
Apache: Blocking bad bot attacks from ZmEu

Take a quick look at Apache's access.log and you will always find unknown IPs connecting, mostly with status codes 403 or 404. Some of these are bots like ZmEu probing for phpMyAdmin or other unprotected web applications. ZmEu is a scanner written by a group of Romanian hackers. It requests a fixed set of scripts and directories of common interest, for example /phpMyAdmin/* and /pma/*, looking for unprotected scripts and anything else that might give a remote host access to something valuable, such as your MySQL databases.

An example of a ZmEu scan in the logs is shown below (the client IP column has been stripped from these lines). If the status code is 403 or 404, you are mostly OK. If the status code is 200, the bot has found a resource that exists and is reachable, and you need to find out what ZmEu already discovered. It is only dangerous if the host runs unpatched or unprotected software that may be vulnerable.

- - [17/Jul/2014:08:29:35 -0700] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 230 "-" "ZmEu"
- - [17/Jul/2014:08:29:36 -0700] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 230 "-" "ZmEu"
- - [17/Jul/2014:08:29:36 -0700] "GET /pma/scripts/setup.php HTTP/1.1" 404 2946 "-" "ZmEu"
- - [17/Jul/2014:08:29:36 -0700] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 2948 "-" "ZmEu"
- - [17/Jul/2014:08:29:37 -0700] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 2949 "-" "ZmEu"

How to stop ZmEu?

IP blocking is not an effective fix, because a ZmEu scan can be run from any IP address. A quick fix that gets rid of almost all ZmEu traffic is to block every request whose User-Agent header contains "ZmEu", since that is the User-Agent string the scanner sends.

Let's block it in Apache. Add the following to the server configuration, to a virtual host, or to a directory context (httpd.conf, any *.conf file, or .htaccess):

# Apache 2.2 access-control syntax (on 2.4 this needs mod_access_compat)
Order allow,deny
# Tag any request whose User-Agent starts with "ZmEu" (case-insensitive)
SetEnvIfNoCase User-Agent "^ZmEu" bad_bot
# Deny tagged requests, allow everything else
Deny from env=bad_bot
Allow from all

Then reload Apache and enjoy. Two caveats: the Order/Deny/Allow directives are the Apache 2.2 access-control syntax and only work on Apache 2.4 when mod_access_compat is loaded; the native 2.4 equivalent is a <RequireAll> block containing `Require all granted` and `Require not env bad_bot`. Also, the pattern "^ZmEu" is anchored at the start of the header value, so it only matches User-Agent strings that begin with ZmEu; drop the ^ if you want to match the string anywhere in the header. After reloading, verify that a request sent with the User-Agent "ZmEu" receives a 403 while a normal browser request still succeeds.
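As an added example (not code from the original post), the following Python script applies the two checks described above, the log triage from the scan-log section and the User-Agent test that the SetEnvIfNoCase rule performs, to a constructed set of access.log lines. The sample lines, client addresses and request paths are made up for the demonstration; the pattern ^ZmEu is the one from the Apache rule.

```python
import re

# Constructed sample of Apache combined-log lines (not copied from any real
# server); the client addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jul/2014:08:29:35 -0700] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 230 "-" "ZmEu"
192.0.2.10 - - [17/Jul/2014:08:29:36 -0700] "GET /pma/scripts/setup.php HTTP/1.1" 404 2946 "-" "ZmEu"
192.0.2.10 - - [17/Jul/2014:08:29:37 -0700] "GET /myadmin/scripts/setup.php HTTP/1.1" 200 5120 "-" "ZmEu"
198.51.100.7 - - [17/Jul/2014:08:30:01 -0700] "GET /mysql/scripts/setup.php HTTP/1.1" 404 2930 "-" "zmeu"
203.0.113.5 - - [17/Jul/2014:08:31:12 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The same test the Apache rule applies: SetEnvIfNoCase User-Agent "^ZmEu" bad_bot
# is a case-insensitive regex anchored at the start of the header value.
BAD_BOT_RE = re.compile(r"^ZmEu", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_bad_bot(user_agent):
    """True if the Apache rule above would tag this request as bad_bot."""
    return BAD_BOT_RE.match(user_agent) is not None


def triage(log_text):
    """Classify log lines the way an operator reading access.log would.

    Returns a dict with:
      bad_bot      - (ip, path, status) for every request the rule would deny
      needs_review - paths the bot fetched with status 200 before the rule was
                     in place: those resources exist and are reachable
      other        - number of requests from non-matching User-Agents
      unparsed     - lines that did not match the combined log format
    """
    result = {"bad_bot": [], "needs_review": [], "other": 0, "unparsed": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            result["unparsed"].append(line)
            continue
        if is_bad_bot(rec["ua"]):
            result["bad_bot"].append((rec["ip"], rec["path"], rec["status"]))
            if rec["status"] == 200:
                result["needs_review"].append(rec["path"])
        else:
            result["other"] += 1
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{len(report['bad_bot'])} request(s) would be denied by the bad_bot rule")
    for ip, path, status in report["bad_bot"]:
        print(f"  {ip:15} {status} {path}")
    if report["needs_review"]:
        print("ZmEu already received a 200 for (investigate these):")
        for path in report["needs_review"]:
            print(f"  {path}")
```

Run it against a real log with `triage(open("/var/log/apache2/access.log").read())`. The lowercase "zmeu" line is caught because the rule is case-insensitive, and a User-Agent that merely contains ZmEu in the middle is not, which is the anchoring caveat noted above.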
