Journal of Computer Security and Usability

July 30, 2010

Getting A Little Sick of ZmEu

It seems like every HTTP server I administer has had its error logs chock full of HTTP 404 errors in recent days. And where exactly are all these errors coming from? Apparently, they're coming from script kiddies looking to take over SQL databases for the lulz.

What Is ZmEu?

From my research, ZmEu appears to be a security tool used for discovering security holes in version 2.x.x of phpMyAdmin, a web-based MySQL database manager. The tool appears to have originated somewhere in Eastern Europe. Like seemingly every black hat security tool, it made its way to China, where it has been used ever since for non-stop brute-force attacks against web servers all over the world.

But I Don’t Run phpMyAdmin in a Production Environment Anyway.

Frankly, anyone who runs that silly software anywhere other than a test environment under heavy access restrictions should probably find another profession. However, the constant 404s the tool generates in your error logs can get a bit annoying, and could potentially even result in a DDoS of your web server if you do not have the budget for the fanciest hardware.

How Do I Know If I’m Being Attacked By This ZmEu Thing?

Check your access log files. You should begin to see entries that look a little like this:

212.175.84.210 - - [29/Jul/2010:10:05:43 -0400] "GET /phpMyAdmin-2.2.3/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
212.175.84.210 - - [29/Jul/2010:10:05:43 -0400] "GET /phpMyAdmin-2.2.6/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
212.175.84.210 - - [29/Jul/2010:10:05:43 -0400] "GET /phpMyAdmin-2.5.1/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
212.175.84.210 - - [29/Jul/2010:10:05:44 -0400] "GET /phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
212.175.84.210 - - [29/Jul/2010:10:05:44 -0400] "GET /phpMyAdmin-2.5.5-rc1/scripts/setup.php HTTP/1.1" 404 315 "-" "ZmEu"
212.175.84.210 - - [29/Jul/2010:10:05:44 -0400] "GET /phpMyAdmin-2.5.5-rc2/scripts/setup.php HTTP/1.1" 404 315 "-" "ZmEu"
212.175.84.210 - - [29/Jul/2010:10:05:45 -0400] "GET /phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"
212.175.84.210 - - [29/Jul/2010:10:05:45 -0400] "GET /phpMyAdmin-2.5.5-pl1/scripts/setup.php HTTP/1.1" 404 315 "-" "ZmEu"

This is the tool trying its hardest to find any phpMyAdmin installs on your web server. If it finds one, it will more than likely attempt to exploit whatever security hole is known for that version of phpMyAdmin, in case the system administrator has not properly dealt with it.
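The following is an added example (not code from the original article) showing how to spot this pattern in an Apache combined-format access log automatically. It parses each entry, flags the "ZmEu" User-Agent and the /phpMyAdmin-<version>/scripts/setup.php path shape the scanner walks, and also counts 404s per client IP, since a burst of 404s from one address is the other tell. The first eight sample lines are the entries quoted above; the remaining lines, the IP addresses in them, and the burst threshold of 5 are constructed for the example.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the layout of the access-log entries above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The path shape ZmEu probes: /phpMyAdmin-<version>/scripts/setup.php
PMA_SETUP_RE = re.compile(r'^/phpmyadmin-[^/]+/scripts/setup\.php$', re.IGNORECASE)

# Constructed sample log: the first eight lines are the entries quoted in the
# article; the last three (a benign visit, a probe without the ZmEu UA, and a
# line that is not in combined format) are made up for this example.
SAMPLE_LOG = [
    '212.175.84.210 - - [29/Jul/2010:10:05:43 -0400] "GET /phpMyAdmin-2.2.3/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"',
    '212.175.84.210 - - [29/Jul/2010:10:05:43 -0400] "GET /phpMyAdmin-2.2.6/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"',
    '212.175.84.210 - - [29/Jul/2010:10:05:43 -0400] "GET /phpMyAdmin-2.5.1/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"',
    '212.175.84.210 - - [29/Jul/2010:10:05:44 -0400] "GET /phpMyAdmin-2.5.4/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"',
    '212.175.84.210 - - [29/Jul/2010:10:05:44 -0400] "GET /phpMyAdmin-2.5.5-rc1/scripts/setup.php HTTP/1.1" 404 315 "-" "ZmEu"',
    '212.175.84.210 - - [29/Jul/2010:10:05:44 -0400] "GET /phpMyAdmin-2.5.5-rc2/scripts/setup.php HTTP/1.1" 404 315 "-" "ZmEu"',
    '212.175.84.210 - - [29/Jul/2010:10:05:45 -0400] "GET /phpMyAdmin-2.5.5/scripts/setup.php HTTP/1.1" 404 311 "-" "ZmEu"',
    '212.175.84.210 - - [29/Jul/2010:10:05:45 -0400] "GET /phpMyAdmin-2.5.5-pl1/scripts/setup.php HTTP/1.1" 404 315 "-" "ZmEu"',
    '198.51.100.7 - - [29/Jul/2010:10:06:01 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [29/Jul/2010:10:07:12 -0400] "GET /phpMyAdmin-2.11.1/scripts/setup.php HTTP/1.1" 404 311 "-" "Mozilla/4.0"',
    'this line is not an access-log entry',
]


def parse_line(line):
    """Return a dict of the log fields, or None for a line not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def indicators(entry):
    """Reasons an entry looks like a ZmEu probe (empty set for ordinary traffic)."""
    reasons = set()
    if "zmeu" in entry["ua"].lower():
        reasons.add("user-agent")
    if PMA_SETUP_RE.match(entry["path"]):
        reasons.add("phpmyadmin-setup-path")
    return reasons


def summarize(lines, burst_threshold=5):
    """Per-IP counters. 'flag' is set when an IP sent the scanner's User-Agent,
    probed a setup.php path, or produced burst_threshold or more 404s."""
    per_ip = defaultdict(lambda: {"requests": 0, "404s": 0,
                                  "ua_hits": 0, "path_hits": 0, "flag": False})
    for line in lines:
        e = parse_line(line)
        if e is None:          # skip lines the regex cannot parse
            continue
        s = per_ip[e["ip"]]
        s["requests"] += 1
        if e["status"] == "404":
            s["404s"] += 1
        r = indicators(e)
        s["ua_hits"] += int("user-agent" in r)
        s["path_hits"] += int("phpmyadmin-setup-path" in r)
    for s in per_ip.values():
        s["flag"] = bool(s["ua_hits"] or s["path_hits"] or s["404s"] >= burst_threshold)
    return dict(per_ip)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s)
```

Run it against a real log with `summarize(open("/var/log/apache2/access.log"))`. The path check matters because a scanner that changes its User-Agent string still has to request the same setup.php paths, so matching on both indicators catches more than the User-Agent alone.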

Wow That Is Annoying. What Can I Do About It?

The first thought that may pop into your head is to simply block any IP address that racks up a whole bunch of HTTP 404 errors in quick succession. However, I have a hunch that if we send the tool back anything other than an HTTP 404 error, perhaps it will cease its scanning, thinking that it might have found something. Knowing this, we can trick the tool into thinking it has found a phpMyAdmin install, when in reality we send the attacker back a page saying something along the lines of "Get a Job."

Step 1: Create An Abuse Page

Create a page somewhere on your server that conveys the message that we don't take very kindly to script kiddies on this web server. It need not be complicated, just enough to get the point across. Here is mine, nothing fancy.

Optionally, we can have the page return an HTTP 403 error, perhaps further confusing the tool. In PHP, for example, this can be accomplished with a line such as

<?php
// header() must run before the script sends any output, or the status line is ignored.
header("HTTP/1.1 403 Forbidden");
?>

Step 2: The Power Of mod_rewrite

There is just something about script kiddies and their inability to ever tweak configuration files to something other than the default values. Exploiting this, we can effectively block just about all instances of this annoying tool.

The tool uses the User-Agent string “ZmEu” to identify itself. So naturally, let’s redirect all traffic identifying its user-agent as “ZmEu” to our abuse page.

Create an .htaccess file in your web root directory if one does not already exist, and add the following:

<IfModule mod_rewrite.c>
RewriteEngine on
# Leave the abuse page itself alone, otherwise the redirect below would loop forever.
RewriteCond %{REQUEST_URI} !^/path/to/your/abusefile.php
# Match any User-Agent header that contains "ZmEu".
RewriteCond %{HTTP_USER_AGENT} ZmEu
RewriteRule .* http://www.yourdomain.com/path/to/your/abusefile.php [R=301,L]
</IfModule>

This mod_rewrite rule redirects any request whose User-Agent header contains "ZmEu" to your abuse page with an HTTP 301 reply.
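To see why the first RewriteCond (the one excluding the abuse page) is essential, here is an added example, not part of the original article, that emulates the two steps above in Python: the rewrite decision, the abuse page answering 403, and a client that follows redirects. The abuse path and host are the placeholders from the .htaccess above, and the `exclude_abuse_path=False` switch models what happens if that first condition is left out.

```python
import re
from urllib.parse import urlsplit

# Placeholders copied from the .htaccess above; substitute your real path and host.
ABUSE_PATH = "/path/to/your/abusefile.php"
ABUSE_URL = "http://www.yourdomain.com" + ABUSE_PATH
UA_PATTERN = re.compile(r"ZmEu")   # the RewriteCond on %{HTTP_USER_AGENT}


def rewrite(path, user_agent, exclude_abuse_path=True):
    """Emulate the RewriteCond/RewriteRule pair.
    Returns ("redirect", location) or ("pass", None).
    exclude_abuse_path=False models omitting the RewriteCond on REQUEST_URI."""
    if exclude_abuse_path and path.startswith(ABUSE_PATH):
        return ("pass", None)
    if UA_PATTERN.search(user_agent or ""):
        return ("redirect", ABUSE_URL)
    return ("pass", None)


def serve(path, user_agent, exclude_abuse_path=True):
    """One request through the server: rewrite rules first, then either the
    abuse page from Step 1 (answering 403) or a plain 404 for anything else.
    Returns (status, location, body)."""
    action, location = rewrite(path, user_agent, exclude_abuse_path)
    if action == "redirect":
        return (301, location, "")
    if path == ABUSE_PATH:
        return (403, None, "Get a job.")
    return (404, None, "Not Found")


def client(path, user_agent, exclude_abuse_path=True, max_hops=5):
    """Follow redirects the way a browser or scanner would.
    Returns (final status, hops), or ("loop", hops) if max_hops is exceeded."""
    hops = 0
    while True:
        status, location, _ = serve(path, user_agent, exclude_abuse_path)
        if status != 301:
            return (status, hops)
        hops += 1
        if hops > max_hops:
            return ("loop", hops)
        path = urlsplit(location).path   # the redirect target lives on this same host


if __name__ == "__main__":
    probe = "/phpMyAdmin-2.5.1/scripts/setup.php"
    print("scanner, rule as written:", client(probe, "ZmEu"))
    print("scanner, without the REQUEST_URI exclusion:", client(probe, "ZmEu", exclude_abuse_path=False))
    print("ordinary browser:", client(probe, "Mozilla/5.0"))
```

With the exclusion in place the scanner is bounced once and then receives the 403 from the abuse page; without it, the abuse page request still carries the "ZmEu" User-Agent, matches the rule again, and the client chases redirects until it gives up. An ordinary browser is never redirected and simply gets the 404 for a path that does not exist.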

Terrific! Problem Solved.

The convenient thing about this solution is that even if you do have phpMyAdmin installed on your web server for whatever reason, the tool will not be able to find it, since we redirect to the abuse page based on the User-Agent header before the request ever reaches a phpMyAdmin directory (a scanner that changes its User-Agent string will, of course, get past this rule).

I hope that this article gives you another weapon to add to your arsenal in the decades-old fight against Chinese-based brute-force attacks.

March 13, 2017 - But Wait, There's More!

What if you don't run Apache? Are you SOL? Of course not!

Thanks to an eagle-eyed reader's contribution, you can implement the same blocking strategy for lighttpd as well. This variant of the fix stops ZmEu on lighttpd servers by sending the bot back a 403 error rather than redirecting it to an abuse file:

# Deny every URL (the empty-string suffix matches all paths) to these User-Agents.
$HTTP["useragent"] =~ "(ZmEu|Morfeus)" {
url.access-deny = ("")
}
