
Looking at my server error logs, I see a lot of attempts from IP addresses in China, Thailand, and whatnot trying to access non-existent directories called "manager", "phpmyadmin", "admin", anything in cgi-bin, and the like. There are a couple odd repeated requests for something called "w00tw00t.at.blackhats.romanian.anti-sec:" and "HNAP1".

I was thinking of figuring out how to write an .htaccess rule to redirect the request back to the requesting IP address, but wondered if there were other nasty tricks that would frustrate these dirtbags, given that the same 4 or 5 nonexistent directories are always attempted.

Update: Following the suggestion of "Michael - sqlbot" below, I attempted to set up mod_security on my server as a tarpit. I installed it just fine, and configured it, but even though I can verify it's compiling my configuration script (verified by introducing a syntax error and restarting httpd), it seems to be ignoring the undesirable access attempts.

Here's what I have in /etc/httpd/modsecurity.d/activated_rules/tarpit.conf

<IfModule mod_security2.c>
    SecRuleEngine On
    # Applies to any rule that does not set its own phase/status itself.
    SecDefaultAction log,allow,status:406,phase:2
    # Lower-case the URI, then hold the request (pause is in milliseconds,
    # so 5000 = 5 s) before denying it with a 402.
    SecRule REQUEST_URI phpmyadmin t:lowercase,id:14142,pause:5000,log,noauditlog,status:402,deny

    SecDebugLog /var/log/httpd/modsec_debug.log
    # Level 0 writes nothing to the debug log; 3 logs rule matches and
    # 9 logs everything, which is what you want while troubleshooting.
    SecDebugLogLevel 0
</IfModule>

The modsec_debug.log file is created initially but always empty. Requesting mydomain.com/phpmyadmin just returns the usual 403 error as if mod_security wasn't there. (I am not sure why I am getting the 403 error, maybe it's due to an old symlink I had to the phpmyadmin directory, which hasn't been there for a long time).

Anachronist
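Before deciding how to punish the scanners, it helps to know exactly which clients are probing which paths. The script below is an added example (not from the question or the answer): a small POSIX shell/awk triage of Apache combined-format access log lines that counts, per client IP, requests whose path starts with one of the probe directories named above. The log lines in SAMPLE_LOG are constructed for this example, and the IP addresses are documentation ranges, not real scanners.

```shell
#!/bin/sh
# Count per-IP hits on the probe paths scanners keep requesting.
# Reads Apache combined-format log lines from stdin.

# Paths the scanners ask for, matched case-insensitively at the start of
# the request path (w00tw00t and HNAP1 requests start this way too).
SCANNER_PATHS='^/(manager|phpmyadmin|admin|cgi-bin|w00tw00t|hnap1)'

# Constructed sample input for this example; these are not real log lines.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2013:12:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:12:00:02 +0000] "GET /PhpMyAdmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:12:00:03 +0000] "GET /manager/html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:12:00:04 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 209 "-" "ZmEu"
198.51.100.7 - - [10/Oct/2013:12:00:05 +0000] "GET /HNAP1/ HTTP/1.1" 404 209 "-" "-"
192.0.2.9 - - [10/Oct/2013:12:00:06 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'

# Print "hits ip" for every client that requested a probe path, most
# active first. Clients that never touched a probe path are not listed.
scanner_hits() {
    awk -v pat="$SCANNER_PATHS" '
        {
            # Combined format: client IP is field 1; the request line is the
            # first double-quoted field, and the path is its second token.
            n = split($0, q, "\"")
            if (n < 2) next
            split(q[2], req, " ")
            path = tolower(req[2])
            if (path ~ pat) hits[$1]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | scanner_hits
```

Feed it the real log with `scanner_hits < /var/log/httpd/access_log`; the matching is on the path only, so a scanner that tries `/PhpMyAdmin/` or `/phpmyadmin2/` still counts. Note that it deliberately ignores the HTTP status, since a 403 from a stale symlink (as described above) is just as much a probe as a 404.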

1 Answer


You probably aren't being scanned by a live person, so there's little point in trying to give them something to look at. You're likely being scanned by scripts, which would just ignore any response that isn't consistent with the vulnerability they are scanning for.

In front of my servers, I have "haproxy," which has a "tarpit" capability... when a request matching the suspicious/annoying pattern arrives, it gets "tarpitted" -- after a delay of several (configurable) seconds, the response is "500 Internal Server Error" and the connection is closed.

To me, the most satisfying part is the delay. They are obviously trying to scan as many hosts as they can in the least time possible, so a nice long delay wastes their time. Side bonus: the request does not make it to the Apache log, since it's never forwarded to Apache, and evidently haproxy is able to service these requests with very little overhead.

Apparently, this can be done with apache itself, though I haven't tried it. Here's one approach I found by googling for "apache" and "tarpit."

http://edvoncken.net/2010/08/annoyed-by-phpmyadmin-scans-set-up-a-tarpit-with-mod_security/

It would be amusing if it were possible to send them a redirect that would cause them to attack a law enforcement target that has been specifically set up for that purpose, but short of that, involving a third party in your deflection scheme without their consent is ethically dubious.

Michael - sqlbot
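For reference, here is what the haproxy tarpit described in the answer looks like in configuration. This is an added example, not the answerer's own configuration: the frontend/backend names, the 10 second hold time, port 80 on the proxy and Apache listening on 127.0.0.1:8080 are all assumptions; the path list is the set of probe directories from the question.

```haproxy
# Added example, not configuration from the answer above.
# Assumed: haproxy 1.5 or later (http-request tarpit), Apache on 127.0.0.1:8080.
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    # How long a tarpitted client is held before it gets the 500 and
    # the connection is closed. Longer wastes more of the scanner's time.
    timeout tarpit 10s

frontend web_in
    bind *:80
    # -i makes the prefix match case-insensitive, so /PhpMyAdmin/ and
    # /HNAP1/ match as well. Prefixes taken from the probes in the question.
    acl scanner_path path_beg -i /manager /phpmyadmin /admin /cgi-bin /w00tw00t /hnap1
    # Hold the request for "timeout tarpit", then answer 500 and close.
    # Nothing is forwarded, so Apache never logs these hits.
    http-request tarpit if scanner_path
    default_backend apache_backend

backend apache_backend
    server apache 127.0.0.1:8080
```

Verify it with `haproxy -c -f /etc/haproxy/haproxy.cfg`, then time a request such as `curl -s -o /dev/null -w '%{http_code} %{time_total}\n' http://your-host/phpmyadmin/`; you should see a 500 after roughly the tarpit timeout, while `/index.html` returns immediately through Apache. Keep `timeout tarpit` modest: each held connection costs the proxy a socket for its duration, so a very long hold under heavy scanning is a resource cost to you as well.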