phpMyAdmin/MySQL attack - how to block with CSF/regex?

[BBM]

The IP-changes about every minute.
CSF doesn't do anything about this and it causes an increased load on my server. How can I use a regex rule to block this?


Small snippet from the Apache access log;

153.155.31.225 - - [04/Jul/2017:21:32:15 +0200] "HEAD http://xx.xx.xx.xx:80/PMA2016/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:15 +0200] "HEAD http://xx.xx.xx.xx:80/PMA2017/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:16 +0200] "HEAD http://xx.xx.xx.xx:80/PMA2018/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:17 +0200] "HEAD http://xx.xx.xx.xx:80/pma2011/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:18 +0200] "HEAD http://xx.xx.xx.xx:80/pma2012/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:18 +0200] "HEAD http://xx.xx.xx.xx:80/pma2013/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:19 +0200] "HEAD http://xx.xx.xx.xx:80/pma2014/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:19 +0200] "HEAD http://xx.xx.xx.xx:80/pma2015/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:20 +0200] "HEAD http://xx.xx.xx.xx:80/pma2016/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:21 +0200] "HEAD http://xx.xx.xx.xx:80/pma2017/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:22 +0200] "HEAD http://xx.xx.xx.xx:80/pma2018/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:23 +0200] "HEAD http://xx.xx.xx.xx:80/phpmyadmin2011/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:24 +0200] "HEAD http://xx.xx.xx.xx:80/phpmyadmin2012/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:24 +0200] "HEAD http://xx.xx.xx.xx:80/phpmyadmin2013/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:25 +0200] "HEAD http://xx.xx.xx.xx:80/phpmyadmin2014/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:26 +0200] "HEAD http://xx.xx.xx.xx:80/phpmyadmin2015/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:26 +0200] "HEAD http://xx.xx.xx.xx:80/phpmyadmin2016/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:27 +0200] "HEAD http://xx.xx.xx.xx:80/phpmyadmin2017/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:28 +0200] "HEAD http://xx.xx.xx.xx:80/phpmyadmin2018/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"
153.155.31.225 - - [04/Jul/2017:21:32:28 +0200] "HEAD http://xx.xx.xx.xx:80/phpmanager/ HTTP/1.1" 404 182 "-" "Mozilla/5.0 Jorgee"

 

[Richard G]

Can't imagine this increases load on a server. A 404 is almost no work for a webserver.

Try using mod_evasive on apache or whitelist ip access to directadmin.
These kind of scans (and many others) are just someting which is always happening, you can't block them all forever.
I don't know any regexp for this, you might best ask over at the CSF support forum for one. But really... I wouldn't care about it.

 

[BBM]

True about the increased load.
Turned out it were 2 crawler bots also busy on my server that were hammering away at a domain of mine; Ahref and Toweya bots.
Blocked (most of?) their ip-ranges and the load seems back to normal now.

Been noticing an ever increasing load on my server the last couple of days/weeks but didn't put enough time in it to find out where it came from exactly.
I knew which domain was responsible but couldn't find any traffic that proved this.

 

[Richard G]

Indeed bots can be an issue. I had a couple of them too increasing the load. Asked them to stop hammering via mail. They said they would but didn't so I also blocked their complege range which brought back the peace.

However, sometimes it's only heavy when they do a first index and after that they only index changes which does not take a lot of resources. It's just a question of finding out which bots are oke and which are staying abusive to the system. Which is not allways all that easy.

 

[SeLLeRoNe]

Technically, if those are bots that follow the rules, you can block them using the robots.txt file with this content

User-agent: *
Disallow: /

This will tell them you don't want them to index that site, so if you put it for example in the phpMyAdmin folder it will not be scanned.

Best regards

 

[Wanabo]

It looks like they are scanning for vulnerable files.
I have a custom regex that will block such an attacker after 10 not found files.

