
Recently I've identified that a hack attempt was performed on one of my servers.

I have dumped the nginx logs to GitHub; please take a look and try to identify which tool was used to perform this attack.

Excerpt from log:

195.154.41.132 - ktuser [04/Nov/2016:12:59:18 -0400] "POST /apply.cgi HTTP/1.1" 404 459 "-" "-"
195.154.41.132 - ktuser [04/Nov/2016:12:59:18 -0400] "GET /cgi_bin/user_network_connection.asp HTTP/1.1" 404 459 "-" "-" 
162.243.79.108 - - [01/Nov/2016:16:39:57 -0400] "HEAD http://8.8.8.8:80/phpmyadmin4/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
162.243.79.108 - - [01/Nov/2016:16:39:57 -0400] "HEAD http://8.8.8.8:80/2phpmyadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
162.243.79.108 - - [01/Nov/2016:16:39:57 -0400] "HEAD http://8.8.8.8:80/phpmy/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
162.243.79.108 - - [01/Nov/2016:16:39:57 -0400] "HEAD http://8.8.8.8:80/phppma/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
162.243.79.108 - - [01/Nov/2016:16:39:57 -0400] "HEAD http://8.8.8.8:80/myadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
162.243.79.108 - - [01/Nov/2016:16:39:57 -0400] "HEAD http://8.8.8.8:80/shopdb/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"

Full log can be seen here: https://gist.github.com/acosonic/772971fee7b4b20c5ba3da7657a42430

Also, please advise if there is some behavioural tool that would learn and identify that the above is a threat, and ban such IPs.

  • Looks like a web vulnerability scanner (looking at that log, it could be any of them) has run a scan; the log format is your server's access log. – TheJulyPlot Nov 15 '16 at 16:33
  • I also own a VPS, and similar kinds of logs also occur. This is basically a bot which is actually checking the admin directories or Access-Manager directory of various services which you run on your server, like phpMyAdmin, wp-admin for WordPress, /user/login for Joomla and so on. This is basically bruteforcing your juicy directories, but they're not present so it gives a 404 error. So, in case you have any unsecured login directory or any admin login of a service running, it's better to harden the credentials for the same. – Gerorge Timber Nov 15 '16 at 18:19
  • @Gerorge Timber That part I figured immediately, and I'm asking which bot they are using...? And I'm also asking for advice on some behavioural-analysis intrusion prevention tool. In this case the rule would be 3 false scans = ban... – Aleksandar Pavić Nov 15 '16 at 21:20
  • A Google search on "Mozilla/5.0 Jorgee" identifies which bot it is. As for how to respond, it really depends on your site and what is considered abnormal for your use cases. We can't know that for your server. – schroeder Nov 15 '16 at 22:09
  • I'm in the same situation as you. This bot is trying to bruteforce directories and SSH. I've banned more than 217 IPs and every day there are new ones... I don't know how to stop this attack... Maybe get a new IP address for my server? – Chiheb Nexus Jul 30 '17 at 09:11
  • I was thinking of building a rule for fail2ban, but I never get time :( – Aleksandar Pavić Jul 31 '17 at 10:14
  • No need to note them all, just one or two, as it is working from a list. Just ban anything looking for PMA2012/pma2012 etc. as they have to be door knocking. – mckenzm Aug 28 '17 at 21:07

1 Answer


It is a vulnerability scanner called Jorgee. The log actually tells you this because it is displaying the user-agent for each request. A quick search on the user-agent reveals a whole host of information about Jorgee.

There are a couple of steps you can take; you could set up something like Fail2Ban. If you didn't want to set up anything too complicated, then you have a few configuration options. They won't stop everything; you would need to do a lot more if you were trying to defend against anything other than an automated bot.

Firstly, you could look for any user-agents which you don't want. For example, in this case you can look for any user-agents which show Jorgee and drop those requests.

Secondly, you can set up rules to block unwanted host headers. This is fairly trivial to do: you can create rules to only allow host headers that you specifically want and drop any host headers that are either numeric or not in your list.

As I said, you would need to do a lot more than this to stop anyone even remotely serious, but this is a start.
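A worked example added here (not part of the question or the answer above): a small Python script that applies the three ideas from this page to the excerpt's own log lines, namely the user-agent block from the answer, a host-header allowlist, and the "3 false scans = ban" rule from the comments. `ALLOWED_HOSTS`, the thresholds and the benign 200 line are assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlsplit

# nginx "combined" access-log format, as in the excerpt above
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"')
BAD_UA = ("jorgee",)                 # user-agent substrings we refuse to serve
ALLOWED_HOSTS = {"www.example.com"}  # assumption: the vhost names we really serve
NOT_FOUND_LIMIT, WINDOW_SECONDS = 3, 60  # "3 false scans = ban", within 60 s

def parse(line):
    """Split one access-log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    r = m.groupdict()
    r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
    r["status"] = int(r["status"])
    # absolute-URI targets (proxy-style probes) carry their own host part
    r["host"] = urlsplit(r["target"]).hostname if "://" in r["target"] else None
    return r

def classify(lines):
    """Return {ip: set_of_reasons} for every client that tripped a rule."""
    verdicts = defaultdict(set)
    recent_404 = defaultdict(deque)  # ip -> timestamps of its recent 404s
    for r in filter(None, map(parse, lines)):
        if any(bad in r["ua"].lower() for bad in BAD_UA):
            verdicts[r["ip"]].add("blocked-user-agent")
        if r["host"] and r["host"] not in ALLOWED_HOSTS:
            verdicts[r["ip"]].add("foreign-host-header")
        if r["status"] == 404:
            q = recent_404[r["ip"]]
            q.append(r["ts"])
            while (r["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
                q.popleft()
            if len(q) >= NOT_FOUND_LIMIT:
                verdicts[r["ip"]].add("404-burst")
    return dict(verdicts)

SAMPLE = [  # constructed: four lines from the excerpt plus one benign request
    '195.154.41.132 - ktuser [04/Nov/2016:12:59:18 -0400] "POST /apply.cgi HTTP/1.1" 404 459 "-" "-"',
    '162.243.79.108 - - [01/Nov/2016:16:39:57 -0400] "HEAD http://8.8.8.8:80/phpmyadmin4/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"',
    '162.243.79.108 - - [01/Nov/2016:16:39:57 -0400] "HEAD http://8.8.8.8:80/phpmy/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"',
    '162.243.79.108 - - [01/Nov/2016:16:39:57 -0400] "HEAD http://8.8.8.8:80/myadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"',
    '203.0.113.5 - - [01/Nov/2016:16:40:10 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
```

Running `classify(SAMPLE)` flags the Jorgee client on all three rules while the single-request ktuser client stays under the 404 threshold; feeding such verdicts into a firewall ban is the part Fail2Ban would do for you.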