New malware user-agent value: “Jorgee”


Update 2015-09-09: I’ve seen a huge increase in people reading this article in the past two days. Checking my logs I see that my server was attacked again by the “Jorgee” malware yesterday. The previous attack was almost exactly three months ago (specifically 2015-06-03). The latest attack was from a personal computer in Brazil with a gvt.net.br domain name. The attack signature appears to be identical to earlier attacks. As I say below, the smart thing to do is explicitly disallow proxying and blacklist any source trying to use your server as a proxy. Also, blacklist any HTTP user-agent containing the word “Jorgee”.

Lastly, consider blacklisting URIs that you know are not valid for your site and which are frequent targets of attacks. For example, the WordPress “revslider” plugin has had multiple vulnerabilities. Hardly a day goes by that I do not see an attack trying to exploit a revslider vulnerability. Which means it will never be installed on my site. I automatically blacklist any source which makes a request that references that plugin.

Update 2015-05-03: I’ve seen relatively few “Jorgee” attacks since the original one I wrote about below. This morning I saw a coordinated attack from 80 machines, each making over 100 requests, in the span of two minutes. The user-agent string was “Mozilla/5.0 Jorgee”. The URIs included those I recorded in the original attack (see below) plus a few new ones. Also, like the original attack, all of these were HEAD requests phrased as a proxy request with the ultimate target my own server.

Today I saw a heretofore unknown HTTP user-agent string: “Jorgee”. The word “Jorgee” has appeared in the Cookie HTTP header of the “Ringing.at.your.dorbell!” attack. I strongly recommend blacklisting the “Jorgee” user-agent value. These are the rules I have in my .htaccess file to reject blocked user-agents:

# Block ZmEu and other bots based on their user agent signature. Another sign
# that hackers aren't as smart as they think they are. Note the first
# condition. A quoted user-agent string is another sign of a sloppy hacker. No
# legitimate browser or web crawler quotes the user-agent string.
#
# Conditions written as "=value" are exact string comparisons; the others are
# regular expressions. "Jorgee" is matched as a substring (no "=") so that
# variants such as "Mozilla/5.0 Jorgee" are caught as well as the bare value.
# The [END] flag requires Apache 2.4 or later.
RewriteCond %{HTTP_USER_AGENT} ^" [OR]
RewriteCond %{HTTP_USER_AGENT} =x00_-gawa.sa.pilipinas.2015 [OR]
RewriteCond %{HTTP_USER_AGENT} Jorgee [OR]
RewriteCond %{HTTP_USER_AGENT} =ZmEu [OR]
RewriteCond %{HTTP_USER_AGENT} =immoral [OR]
RewriteCond %{HTTP_USER_AGENT} ^PHP/5\.{ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*\stools.ua.random [OR]
RewriteCond %{HTTP_USER_AGENT} ^chroot [OR]
RewriteCond %{HTTP_USER_AGENT} ^DataCha0s [OR]
RewriteCond %{HTTP_USER_AGENT} ^I'm\sa\smu\smu [OR]
RewriteCond %{HTTP_USER_AGENT} ^\(\)\s{ [OR]
RewriteCond %{HTTP_USER_AGENT} ^q\[ [OR]
RewriteCond %{HTTP_USER_AGENT} ^Morfeus\sFucking\sScanner
RewriteRule ^ blocked.php [END,E=error-notes:blacklisted-user-agent]

The attack came from a dynamic address in the telefonica.de domain in Germany. The malware was issuing requests that superficially looked like proxy requests. I say superficially because the IP address in the request line was that of my server itself. For example:

HEAD http://75.101.21.75:80/mysql/admin/ HTTP/1.1

The proxy formulation caused my web server abuse monitor to automatically blacklist the source since I don’t allow proxying via my web server. For posterity here are the 85 URIs this malware probed:

/2phpmyadmin/
/MyAdmin/
/PMA/
/PMA2011/
/PMA2012/
/admin/
/admin/db/
/admin/pMA/
/admin/phpMyAdmin/
/admin/phpmyadmin/
/admin/sqladmin/
/admin/sysadmin/
/admin/web/
/administrator/PMA/
/administrator/admin/
/administrator/db/
/administrator/phpMyAdmin/
/administrator/phpmyadmin/
/administrator/pma/
/administrator/web/
/database/
/db/
/db/db-admin/
/db/dbadmin/
/db/dbweb/
/db/myadmin/
/db/phpMyAdmin-3/
/db/phpMyAdmin/
/db/phpMyAdmin3/
/db/phpmyadmin/
/db/phpmyadmin3/
/db/webadmin/
/db/webdb/
/db/websql/
/dbadmin/
/myadmin/
/mysql-admin/
/mysql/
/mysql/admin/
/mysql/db/
/mysql/dbadmin/
/mysql/mysqlmanager/
/mysql/pMA/
/mysql/pma/
/mysql/sqlmanager/
/mysql/web/
/mysqladmin/
/mysqlmanager/
/php-my-admin/
/php-myadmin/
/phpMyAdmin-3/
/phpMyAdmin/
/phpMyAdmin2/
/phpMyAdmin3/
/phpMyAdmin4/
/phpMyadmin/
/phpmanager/
/phpmy-admin/
/phpmy/
/phpmyAdmin/
/phpmyadmin/
/phpmyadmin2/
/phpmyadmin3/
/phpmyadmin4/
/phppma/
/pma/
/pma2011/
/pma2012/
/program/
/shopdb/
/sql/myadmin/
/sql/php-myadmin/
/sql/phpMyAdmin/
/sql/phpMyAdmin2/
/sql/phpmanager/
/sql/phpmy-admin/
/sql/phpmyadmin2/
/sql/sql-admin/
/sql/sql/
/sql/sqladmin/
/sql/sqlweb/
/sql/webadmin/
/sql/webdb/
/sql/websql/
/sqlmanager/
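As an added example (not code from the original post or from the author's server), here is a small Python detector that applies the checks described above to Apache combined-format log lines: a quoted user-agent, a user-agent containing “Jorgee”, a request line in absolute-URI (proxy) form, a proxy-form request whose target host is the server itself, and a path taken from the probe list above or referencing the revslider plugin. The sample log lines are constructed for the example (documentation-range IP addresses, the server address from the request shown above), and the probe set is only a subset of the 85 paths listed; extend it with the full list.

```python
import re
from urllib.parse import urlsplit

# Subset of the 85 paths recorded above (extend with the full list as needed)
# plus the revslider plugin fragment the post recommends blacklisting outright.
JORGEE_PROBES = {
    "/2phpmyadmin/", "/MyAdmin/", "/PMA/", "/admin/phpMyAdmin/", "/db/", "/dbadmin/",
    "/mysql/admin/", "/mysqladmin/", "/phpMyAdmin/", "/phpmyadmin/", "/pma/", "/sqlmanager/",
}
BANNED_URI_FRAGMENTS = ("/revslider/",)

# Apache combined log format. A quote inside a field is logged as \" so the
# field pattern must allow backslash escapes.
_FIELD = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>' + _FIELD + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>' + _FIELD + r')" "(?P<ua>' + _FIELD + r')"$'
)

# Constructed sample lines, not real log data. Line 4 carries a quoted
# user-agent, which Apache writes as \"Mozilla/4.0\".
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2015:10:12:01 +0000] "HEAD http://75.101.21.75:80/mysql/admin/ HTTP/1.1" 403 - "-" "Mozilla/5.0 Jorgee"
203.0.113.5 - - [03/Jun/2015:10:12:01 +0000] "HEAD http://75.101.21.75:80/phpMyAdmin/ HTTP/1.1" 403 - "-" "Jorgee"
198.51.100.9 - - [03/Jun/2015:10:13:44 +0000] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/x.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
198.51.100.10 - - [03/Jun/2015:10:14:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "\\"Mozilla/4.0\\""
192.0.2.77 - - [03/Jun/2015:10:15:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/38.0"
"""


def _unescape(field):
    """Undo Apache's \\" escaping inside a logged field."""
    return field.replace('\\"', '"')


def classify(line, my_hosts):
    """Return the reasons a log line should get its source blacklisted ([] if clean).

    my_hosts: the hostnames/IPs this server answers to, used to tell a
    "proxy request" that really targets us (the Jorgee signature) from a
    genuine attempt to proxy elsewhere. Both are blocked; the reason differs.
    """
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return ["unparseable log line"]
    reasons = []
    ua = _unescape(m["ua"])
    parts = m["request"].split()
    target = parts[1] if len(parts) >= 2 else ""

    # 1. User-agent checks, mirroring the .htaccess rules above.
    if ua.startswith('"'):
        reasons.append("quoted user-agent")
    if "Jorgee" in ua:
        reasons.append("Jorgee user-agent")

    # 2. An absolute-URI request target is a proxy request; we never proxy.
    if "://" in target:
        parsed = urlsplit(target)
        path = parsed.path
        if (parsed.hostname or "") in my_hosts:
            reasons.append("proxy-form request aimed at this server")
        else:
            reasons.append("proxy request for %s" % parsed.hostname)
    else:
        path = target.split("?", 1)[0]

    # 3. Known scanner targets and URIs that are never valid on this site.
    if path in JORGEE_PROBES:
        reasons.append("phpMyAdmin probe %s" % path)
    if any(frag in path for frag in BANNED_URI_FRAGMENTS):
        reasons.append("banned URI %s" % path)
    return reasons


def scan(log_text, my_hosts):
    """Map each offending source IP to the set of reasons it should be blocked."""
    verdicts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = classify(line, my_hosts)
        if reasons:
            verdicts.setdefault(line.split(" ", 1)[0], set()).update(reasons)
    return verdicts


if __name__ == "__main__":
    for ip, why in sorted(scan(SAMPLE_LOG, {"75.101.21.75"}).items()):
        print(ip, "->", "; ".join(sorted(why)))
```

The proxy-form test looks at the raw request target rather than the path Apache resolves, because once the server has mapped `http://75.101.21.75:80/mysql/admin/` onto the local vhost the request is indistinguishable from a plain `HEAD /mysql/admin/`; only the request line preserves the signature.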