Written by Phil on July 30, 2010 – 2:18 PM
It seems like every log file of every HTTP server I administrate has its error logs chock full of HTTP 404 errors in recent days. And where exactly are all these errors coming from? Apparently, they’re coming from script kiddies looking to take over SQL databases for the lulz.
What Is ZmEu?
From my research, ZmEu appears to be a security tool used for discovering security holes in version 2.x.x of phpMyAdmin, a web-based MySQL database manager. The tool appears to have originated somewhere in Eastern Europe. As seems to happen with all black hat security tools, it made its way to China, where it has been used ever since for non-stop brute force attacks against web servers all over the world.
But I Don’t Run phpMyAdmin in a Production Environment Anyway.
Frankly, anyone who runs that silly software anywhere other than a test environment under heavy access restrictions should probably find another profession. However, the constant 404s the tool generates in your error logs can get a bit annoying, and could even amount to a DDoS of your web server if you do not have the budget for the fanciest hardware.
How Do I Know If I’m Being Attacked By This ZmEu Thing?
Check your access log files. You should begin to see logs that look a little like
212.175.84.210 - - [29/Jul/2010:10:05:43 -0400] "GET /phpMyAdmin-2.2.3/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
212.175.84.210 - - [29/Jul/2010:10:05:43 -0400] "GET /phpMyAdmin-2.2.6/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
212.175.84.210 - - [29/Jul/2010:10:05:43 -0400] "GET /phpMyAdmin-2.5.1/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
212.175.84.210 - - [29/Jul/2010:10:05:44 -0400] "GET /phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
212.175.84.210 - - [29/Jul/2010:10:05:44 -0400] "GET /phpMyAdmin-2.5.5-rc1/scripts/setup.php HTTP/1.1" 404 315 "-" "ZmEu"
212.175.84.210 - - [29/Jul/2010:10:05:44 -0400] "GET /phpMyAdmin-2.5.5-rc2/scripts/setup.php HTTP/1.1" 404 315 "-" "ZmEu"
212.175.84.210 - - [29/Jul/2010:10:05:45 -0400] "GET /phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
212.175.84.210 - - [29/Jul/2010:10:05:45 -0400] "GET /phpMyAdmin-2.5.5-pl1/scripts/setup.php HTTP/1.1" 404 315 "-" "ZmEu"
This is the tool trying its hardest to find any phpMyAdmin installs on your web server. If it finds one, more than likely it will attempt to exploit whatever security hole applies to the version it found, on the chance that the system administrator has not properly dealt with it.
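As an added example (not code from the original post), the following Python script parses combined-format Apache access log lines like the ones above and flags source IPs that either present the ZmEu User-Agent or rack up 404s against versioned phpMyAdmin setup.php paths, so the same scan is caught even when the User-Agent is changed. The sample lines and the hit threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# The probe signature the article shows: versioned phpMyAdmin setup.php paths.
PMA_PROBE_RE = re.compile(r'/phpMyAdmin[^/]*/scripts/setup\.php$', re.IGNORECASE)

def parse_line(line):
    # Returns the fields of one combined-format line, or None if it does not parse.
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_scanners(lines, threshold=3):
    # Flags an IP that sends the "ZmEu" User-Agent, or that collects at least
    # `threshold` 404s on phpMyAdmin setup.php paths (the same scan under a
    # spoofed User-Agent). The threshold is an assumed value; tune it to your traffic.
    probe_404s = defaultdict(int)
    zmeu_ips = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        if 'ZmEu' in rec['ua']:
            zmeu_ips.add(rec['ip'])
        if rec['status'] == '404' and PMA_PROBE_RE.search(rec['path']):
            probe_404s[rec['ip']] += 1
    verdict = {ip: 'user-agent ZmEu' for ip in zmeu_ips}
    for ip, n in probe_404s.items():
        if n >= threshold:
            verdict.setdefault(ip, f'{n} x 404 on phpMyAdmin setup.php')
    return verdict

# Constructed sample lines; the first two mirror the article's own entries.
SAMPLE_LOG = """\
212.175.84.210 - - [29/Jul/2010:10:05:43 -0400] "GET /phpMyAdmin-2.2.3/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
212.175.84.210 - - [29/Jul/2010:10:05:43 -0400] "GET /phpMyAdmin-2.2.6/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
198.51.100.7 - - [29/Jul/2010:10:06:01 -0400] "GET /phpMyAdmin-2.5.1/scripts/setup.php HTTP/1.1" 404 311 "-" "Mozilla/4.0"
198.51.100.7 - - [29/Jul/2010:10:06:01 -0400] "GET /phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.1" 404 311 "-" "Mozilla/4.0"
198.51.100.7 - - [29/Jul/2010:10:06:02 -0400] "GET /phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.1" 404 311 "-" "Mozilla/4.0"
203.0.113.9 - - [29/Jul/2010:10:07:00 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Jul/2010:10:07:00 -0400] "GET /css/reset.css HTTP/1.1" 404 512 "-" "Mozilla/5.0"
""".splitlines()
if __name__ == '__main__':
    for ip, why in find_scanners(SAMPLE_LOG).items():
        print(f'{ip}: {why}')
```

The output is a per-IP verdict you can feed to a fail2ban jail or an iptables block list; the single 404 on a missing stylesheet from 203.0.113.9 is deliberately not flagged.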
Wow That Is Annoying. What Can I Do About It?
The first thought that may pop into your head would be to simply block any IP address that rings up a whole bunch of HTTP 404 errors in quick succession. However, I have a hunch that if we send the tool back anything other than an HTTP 404 error, perhaps it will cease its scanning, thinking that it might have found something. Knowing this, we can trick the tool into thinking it might have found an install of phpMyAdmin, when in reality we send the attacker back a page saying something along the lines of “Get a Job.”
Step 1: Create An Abuse Page
Create a page somewhere on your server where we can convey the appropriate message that we don’t take very kindly to script kiddies on this web server. It need not be very complicated, just enough to get the point across. Here is mine, nothing fancy.
Optionally, we can have the page return an HTTP 403 error, perhaps further confusing the tool. In PHP, for example, this can be accomplished with a line such as
<?php
// Replace the default 200 status line with a 403 before any output is sent
header("HTTP/1.1 403 Forbidden");
?>
Step 2: The Power Of mod_rewrite
There is just something about script kiddies and their inability to ever tweak configuration files to something other than the default values. Exploiting this, we can effectively block just about all instances of this annoying tool.
The tool uses the User-Agent string “ZmEu” to identify itself. So naturally, let’s redirect all traffic identifying its user-agent as “ZmEu” to our abuse page.
Create an .htaccess file in your web root directory if one does not already exist, and add the following
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/path/to/your/abusefile.php
RewriteCond %{HTTP_USER_AGENT} (.*)ZmEu(.*)
RewriteRule .* http://www.yourdomain.com/path/to/your/abusefile.php [R=301,L]
</IfModule>
This mod_rewrite rule will then redirect, with an HTTP 301 reply, all traffic whose User-Agent identifies itself as ZmEu to your abuse page (the first condition keeps requests for the abuse page itself from being redirected again).
Terrific! Problem Solved.
The convenient thing about this solution is that even if you do have phpMyAdmin installed on your web server for whatever reason, the tool will not be able to find it since we are redirecting visits to the abuse page based on User-Agent.
I hope that this article gives you another weapon to add to your arsenal in the decades-old fight against Chinese-based brute force attacks.
-PR
Exactly what I wanted,
Cheers!
Thanks for the tip! I’ve also been tired of ZmEu, toata dragostea, and others.
I tried to get my .htaccess file to block the collection of black hat browsers, but have been unsuccessful, though I finally found a good code example that lets me block all of China, Romania, and others.
How can I adapt my .htaccess file to block multiple bad guys?
Secondly, do I insert the header( HTTP/1.1 403 Forbidden ) code in the section of a PHP page that contains the “Stay away” message, or elsewhere?
Thanks VERY much!
John
Hi John,
By default, the Rewrite Conditions in Apache htaccess files are treated as AND statements: all conditions need to match before the rewrite rule is applied. However, by using the [OR] flag at the end of a RewriteCond statement, you can treat certain Rewrite Conditions in the Rewrite Rule as OR statements: only one of them needs to match before the rule is applied. This, combined with whatever attribute you want to use to block blackhats (maybe User-Agent, IP address range, etc.), can be used to block many different threats. Remember that all Rewrite Condition statements are regular expression statements.
In response to your second question, the Forbidden HTTP reply should be added to your stay-away page; however, whether this has any effect is purely speculation. I can’t really verify what effect this has on the ZmEu tool, since to date I have not been able to locate binaries of the tool or its source code for further analysis.
- Phil
I get attempts to find phpmyadmin every day, and not just from ZmEu. I use OSSEC and am writing a rule to add a DROP rule to iptables on the first attempt to access it.
Hello
Why not this
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} (.*)ZmEu(.*)
RewriteRule .* - [F]
Looks to me simpler; fail2ban is also a good candidate for these script kiddies.
Hello,
There is also another solution in Linux using iptables:
iptables -I INPUT -p tcp -s 0.0.0.0/0 -m string --string "ZmEu" --algo bm -j DROP
works well
you can also add similar rules for OUTPUT
IP address: 210.21.221.156 Server Location: Shenzhen, Guangdong in China
ISP: China Unicom IP network.
The scanning was too much for my 1&1 VPS: constantly shut down, not enough memory, blah blah blah, and the odd crash. Had to change server; they were knocking it over too easily.
216.72.4.146 - - [30/May/2011:23:30:55 +0100] "GET /admin/KAY-ivrrecording.php?php=info&ip=uname HTTP/1.1" 404 304 "-"
210.21.221.156 - - [31/May/2011:05:08:10 +0100] "GET /tools/_pma/scripts/setup.php HTTP/1.1" 404 305 "-" "ZmEu"
58.218.199.147 - - [02/Jun/2011:01:59:56 +0100] "GET http://cobebizs.com/proxyheader.php HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
216.245.217.10 - - [02/Jun/2011:04:16:50 +0100] "GET /" 400 564 "-" "-"
216.245.217.10 - - [02/Jun/2011:04:16:50 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 298 "-" "-"
58.218.199.147 - - [02/Jun/2011:05:46:22 +0100] "GET http://www.travelimgusa.com/ip.php HTTP/1.1" 404 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Instead of using an .htaccess file, could the mod_rewrite directive be added to an httpd.conf file to apply to all virtual hosts?
Thank you a bunch for sharing this with all people you actually recognize what you’re speaking approximately! Bookmarked. Please also talk over with my site =). We could have a link alternate arrangement between us
@phil – ZmEu is a Romanian script-kiddie, who put his name into his “tools”.
@dick – because it would rather start an endless loop (redirected page redirected and so on…)
@rmil – some other traffic could return false-positives and, as i think, you don’t want that to occur.
The quickest fix of all is to keep your system up-to-date.
some other fix is to run phpmyadmin on a different vhost/webserver on a high port (as that tool only tries to connect to port 80)
RewriteCond %{HTTP_USER_AGENT} (.*)ZmEu(.*)
RewriteCond %{HTTP_USER_AGENT} (.*)Java(.*)
RewriteCond %{HTTP_USER_AGENT} (.*)Rippers0(.*)
Is it possible to add more lines, as above, without crashing?
These are the three that annoy our site daily. Thanks.
Matt/411 NY
I’m sorry, I can’t get this to work. I am trying to test by setting firefox to present as ZmEu user agent.
Here’s what I see in the apache access log.
192.168.1.1 - - [01/Feb/2012:19:41:22 -0500] "GET /css/reset.css HTTP/1.1" 404 512 "http://mcreynolds.isa-geek.net/" "ZmEu"
My index.html references the reset.css which doesn’t exist, but, the browser is not redirected anyway and I can see my index.html, sans style.
What is the best way to determine if one *has* been compromised? Thx!
Thanks a lot…
Hey there, Thanks for your post, it was really informative. I’ll be looking forward to coming again….
@Nick: I would assume you would begin to see unauthorized access to any MySQL databases you manage with your phpMyAdmin installation.
I am being plagued by these attempts. For those of you who want to thwart all attack attempts and don't have public access servers, set your 404 or redirect to the following PHP; they can then have fun hacking themselves.