当前位置: 文江博客话题详情

使用 ASP.NET MVC 阻止 ZmEu 攻击

发布于 2024-09-26 00:15:19 字数 1006 浏览 7 评论 0原文

最近,我的 elmah 异常日志充满了人们对我的服务器使用 dam ZmEu 安全软件的尝试,

那些人想“ZmEu 到底是什么?”这是一个解释...

“ZmEu 似乎是一个安全工具,用于发现 PHPMyAdmin 2.xx 版本中的安全漏洞,PHPMyAdmin 是一个基于 Web 的 MySQL 数据库管理器。该工具似乎起源于东欧的某个地方。就像所有黑帽安全工具所发生的情况一样,它进入了中国,从那时起它就被用来对世界各地的网络服务器进行不间断的暴力攻击。”

这是关于这种恼人的攻击的一个很好的链接 -> http://www.philriesch.com/ Articles/2010/07/getting-a-little-sick-of-zmeu/

我使用 .net,所以他们不会在我的服务器上找到 PHPMyAdmin,但事实上我的日志充满了 ZmEu 攻击,这变得令人厌烦。

上面的链接提供了使用 HTAccess 的一个很好的修复,但我使用的是 IIS7.5,而不是 apache。 我有一个 asp.net MVC 2 站点,所以我使用 global.asax 文件来创建我的路由

这是 HTAccess seugestion

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/path/to/your/abusefile.php
RewriteCond %{HTTP_USER_AGENT} (.*)ZmEu(.*)
RewriteRule .* http://www.yourdomain.com/path/to/your/abusefile.php [R=301,L]
</IfModule>

我的问题是我可以在 Global.ascx 文件中添加类似的内容来执行相同的操作吗?

原文

recently my elmah exception logs are full of attempts from people using thus dam ZmEu security software against my server

for those thinking “what the hell is ZmEu?” here is an explanation...

“ZmEu appears to be a security tool used for discovering security holes in in version 2.x.x of PHPMyAdmin, a web based MySQL database manager. The tool appears to have originated from somewhere in Eastern Europe. Like what seems to happen to all black hat security tools, it made its way to China, where it has been used ever since for non stop brute force attacks against web servers all over the world.”

Heres a great link about this annoying attack -> http://www.philriesch.com/articles/2010/07/getting-a-little-sick-of-zmeu/

Im using .net so they aint gonna find PHPMyAdmin on my server but the fact that my logs are full ofZmEu attacks its becoming tiresome.

The link above provide a great fix using HTAccess, but im using IIS7.5, not apache.
I have a asp.net MVC 2 site, so im using the global.asax file to create my routes

Here is the HTAccess seugestion

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/path/to/your/abusefile.php
RewriteCond %{HTTP_USER_AGENT} (.*)ZmEu(.*)
RewriteRule .* http://www.yourdomain.com/path/to/your/abusefile.php [R=301,L]
</IfModule>

My question is there anything i can add like this in the Global.ascx file that does the same thing ?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(7

夜访吸血鬼 2024-10-03 00:15:19

我的另一个的替代答案...这个专门阻止 Elmah 记录 ZmEu 生成的 404 错误,同时保持网站的其余行为不变。这可能比直接向黑客返回消息稍微不那么明显。

您可以通过多种方式控制 Elmah 记录哪些内容,其中一种方法是将其添加到 Global.asax

void ErrorLog_Filtering(object sender, ExceptionFilterEventArgs e)
{
    if (e.Exception.GetBaseException() is HttpException)
    {
        HttpException httpEx = (HttpException)e.Exception.GetBaseException();
        if (httpEx.GetHttpCode() == 404)
        {
            if (Request.UserAgent.Contains("ZmEu"))
            {
                // stop Elmah from logging it
                e.Dismiss();
                // log it somewhere else
                logger.InfoFormat("ZmEu request detected from IP {0} at address {1}", Request.UserHostAddress, Request.Url);
            }           
        }
    }
}

要触发此事件,您需要从项目中引用 Elmah DLL,并将 using Elmah; 添加到 Global.asax.cs 的顶部。

logger.InfoFormat 开头的行假定您正在使用 log4net。如果不是,请将其更改为其他内容。

An alternative answer to my other one ... this one specifically stops Elmah from logging the 404 errors generated by ZmEu, while leaving the rest of your sites behaviour unchanged. This might be a bit less conspicuous than returning messages straight to the hackers.

