
ZmEu attacks: Some basic forensic

One day you may find a bunch of requests in a short period of time with an unusual and suspicious user agent in your Apache web server's logs. Something like Made by ZmEu @ WhiteHat Team – http://www.whitehat.ro or just ZmEu, and the requests may come from Russia or China. Search and you'll find that ZmEu is a bot that tries to find vulnerabilities in phpMyAdmin (it usually looks for the phpmyadmin/scripts/setup.php file) and other web applications. This is what the logs looked like.

This one failed to find phpMyAdmin, as it got a 404 HTTP status code:

75.127.68.106 [...] "GET //phpMyAdmin/ HTTP/1.1" 404 285 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

This one succeeded: a 200 HTTP status code was returned when accessing http://domain.com/myadmin:

75.127.68.106 [...] "GET //myadmin/ HTTP/1.1" 200 8644 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

The last one is a bit strange, as they are looking for /w00tw00t.at.blackhats.romanian.anti-sec:):

89.108.119.29 [...] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 315 "-" "ZmEu"

These are just 3 examples. If your server has suffered this attack, you'll see a lot of similar rows coming from the same IP address in a very short period of time. If none of the GET requests returned a 200 code, you are probably safe. Otherwise your system may have been compromised, so you'd better look for suspicious things in any of the files/folders they found.
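The triage described above (find the ZmEu requests, count them per source IP, and single out the ones that got a 2xx status because those are the paths to inspect) can be scripted with awk over the Apache combined log. This is an added example, not part of the original post; the log lines are constructed here and modelled on the three requests shown above, and the iptables rules are only printed, not executed.

```shell
#!/bin/sh
# Constructed sample in Apache "combined" log format (not real traffic).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
75.127.68.106 - - [10/May/2011:03:12:01 +0000] "GET //phpMyAdmin/ HTTP/1.1" 404 285 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
75.127.68.106 - - [10/May/2011:03:12:02 +0000] "GET //myadmin/ HTTP/1.1" 200 8644 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
89.108.119.29 - - [10/May/2011:03:15:40 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 315 "-" "ZmEu"
203.0.113.7 - - [10/May/2011:03:16:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF

# zmeu_hits FILE: every request whose user agent contains "ZmEu",
# printed as "ip status path". Splitting on the double quote gives
# $1 = "ip - - [timestamp] ", $2 = request line, $3 = " status bytes ",
# $6 = user agent.
zmeu_hits() {
  awk -F'"' '$6 ~ /ZmEu/ {
      split($1, c, " "); split($2, r, " "); split($3, s, " ")
      print c[1], s[1], r[2]
  }' "$1"
}

# zmeu_sources FILE: number of ZmEu requests per source IP, busiest first.
zmeu_sources() {
  zmeu_hits "$1" | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# zmeu_successes FILE: ZmEu requests answered with 2xx. These are the
# paths the bot actually found and the ones to audit for compromise.
zmeu_successes() {
  zmeu_hits "$1" | awk '$2 ~ /^2/ { print $1, $3 }'
}

# zmeu_block_rules FILE: the iptables command from the post, one per
# offending IP. Printed for review rather than run, so nothing is
# changed on the host until an operator decides to apply it.
zmeu_block_rules() {
  zmeu_sources "$1" | awk '{ printf "iptables -I INPUT -s %s -j DROP\n", $2 }'
}

echo "ZmEu requests per source IP:";            zmeu_sources "$SAMPLE_LOG"
echo "ZmEu requests that got a 2xx (audit):";   zmeu_successes "$SAMPLE_LOG"
echo "Proposed firewall rules:";                zmeu_block_rules "$SAMPLE_LOG"
```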

Even if you don't have phpMyAdmin installed, or if all the requests returned a 404 error, you should block this kind of attack, not only for security reasons but also for system stability and good performance. You can start by doing these 3 things:

  1. Block all the suspicious IPs. This will not stop the attacks, as attackers use different IPs each time. But it is good practice to block requests coming from zombies, in case more malicious attacks, maybe more dangerous than ZmEu, come from there in the future. You can use iptables to block these addresses:
    iptables -I INPUT -s 89.108.119.29 -j DROP
  2. Install ModSecurity. It is an open source web application firewall that will help you secure your Apache web server. With this Apache module you'll be able to block almost any attack, although you will have to learn how to configure new rules if the default ones are not enough for you.
  3. Every attack of this kind creates a performance leak, as a 404 error page must be generated and served. You can create an antibot.php file with these lines:
    <?php
    // Answer with a bare 403 and stop, so no page body is generated for the bot.
    header("HTTP/1.1 403 Forbidden");
    exit;
    ?>

    Then add these lines to your .htaccess file in the web root directory. If you don’t have one, just create it. Remember you must have mod_rewrite installed and loaded.

    RewriteEngine on
    # REQUEST_URI starts with a slash, so the exclusion must too; otherwise the redirect loops.
    RewriteCond %{REQUEST_URI} !^/antibot\.php
    RewriteCond %{HTTP_USER_AGENT} (.*)ZmEu(.*)
    RewriteRule .* http://www.yourdomain.com/antibot.php [R=301,L]

    This will reply with a 403 error to all the requests that contain the string ZmEu in the user agent. So if you only use this method, your server will be blocking only ZmEu attacks. If you also want to block other user agents just add another RewriteCond %{HTTP_USER_AGENT} botname_regexp line. When adding another condition, don’t forget to add [OR] at the end of the previous RewriteCond.

    Update: nyhm proposed these other rewrite rules in the comments. They’re more straightforward and they probably work better than the ones above.

    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} ^ZmEu [OR]
    RewriteCond %{HTTP_USER_AGENT} (.*)AnotherAgent(.*)
    RewriteRule .* - [F]

    Replace AnotherAgent with the user agent you want to block, or remove that line together with the [OR] on the previous one.

You may want to block in your server the IP addresses that show up in such logs, as they are known to be carrying out this kind of attack.


External links:
http://www.modsecurity.org/
http://www.philriesch.com/articles/2010/07/getting-a-little-sick-of-zmeu/
http://blamcast.net/articles/block-bots-hotlinking-ban-ip-htaccess
  1. 2011/05/24 at 15:28

    Thank you for the information. I have blocked the following hosts in my iptables; they are mostly ZmEu related and some are for /webstats/, about which I have a question for you at the end.


    I do have a related question for you. Have you ever seen, or do you know about, lots of GET/POST requests to the /webstats directory (the default webalizer stats) as shown below? If you do a Google search on these hosts, there are tons of results on them doing the same thing to other web servers, but no other details.

    hsi-kbw-109-192-245-251.hsi6.kabel-badenwuerttemberg.de - - [23/May/2011:00:24:10 +0000] "POST /webstats/ HTTP/1.1" 200 11770 "http://bestpennystockprophet.com" "Mozilla 4/0"

    hsi-kbw-109-192-245-251.hsi6.kabel-badenwuerttemberg.de - - [23/May/2011:00:24:11 +0000] "GET /webstats/ HTTP/1.1" 200 11770 "http://bestpennystockprophet.com" "Mozilla 4/0"

    cache.aragon.es - - [23/May/2011:19:36:47 +0000] "GET /webstats/ HTTP/1.1" 200 11770 "-" "Mozilla 4/0"

    cache.aragon.es - - [23/May/2011:19:36:49 +0000] "POST /webstats/ HTTP/1.1" 200 11770 "http://board.azboxworld.com/member.php?u=30045" "Mozilla 4/0"

    Thanks
    -Arul

    • blizarazu
      2011/06/13 at 21:03

      Thanks for your comment.

      No, I've never seen that kind of request. Obviously they are trying to find something about your Webstats application: vulnerabilities, the statistics of your site... who knows. Maybe you should protect your webstats folder. More info in this forum.

      Hope it helps

  2. oie
    2011/06/13 at 20:17

    One more 49.212.44.73

  3. 2011/08/29 at 18:44

    Your rules do not work for me exactly as described. Here are some tweaks that fixed it. Notice the / before the first condition filename as well as the [OR] to add more conditions (otherwise they must all match). Thanks for the great guide.

    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/antibot.php
    RewriteCond %{HTTP_USER_AGENT} (.*)ZmEu(.*) [OR]
    RewriteCond %{HTTP_USER_AGENT} (.*)AnotherAgent(.*)
    RewriteRule .* /antibot.php [R=301,L]

    One question, though... Why redirect with 301 Moved Permanently only to give a 403? Why not write the rule to use [R=403,L]?

  4. 2011/08/31 at 20:03

    Here’s my simplified approach. Can anyone tell me whether this is valid?

    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} ^ZmEu [OR]
    RewriteCond %{HTTP_USER_AGENT} (.*)AnotherAgent(.*)
    RewriteRule .* - [F]

    Notice that the ZmEu agent tends to start with the name. Does this need to be ^ZmEu(.*) to catch the rest, or is that implied? The AnotherAgent is given as an example.

    Instead of redirecting (301), this uses the [F] rule, which immediately throws a 403 Forbidden to the client.

    • blizarazu
      2012/01/12 at 0:37

      Good tip, thanks! I’ve tested it and it works like a charm.

      You can write just (.*)ZmEu(.*) as this way it will catch every user agent that contains the ZmEu string in it, even if the agent starts with that name.

      There is a good add-on for Firefox that lets you switch your user agent. It helps a lot for testing such things. Here’s the link:
      https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/

  5. mijaelg
    2011/10/03 at 16:07

    Here are more IP addresses ZmEu uses

    219.232.239.29
    200.166.97.100
    116.213.54.27

  6. 2011/10/24 at 13:43

    look:
    [Wed Oct 19 04:00:51 2011] [client 38.126.100.104] /var/www/user
    [Wed Oct 19 09:21:42 2011] [client 61.38.186.61] /var/www/w00tw00t.at.blackhats.romanian.anti-sec

    some fucking russians have tried to hack my server:
    I found http://www.foods.org.ua/ (I think they are the ones who attacked me, but I can't actually prove it.)

    AND, no less important, some scripts written in Perl like this:
    - ll.pl
    http://www.foods.org.ua/scripts/ll.pl

    In that code you can find the rules of the attack, maybe it helps!

  7. 2012/02/22 at 1:26

    redirect 301 /phpmanager/ http://www.urbandictionary.com/define.php?term=fuck+you
    redirect 301 /webadmin/ http://www.urbandictionary.com/define.php?term=fuck+you

    This is what we do to the hackers.

  8. psilofski
    2012/04/02 at 11:44

    Take a look at this:
    http://httpd.apache.org/docs/2.0/howto/htaccess.html

    It would be better to include the .htaccess script (nyhm's solution) in your httpd.conf file and completely dump the .htaccess, in order to allow for "AllowOverride None" in your server configuration, both for reasons of security and speed.

    That is of course if you have root access to the server…

  9. Tony
    2012/07/18 at 15:08

    You may also want to add 211.210.124.201 to your list.

  10. nyles
    2012/07/25 at 4:29

    Thanks for this blog post. We just saw ZmEu activity on one of our servers, nearly exactly as described above, coming from IP 213.0.180.23.

  11. Some1
    2013/02/18 at 4:36

    And don't forget the exit;

    Otherwise the attack will continue, because your script misses exit; after header()

  12. gnoptiy
    2014/01/31 at 4:07

    Here’s my list of blocked IP:


  13. 2014/02/10 at 8:50

    my block list

  14. Christian
    2017/03/12 at 21:48

    If anyone is interested, that's the snippet I came up with for lighttpd; it just returns 403 for any request from any user agent matching ZmEu or Morfeus

    $HTTP["useragent"] =~ "(ZmEu|Morfeus)" {
        url.access-deny = ("")
    }
