{"id":281,"date":"2017-09-12T02:23:03","date_gmt":"2017-09-12T02:23:03","guid":{"rendered":"http:\/\/info.juliusgoh.life\/?p=281"},"modified":"2018-04-24T03:18:53","modified_gmt":"2018-04-24T03:18:53","slug":"how-to-prevent-web-attack-jorgee-vulnerability-scanner","status":"publish","type":"post","link":"https:\/\/info.juliusgoh.life\/?p=281","title":{"rendered":"How to Prevent Web Attack: Jorgee Vulnerability Scanner"},"content":{"rendered":"<p>Recently I added a few methods of blocking some IPs and user agents on my server. For my server I am using nginx as the web server. <a href=\"https:\/\/www.symantec.com\/security_response\/attacksignatures\/detail.jsp?asid=30164\">What is Jorgee Vulnerability Scanner?<\/a> Here are some examples of Jorgee Vulnerability Scanner requests from my access log.<\/p>\n<pre>\r\n46.142.55.116 - - [11\/Sep\/2017:22:02:10 +0000] \"HEAD http:\/\/198.167.140.231:80\/mysql\/admin\/ HTTP\/1.1\" 404 0 \"-\" \"Mozilla\/5.0 Jorgee\"\r\n46.142.55.116 - - [11\/Sep\/2017:22:02:11 +0000] \"HEAD http:\/\/198.167.140.231:80\/mysql\/dbadmin\/ HTTP\/1.1\" 404 0 \"-\" \"Mozilla\/5.0 Jorgee\"\r\n46.142.55.116 - - [11\/Sep\/2017:22:02:11 +0000] \"HEAD http:\/\/198.167.140.231:80\/mysql\/sqlmanager\/ HTTP\/1.1\" 404 0 \"-\" \"Mozilla\/5.0 Jorgee\"\r\n46.142.55.116 - - [11\/Sep\/2017:22:02:11 +0000] \"HEAD http:\/\/198.167.140.231:80\/mysql\/mysqlmanager\/ HTTP\/1.1\" 404 0 \"-\" \"Mozilla\/5.0 Jorgee\"\r\n46.142.55.116 - - [11\/Sep\/2017:22:02:11 +0000] \"HEAD http:\/\/198.167.140.231:80\/phpmyadmin\/ HTTP\/1.1\" 404 0 \"-\" \"Mozilla\/5.0 Jorgee\"\r\n46.142.55.116 - - [11\/Sep\/2017:22:02:11 +0000] \"HEAD http:\/\/198.167.140.231:80\/phpMyadmin\/ HTTP\/1.1\" 404 0 \"-\" \"Mozilla\/5.0 Jorgee\"\r\n<\/pre>\n<p>As you can notice, the user agent is Jorgee, so I added a block list in my sites-available\/ config. I added the code below:<\/p>\n<pre>\r\n    ##\r\n    # Block User Agent (Jorgee Vulnerability scan)\r\n    ##\r\n\r\n    if ($http_user_agent ~* (Jorgee|curl|wget) ) {\r\n        return 403;\r\n    }\r\n<\/pre>\n<p>Explanation for the code above:<br \/>\n1. Remember that if() and if () are different: nginx will fail to reload if you type if() instead of if ().<br \/>\n2. The sign &#8220;~*&#8221; is a case-insensitive match AND &#8220;~&#8221; is case-sensitive.<br \/>\n3. The code above returns 403 to anyone who uses curl or wget against my site, and it also blocks the Jorgee user agent, because, as you can see in the first part, the user agent they use contains Jorgee.<\/p>\n<p>Besides, there is a pattern to the Jorgee attack. Based on my log, they will brute force 104 or 103 rows like below:<\/p>\n<pre>\r\n$ cat NGINX_LOG_FILE | awk -F\\- '{print $1}' | sort | uniq -c | sort -n\r\n     21 66.249.79.94 \r\n     32 66.249.79.65 \r\n     45 121.122.3.93 \r\n    100 133.20.179.115 \r\n    103 107.204.22.107 \r\n    103 84.84.220.185 \r\n    104 101.98.141.66 \r\n    104 115.90.121.189 \r\n    104 120.151.156.132 \r\n    104 122.116.94.48 \r\n    104 140.123.104.106 \r\n    104 173.212.104.118 \r\n    104 176.192.188.192 \r\n    104 185.48.179.142 \r\n    104 193.2.223.28 \r\n    104 203.59.41.166 \r\n    104 203.97.150.131 \r\n    104 217.247.100.213 \r\n    104 217.92.148.44 \r\n    104 218.103.18.33 \r\n    104 2.227.249.205 \r\n    104 223.132.86.20 \r\n    104 61.220.128.188 \r\n    104 62.155.131.217 \r\n    104 68.48.72.64 \r\n    104 75.150.65.94 \r\n    104 78.234.213.11 \r\n    104 80.113.214.119 \r\n    104 83.111.201.28 \r\n    104 88.147.104.60 \r\n    104 90.63.223.128 \r\n    104 90.63.245.57 \r\n    104 91.211.146.146 \r\n    104 91.35.192.197 \r\n    104 91.51.61.137 \r\n    104 92.154.88.116 \r\n<\/pre>\n<p>I created a file named blockips.conf and included it in my server configuration.<\/p>\n<pre>\r\n    ##\r\n    # Block spammers and other unwanted visitors\r\n    ##\r\n    include blockips.conf;\r\n<\/pre>\n<p>Contents of blockips.conf:<\/p>\n<pre>\r\ndeny 68.48.72.64; #20170822\r\ndeny 126.130.247.229; #20170822\r\ndeny 153.228.237.98; #20170822\r\ndeny 173.196.177.69; #20170822\r\ndeny 36.224.20.38; #20170822\r\ndeny 83.221.223.108; #20170822\r\ndeny 87.122.244.224; #20170822\r\ndeny 87.60.168.79; #20170822\r\ndeny 88.163.253.9; #20170822\r\n<\/pre>\n<p>I also wrote a PHP script that adds those IPs into blockips.conf, so that I can block those crawlers automatically. Below is the cron script.