You can control what sorts of things Elmah logs in various ways, one way is adding this to the Global.asax

void ErrorLog_Filtering(object sender, ExceptionFilterEventArgs e)
{
    if (e.Exception.GetBaseException() is HttpException)
    {
        HttpException httpEx = (HttpException)e.Exception.GetBaseException();
        if (httpEx.GetHttpCode() == 404)
        {
            if (Request.UserAgent.Contains("ZmEu"))
            {
                // stop Elmah from logging it
                e.Dismiss();
                // log it somewhere else
                logger.InfoFormat("ZmEu request detected from IP {0} at address {1}", Request.UserHostAddress, Request.Url);
            }           
        }
    }
}

For this event to fire, you'll need to reference the Elmah DLL from your project, and add a using Elmah; to the top of your Global.asax.cs.

The line starting logger.InfoFormat assumes you are using log4net. If not, change it to something else.

回复 原文
梨涡少年 2024-10-03 00:15:19

ZmEu 攻击也让我很烦恼,所以我对此进行了调查。可以使用 HttpModule 来完成。

将以下类添加到您的项目中:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Security.Principal;
//using log4net;

namespace YourProject
{
    public class UserAgentBlockModule : IHttpModule
    {

        //private static readonly ILog logger = LogManager.GetLogger(typeof(UserAgentBlockModule));

        public void Init(HttpApplication context)
        {
            context.BeginRequest += new EventHandler(context_BeginRequest);
        }

        void context_BeginRequest(object sender, EventArgs e)
        {
            HttpApplication application = (HttpApplication)sender;
            HttpRequest request = application.Request;
            if (request.UserAgent.Contains("ZmEu"))
            {
                //logger.InfoFormat("ZmEu attack detected from IP {0}, aiming for url {1}", request.UserHostAddress, request.Url.ToString());
                HttpContext.Current.Server.Transfer("RickRoll.htm");
            }

        }

        public void Dispose()
        {
            // nothing to dispose

        }

    }
}

然后将以下行添加到 web.config

<httpModules>
    ...
   <add name="UserAgentBlockFilter" type="YourProject.UserAgentBlockModule, YourProject" />
</httpModules>

...然后将合适的 htm 页面添加到您的项目中,以便将它们重定向到某个地方。

请注意,如果您使用 log4net,您可以在代码中的 log4net 行中进行注释,以记录过滤器启动的情况。

该模块在测试中对我有用(当我向其发送正确的 userAgent 值时)。我还没有在真实的服务器上测试过。但它应该能解决问题。

尽管如此,正如我在上面的评论中所说,有些事情告诉我,返回 404 错误可能比让黑客知道你知道它们是一个不那么明显的响应。他们中的一些人可能会认为这样的事情是一个挑战。但是,我不是黑客心理学专家,所以谁知道呢。

The ZmEu attacks were annoying me too, so I looked into this. It can be done with an HttpModule.

Add the following class to your project:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Security.Principal;
//using log4net;

namespace YourProject
{
    public class UserAgentBlockModule : IHttpModule
    {

        //private static readonly ILog logger = LogManager.GetLogger(typeof(UserAgentBlockModule));

        public void Init(HttpApplication context)
        {
            context.BeginRequest += new EventHandler(context_BeginRequest);
        }

        void context_BeginRequest(object sender, EventArgs e)
        {
            HttpApplication application = (HttpApplication)sender;
            HttpRequest request = application.Request;
            if (request.UserAgent.Contains("ZmEu"))
            {
                //logger.InfoFormat("ZmEu attack detected from IP {0}, aiming for url {1}", request.UserHostAddress, request.Url.ToString());
                HttpContext.Current.Server.Transfer("RickRoll.htm");
            }

        }

        public void Dispose()
        {
            // nothing to dispose

        }

    }
}

and then add the following line to web.config

<httpModules>
    ...
   <add name="UserAgentBlockFilter" type="YourProject.UserAgentBlockModule, YourProject" />
</httpModules>

... and then add a suitable htm page to your project so there's somewhere to redirect them to.

Note that if you're using log4net you can comment in the log4net lines in the code to log the occasions when the filter kicks in.

This module has worked for me in testing (when I send the right userAgent values to it). I haven't tested it on a real server yet. But it should do the trick.

Although, as I said in the comments above, something tells me that returning 404 errors might be a less conspicuous response than letting the hackers know that you're aware of them. Some of them might see something like this as a challenge. But then, I'm not an expert on hacker psychology, so who knows.

