Apache2 access.log problem mapi?query= cmd getCounters jsonPrefix _PHJSONPCallback_1046 &rnd=

The URL http://file.oboz.ua/files/vf4f51401192c57_20123223481.mail%5B1%5D is being used in a phishing attack: it serves raw HTML aimed at users of mail.ru.
If you see a log entry like this in your Apache access.log:

- - [02/Jan/2013:08:53:31 +0000] "GET /mapi?query=%7B%22cmd%22%3A%22getCounters%22%2C%22jsonPrefix%22%3A%22__PHJSONPCallback_47%22%7D&rnd=1357116906112 HTTP/1.1" 403 507 "http://my.mail.ru/friends?" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.12 (KHTML, like Gecko) Maxthon/3.0 Chrome/18.0.966.0 Safari/535.12"

It looks like whoever is behind this knows exactly what he is looking for, and a closer look at http://file.oboz.ua/files/vf4f51401192c57_20123223481.mail%5B1%5D suggests he is trying to redirect users to a form of his own (probably a copy of the mail.ru login form) in order to steal credentials. Rendered in a browser, the page is a copy of the mail.ru home page. Two details of the log line are worth noting before blocking anything: the jsonPrefix value is a JSONP callback name and the Referer is http://my.mail.ru/friends?, so (unless the Referer is forged) each request is issued by a visitor's browser while it is on my.mail.ru, and Apache has already answered it with a 403. The addresses fail2ban will ban are therefore those browsers, not the server hosting the page.


So what to do?
As I already wrote in my article on defending myself with fail2ban against repeated behaviours, it is time to ask fail2ban to do another job for me.

So I will create a new filter for this particular, very recurring request (20 to 30 per minute).
Create a new file to store the filter rules in:

nano /etc/fail2ban/filter.d/wordpress-mapi.conf

then add the following rules:

# Fail2Ban configuration file
# Author: Giuseppe Urso
# Author website:http://blog.giuseppeurso.net
# $Revision: uhm $

[Definition]
# <HOST> is fail2ban's placeholder for the client address; a failregex
# without it is rejected, because the ban action needs the captured host.
# The "?" of the URL is escaped: unescaped, it would make the "i" of "mapi"
# optional instead of matching the literal question mark.
failregex = ^<HOST> -.*"(GET|POST) /mapi\?query=.* HTTP/.*$
ignoreregex =

Save and close, respectively with: “CTRL”+”o”, “ENTER”, “CTRL”+”x”.

Then edit /etc/fail2ban/jail.local:

nano /etc/fail2ban/jail.local

And add the following as the last jail (the section name must match the filter file name without .conf):

[wordpress-mapi]
enabled  = true
port     = http,https
filter   = wordpress-mapi
logpath  = /var/log/ispconfig/httpd/*/*access.log
# ban for 360 seconds; with maxretry = 1 the first matching request
# within the 30-second findtime is enough to get an address banned
bantime  = 360
findtime = 30
maxretry = 1

Save and exit nano as with the previous file, then restart fail2ban with:

service fail2ban restart
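Before trusting the filter in production it is worth seeing exactly which lines it catches and what the jail settings do with them. The script below is an added example, not part of the original post or of fail2ban itself: it expands the <HOST> placeholder the way fail2ban 0.8 does, runs the failregex from wordpress-mapi.conf over a constructed access.log (RFC 5737 documentation addresses, the first line mirroring the request quoted above), and then applies the jail's maxretry/findtime counting rule to show which addresses would be banned.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban's expansion of the <HOST> placeholder: an IPv4/IPv6 address or
# hostname, captured as the named group "host" that the ban action reads.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from /etc/fail2ban/filter.d/wordpress-mapi.conf above.
FAILREGEX = r'^<HOST> -.*"(GET|POST) /mapi\?query=.* HTTP/.*$'

# Apache combined-format timestamp, e.g. [02/Jan/2013:08:53:31 +0000]
TIMESTAMP_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Constructed sample access.log (combined format). The addresses are RFC 5737
# documentation ranges, not real clients. Line 1 mirrors the request quoted in
# the post; line 4 is a WordPress search for the text "mapi?query=" that the
# filter must NOT match, since the string is not at the start of the path.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Jan/2013:08:53:31 +0000] "GET /mapi?query=%7B%22cmd%22%3A%22getCounters%22%2C%22jsonPrefix%22%3A%22__PHJSONPCallback_47%22%7D&rnd=1357116906112 HTTP/1.1" 403 507 "http://my.mail.ru/friends?" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.12 (KHTML, like Gecko) Maxthon/3.0 Chrome/18.0.966.0 Safari/535.12"
203.0.113.21 - - [02/Jan/2013:08:53:32 +0000] "GET /mapi?query=%7B%22cmd%22%3A%22getCounters%22%7D&rnd=1357116907001 HTTP/1.1" 403 507 "http://my.mail.ru/friends?" "Mozilla/5.0"
192.0.2.10 - - [02/Jan/2013:08:53:33 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Jan/2013:08:53:34 +0000] "GET /?s=mapi%3Fquery%3D HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jan/2013:08:53:40 +0000] "GET /mapi?query=%7B%22cmd%22%3A%22getCounters%22%7D&rnd=1357116915000 HTTP/1.1" 403 507 "http://my.mail.ru/friends?" "Mozilla/5.0"
"""


def compile_failregex(failregex=FAILREGEX):
    """Substitute <HOST> the way fail2ban does, then compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_timestamp(line):
    """Return the request time of a combined-format log line as an aware datetime."""
    return datetime.strptime(TIMESTAMP_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")


def matching_hits(log_text, failregex=FAILREGEX):
    """(host, time) for every line the filter counts as a failure, in log order."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m:
            hits.append((m.group("host"), parse_timestamp(line)))
    return hits


def simulate_jail(hits, maxretry=1, findtime=30):
    """Apply the jail's counting rule: a host is banned once it has maxretry
    failures inside a sliding window of findtime seconds. Returns hosts in ban order."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for host, when in hits:
        recent[host] = [t for t in recent[host] if when - t <= window]
        recent[host].append(when)
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    hits = matching_hits(SAMPLE_LOG)
    print(f"{len(hits)} matching requests from {len({h for h, _ in hits})} addresses")
    # The post's settings (maxretry = 1) ban every address on its first request...
    print("maxretry=1:", simulate_jail(hits))
    # ...while a conventional threshold lets a one-off request through untouched.
    print("maxretry=3:", simulate_jail(hits, maxretry=3))
```

The two distinct addresses are banned immediately with the post's maxretry = 1, and the search for "mapi?query=" on line 4 is left alone because the pattern anchors on "/mapi?query=" directly after the method. On a host where fail2ban is installed, fail2ban-regex <access.log> /etc/fail2ban/filter.d/wordpress-mapi.conf performs the same match check against the real log.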

As usual, take a look at the tail of the fail2ban log (/var/log/fail2ban.log) to see whether anything went wrong, with:

tail -F /var/log/fail2ban.log

or with

less /var/log/fail2ban.log

and when the file opens hit SHIFT+G to go to the end of the file. If you use tail while you are actually under attack you should see something like:

2013-01-02 09:31:53,180 fail2ban.actions: WARNING [wordpress-mapi] Ban
2013-01-02 09:32:53,274 fail2ban.actions: WARNING [wordpress-mapi] Ban
2013-01-02 09:33:06,318 fail2ban.actions: WARNING [wordpress-mapi] Unban
2013-01-02 09:33:29,372 fail2ban.actions: WARNING [wordpress-mapi] Unban
2013-01-02 09:33:33,406 fail2ban.actions: WARNING [wordpress-mapi] Ban
2013-01-02 09:33:48,455 fail2ban.actions: WARNING [wordpress-mapi] Ban
2013-01-02 09:34:29,531 fail2ban.actions: WARNING [wordpress-mapi] Ban
2013-01-02 09:35:00,591 fail2ban.actions: WARNING [wordpress-mapi] Ban
2013-01-02 09:35:04,620 fail2ban.actions: WARNING [wordpress-mapi] Unban
2013-01-02 09:35:06,653 fail2ban.actions: WARNING [wordpress-mapi] Ban

That's all; there is little more these tools can do, because this is a distributed attack: each connection comes from a different IP address, so waiting for repeated behaviour from one address is useless here. With maxretry = 1 every matching address is banned on its first request, but that first request still reaches Apache, and the next one comes from a new address. In this case we should match the request URI or the Referer in the web server itself instead. 🙂

Any comment is welcome!


Author: Giuseppe Urso

Giuseppe lives in Haarlem now with his shiny dog, Filippa.
In 1982 he received his first home computer, a Commodore 64, followed by a Datasette and a 1541 floppy disk drive.
In 1999 he installed his first Linux distro (LRH6).
In 2006 he switched to Debian as his favourite OS. Giuseppe actively supports the Free Software Foundation and its founder Richard Matthew Stallman; he talks to people to convince them to join the fight now, and about how important it is to use only Free Software.
He works as an Infra Specialist at Hippo, an open-source enterprise-class Java CMS and one of the coolest companies ever, in Amsterdam. He is always ready to install Debian on other people's computers for free.
