The page at http://file.oboz.ua/files/vf4f51401192c57_20123223481.mail%5B1%5D is being used in a phishing attack: it abuses this site to serve raw HTML in order to do something with mail.ru users.
If you see a log entry like this:
126.96.36.199 - - [02/Jan/2013:08:53:31 +0000] "GET /mapi?query=%7B%22cmd%22%3A%22getCounters%22%2C%22jsonPrefix%22%3A%22__PHJSONPCallback_47%22%7D&rnd=1357116906112 HTTP/1.1" 403 507 "http://my.mail.ru/friends?" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.12 (KHTML, like Gecko) Maxthon/3.0 Chrome/18.0.966.0 Safari/535.12"
Now, it looks like this guy knows exactly what he is searching for, and a closer look at http://file.oboz.ua/files/vf4f51401192c57_20123223481.mail%5B1%5D suggests to me that he is trying to redirect users to another form instead of the real one (probably the login form of mail.ru) in order to steal credentials. The page itself, when properly displayed in the browser, is a copy of the mail.ru home page.
So what to do?
As I already wrote in my article on defending myself with fail2ban against repeated behaviours, it's time to ask fail2ban to do another job for me.
So I will create a new filter for this particular but very recurring request (20 to 30 per minute).
Create a new file to store the filter rules in (fail2ban reads filters from /etc/fail2ban/filter.d/, and the file name must match the filter name used in the jail, here wordpress-mapi.conf):
and add the following rules:
# Fail2Ban configuration file
#
# Author: Giuseppe Urso
# Author website: http://blog.giuseppeurso.net
# $Revision: uhm $
#

[Definition]

# <HOST> is the tag fail2ban replaces with its IP-capturing group; the filter
# does not load without it. The request we want is "GET|POST /mapi?query=...".
failregex = ^<HOST> -.*"(GET|POST).*/mapi\?query=.* HTTP\/.*$

ignoreregex =
Save and close, respectively with: "CTRL"+"o", "ENTER", "CTRL"+"x".
Then edit /etc/fail2ban/jail.local, typing:
And add as last “jail”:
[wordpress-mapi]
enabled  = true
port     = http,https
filter   = wordpress-mapi
logpath  = /var/log/ispconfig/httpd/*/*access.log
bantime  = 360
findtime = 30
maxretry = 1
Save and exit nano as already done with the previous file and restart fail2ban issuing the following command:
service fail2ban restart
As usual, take a look at the last part of the fail2ban log file (/var/log/fail2ban.log), so you can check whether something went wrong, with:
tail -F /var/log/fail2ban.log
If you opened the file in an editor or pager instead, hit "SHIFT"+"G" to go to the end of the file. If you use tail and you are actually under attack, you should see something like:
2013-01-02 09:31:53,180 fail2ban.actions: WARNING [wordpress-mapi] Ban 188.8.131.52
2013-01-02 09:32:53,274 fail2ban.actions: WARNING [wordpress-mapi] Ban 184.108.40.206
2013-01-02 09:33:06,318 fail2ban.actions: WARNING [wordpress-mapi] Unban 220.127.116.11
2013-01-02 09:33:29,372 fail2ban.actions: WARNING [wordpress-mapi] Unban 18.104.22.168
2013-01-02 09:33:33,406 fail2ban.actions: WARNING [wordpress-mapi] Ban 22.214.171.124
2013-01-02 09:33:48,455 fail2ban.actions: WARNING [wordpress-mapi] Ban 126.96.36.199
2013-01-02 09:34:29,531 fail2ban.actions: WARNING [wordpress-mapi] Ban 188.8.131.52
2013-01-02 09:35:00,591 fail2ban.actions: WARNING [wordpress-mapi] Ban 184.108.40.206
2013-01-02 09:35:04,620 fail2ban.actions: WARNING [wordpress-mapi] Unban 220.127.116.11
2013-01-02 09:35:06,653 fail2ban.actions: WARNING [wordpress-mapi] Ban 18.104.22.168
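Before restarting fail2ban it is worth dry-running the filter and jail logic against a few access-log lines. The script below is an added example, not part of the original post or of fail2ban itself: it applies the failregex (with the `<HOST>` tag fail2ban expects, replaced here by a simplified named group) to constructed log lines modelled on the one above and replays the jail's findtime/maxretry rule to show which hosts would be banned.

```python
import re
from datetime import datetime, timedelta

# failregex of the wordpress-mapi filter. fail2ban substitutes <HOST> with its own
# IP-capturing group; a simplified stand-in is used here (assumption, for the dry run).
FAILREGEX = r'^<HOST> -.*"(GET|POST).*/mapi\?query=.* HTTP/.*$'
HOST_GROUP = r'(?P<host>\S+)'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST_GROUP))

# Jail parameters from jail.local
FINDTIME = timedelta(seconds=30)
MAXRETRY = 1

# Constructed sample log lines (Apache combined format), modelled on the entry in the post.
SAMPLE_LOG = [
    '126.96.36.199 - - [02/Jan/2013:08:53:31 +0000] "GET /mapi?query=%7B%22cmd%22%3A%22getCounters%22%7D&rnd=1357116906112 HTTP/1.1" 403 507 "http://my.mail.ru/friends?" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Jan/2013:08:53:32 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Jan/2013:08:53:40 +0000] "POST /mapi?query=%7B%22cmd%22%3A%22getCounters%22%7D HTTP/1.1" 403 507 "-" "Mozilla/5.0"',
]


def match_host(line):
    """Return the client IP if the line matches the failregex, otherwise None."""
    m = PATTERN.match(line)
    return m.group('host') if m else None


def parse_time(line):
    """Extract the bracketed Apache timestamp as an aware datetime."""
    ts = re.search(r'\[([^\]]+)\]', line).group(1)
    return datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z')


def hosts_to_ban(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay log lines in order; a host is banned once it has maxretry matches within findtime."""
    recent = {}   # host -> timestamps of matching requests inside the findtime window
    banned = []
    for line in lines:
        host = match_host(line)
        if host is None:
            continue            # normal traffic, e.g. /wp-login.php, is ignored
        t = parse_time(line)
        hits = [h for h in recent.get(host, []) if t - h <= findtime]
        hits.append(t)
        recent[host] = hits
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```

With maxretry = 1 every host is banned on its first matching request, which is the only setting that helps when each request comes from a different address; raising maxretry to 2 bans nobody in this sample.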
That's all; there is not much more we can do with these tools, because this is a distributed attack: each connection starts from a different IP address, so waiting for repeated behaviour from a single IP address is useless in this case. Here we have to match the request URI or the referrer instead… 🙂
Any comment is welcome!