回复 原文
小…楫夜泊 2024-10-03 00:15:19

每当我收到 ZmEu 或 phpMyAdmin 或忘记密码时,我会将查询重定向到:

<meta http-equiv='refresh' content='0;url=http://www.ripe.net$uri' />

[或 apnic 或 arin]。我希望ripe.net 的管理员不喜欢被黑客攻击。

Whenever I get a ZmEu or phpMyAdmin or forgotten_password I redirect the query to:

<meta http-equiv='refresh' content='0;url=http://www.ripe.net$uri' />

[or apnic or arin]. I'm hoping the admins at ripe.net don't like getting hacked.

回复 原文
我很坚强 2024-10-03 00:15:19

在 IIS 6.0 上,您也可以尝试此操作...

在 IIS 中将您的网站设置为使用主机标头。然后在 IIS 中创建一个网站,使用相同的 IP 地址,但没有主机标头定义。 (我将我的站点标记为“流氓站点”,因为一些流氓曾经为其域设置了 DNS,以解析到我受欢迎的政府站点。(我不确定为什么)无论如何,在多个站点上使用主机标头是一个很好的做法。针对不包含主机标头的情况定义的站点是捕获 HTTP 请求中没有您的域名的访问者的一种方法。

在没有主机标头的站点上,创建一个返回响应标头状态的主页。 “HTTP 410 Gone”。或者您可以将它们重定向到其他地方。

任何尝试通过 IP 地址而不是域名访问您的服务器的机器人都会解析此站点并收到错误“410 Gone”

。并修改 URLscan.ini 文件以排除用户代理字符串“ZmEu”。

On IIS 6.0 you can also try this...

Set your website in IIS to use host headers. Then create a web site in IIS, using the same IP address, but with no host header definition. (I labeled mine "Rogue Site" because some rogue oonce deliverately set his DNS for his domain to resolve to my popular government site. (I'm not sure why) Anyway, using host headers on multiple sites is a good practice. And having a site defined for the case when no host header is included is a way to catch visitors who don't have your domain name in the HTTP request.

On the site with no host header, create a home page that returns a response header status of "HTTP 410 Gone". Or you can redirect them elsewhere.

Any bots that try to visit your server by the IP address rather than the domain name will resolve the this site and get the error "410 Gone".

I also use Microsoft's URLscan, and modified the URLscan.ini file to exclude the user angent string, "ZmEu".

回复 原文
云之铃。 2024-10-03 00:15:19

如果您使用的是 IIS 7.X,则可以使用请求过滤来阻止请求

扫描标头:User-agent

拒绝字符串:ZmEu

要尝试它是否有效,请使用以下命令启动 Chrome:参数 --User-Agent "ZmEu"

这样,asp.net 就不会被调用,并且可以节省一些 CPU/内存。

If you are using IIS 7.X you could use Request Filtering to block the requests

Scan Headers: User-agent

Deny Strings: ZmEu

To try if it works start Chrome with the parameter --User-Agent "ZmEu"

This way asp.net is never invoked and its saves you some CPU/Memory..

回复 原文
比忠 2024-10-03 00:15:19

我在 Microsoft URL 重写模块中添加了此模式:

