How to Prevent Web Attack: Jorgee Vulnerability Scanner

Recently I've added a few methods of blocking some IPs and user agents on my server, which runs nginx as its web server. What is the Jorgee Vulnerability Scanner? Here are some example log entries produced by the Jorgee Vulnerability Scanner:

    46.142.55.116 - - [11/Sep/2017:22:02:10 +0000] "HEAD http://198.167.140.231:80/mysql/admin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
    46.142.55.116 - - [11/Sep/2017:22:02:11 +0000] "HEAD http://198.167.140.231:80/mysql/dbadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
    46.142.55.116 - - [11/Sep/2017:22:02:11 +0000] "HEAD http://198.167.140.231:80/mysql/sqlmanager/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
    46.142.55.116 - - [11/Sep/2017:22:02:11 +0000] "HEAD http://198.167.140.231:80/mysql/mysqlmanager/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
    46.142.55.116 - - [11/Sep/2017:22:02:11 +0000] "HEAD http://198.167.140.231:80/phpmyadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"
    46.142.55.116 - - [11/Sep/2017:22:02:11 +0000] "HEAD http://198.167.140.231:80/phpMyadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 Jorgee"

As you can see, the user agent is "Mozilla/5.0 Jorgee", so I added a block rule to my sites-available/ config. This is the code I added:

    ##  
    # Block User Agent (Jorgee Vulnerability scan)
    ##  
    
    if ($http_user_agent ~* (Jorgee|curl|wget) ){
         return 403;
    }  

Explanation of the code above:
1. Remember that "if()" and "if ()" are different: nginx will fail to reload if you type "if()" instead of "if ()".
2. The "~*" operator is a case-insensitive regex match, while "~" is case-sensitive.
3. The rule returns 403 to anyone who accesses my site with curl or wget, and it also blocks the Jorgee scanner, because, as the log entries above show, the user agent it sends contains "Jorgee".

Besides that, there is a pattern to the Jorgee scans. Based on my log, each scanning IP brute-forces 103 or 104 paths, which shows up as 103 or 104 log rows per IP, as below:

    $ cat NGINX_LOG_FILE | awk -F\- '{print $1}' | sort | uniq -c | sort -n
     21 66.249.79.94 
     32 66.249.79.65 
     45 121.122.3.93 
    100 133.20.179.115 
    103 107.204.22.107 
    103 84.84.220.185 
    104 101.98.141.66 
    104 115.90.121.189 
    104 120.151.156.132 
    104 122.116.94.48 
    104 140.123.104.106 
    104 173.212.104.118 
    104 176.192.188.192 
    104 185.48.179.142 
    104 193.2.223.28 
    104 203.59.41.166 
    104 203.97.150.131 
    104 217.247.100.213 
    104 217.92.148.44 
    104 218.103.18.33 
    104 2.227.249.205 
    104 223.132.86.20 
    104 61.220.128.188 
    104 62.155.131.217 
    104 68.48.72.64 
    104 75.150.65.94 
    104 78.234.213.11 
    104 80.113.214.119 
    104 83.111.201.28 
    104 88.147.104.60 
    104 90.63.223.128 
    104 90.63.245.57 
    104 91.211.146.146 
    104 91.35.192.197 
    104 91.51.61.137 
    104 92.154.88.116 

I've created a file named blockips.conf and included it in my server configuration:

    ##
    # Block spammers and other unwanted visitors
    ##
    include blockips.conf;

Contents of blockips.conf:

    deny 68.48.72.64; #20170822
    deny 126.130.247.229; #20170822
    deny 153.228.237.98; #20170822
    deny 173.196.177.69; #20170822
    deny 36.224.20.38; #20170822
    deny 83.221.223.108; #20170822
    deny 87.122.244.224; #20170822
    deny 87.60.168.79; #20170822
    deny 88.163.253.9; #20170822

I also wrote a PHP script that adds those IPs into blockips.conf, so that those scanners get blocked automatically. Below is the script I run from cron:

    <?php
    $logpath = "/var/log/nginx";
    $logfile = "logname";
    $blockfile = "/etc/nginx/blockips.conf";

    # Count requests per client IP: the IP is the first "-"-separated field of each log line
    $shell_check = "cat $logpath/$logfile | awk -F\- '{print \$1}' | sort | uniq -c | sort -n";

    $output = array();
    exec($shell_check, $output, $error);

    # each() is removed in PHP 8, so iterate with foreach instead
    foreach ($output as $row) {

        $tmp = explode(" ", $row);
        $clean = array_filter($tmp);   # Remove empty values (uniq -c pads the count with spaces)
        $clean = array_values($clean); # Re-index keys, e.g. array[2]=20, array[10]=30 becomes array[0]=20, array[1]=30

        $count = $clean[0];
        $ipadd = trim($clean[1]);

        # Only write well-formed IP addresses into the nginx config
        if (filter_var($ipadd, FILTER_VALIDATE_IP) === false) {
            continue;
        }

        if ($count == "103" || $count == "104") {

            # Check whether this exact IP is already denied: -F matches literally (no regex dots),
            # -w matches whole words, so 2.227.249.205 does not match a line for 12.227.249.205
            $output1 = array();
            $check_block = "grep -F -w " . escapeshellarg($ipadd) . " " . escapeshellarg($blockfile);
            exec($check_block, $output1, $error1);

            if (empty($output1)) {
                # Not blocked yet: append a deny rule with a timestamp comment
                file_put_contents($blockfile, "deny $ipadd; #" . date('YmdHi') . "\n", FILE_APPEND);
                echo "$ipadd Added Into Blockips.conf\n";
            }
        }
    }

    exec("/etc/init.d/nginx reload");
    echo "Restarting nginx service \n";
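The same detection that the nginx user-agent rule and the cron script above implement, written as an added Python example (not the post's own code): it parses constructed combined-format log lines, flags a client either by the blocked user agents or by the 103/104 probe count pattern, and checks blockips.conf with an exact match rather than the substring match that "grep $ipadd" performs.

```python
import re
from collections import Counter

# Combined-log line: client IP, ident, user, [time], "request", status, bytes, "referer", "user agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"')

# Same matching as the post's nginx rule `if ($http_user_agent ~* (Jorgee|curl|wget))`: case-insensitive
BLOCKED_UA = re.compile(r"Jorgee|curl|wget", re.IGNORECASE)

# Constructed sample log (not real traffic): a Jorgee scan source, a curl client, a browser, and
# a client sending 104 probes with a bland user agent (the per-IP count pattern from the post)
_LINE = '%s - - [11/Sep/2017:22:%02d:%02d +0000] "%s" 404 0 "-" "%s"'
SAMPLE_LINES = [
    _LINE % ("46.142.55.116", 2, 10, "HEAD /mysql/admin/ HTTP/1.1", "Mozilla/5.0 Jorgee"),
    _LINE % ("46.142.55.116", 2, 11, "HEAD /phpmyadmin/ HTTP/1.1", "Mozilla/5.0 Jorgee"),
    _LINE % ("10.0.0.5", 3, 0, "GET / HTTP/1.1", "curl/7.55.1"),
    _LINE % ("203.0.113.9", 4, 0, "GET /index.html HTTP/1.1", "Mozilla/5.0 (X11; Linux x86_64)"),
] + [_LINE % ("198.51.100.7", 5, i % 60, "HEAD /probe%d/ HTTP/1.1" % i, "Mozilla/5.0 (compatible)")
     for i in range(104)]
SAMPLE_LOG = "\n".join(SAMPLE_LINES) + "\n"

def parse_log(text):
    """Yield (ip, user_agent) for each well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ua")

def scanner_ips(text, probe_counts=(103, 104)):
    """IPs to deny: any client whose user agent matches the nginx rule, plus any
    client whose request count equals the Jorgee probe-list size (103 or 104)."""
    counts, flagged = Counter(), set()
    for ip, ua in parse_log(text):
        counts[ip] += 1
        if BLOCKED_UA.search(ua):
            flagged.add(ip)
    flagged.update(ip for ip, n in counts.items() if n in probe_counts)
    return sorted(flagged)

def already_denied(blockips_conf, ip):
    """Exact match on a `deny <ip>;` line. A plain `grep $ipadd` treats each '.' as a
    wildcard and matches substrings, so 2.227.249.205 would count as blocked when
    only 12.227.249.205 is."""
    pattern = r"^\s*deny\s+" + re.escape(ip) + r"\s*;"
    return re.search(pattern, blockips_conf, re.MULTILINE) is not None

def new_deny_lines(blockips_conf, ips, stamp="20170921"):
    """Deny directives to append to blockips.conf for IPs not already present."""
    return ["deny %s; #%s" % (ip, stamp) for ip in ips if not already_denied(blockips_conf, ip)]
```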

On 2017-09-21, my colleague shared an article with me about blocking the Jorgee scanner at the firewall level with a single iptables command. Blocking the Jorgee user agent at the firewall level is more efficient than the approach I described above, but hopefully the above still gives you some ideas for your other projects 🙂

    iptables -A INPUT -m string --algo bm --string "User-Agent: Mozilla/5.0 Jorgee" -j DROP

Here is the reference for the iptables command above: http://sipadcg.org/jorgee/


2 Responses

  1. care says:

    I've been browsing online for more than 4 hours today, yet I never found any interesting
    article like yours. It's pretty worth enough for me.

    Personally, if all site owners and bloggers made good content as you did, the web would be
    a lot more useful than ever before.
    http://theelderscrolls5skyrimevolution225.ru

  2. juliusgoh22 says:

    Thanks Care, your comment really meant a lot to me 🙂 Thank you