Protection against muieblackcat BOT [closed]

Tags: asp.net, iis, bots

This morning I noticed some odd records in our IIS logs coming from:

  • 193.169.40.39 - associated with PHP pages (2012-12-15 05:34:24 EST)

  • 121.14.73.8 - associated with PHP pages (2012-12-15 23:11:42 EST)

  • 167.206.74.237 - associated with wordpress pages (2012-12-16 22:38:37 EST)

  • 178.15.152.69 - associated with wordpress pages (2012-12-17 12:11:00 EST)

This is alarming because we do not host PHP / wordpress pages.

A Google search would lead me to believe that muieblackcat is a web-bot which tries to exploit PHP vulnerabilities.

Am I safe since we do not host a PHP environment? I had thought of blocking the IP, but then again the bot more than likely uses some sort of proxy to do its dirty work.

Are the WordPress PHP file requests more than likely the same bot? Perhaps someone who has run into muieblackcat recognizes the WordPress requests. Please see the IIS records below.

Are there any defense mechanisms / precautions the more experienced could shine some light on, regarding ASP.NET IIS 7 Hosting?

Example:

Odd PHP entries

2012-12-15 05:34:24 /muieblackcat - 193.169.40.39 - 1424 140 224
2012-12-15 05:34:24 /index.php - 193.169.40.39 - 1424 138 5
2012-12-15 05:34:24 /admin/index.php - 193.169.40.39 - 1424 144 5
2012-12-15 05:34:24 /admin/pma/index.php - 193.169.40.39 - 1424 148 3
2012-12-15 05:34:24 /admin/phpmyadmin/index.php - 193.169.40.39 - 1424 155 4 . . .

Odd WP entries

2012-12-16 22:38:37 /wp-login.php - 167.206.74.237 - 1405 219 281
2012-12-16 22:38:37 /blog/wp-login.php - 167.206.74.237 - 1405 224 60
2012-12-16 22:38:37 /wordpress/wp-login.php - 167.206.74.237 - 1405 229 60
2012-12-16 22:38:37 /wp/wp-login.php - 167.206.74.237 - 1405 222 59

clamchoda asked Dec 17 '12 17:12


2 Answers

It looks like the cat is trying to guess where WP and PhpMyAdmin are located; if it gets a response, I guess the next step is checking whether it can exploit the vulnerability.

Basically, it works like port scanning. If you do not have WP and PhpMyAdmin installed, you should be ok.

Usually, these kinds of scanners will scan once; if they do not find anything useful to them, they will leave.

urlreader answered Oct 21 '22 14:10


Yes, you are safe. My server sees things like this all the time, they're harmless if you don't have those applications installed.

egrunin answered Oct 21 '22 16:10