securing phpmyadmin / annoying bots with a tarpit

[bad_brain]

when you are providing public services you can be sure it'll not take long until lame bots start to appear. in our case there is a phpmyadmin backend available which is of course a true bot magnet if you use the standard /phpmyadmin or /pma URLs.

excerpt from the access log:

Code: Select all

103.108.195.244 - - [08/Dec/2020:21:23:52 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:52 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:53 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:54 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:54 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:55 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:56 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:56 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:57 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:58 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:58 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:59 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:00 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:00 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:01 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:02 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:02 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:03 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:04 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17064 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:05 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

so the first step is to us a non-standard URL. in Debian, using Apache2 and the phpmyadmin package from the repositories, you'll have to edit /etc/apache2/conf-available/phpmyadmin.conf
simply change the alias on top of the file:

Code: Select all

Alias /putyourcustomURLhere /usr/share/phpmyadmin

don't forget to restart apache!


buuut....bots will still scan for the /phpmyadmin URL, so why not having a little fun with them? here's where a tarpit comes into play, as the name suggests it slows down bots and can occupy resources on the bot server side. in my case I am using Matthew Sigley's PHP-HTTP-Tarpit: https://github.com/msigley/PHP-HTTP-Tarpit
make sure to check the README and the script itself, it has super fun options like:

Code: Select all

	function rand_content( $random_content_length = 2048 ) {
		$random_words = array( '', 
							//Send them down a wild goose chase.
							'Public Key:', 
							'Private Key:',
							'Password',
							'Username',
							//Piss off people who aren't escaping content correctly in Unix or piping to Grep.
							"\x03", //Interupt
							"\x04", //Logout
							"\x07", //Beep
							"\x21", //Communcation Error
							" | shutdown -r now",
							//Exploit grep debian bug #736919 for those running out of date software and put grep in an infinite loop
							"\xe9\x65\n\xab\n"
							);

the setup is really easy and straight forward, make sure to use a URL rewrite and not a redirect to forward bots to the tarpit script.
in my example access to /phpmyadmin is rewritten to the tarpit script dildo.php:

Code: Select all

RewriteEngine on
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^phpmyadmin$ /dildo.php? [R=301,L]

that's it!

[Gogeta70]

Hahah! A web server that hacks you back, but only a little

It brings to mind an idea for a fun little project... You know those vulnerable VM's and what-not you can download to test/practice pentesting against? Imagine one of those, but made by bad_brain. It's still intentionally vulnerable, but the goal is to hack it without it hacking you first. That actually sounds pretty fucking cool

[ayu]

haha this is awesome .

Reminded me about a post I read about a guy who does something similar with bots that scans SSH xD.
Can't find the post/blog now but basically when his script detected that someone was attacking the server it started slowing down the responses so much that the scanner would just sort of hang there in infinity and do nothing x).

[computathug]

Ha ha brilliant. Love the url dildo.php, for some reason i remembered the song Dingo Bats, and changed it to Dildo Bots.

Stuck in my head now...