/usr/local/csf/bin/regex.custom.pm

## Scanning for files
if (($globlogs{HTACCESS_LOG}{$lgfile}) and
($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[\w*:?error\] \[pid \d+:tid \d+?\] ?\[client (\S+):\d+\] .*: Got error.*Primary script unknown/))
{ return ("Scanning for files triggerd",$1,"ScanningForFiles","10","80,443","1"); }

Sample of mail by CSF including log lines:

Time:     Sat Jul  8 13:38:09 2017 +0200
IP:       xxx.xxx.xxx.xxx (FR/France/APoitiers-xxx.xxx.xxx.abo.wanadoo.fr)
Failures: 10 (ScanningForFiles)
Interval: 3600 seconds
Blocked:  Permanent Block

Log entries:

[Sat Jul 08 13:21:17.994135 2017] [proxy_fcgi:error] [pid 31144:tid 139892470093568] [client xxx.xxx.xxx.xxx:51852] AH01071: Got error 'Primary script unknown\n'
[Sat Jul 08 13:22:14.006709 2017] [proxy_fcgi:error] [pid 31144:tid 139892621162240] [client xxx.xxx.xxx.xxx:51952] AH01071: Got error 'Primary script unknown\n'
[Sat Jul 08 13:26:46.104859 2017] [proxy_fcgi:error] [pid 31144:tid 139892436522752] [client xxx.xxx.xxx.xxx:52644] AH01071: Got error 'Primary script unknown\n'
[Sat Jul 08 13:26:51.783739 2017] [proxy_fcgi:error] [pid 31144:tid 139893032306432] [client xxx.xxx.xxx.xxx:40226] AH01071: Got error 'Primary script unknown\n'
[Sat Jul 08 13:27:45.652355 2017] [proxy_fcgi:error] [pid 31144:tid 139892587591424] [client xxx.xxx.xxx.xxx:52754] AH01071: Got error 'Primary script unknown\n'
[Sat Jul 08 13:33:14.279631 2017] [proxy_fcgi:error] [pid 31144:tid 139892755445504] [client xxx.xxx.xxx.xxx:41726] AH01071: Got error 'Primary script unknown\n'
[Sat Jul 08 13:33:22.001643 2017] [proxy_fcgi:error] [pid 31144:tid 139892595984128] [client xxx.xxx.xxx.xxx:41760] AH01071: Got error 'Primary script unknown\n'
[Sat Jul 08 13:35:26.624854 2017] [proxy_fcgi:error] [pid 31144:tid 139892621162240] [client xxx.xxx.xxx.xxx:49288] AH01071: Got error 'Primary script unknown\n'
[Sat Jul 08 13:37:57.595718 2017] [proxy_fcgi:error] [pid 31144:tid 139892402951936] [client xxx.xxx.xxx.xxx:42342] AH01071: Got error 'Primary script unknown\n'
[Sat Jul 08 13:38:07.074289 2017] [proxy_fcgi:error] [pid 31144:tid 139892822587136] [client xxx.xxx.xxx.xxx:42364] AH01071: Got error 'Primary script unknown\n'

 

[Richard G]

Oh that's a nice regexp, I can use that too, but I will only change the 1 to a temp ban value.
Thank you for sharing!

if (($globlogs{HTACCESS_LOG}{$lgfile}) and

Does we need to create a htaccess log for this or something? Or does it just read the /var/log/httpd/access_log?
Is an additional line in csf.conf needed too for the logs or not?

 

[Wanabo]

Just make sure you HTACCESS_LOG is not disabled in CSF config. I have added my paths for HTACCESS_LOG as well, because by default only the default domain is checked.

 This option will keep track of the number of "File does not exist" errors in
HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
seconds then the IP address will be blocked

Care should be used with this option as it could generate many
false-positives, especially Search Bots (use csf.rignore to ignore such bots)
so only use this option if you know you are under this type of attack

A sensible setting for this would be quite high, perhaps 200

To disable set to "0"
LF_APACHE_404 = 100

HTACCESS_LOG = /var/log/httpd/error_log /var/log/nginx/error_log /var/log/httpd/domains/*.error.log /var/log/nginx/domains/*.error.log

 

[BBM]

Thanks for the regex. Just put it in and modified the htaccess_log with the domain error logs.

 

[Richard G]

Ah thank you. It seemd for some reason I did disable the htaccess log. So I enabled it again.
Let's see if it works.

 

[Wanabo]

Curious if it works for you.

 

[Richard G]

I'm curious too but I don't have any "Primary script unknown" notices in my logs yet and no "scanning" in lfd.log either.
There was somebody who tried to use some XSS flaw or something in the mainlog. But the regexp is not looking at that.

 

[Wanabo]

Did you checked all error logs for "Primary script unknown"?

Try to load a non existing .php file with your browser on a website on your server and search for the error in the logs.

 

[Richard G]

I can have a try but I've seen that the ylmf-pc blocks in the regexp wered not working either so I won't get my hopes up.
Just searched all error logs and no log containing the text "Primary script".

If I try to load a non existing .php file with my browser, it gives this error:

traalala.php' not found or unable to stat

which seems to me the correct error.