Standard Operating Procedure

Considering it’s still Summer time I woke up without much to do. So I decided to check on the ole website. I’ve been trying to get better at using Linux command line interfaces and understanding sysadmin roles better so I decided to go poking around in our servers.

After running $ apt-get update and $ apt upgrade, I decided to go through /var/log/apache2/access.log in case there was anything interesting there.

Well, there was. A single IP address, 179.86.208.206, was making thousands of GET requests to /phpmyadmin/index.php?

 (╯°□°)╯︵ ┻━┻

First I ran $ rkhunter.

No flags.

Phew.

After I calmed down it was time to investigate.

Recon

A simple $ whois 179.86.208.206 revealed that the requests were coming from Brazil.

Before using iptables to block the offending IP by dropping all packets from that source, I thought I’d take a closer look at the logs to see if there was anything else I had missed. I realized that multiple IPs were making these huge numbers of requests.

Upon closer inspection I realized that they were all coming from the same user agent, "Mozilla/5.0 Jorgee".

Response

Now, even though I know user agents can be spoofed fairly easily, I decided this would be the quickest way to mitigate the issue. So I added a rule to iptables with:
sudo iptables -A INPUT -m string --algo bm --string "User-Agent: Mozilla/5.0 Jorgee" -j DROP

Checked the access logs, and GET requests from this user agent were no longer showing up.

Nice.

So after a quick Google search I found that this is a known web vulnerability scanner looking for weak passwords as low-hanging fruit.

Going back through the logs and looking at the password field, it looks like a pretty basic dictionary attack:
179.86.208.206 - - [12/Aug/2017:15:44:51 +0000] "GET /phpmyadmin/index.php?pma_username=root&pma_password=dbadmin HTTP/1.1" 302 1122 "-" "Mozilla/5.0 Jorgee"
179.86.208.206 - - [12/Aug/2017:15:42:03 +0000] "GET /phpmyadmin/index.php?pma_username=root&pma_password=wordpress HTTP/1.1" 302 1120 "-" "Mozilla/5.0 Jorgee"
179.86.208.206 - - [12/Aug/2017:15:42:27 +0000] "GET /phpmyadmin/index.php?pma_username=administrador&pma_password=administrador HTTP/1.1" 302 1116 "-" "Mozilla/5.0 Jorgee"
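The log triage above (find the IP and user agent behind the flood, then pull the username/password pairs it tried) can be scripted. The following is an added example, not part of the original post: a small POSIX shell script that runs awk/sort/uniq over an Apache combined-format access log. The log lines it embeds are constructed to resemble the ones in the post (the 203.0.113.7 and 198.51.100.24 addresses and the root/root attempt are made up for the example; 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges). Function names are my own. The parser does not URL-decode the query string, so an encoded password would show up encoded.

```shell
#!/bin/sh
# Added example (not from the original post): triage an Apache access log the
# way the post describes. Sample log written to a temp file; constructed data.

LOG="$(mktemp)"
cat > "$LOG" <<'EOF'
179.86.208.206 - - [12/Aug/2017:15:42:03 +0000] "GET /phpmyadmin/index.php?pma_username=root&pma_password=wordpress HTTP/1.1" 302 1120 "-" "Mozilla/5.0 Jorgee"
179.86.208.206 - - [12/Aug/2017:15:42:27 +0000] "GET /phpmyadmin/index.php?pma_username=administrador&pma_password=administrador HTTP/1.1" 302 1116 "-" "Mozilla/5.0 Jorgee"
179.86.208.206 - - [12/Aug/2017:15:44:51 +0000] "GET /phpmyadmin/index.php?pma_username=root&pma_password=dbadmin HTTP/1.1" 302 1122 "-" "Mozilla/5.0 Jorgee"
203.0.113.7 - - [12/Aug/2017:15:45:10 +0000] "GET /phpmyadmin/index.php?pma_username=root&pma_password=root HTTP/1.1" 302 1118 "-" "Mozilla/5.0 Jorgee"
198.51.100.24 - - [12/Aug/2017:16:01:00 +0000] "GET /index.html HTTP/1.1" 200 4821 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/54.0"
EOF

# Requests per client IP, busiest first. Output lines: "<count> <ip>".
requests_per_ip() {
  awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Requests per User-Agent (the last double-quoted field), busiest first.
# Output lines: "<count> <user-agent>".
requests_per_ua() {
  awk -F'"' '{ print $6 }' "$1" | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# IPs that made more than THRESHOLD requests: the "thousands of GETs" signal.
# usage: noisy_ips LOG THRESHOLD
noisy_ips() {
  requests_per_ip "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# Credentials tried against phpMyAdmin, one per line: "<ip> <user> <password>".
# Splits the request line on ? and & and reads the pma_username / pma_password
# query parameters (13 characters of "name=" prefix each). No URL decoding.
pma_attempts() {
  awk -F'"' '
    { split($1, a, " "); req = $2 }
    req ~ /pma_username=/ {
      sub(/^[A-Z]+ /, "", req)            # drop the method
      sub(/ HTTP\/[0-9.]+$/, "", req)     # drop the protocol version
      n = split(req, kv, "[?&]"); u = ""; p = ""
      for (i = 2; i <= n; i++) {
        if (kv[i] ~ /^pma_username=/) u = substr(kv[i], 14)
        if (kv[i] ~ /^pma_password=/) p = substr(kv[i], 14)
      }
      print a[1], u, p
    }' "$1"
}

# Number of log lines carrying exactly this User-Agent string. Run it before
# and after adding a block rule to confirm the traffic actually stopped.
# usage: ua_hits LOG "User-Agent string"
ua_hits() {
  grep -c -F "\"$2\"" "$1" || true
}

echo "== requests per IP ==";          requests_per_ip "$LOG"
echo "== requests per User-Agent ==";  requests_per_ua "$LOG"
echo "== IPs over 2 requests ==";      noisy_ips "$LOG" 2
echo "== phpMyAdmin login attempts =="; pma_attempts "$LOG"
echo "== Jorgee hits ==";              ua_hits "$LOG" "Mozilla/5.0 Jorgee"
```

Point LOG at the real file (LOG=/var/log/apache2/access.log) to run it against a live server; the awk patterns assume the default combined log format. The ua_hits count is the same check the post does by hand after adding the iptables rule, and it matters because an iptables string match only inspects plaintext: it cannot see a User-Agent header inside an HTTPS connection, so the access log, not the firewall counters, is what tells you whether the rule is actually catching the traffic.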

Takeaways

The key takeaways here are, first, to be vigilant and skim your access logs every so often to look for suspicious activity.
Second, thanks to password managers like LastPass, we will not fall prey to these kinds of attacks.

If you have any additional security recommendations for iptables policies please let me know! Thanks for reading ^^

-Jon