<\/p>\n<pre>\r\n$logpath = \"\/var\/log\/nginx\";\r\n$logfile = \"logname\";\r\n\r\n# Count requests per client IP: the IP is the first field before the first \"-\"\r\n$shell_check = \"cat $logpath\/$logfile | awk -F'-' '{print \\$1}' | sort | uniq -c | sort -n\";\r\n\r\nexec($shell_check, $output, $error);\r\nforeach ($output as $row) {\r\n\r\n    $tmp = explode(\" \", $row);\r\n    $clean = array_filter($tmp);   # Remove empty values left by the uniq -c padding\r\n    $clean = array_values($clean); # Re-index keys EX: array[2]=20, array[10]=30 become array[0]=20, array[1]=30\r\n\r\n    $count = (int) $clean[0];\r\n    $ipadd = $clean[1];\r\n\r\n    # Only handle rows that match the Jorgee pattern and hold a valid IP address\r\n    if (($count == 103 || $count == 104) && filter_var($ipadd, FILTER_VALIDATE_IP)) {\r\n\r\n        $output1 = array();\r\n        # Match the whole address, so 1.2.3.4 does not match 11.2.3.45\r\n        $check_block = \"grep -F -w \" . escapeshellarg($ipadd) . \" \/etc\/nginx\/blockips.conf\";\r\n        exec($check_block, $output1, $error1);\r\n\r\n        if (empty($output1)) {\r\n            # If not blocked yet, append a deny line with a timestamp\r\n            file_put_contents(\"\/etc\/nginx\/blockips.conf\", \"deny $ipadd; #\" . date('YmdHi') . \"\\n\", FILE_APPEND);\r\n            echo \"$ipadd Added Into Blockips.conf\\n\";\r\n        }\r\n    }\r\n}\r\n\r\nexec(\"\/etc\/init.d\/nginx reload\");\r\necho \"Restarting nginx service\\n\";\r\n<\/pre>\n<p>On 2017-09-21, my colleague shared an article with me about blocking the Jorgee scanner at the firewall level by typing a single command into iptables. Blocking the Jorgee user agent at the firewall level is more efficient than the method I described above. But hopefully it gives you some ideas for your other projects and so on \ud83d\ude42<\/p>\n<pre>\r\niptables -A INPUT -m string --algo bm --string \"User-Agent: Mozilla\/5.0 Jorgee\" -j DROP\r\n<\/pre>\n<p>Here is the reference for the iptables command above: <a href=\"http:\/\/sipadcg.org\/jorgee\/\">http:\/\/sipadcg.org\/jorgee\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently I added a few methods of blocking some IPs and user agents on my server. For my server I am using nginx as the web server. What is Jorgee Vulnerability Scanner? Here are some examples of Jorgee Vulnerability Scanner requests from my access log. 46.142.55.116 &#8211; &#8211; [11\/Sep\/2017:22:02:10 +0000] &#8220;HEAD http:\/\/198.167.140.231:80\/mysql\/admin\/ HTTP\/1.1&#8221; 404 0 &#8220;-&#8221; &#8220;Mozilla\/5.0 Jorgee&#8221; 46.142.55.116 &#8211; [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":234,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,20],"tags":[],"_links":{"self":[{"href":"https:\/\/info.juliusgoh.life\/index.php?rest_route=\/wp\/v2\/posts\/281"}],"collection":[{"href":"https:\/\/info.juliusgoh.life\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/info.juliusgoh.life\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/info.juliusgoh.life\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/info.juliusgoh.life\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=281"}],"version-history":[{"count":8,"href":"https:\/\/info.juliusgoh.life\/index.php?rest_route=\/wp\/v2\/posts\/281\/revisions"}],"predecessor-version":[{"id":297,"href":"https:\/\/info.juliusgoh.life\/index.php?rest_route=\/wp\/v2\/posts\/281\/revisions\/297"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/info.juliusgoh.life\/index.php?rest_route=\/wp\/v2\/media\/234"}],"wp:attachment":[{"href":"https:\/\/info.juliusgoh.life\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/info.juliusgoh.life\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/info.juliusgoh.life\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}