scans for vulnerabilities in phpMyAdmin (it usually looks for the phpmyadmin/scripts/setup.php file) and other web applications. This is what the logs looked like.

This one failed to find phpMyAdmin, as it got a 404 HTTP error code:

75.127.68.106 [...] "GET //phpMyAdmin/ HTTP/1.1" 404 285 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

This one succeeded, 200 HTTP code was returned when accessing http://domain.com/myadmin:

75.127.68.106 [...] "GET //myadmin/ HTTP/1.1" 200 8644 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

The last one is a bit strange: it asks for /w00tw00t.at.blackhats.romanian.anti-sec:), a path that does not exist on any server, so it is a signature probe rather than an attempt to reach a real file:

89.108.119.29 [...] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 315 "-" "ZmEu"

These are just three examples. If your server has been scanned like this, you'll see many similar rows coming from the same IP address in a very short period of time. If none of the GET requests returned a 200 code, the scanner found nothing to attack and you are probably safe. If one did, as in the /myadmin/ request above, the scanner has located an application it knows how to abuse: treat that installation as possibly compromised, check the log for follow-up requests from the same address to that path, and look for unexpected files in the directories it found.
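
The triage described above, as an added example that is not part of the original post: it parses Apache combined-format log lines, flags scanner requests by the ZmEu user agent and by the probed paths mentioned above (so a scan with a changed user agent is still caught), groups them per source address, lists the probed paths that were answered with a 2xx status, and prints the iptables DROP rule the post uses for each scanning address. The sample log mixes the three lines quoted above with two constructed lines from the documentation address 192.0.2.10; the function names are mine and the regex assumes numeric client addresses (HostnameLookups Off).

```python
import ipaddress
import re
from collections import defaultdict

# Apache "combined" log line. The post's excerpts replace the identd/user/timestamp
# fields with "[...]", so the second group accepts either the real fields or that marker.
LOG_RE = re.compile(
    r'^(?P<ip>\S+)\s+(?:\S+\s+\S+\s+\[[^\]]*\]|\[\.\.\.\])\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)(?:\s+\S+)?"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\S+)\s+"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"'
)

# Two independent signals: the user agent the bot announces, and the paths it probes
# (phpmyadmin/scripts/setup.php and the w00tw00t marker seen in the logs above).
UA_SIGNATURE = re.compile(r'zmeu', re.IGNORECASE)
PROBE_PATHS = re.compile(r'/scripts/setup\.php$|w00tw00t\.at\.', re.IGNORECASE)

# Constructed sample: the three lines quoted in the post plus two made-up lines from
# the documentation address 192.0.2.10 with an ordinary browser user agent.
SAMPLE_LOG = """\
75.127.68.106 [...] "GET //phpMyAdmin/ HTTP/1.1" 404 285 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
75.127.68.106 [...] "GET //myadmin/ HTTP/1.1" 200 8644 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
89.108.119.29 [...] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 315 "-" "ZmEu"
192.0.2.10 - - [25/Feb/2011:21:58:01 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Feb/2011:21:58:02 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 290 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not a combined-format line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def analyse(log_text):
    """Group scanner requests by source address.

    For every address that sent at least one suspicious request the result holds the
    number of such requests, which signals fired ('ua' and/or 'path'), and the probed
    paths that were answered with a 2xx status, i.e. the findings to investigate.
    """
    report = defaultdict(lambda: {'requests': 0, 'reasons': set(), 'hits': []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = set()
        if UA_SIGNATURE.search(rec['ua']):
            reasons.add('ua')
        if PROBE_PATHS.search(rec['path']):
            reasons.add('path')
        if not reasons:
            continue
        entry = report[rec['ip']]
        entry['requests'] += 1
        entry['reasons'] |= reasons
        if 200 <= rec['status'] < 300:
            entry['hits'].append(rec['path'])
    return dict(report)


def iptables_rules(report):
    """The DROP rule from the post, one per scanning address, in address order
    (assumes numeric client addresses, i.e. HostnameLookups Off)."""
    return ['iptables -I INPUT -s %s -j DROP' % ip
            for ip in sorted(report, key=ipaddress.ip_address)]


if __name__ == '__main__':
    result = analyse(SAMPLE_LOG)
    for ip, entry in result.items():
        print(ip, entry['requests'], 'requests', sorted(entry['reasons']),
              'FOUND: ' + ', '.join(entry['hits']) if entry['hits'] else 'nothing found')
    print('\n'.join(iptables_rules(result)))
```

Run it against a real access log with `analyse(open('/var/log/apache2/access.log').read())`; any address whose hits list is not empty is the one to investigate first, and the printed rules can be reviewed before being applied.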

Even if you don't have phpMyAdmin installed, or if all the requests returned a 404 error, you should block this kind of scan, not only for security reasons but also for system stability and performance. You can start by doing these three things:

  1. Block all the suspicious IPs. This will not stop future scans, as attackers use different IPs each time, but I think it's good practice to block requests coming from zombies in case more malicious attacks, maybe more dangerous than ZmEu, come from the same hosts in the future. You can use iptables to block these addresses:
    iptables -I INPUT -s 89.108.119.29 -j DROP
  2. Install ModSecurity. It is an open source web application firewall that will help you secure your Apache web server. With this Apache module you'll be able to block almost any attack, although you will have to learn how to write new rules if the default ones are not enough for you.
  3. Every request of this kind has a small performance cost, as a 404 error page must be generated and served. You can create an antibot.php file with these lines:
    <?php
    header("HTTP/1.1 403 Forbidden");
    ?>

    Then add these lines to the .htaccess file in your web root directory (create it if you don't have one). Remember that mod_rewrite must be installed and loaded. The first condition excludes antibot.php itself; REQUEST_URI always starts with a slash, so the pattern must too, otherwise a client that follows the redirect would be redirected again in a loop.

    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/antibot\.php
    RewriteCond %{HTTP_USER_AGENT} ZmEu [NC]
    RewriteRule .* http://www.yourdomain.com/antibot.php [R=301,L]

    This redirects every request whose user agent contains the string ZmEu to antibot.php, which answers with a 403 (a client that does not follow redirects only ever sees the 301). So if you only use this method, your server will be blocking only ZmEu scans. If you also want to block other user agents, add another RewriteCond %{HTTP_USER_AGENT} botname_regexp line, and don't forget to add [OR] at the end of the previous RewriteCond.

    Update: nyhm proposed these other rewrite rules in the comments. They're more straightforward and they probably work better than the ones above, since Apache returns the 403 directly instead of going through a redirect.

    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} ZmEu [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} AnotherAgent [NC]
    RewriteRule .* - [F]

    Replace AnotherAgent with the user agent you want to block, or remove that line together with the [OR] on the previous one. The ZmEu pattern is deliberately not anchored with ^, so that both user agents seen in the logs above, the bare ZmEu and Made by ZmEu @ WhiteHat Team - www.whitehat.ro, are caught.

You may also want to block these IPs on your server, as they are known to perform this kind of scan:

75.127.68.106
78.111.81.180
112.95.145.153
89.108.119.29
77.222.43.19
89.208.136.210

External links:
http://www.modsecurity.org/
http://www.philriesch.com/articles/2010/07/getting-a-little-sick-of-zmeu/
http://blamcast.net/articles/block-bots-hotlinking-ban-ip-htaccess
Categories: Apache

Shutdown your computer, cleaners are lurking

It's late and you're still at work. It's time to catch the bus home, but your computer is processing a huge amount of ultra-confidential data (which, of course, can only be done on Linux :P). You'll miss the bus if you don't run now, but you don't want to shut your computer down and waste a lot of time repeating the whole process tomorrow.

The problem is that if you don't shut the computer down, the cleaners, who come at 22:00 to clean the office armed with their brooms and cloths, could access all the data on your computer (as we all know, cleaners are actually high-level hackers). So, what can you do?

Don't worry, just run the following command and your PC will shut down one minute before they come into your office:

shutdown -h 21:59

If you know how long it will take to finish the process (let’s say 60 minutes), run this command instead:

shutdown -h +60

Finally, if you are too paranoid, you can halt your computer immediately by running this one:

shutdown -h now

Hey! And don’t forget to lock the door!

Categories: Commands, Linux

Generate ADDRESSBOOK type QR Codes

Recently I had to design some business cards for a computer science research group. So I decided to add a small touch of innovation by using a QR code that stored all the contact info.

Plain-text QR codes are fine as they are, but they weren't enough for my purposes, so after researching the issue a bit I found out that barcode-scanning apps also recognise QR codes that encode a contact in vCard notation, and store the information as an address-book entry.

So the first thing I did was have a look at the vCard 3.0 specification's notation. There are other address-book syntaxes out there too, but vCard is probably the one that offers the most options.

Here’s what Julius Caesar’s contact info would look like if written in vCard syntax:

BEGIN:VCARD
VERSION:3.0
N:Caesar Augustus;Gaius Julius;
FN:Gaius Julius Caesar Augustus
TITLE:CEO/Emperor
TEL;TYPE=WORK;VOICE:+555 946017
TEL;TYPE=WORK;CELL:+555 678658
EMAIL;TYPE=WORK:caesar.rules@gmail.es
ADR;TYPE=INTL,POSTAL,WORK:;;Velitrae Ox Head avenue, 1;Rome;Augusta;14567;Italy
URL;TYPE=WORK:http://www.thosewhoareabouttodiesaluteyou.com
END:VCARD
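
The vCard above was written by hand; the following builder is an added example, not code from the original post, that produces the same card programmatically and takes care of the two things the format requires that are easy to get wrong when the data comes from a database or a form: escaping of the delimiters (\, ; and , and line breaks, RFC 2426 section 2.4.2) inside the components of N and ADR, so that a comma or semicolon in a street name cannot shift the following fields, and folding of lines longer than 75 octets. The function names are mine; the contact data is the post's sample with the name spelt Gaius, and the phone types are written as TYPE=WORK,VOICE, the RFC 2426 form (the post's TYPE=WORK;VOICE makes VOICE a separate parameter rather than a second TYPE value). The split_structured function is the inverse of the builder and shows how an address should be split into its seven components, which is exactly what the scanner apps discussed below fail to do.

```python
# vCard 3.0 (RFC 2426) builder with the escaping and line folding the format requires.
# Added example, not from the original post.

def escape_text(value):
    """Escape one text value (RFC 2426 section 2.4.2): backslash first, then the
    delimiters ';' and ',', and real line breaks as the two characters '\\n'."""
    return (value.replace('\\', '\\\\')
                 .replace(';', '\\;')
                 .replace(',', '\\,')
                 .replace('\r\n', '\\n')
                 .replace('\n', '\\n'))


def structured(*components):
    """Join the components of a structured value (N, ADR) with ';', escaping each one
    so that a ';' or ',' inside a street name cannot shift the following fields."""
    return ';'.join(escape_text(c) for c in components)


def split_structured(value):
    """Inverse of structured(): split on unescaped ';' and unescape each component."""
    parts, cur, i = [], [], 0
    while i < len(value):
        ch = value[i]
        if ch == '\\' and i + 1 < len(value):
            nxt = value[i + 1]
            cur.append('\n' if nxt in 'nN' else nxt)
            i += 2
        elif ch == ';':
            parts.append(''.join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    parts.append(''.join(cur))
    return parts


def fold(line, limit=75):
    """Fold a content line longer than 75 octets; continuation lines start with a
    space, which counts towards their own 75-octet budget."""
    chunks, cur, cur_len = [], '', 0
    for ch in line:
        n = len(ch.encode('utf-8'))
        budget = limit if not chunks else limit - 1
        if cur_len + n > budget:
            chunks.append(cur)
            cur, cur_len = ch, n
        else:
            cur += ch
            cur_len += n
    chunks.append(cur)
    return '\r\n '.join(chunks)


def build_vcard(family, given, fn, title=None, tels=(), emails=(), adr=None, url=None):
    """Assemble a vCard 3.0. `adr` holds the seven ADR components in RFC order:
    PO box, extended address, street, locality, region, postal code, country."""
    lines = ['BEGIN:VCARD', 'VERSION:3.0',
             'N:' + structured(family, given, '', '', ''),
             'FN:' + escape_text(fn)]
    if title:
        lines.append('TITLE:' + escape_text(title))
    for types, number in tels:          # e.g. ('WORK,VOICE', '+555 946017')
        lines.append('TEL;TYPE=%s:%s' % (types, escape_text(number)))
    for email in emails:
        lines.append('EMAIL;TYPE=INTERNET,WORK:' + escape_text(email))
    if adr:
        lines.append('ADR;TYPE=WORK:' + structured(*adr))
    if url:
        lines.append('URL:' + escape_text(url))
    lines.append('END:VCARD')
    return ''.join(fold(l) + '\r\n' for l in lines)


# Constructed sample contact: the post's example with the name spelt Gaius.
CAESAR = dict(
    family='Caesar Augustus', given='Gaius Julius', fn='Gaius Julius Caesar Augustus',
    title='CEO/Emperor',
    tels=[('WORK,VOICE', '+555 946017'), ('WORK,CELL', '+555 678658')],
    emails=['caesar.rules@gmail.es'],
    adr=('', '', 'Velitrae Ox Head avenue, 1', 'Rome', 'Augusta', '14567', 'Italy'),
    url='http://www.thosewhoareabouttodiesaluteyou.com',
)

if __name__ == '__main__':
    print(build_vcard(**CAESAR), end='')
```

The output of build_vcard(**CAESAR) is the text to paste into the QR generator; note that the comma in the street becomes "\," in the card, which a correct reader turns back into a comma while still splitting the address on the unescaped semicolons.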

After writing the vCard it's time to generate a QR code with the encoded information. To do so, you can use one of the many online QR code generators, such as Google's Chart API wizard. This is what Julius Caesar's ADDRESSBOOK type QR code looks like:

When you scan the QR code (with a smartphone's camera via a barcode-scanning app) it shows all the contact info and offers to do one of the following:

Add contact, Show map, Call number, Send email

If you save the contact you'll see there are a few bugs in how the vCard info is retrieved. The address is treated as a single string instead of being split into street, postal code, locality and so on.

The first phone number on the vCard is treated as the cellphone number, even if you specify VOICE rather than CELL.

So it's a very promising way to add contacts, but support is still incomplete.