ZmEu Attacks/Exploits on the rise… again

Well as the title it seems that ZmEu activity is on the rise again. I have noticed lately in review logs from my servers and my clients server ZmEu seems to be generating a ton of noise. I have seen it go after shopping carts like Zencart and OS commerce but the most common entries seem to be attacks against mysqladmin/phpmyadmin. It is also no surprise that most of these attacks are originating from China.

The activity is pretty simple to spot if you view your httpd logs i have omitted various lines just to show some of the different versions it tests against:

GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" "69.55.233.22" "ZmEu"
GET /scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /admin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /admin/pma/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /admin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 302 20 "69.55.233.22" "ZmEu"
GET /phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpmyadmin1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpmyadmin2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /pma/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /pma/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /web/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /web/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /php-my-admin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /php-my-admin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /websql/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /websql/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /php-my-admin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /php-my-admin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.2.3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.2.3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.2.6/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.2.6/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.5-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.5-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.5-rc2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.5-rc2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.5-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.5-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.6-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.6-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.6-rc2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.6-rc2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.6/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.6/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.7/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.7/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.5.7-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.5.7-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-alpha/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-alpha/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-alpha2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-alpha2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-beta2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-beta2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-rc2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-rc2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-rc3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-rc3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-pl2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-pl2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.0-pl3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.0-pl3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1-rc2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1-rc2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1-pl2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1-pl2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.1-pl3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.1-pl3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.2-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.2-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.2-beta1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.2-beta1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.2-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.2-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.2-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.2-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.3-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.3-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.3-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.4-pl2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.4-pl3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-pl2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.4-pl4/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-pl3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.6.4/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4-pl4/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.7.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.6.4/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.7.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.7.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.7.0-pl1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.7.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.7.0-pl2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.7.0-pl1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.7.0/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.7.0-pl2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.7.0/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0-beta1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0-rc2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0-rc2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0.1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0.2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0.1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0.3/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0.2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.0.4/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0.3/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.1-rc1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.0.4/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.1/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.1-rc1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.1/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /sqlmanager/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysqlmanager/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /sqlmanager/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysqlmanager/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /p/m/a/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /PMA2005/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /pma2005/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /phpmanager/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /PMA2005/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /php-myadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /pma2005/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /phpmy-admin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /webadmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /webdb/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /sqlweb/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysqladmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /websql/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /webdb/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysqladmin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /mysql-admin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"

The logs do not cover everything but it is still a pain in the ass.

So, how do we help reduce the attack surface and vectors for ZmEu?

Some of the most effective counter-measures are simple best practices.

At the perimeter firewall or choke start with the old deny all and only open the specific ports required.

If you don’t “need” thing like mysqladmin/phpmyadmin then remove it or don’t install it.

If you are going to run them things like .htaccess files and mod_sec are your friends… so use them!

Hell, most hardware firewalls include at least one ssl vpn license these days so if you can’t control access based on ip,

restrict it to the vpn network as a management segment

(i.e. http://www.foo.net:8881/myPhpAdmin and block 8881 in your firewall to all but your static IP address).

Here is a quick little mod_sec rule to help you out:

       SecRule REQUEST_URI "@rx (?i)\/(php-?My-?Admin[^\/]*|mysqlmanager
       |myadmin|pma2005|pma\/scripts|phpMyAdmin-insertproperver|w00tw00t[^\/]+)\/"
       "severity:alert,id:'0000013',deny,log,status:400,
       msg:'Unacceptable folder.',severity:'2'"

READ THIS TWICE!!!: You can’t really cut the lines this way… Use a \ and don’t cut strings.

This is just to make the format easier to read on the blog.

If you are using phpMyAdmin, then you’ll want to add another rule to skip this one.

That other rule should check your IP and when you get a perfect match, use “skipAfter:0000013″.

Hope this helped!

–E

ZmEu Attacks/Exploits on the rise… again

My Recent Tweets:

RSS Feed For This Page Only

ZmEu Attacks/Exploits on the rise… again

My Recent Tweets:

Tags

RSS Feed For This Page Only