Monday, March 13, 2017

UA "Mozilla/5.0 Jorgee": Knocking on the phpMyAdmin door

Twice in the last couple of days my HIDS has fired the alert "Multiple web server 400 error codes from same source ip." A quick look at access.log revealed the following:

XXX.XXX.XX.XX - - [13/Mar/2017:09:36:20 +0100] "HEAD http://[my Ip]:80/phppma/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:19 +0100] "HEAD http://[my Ip]:80/phpmy/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:19 +0100] "HEAD http://[my Ip]:80/2phpmyadmin/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:19 +0100] "HEAD http://[my Ip]:80/phpmyadmin4/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:19 +0100] "HEAD http://[my Ip]:80/phpmyadmin3/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:18 +0100] "HEAD http://[my Ip]:80/phpmyadmin2/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:18 +0100] "HEAD http://[my Ip]:80/phpmyAdmin/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:18 +0100] "HEAD http://[my Ip]:80/phpMyAdmin/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:17 +0100] "HEAD http://[my Ip]:80/phpMyadmin/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:17 +0100] "HEAD http://[my Ip]:80/phpmyadmin/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:17 +0100] "HEAD http://[my Ip]:80/mysql/mysqlmanager/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:17 +0100] "HEAD http://[my Ip]:80/mysql/sqlmanager/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee" 
 
It is obvious that somebody is gathering information about my phpMyAdmin installation (which I am not running anyway). However, the UA field looked strange, since I had never seen it before. After consulting a couple of OSINT sources, it looks like the signature belongs to a phpMyAdmin exploit scanner (my guess is some variant of Revolt). The automation of probes from different IPs raised my suspicion of some kind of malware, since a back-scan with nmap showed that one source IP hosts a Visual SVN server and IIS, while the other is running Ubuntu Linux with default sshd and nginx installations.
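As an added example (not code from the original post), here is the detection logic behind an alert like the HIDS one above, run over constructed log lines in the same Apache combined format as the excerpt: it groups 4xx responses on phpMyAdmin-looking paths per source IP, flags a source once it exceeds a threshold inside a time window, and notes whether the Jorgee UA was seen. The sample IPs, path list, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format; the excerpt's absolute-URI request targets
# are captured by the same <target> group as a relative path would be.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
PMA_PATH = re.compile(r'phpmyadmin|phppma|phpmy|mysqlmanager|sqlmanager', re.I)
SCANNER_UA = "Jorgee"  # UA string seen in the post's log excerpt

# Constructed sample modelled on the excerpt (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Mar/2017:09:36:17 +0100] "HEAD http://198.51.100.2:80/mysql/sqlmanager/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
203.0.113.7 - - [13/Mar/2017:09:36:17 +0100] "HEAD http://198.51.100.2:80/phpmyadmin/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
203.0.113.7 - - [13/Mar/2017:09:36:18 +0100] "HEAD http://198.51.100.2:80/phpMyAdmin/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
203.0.113.7 - - [13/Mar/2017:09:36:18 +0100] "HEAD http://198.51.100.2:80/phpmyadmin2/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
203.0.113.7 - - [13/Mar/2017:09:36:19 +0100] "HEAD http://198.51.100.2:80/phpmyadmin3/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
198.51.100.9 - - [13/Mar/2017:09:40:01 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [13/Mar/2017:09:40:02 +0100] "GET /favicon.ico HTTP/1.1" 404 481 "-" "Mozilla/5.0 (X11; Linux x86_64)"
""".splitlines()

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def find_pma_scans(lines, window=timedelta(seconds=60), threshold=5):
    # Collect 4xx responses on phpMyAdmin-looking paths, keyed by source IP.
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if 400 <= rec["status"] < 500 and PMA_PATH.search(rec["target"]):
            by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0  # sliding window over the sorted events
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {"count": len(recs),
                            "scanner_ua": any(SCANNER_UA in r["ua"] for r in recs),
                            "paths": sorted(r["target"] for r in recs)}
                break
    return hits
```

A single 404 on /favicon.ico from a normal browser never reaches the threshold, so only the probing source is reported.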

Since I'm running Apache on that particular server, I added the following to my .htaccess file to block those requests:

# Deny (403 Forbidden) any request whose User-Agent contains "Jorgee",
# matched case-insensitively; robots.txt stays reachable.
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} Jorgee [NC]
RewriteRule !^robots\.txt$ - [F]

Attacks originated from the IPs in Sankt Petersburg (Russia) and Paris (France).
