securing phpmyadmin / annoying bots with a tarpit

bad_brain
Site Owner
Posts: 11575
Joined: 06 Apr 2005, 16:00
Location: The zone.

securing phpmyadmin / annoying bots with a tarpit

Post by bad_brain »

When you are providing public services you can be sure it won't take long until lame bots start to appear. In our case there is a phpmyadmin backend available, which is of course a true bot magnet if you use the standard /phpmyadmin or /pma URLs.

Excerpt from the access log:

103.108.195.244 - - [08/Dec/2020:21:23:52 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:52 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:53 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:54 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:54 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:55 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:56 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:56 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:57 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:58 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:58 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:23:59 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:00 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:00 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:01 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:02 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:02 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:03 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:04 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17064 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
103.108.195.244 - - [08/Dec/2020:21:24:05 +0100] "POST /phpmyadmin/index.php HTTP/1.1" 200 17045 "http://95.216.184.25:80/phpmyadmin/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

So the first step is to use a non-standard URL. In Debian, using Apache2 and the phpmyadmin package from the repositories, you'll have to edit /etc/apache2/conf-available/phpmyadmin.conf
and simply change the Alias at the top of the file:

Alias /putyourcustomURLhere /usr/share/phpmyadmin

Don't forget to restart Apache! :wink:


Buuut....bots will still scan for the /phpmyadmin URL, so why not have a little fun with them? Here's where a tarpit comes into play; as the name suggests, it slows down bots and can tie up resources on the bot's side. In my case I am using Matthew Sigley's PHP-HTTP-Tarpit: https://github.com/msigley/PHP-HTTP-Tarpit
Make sure to check the README and the script itself, it has super fun options like:

	function rand_content( $random_content_length = 2048 ) {
		$random_words = array( '', 
							//Send them down a wild goose chase.
							'Public Key:', 
							'Private Key:',
							'Password',
							'Username',
							//Piss off people who aren't escaping content correctly in Unix or piping to grep.
							"\x03", //Interrupt
							"\x04", //Logout
							"\x07", //Beep
							"\x21", //Communication Error
							" | shutdown -r now",
							//Exploit grep Debian bug #736919 for those running out-of-date software and put grep in an infinite loop
							"\xe9\x65\n\xab\n"
							);

The setup is really easy and straightforward; make sure to use a URL rewrite and not a redirect to forward bots to the tarpit script.
In my example, access to /phpmyadmin is rewritten to the tarpit script dildo.php:

RewriteEngine on
RewriteCond %{QUERY_STRING} ^$
# No R flag: an internal rewrite keeps the bot on /phpmyadmin instead of handing it
# a 301 it may never follow. The pattern also catches /phpmyadmin/index.php, which is
# what the log above shows the bots posting to, and works in both vhost and .htaccess context.
RewriteRule ^/?phpmyadmin(/.*)?$ /dildo.php? [L]
that's it! *thumb*
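The same idea as the PHP tarpit above, written as a small standalone Python daemon so the mechanism is visible end to end. This is an added example for this thread, not the post's own config and not part of PHP-HTTP-Tarpit; the path pattern, the names should_tarpit, decoy_lines and TarpitHandler, the 5-second delay, the 10-minute cap and port 8080 are all assumptions. It answers a bot-magnet path with a 200 and a chunked body that never ends, dripping fake "credentials" one line at a time; the control-character tricks in the PHP snippet are left out on purpose, the drip alone is what ties up the scanner.

```python
"""Minimal HTTP tarpit for bot-magnet paths such as /phpmyadmin and /pma.

Added example for this thread; not the original post's setup and not
PHP-HTTP-Tarpit. All names, paths and timings here are hypothetical.
Idea: answer the scanner with a 200, then dribble an endless body of
worthless "credentials" a few bytes at a time, so each of its worker
threads hangs on us for minutes while costing us one mostly idle thread.
"""
import random
import re
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed list of paths that only scanners request once the real
# phpMyAdmin lives under a custom Alias; edit to match your layout.
TARPIT_PATHS = re.compile(r"^/(phpmyadmin|pma|myadmin|mysql)(/|$)", re.IGNORECASE)

# Labels that make the drivel look worth waiting for to a dumb harvester.
DECOYS = ("Username:", "Password:", "Private Key:", "Public Key:")


def should_tarpit(path: str) -> bool:
    """True if the request path (query string ignored) belongs in the tarpit."""
    return TARPIT_PATHS.match(path.split("?", 1)[0]) is not None


def decoy_lines(seed: int, count=None):
    """Yield `count` fake credential lines (endless when count is None).

    Seeded so a sequence is reproducible; the server picks a random seed.
    """
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    produced = 0
    while count is None or produced < count:
        label = rng.choice(DECOYS)
        value = "".join(rng.choice(alphabet) for _ in range(rng.randint(8, 24)))
        produced += 1
        yield f"{label} {value}\n".encode()


class TarpitHandler(BaseHTTPRequestHandler):
    # Seconds between chunks: long enough to waste the scanner's time,
    # short enough not to trip the read timeout of common HTTP client
    # libraries or of a reverse proxy sitting in front of this script.
    DELAY = 5.0
    # Hard cap so a patient bot cannot hold one of our threads forever.
    MAX_SECONDS = 600

    def _tarpit(self) -> None:
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        # Chunked: no Content-Length, so the client cannot know when to stop.
        self.send_header("Transfer-Encoding", "chunked")
        self.end_headers()
        deadline = time.monotonic() + self.MAX_SECONDS
        try:
            for line in decoy_lines(random.randrange(1 << 30)):
                if time.monotonic() > deadline:
                    break
                self.wfile.write(b"%x\r\n%s\r\n" % (len(line), line))
                self.wfile.flush()
                time.sleep(self.DELAY)
            self.wfile.write(b"0\r\n\r\n")  # terminating chunk
        except (BrokenPipeError, ConnectionResetError):
            pass  # the bot gave up first, which is the point

    def do_GET(self) -> None:
        if should_tarpit(self.path):
            self._tarpit()
        else:
            self.send_error(404)

    do_POST = do_GET  # the log above shows scanners POSTing to index.php


if __name__ == "__main__":
    # Bind to loopback and put Apache in front of it (see note below).
    ThreadingHTTPServer(("127.0.0.1", 8080), TarpitHandler).serve_forever()
```

To wire it into the Apache setup from the post, proxy the bait path to the daemon instead of rewriting to a PHP file, e.g. `ProxyPass /phpmyadmin http://127.0.0.1:8080/phpmyadmin` with mod_proxy and mod_proxy_http enabled (or a RewriteRule with the [P] flag). Keep DELAY below the proxy's backend timeout, otherwise Apache drops the connection before the bot does. ThreadingHTTPServer spends one thread per stuck client, so a scanner with many parallel connections costs you threads too; cap connections per source at the firewall, or rewrite the drip loop with asyncio if you expect volume.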

Gogeta70
^_^
Posts: 3257
Joined: 25 Jun 2005, 16:00

Re: securing phpmyadmin / annoying bots with a tarpit

Post by Gogeta70 »

Hahah! A web server that hacks you back, but only a little :lol:

It brings to mind an idea for a fun little project... You know those vulnerable VM's and what-not you can download to test/practice pentesting against? Imagine one of those, but made by bad_brain. It's still intentionally vulnerable, but the goal is to hack it without it hacking you first. That actually sounds pretty fucking cool :mrgreen:
¯\_(ツ)_/¯ It works on my machine...

ayu
Staff
Posts: 8070
Joined: 27 Aug 2005, 16:00

Re: securing phpmyadmin / annoying bots with a tarpit

Post by ayu »

haha this is awesome :D.

Reminded me of a post I read about a guy who does something similar with bots that scan SSH xD.
Can't find the post/blog now, but basically when his script detected that someone was attacking the server it started slowing down the responses so much that the scanner would just sort of hang there forever and do nothing x).
"The best place to hide a tree, is in a forest"

computathug
Administrator
Posts: 2677
Joined: 29 Mar 2007, 16:00
Location: UK

Re: securing phpmyadmin / annoying bots with a tarpit

Post by computathug »

Ha ha, brilliant. Love the URL dildo.php; for some reason I remembered the song Dingo Bats and changed it to Dildo Bots.

Stuck in my head now... :lol:
The devil can cite Scripture for his purpose.
-- William Shakespeare, "The Merchant of Venice"
https://www.rustytub.com
https://tshirt-memes.com/
