views: 138, answers: 2

Hello,

Recently my ELMAH exception logs are full of attempts from people using this damn ZmEu security software against my server.

For those thinking “what the hell is ZmEu?”, here is an explanation:

“ZmEu appears to be a security tool used for discovering security holes in version 2.x.x of PHPMyAdmin, a web-based MySQL database manager. The tool appears to have originated from somewhere in Eastern Europe. Like what seems to happen to all black hat security tools, it made its way to China, where it has been used ever since for non-stop brute force attacks against web servers all over the world.”

Here's a great link about this annoying attack: http://www.philriesch.com/articles/2010/07/getting-a-little-sick-of-zmeu/

I'm using .NET so they ain't gonna find PHPMyAdmin on my server, but the fact that my logs are full of ZmEu attacks is becoming tiresome.

The link above provides a great fix using .htaccess, but I'm using IIS 7.5, not Apache. I have an ASP.NET MVC 2 site, so I'm using the Global.asax file to create my routes.

Here is the .htaccess suggestion:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/path/to/your/abusefile.php
RewriteCond %{HTTP_USER_AGENT} (.*)ZmEu(.*)
RewriteRule .* http://www.yourdomain.com/path/to/your/abusefile.php [R=301,L]
</IfModule>

My question is: is there anything I can add like this in the Global.asax file that does the same thing?

Any response is most welcome

Truegilly

+1  A: 

The ZmEu attacks were annoying me too, so I looked into this. It can be done with an HttpModule.

Add the following class to your project:

using System;
using System.Web;
//using log4net;

namespace YourProject
{
    // Transfers any request whose User-Agent header contains "ZmEu" to a static
    // page before it reaches MVC routing.
    public class UserAgentBlockModule : IHttpModule
    {
        //private static readonly ILog logger = LogManager.GetLogger(typeof(UserAgentBlockModule));

        public void Init(HttpApplication context)
        {
            context.BeginRequest += new EventHandler(context_BeginRequest);
        }

        void context_BeginRequest(object sender, EventArgs e)
        {
            HttpApplication application = (HttpApplication)sender;
            HttpRequest request = application.Request;
            // UserAgent is null when the client sends no User-Agent header at all
            // (common for scanners), so guard before calling Contains.
            string userAgent = request.UserAgent;
            if (userAgent != null && userAgent.Contains("ZmEu"))
            {
                //logger.InfoFormat("ZmEu attack detected from IP {0}, aiming for url {1}", request.UserHostAddress, request.Url.ToString());
                HttpContext.Current.Server.Transfer("RickRoll.htm");
            }
        }

        public void Dispose()
        {
            // nothing to dispose
        }
    }
}

and then add the following line to web.config:

<httpModules>
    ...
   <add name="UserAgentBlockFilter" type="YourProject.UserAgentBlockModule, YourProject" />
</httpModules>
<!-- On IIS 7.x in integrated pipeline mode (the default on IIS 7.5) the module must be
     registered under <system.webServer><modules> instead; system.web/httpModules is not read there. -->

... and then add a suitable htm page to your project so there's somewhere to redirect them to.

Note that if you're using log4net you can uncomment the log4net lines in the code to log the occasions when the filter kicks in.

This module has worked for me in testing (when I send the right User-Agent values to it). I haven't tested it on a real server yet. But it should do the trick.

Although, as I said in the comments above, something tells me that returning 404 errors might be a less conspicuous response than letting the hackers know that you're aware of them. Some of them might see something like this as a challenge. But then, I'm not an expert on hacker psychology, so who knows.

codeulike
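As an added example (not code from codeulike's answer or from the ZmEu article linked above), here is the same idea done the way the answer's closing remark suggests: answer the scanner with a bare 404 and end the request, rather than transferring it to a page that tells the scanner it was noticed. It is null-safe for clients that send no User-Agent header, matches case-insensitively, and registers under system.webServer so it loads in the IIS 7.5 integrated pipeline. The class name ScannerBlockModule, the registration name and the pattern list are this example's own choices.

```csharp
// Added example, not part of the original answers. Assumes an ASP.NET
// web application project named YourProject running under IIS 7.x.
using System;
using System.Web;

namespace YourProject
{
    public class ScannerBlockModule : IHttpModule
    {
        // User-Agent fragments to block; add further scanner signatures here.
        private static readonly string[] BlockedAgents = { "ZmEu" };

        public void Init(HttpApplication context)
        {
            context.BeginRequest += OnBeginRequest;
        }

        private static void OnBeginRequest(object sender, EventArgs e)
        {
            var app = (HttpApplication)sender;
            if (!IsBlockedAgent(app.Request.UserAgent))
                return;

            // Plain 404 with an empty body: looks like any other missing page.
            app.Response.Clear();
            app.Response.StatusCode = 404;
            app.Response.SuppressContent = true;
            // Ends the request here, so MVC routing never runs and no
            // HttpException reaches ELMAH for this hit.
            app.CompleteRequest();
        }

        // Kept separate from the pipeline code so it can be tested without an HttpContext.
        public static bool IsBlockedAgent(string userAgent)
        {
            // Request.UserAgent is null when the header is absent; treat that as "not matched".
            if (string.IsNullOrEmpty(userAgent))
                return false;

            foreach (var fragment in BlockedAgents)
            {
                if (userAgent.IndexOf(fragment, StringComparison.OrdinalIgnoreCase) >= 0)
                    return true;
            }
            return false;
        }

        public void Dispose()
        {
            // nothing to dispose
        }
    }
}

/* web.config registration for IIS 7.x integrated pipeline mode (the default
   application pool mode on IIS 7.5), where modules are read from
   system.webServer rather than system.web/httpModules:

<system.webServer>
  <modules>
    <add name="ScannerBlockFilter" type="YourProject.ScannerBlockModule, YourProject" />
  </modules>
</system.webServer>
*/
```

Because the request is completed in BeginRequest, the blocked hits never produce the 404 HttpException that ELMAH would otherwise log, so the log stays clean without any ELMAH-side filtering; if you still want a record of the scans, log from inside OnBeginRequest before CompleteRequest.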
A: 

An alternative answer to my other one ... this one specifically stops Elmah from logging the 404 errors generated by ZmEu, while leaving the rest of your site's behaviour unchanged. This might be a bit less conspicuous than returning messages straight to the hackers.

You can control what sorts of things Elmah logs in various ways; one way is adding this to the Global.asax:

// Fires for every error ELMAH is about to log (needs "using Elmah;" in Global.asax.cs).
void ErrorLog_Filtering(object sender, ExceptionFilterEventArgs e)
{
    if (e.Exception.GetBaseException() is HttpException)
    {
        HttpException httpEx = (HttpException)e.Exception.GetBaseException();
        if (httpEx.GetHttpCode() == 404)
        {
            // UserAgent is null when the header is absent; check before calling Contains.
            string userAgent = Request.UserAgent;
            if (userAgent != null && userAgent.Contains("ZmEu"))
            {
                // stop Elmah from logging it
                e.Dismiss();
                // log it somewhere else (logger is a log4net ILog field declared on the application class)
                logger.InfoFormat("ZmEu request detected from IP {0} at address {1}", Request.UserHostAddress, Request.Url);
            }
        }
    }
}

For this event to fire, you'll need to reference the Elmah DLL from your project, and add a using Elmah; directive to the top of your Global.asax.cs.

The line starting logger.InfoFormat assumes you are using log4net. If not, change it to something else.

codeulike