在此处输入图像描述

在此处输入图像描述

在此处输入图像描述

^$|EasouSpider|Add Catalog|PaperLiBot|Spiceworks|ZumBot|RU_Bot|Wget|Java/1.7.0_25|Slurp|FunWebProducts|80legs|Aboundex|AcoiRobot|Acoon Robot|AhrefsBot|aihit|AlkalineBOT|AnzwersCrawl|Arachnoidea|ArchitextSpider|archive|Autonomy Spider|Baiduspider|BecomeBot|benderthewebrobot|BlackWidow|Bork-edition|Bot mailto:[email protected]|botje|catchbot|changedetection|Charlotte|ChinaClaw|commoncrawl|ConveraCrawler|Covario|crawler|curl|Custo|data mining development project|DigExt|DISCo|discobot|discoveryengine|DOC|DoCoMo|DotBot|Download Demon|Download Ninja|eCatch|EirGrabber|EmailSiphon|EmailWolf|eurobot|Exabot|Express WebPictures|ExtractorPro|EyeNetIE|Ezooms|Fetch|Fetch API|filterdb|findfiles|findlinks|FlashGet|flightdeckreports|FollowSite Bot|Gaisbot|genieBot|GetRight|GetWeb!|gigablast|Gigabot|Go-Ahead-Got-It|Go!Zilla|GrabNet|Grafula|GT::WWW|hailoo|heritrix|HMView|houxou|HTTP::Lite|HTTrack|ia_archiver|IBM EVV|id-search|IDBot|Image Stripper|Image Sucker|Indy Library|InterGET|Internet Ninja|internetmemory|ISC Systems iRc Search 2.1|JetCar|JOC Web Spider|k2spider|larbin|larbin|LeechFTP|libghttp|libwww|libwww-perl|linko|LinkWalker|lwp-trivial|Mass Downloader|metadatalabs|MFC_Tear_Sample|Microsoft URL Control|MIDown tool|Missigua|Missigua Locator|Mister PiX|MJ12bot|MOREnet|MSIECrawler|msnbot|naver|Navroad|NearSite|Net Vampire|NetAnts|NetSpider|NetZIP|NextGenSearchBot|NPBot|Nutch|Octopus|Offline Explorer|Offline Navigator|omni-explorer|PageGrabber|panscient|panscient.com|Papa Foto|pavuk|pcBrowser|PECL::HTTP|PHP/|PHPCrawl|picsearch|pipl|pmoz|PredictYourBabySearchToolbar|RealDownload|Referrer Karma|ReGet|reverseget|rogerbot|ScoutJet|SearchBot|seexie|seoprofiler|Servage Robot|SeznamBot|shopwiki|sindice|sistrix|SiteSnagger|SiteSnagger|smart.apnoti.com|SmartDownload|Snoopy|Sosospider|spbot|suggybot|SuperBot|SuperHTTP|SuperPagesUrlVerifyBot|Surfbot|SurveyBot|SurveyBot|swebot|Synapse|Tagoobot|tAkeOut|Teleport|Teleport Pro|TeleportPro|TweetmemeBot|TwengaBot|twiceler|UbiCrawler|uptimerobot|URI::Fetch|urllib|User-Agent|VoidEYE|VoilaBot|WBSearchBot|Web Image Collector|Web Sucker|WebAuto|WebCopier|WebCopier|WebFetch|WebGo IS|WebLeacher|WebReaper|WebSauger|Website eXtractor|Website Quester|WebStripper|WebStripper|WebWhacker|WebZIP|WebZIP|Wells Search II|WEP Search|Widow|winHTTP|WWWOFFLE|Xaldon WebSpider|Xenu|yacybot|yandex|YandexBot|YandexImages|yBot|YesupBot|YodaoBot|yolinkBot|youdao|Zao|Zealbot|Zeus|ZyBORG|Zmeu

最上面列出的“^$”是空字符串的正则表达式。我不允许机器人访问页面,除非它们与用户代理进行识别,我发现大多数情况下,在没有用户代理的情况下,唯一影响我的这些应用程序的就是安全工具变得流氓。

我会建议您在阻止机器人时要非常具体。简单地使用像“fire”这样的通用词可能会对“firefox”产生积极的影响。您也可以调整正则表达式来解决这个问题,但我发现更具体更简单,而且还有一个额外的好处,那就是为下一个人提供更多信息触摸该设置。

此外,您会看到我有一个针对 Java/1.7.0_25 的规则,在这种情况下,它恰好是一个使用此版本的 java 的机器人来攻击我的服务器。请务必小心阻止像这样的特定于语言的用户代理,某些语言(例如 ColdFusion)在 JVM 上运行,并使用语言用户代理和对本地主机的 Web 请求来组装 PDF 等内容。 Jruby、Groovy 或 Scala 可能会做类似的事情,但我还没有测试过它们。

I added this pattern in Microsoft URL Rewrite Module:

enter image description here

enter image description here

enter image description here

^$|EasouSpider|Add Catalog|PaperLiBot|Spiceworks|ZumBot|RU_Bot|Wget|Java/1.7.0_25|Slurp|FunWebProducts|80legs|Aboundex|AcoiRobot|Acoon Robot|AhrefsBot|aihit|AlkalineBOT|AnzwersCrawl|Arachnoidea|ArchitextSpider|archive|Autonomy Spider|Baiduspider|BecomeBot|benderthewebrobot|BlackWidow|Bork-edition|Bot mailto:[email protected]|botje|catchbot|changedetection|Charlotte|ChinaClaw|commoncrawl|ConveraCrawler|Covario|crawler|curl|Custo|data mining development project|DigExt|DISCo|discobot|discoveryengine|DOC|DoCoMo|DotBot|Download Demon|Download Ninja|eCatch|EirGrabber|EmailSiphon|EmailWolf|eurobot|Exabot|Express WebPictures|ExtractorPro|EyeNetIE|Ezooms|Fetch|Fetch API|filterdb|findfiles|findlinks|FlashGet|flightdeckreports|FollowSite Bot|Gaisbot|genieBot|GetRight|GetWeb!|gigablast|Gigabot|Go-Ahead-Got-It|Go!Zilla|GrabNet|Grafula|GT::WWW|hailoo|heritrix|HMView|houxou|HTTP::Lite|HTTrack|ia_archiver|IBM EVV|id-search|IDBot|Image Stripper|Image Sucker|Indy Library|InterGET|Internet Ninja|internetmemory|ISC Systems iRc Search 2.1|JetCar|JOC Web Spider|k2spider|larbin|larbin|LeechFTP|libghttp|libwww|libwww-perl|linko|LinkWalker|lwp-trivial|Mass Downloader|metadatalabs|MFC_Tear_Sample|Microsoft URL Control|MIDown tool|Missigua|Missigua Locator|Mister PiX|MJ12bot|MOREnet|MSIECrawler|msnbot|naver|Navroad|NearSite|Net Vampire|NetAnts|NetSpider|NetZIP|NextGenSearchBot|NPBot|Nutch|Octopus|Offline Explorer|Offline Navigator|omni-explorer|PageGrabber|panscient|panscient.com|Papa Foto|pavuk|pcBrowser|PECL::HTTP|PHP/|PHPCrawl|picsearch|pipl|pmoz|PredictYourBabySearchToolbar|RealDownload|Referrer Karma|ReGet|reverseget|rogerbot|ScoutJet|SearchBot|seexie|seoprofiler|Servage Robot|SeznamBot|shopwiki|sindice|sistrix|SiteSnagger|SiteSnagger|smart.apnoti.com|SmartDownload|Snoopy|Sosospider|spbot|suggybot|SuperBot|SuperHTTP|SuperPagesUrlVerifyBot|Surfbot|SurveyBot|SurveyBot|swebot|Synapse|Tagoobot|tAkeOut|Teleport|Teleport Pro|TeleportPro|TweetmemeBot|TwengaBot|twiceler|UbiCrawler|uptimerobot|URI::Fetch|urllib|User-Agent|VoidEYE|VoilaBot|WBSearchBot|Web Image Collector|Web Sucker|WebAuto|WebCopier|WebCopier|WebFetch|WebGo IS|WebLeacher|WebReaper|WebSauger|Website eXtractor|Website Quester|WebStripper|WebStripper|WebWhacker|WebZIP|WebZIP|Wells Search II|WEP Search|Widow|winHTTP|WWWOFFLE|Xaldon WebSpider|Xenu|yacybot|yandex|YandexBot|YandexImages|yBot|YesupBot|YodaoBot|yolinkBot|youdao|Zao|Zealbot|Zeus|ZyBORG|Zmeu

The top listed one, “^$” is the regex for an empty string. I do not allow bots to access the pages unless they identify with a user-agent, I found most often the only things hitting my these applications with out a user agent were security tools gone rogue.

I will advise you when blocking bots be very specific. Simply using a generic word like “fire” could pop positive for “firefox” You can also adjust the regex to fix that issue but I found it much simpler to be more specific and that has the added benefit of being more informative to the next person to touch that setting.

Additionally, you will see I have a rule for Java/1.7.0_25 in this case it happened to be a bot using this version of java to slam my servers. Do be careful blocking language specific user agents like this, some languages such as ColdFusion run on the JVM and use the language user agent and web requests to localhost to assemble things like PDFs. Jruby, Groovy, or Scala, may do similar things, however I have not tested them.

回复 原文
绝不放开 2024-10-03 00:15:19

正确设置您的服务器,不用担心攻击者:)
他们所做的只是尝试一些基本的可能性,看看您是否忽略了一个明显的陷阱。
过滤掉这位足够好心为您签署其工作的黑客是没有意义的。
如果您仔细查看日志文件,您会发现有很多机器人一直在这样做。

Setup your server up properly and dont worry about the attackers :)
All they do is try some basic possibilities to see if youve overlooked an obvious pitfall.
No point filtering out this one hacker who is nice enough to sign his work for you.
If you have a closer look at your log files you see there are so many bots doing this all the time.

回复 原文
~没有更多了~

关于作者

子栖

暂无简介

文章
评论
25 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

佚名

文章 0 评论 0

羁客

文章 0 评论 0

天天爱笑的徐老师

文章 0 评论 0

文章 0 评论 0

夏日落

文章 0 评论 0

隐诗

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文