stopping ZmEu attacks with ASP.NET MVC

Question

recently my elmah exception logs are full of attempts from people using thus dam ZmEu security software against my server

for those thinking “what the hell is ZmEu?” here is an explanation...

“ZmEu appears to be a security tool used for discovering security holes in in version 2.x.x of PHPMyAdmin, a web based MySQL database manager. The tool appears to have originated from somewhere in Eastern Europe. Like what seems to happen to all black hat security tools, it made its way to China, where it has been used ever since for non stop brute force attacks against web servers all over the world.”

Heres a great link about this annoying attack -> http://www.philriesch.com/articles/2010/07/getting-a-little-sick-of-zmeu/

Im using .net so they aint gonna find PHPMyAdmin on my server but the fact that my logs are full ofZmEu attacks its becoming tiresome.

The link above provide a great fix using HTAccess, but im using IIS7.5, not apache. I have a asp.net MVC 2 site, so im using the global.asax file to create my routes

Here is the HTAccess seugestion

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/path/to/your/abusefile.php
RewriteCond %{HTTP_USER_AGENT} (.*)ZmEu(.*)
RewriteRule .* http://www.yourdomain.com/path/to/your/abusefile.php [R=301,L]
</IfModule>

My question is there anything i can add like this in the Global.ascx file that does the same thing ?

Answer 1

Whenever I get a ZmEu or phpMyAdmin or forgotten_password I redirect the query to:

<meta http-equiv='refresh' content='0;url=http://www.ripe.net$uri' />

[or apnic or arin]. I'm hoping the admins at ripe.net don't like getting hacked.

Answer 2

The ZmEu attacks were annoying me too, so I looked into this. It can be done with an HttpModule.

Add the following class to your project:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Security.Principal;
//using log4net;

namespace YourProject
{
    public class UserAgentBlockModule : IHttpModule
    {

        //private static readonly ILog logger = LogManager.GetLogger(typeof(UserAgentBlockModule));

        public void Init(HttpApplication context)
        {
            context.BeginRequest += new EventHandler(context_BeginRequest);
        }

        void context_BeginRequest(object sender, EventArgs e)
        {
            HttpApplication application = (HttpApplication)sender;
            HttpRequest request = application.Request;
            if (request.UserAgent.Contains("ZmEu"))
            {
                //logger.InfoFormat("ZmEu attack detected from IP {0}, aiming for url {1}", request.UserHostAddress, request.Url.ToString());
                HttpContext.Current.Server.Transfer("RickRoll.htm");
            }

        }

        public void Dispose()
        {
            // nothing to dispose

        }

    }
}

and then add the following line to web.config

<httpModules>
    ...
   <add name="UserAgentBlockFilter" type="YourProject.UserAgentBlockModule, YourProject" />
</httpModules>

... and then add a suitable htm page to your project so there's somewhere to redirect them to.

Note that if you're using log4net you can comment in the log4net lines in the code to log the occasions when the filter kicks in.

This module has worked for me in testing (when I send the right userAgent values to it). I haven't tested it on a real server yet. But it should do the trick.

Although, as I said in the comments above, something tells me that returning 404 errors might be a less conspicuous response than letting the hackers know that you're aware of them. Some of them might see something like this as a challenge. But then, I'm not an expert on hacker psychology, so who knows.