Yesterday I was doing my work suddenly i received some alerts on my Snort IDS with Signature. It's like below
#48-(3-699628) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:28:00 91.121.158.56:59362 10.21.1.19:80 TCP
#49-(3-699627) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:59 91.121.158.56:59179 10.21.1.19:80 TCP
#50-(3-699626) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:59 91.121.158.56:59010 10.21.1.19:80 TCP
#51-(3-699625) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:58 91.121.158.56:58725 10.21.1.19:80 TCP
#53-(3-699623) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:58 91.121.158.56:58563 10.21.1.19:80 TCP
after i searched google regarding ZmEu and found some one try discovering phpMyAdmin security hole. I confirmed my apache access.log also. It is showing some hacker try to hack phpMyAdmin.
91.121.158.56 - - [29/Oct/2013:13:27:58 +0530] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 17119 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:27:59 +0530] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 17119 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:27:59 +0530] "GET /pma/scripts/setup.php HTTP/1.1" 404 17112 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:28:00 +0530] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 17116 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:28:00 +0530] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 17116 "-" "ZmEu"
We can block above ZmEu scanner using iptables or fail2ban. Here i am going to use iptables string match.
[root@server~]# iptables -I INPUT -p tcp --dport 80 -m string --to 1000 --algo bm --string 'ZmEu' -j DROP
Explanation:-
--dport -----> destination port
--to -----> offset to stop searching
1000 -----> total 1000 bytes
--algo -----> Algorithm ( Two type : 1. bm (Boyer Moore) and 2.kmp (Kunth Pratt Morris )
--string -----> Text search pattern (case sensitive)
Save the iptables rule and restart
[root@server~]# service iptables save
After you will check the iptables rule. It will show like below
0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80 STRING match "ZmEu" ALGO name bm TO 1000
Now I blocked ZmEu using Iptables.....
#48-(3-699628) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:28:00 91.121.158.56:59362 10.21.1.19:80 TCP
#49-(3-699627) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:59 91.121.158.56:59179 10.21.1.19:80 TCP
#50-(3-699626) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:59 91.121.158.56:59010 10.21.1.19:80 TCP
#51-(3-699625) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:58 91.121.158.56:58725 10.21.1.19:80 TCP
#53-(3-699623) [snort] ET SCAN ZmEu Scanner User-Agent Inbound 2013-10-29 13:27:58 91.121.158.56:58563 10.21.1.19:80 TCP
after i searched google regarding ZmEu and found some one try discovering phpMyAdmin security hole. I confirmed my apache access.log also. It is showing some hacker try to hack phpMyAdmin.
91.121.158.56 - - [29/Oct/2013:13:27:58 +0530] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 17119 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:27:59 +0530] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 17119 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:27:59 +0530] "GET /pma/scripts/setup.php HTTP/1.1" 404 17112 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:28:00 +0530] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 17116 "-" "ZmEu"
91.121.158.56 - - [29/Oct/2013:13:28:00 +0530] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 17116 "-" "ZmEu"
We can block above ZmEu scanner using iptables or fail2ban. Here i am going to use iptables string match.
Iptables rule:
[root@server~]# iptables -I INPUT -p tcp --dport 80 -m string --to 1000 --algo bm --string 'ZmEu' -j DROP
Explanation:-
--dport -----> destination port
--to -----> offset to stop searching
1000 -----> total 1000 bytes
--algo -----> Algorithm ( Two type : 1. bm (Boyer Moore) and 2.kmp (Kunth Pratt Morris )
--string -----> Text search pattern (case sensitive)
Save the iptables rule and restart
[root@server~]# service iptables save
[root@server~]# service iptables restart
After you will check the iptables rule. It will show like below
[root@server~]# iptables -nvL
Now I blocked ZmEu using Iptables.....