iptables to block user agent - what am I doing wrong.
 

For over a month now I have been receiving thousands (3 or 4 every second atm) of the following on one of my domains:
I believe the problem is being caused by machines infected with the Pushdo virus (or similar) which apparently uses an algorithm to choose 300 domains to send these requests to, in order to mask it's real command requests and make finding the command and control systems more difficult to track down. It has not affected the server too much so far and banning IPs does not work as they change all the time. The problem is it is getting worse (more machines infected?) so I tried the following to stop it:

But it does not work. I am definitely no expert on iptables so I am hoping someone can tell me what I have done wrong? I realise that there is a chance of blocking a few legitimate users but I am willing to put up with that. If it is possible to only block POST traffic with the that user agent then even better!

I don't know if what I am trying to do is possible but I am starting to clutch at straws now as I don't want to leave it till the traffic is so high I have to close down the domain completely.

OS: CentOS 6.4

Try:
You can test it for completeness using
or possibly:
Others may have additional intput. ;)

I use .htaccess or httpd.conf for user_agent blocking, but that's just "me".
I've never tried it with UA strings in an iptable rule, but it could work.

Many Thanks
 

Thank you so much, that seems to have done the job! :hattip:

I would be interested to know if people think there is another, better way to deal with this?

I have to sort out the SMTP request from the virus now but that is for another day

Glad it works using iptables!

Here's how I deal with it using .htaccess

Open a terminal and >
and "see" where it 'takes' you

That's using .htaccess.

If you have root access you can modify the apache|httpd.conf file, OR if you don't have access to those configuration files,
then you can use .htaccess.
Fine tuning can be done on a site-by-site basis if you use http.conf or .htaccess. (some requests may be 'legimate'?)
I'd be happy to post the meat-and-potatoes of it.

Subscribed with interest...

Virus?
spewing spam are we?

Hi Habitual

Unfortunately although the iptables method blocked the required traffic, it caused loads of Apache child processes which refused to die and then caused the system to become unstable.

I would be most interested in the .htaccess method, it sounds like the solution I need. I have full root access but it is only one domain that is affected so I will use .htaccess rather than http.conf.

Thanks

ouch. Sorry about that!

I don't know how to write that string.
I have to 'borrow' from examples I find on the net.

Check this out --> http://stackoverflow.com/questions/1...ttack/18046104

That "drop" example doesn't include the option I gave:
this may be what's causing apache child processes which refuse to die. I am not sure.

Have you checked your domain at http://www.unmaskparasites.com/ ?
It's a very good place to see if your site is up to something nefarious.

Pay particular attention to entries in the External References section.

Why do you believe it's PushDo?

some santiized (masked IP of the host) logs would help for analysis...

More experienced gurus may have something else to include/offer.

Again, Sorry.

No need to apologise, you were trying to help and it almost worked.

I probably wasn't clear in my first post - It is not my server that is infected but is is being contacted by infected machines. The later variants of the Pushdo virus (and probably a few others now) are masking their true command and control systems by also contacting 300 other non infected sites (See here) This does not fit exactly with my problem as they describe a GET request whereas I am receiving POSTs but I have seen other reports of variants using POST. I am not 100% certain that this is the problem but unfortunately it looks like the algorithm used to choose these 300 domains is occasionally coming up with mine :( I am also receiving SMTP traffic from the same IPs, which fits in with the Pushdo 'modus operandi' as it also tries to send Spam at the same time.

All I want to do is block the requests. I can slow it down a bit with Fail2Ban on both the SMTP and HTTP side but the overhead for banning 100K+ IPs is quite high (even when using IPset - thanks to advice from this forum!)

I don't actually think there are that many infected systems contacting my domain, but rather the IPs are spoofed (I have yet to find a definitive answer on this). Inspecting the incoming packet TTLs with tcpdump *seems* to indicate 4 different sources but this is a VERY unreliable method. Also the steady stream of traffic would point to a low number of sources as there are no peaks and troughs as there would be if all these IPs were real?? If all the thousands of IPs I have logged were real I am sure they would have swamped the server a long time ago!

Sorry for rambling, but any help is gratefully received.

Scott

Scott:

Are you seeing any s_nn log hits as described here?

Do you have legitimate smtp traffic?

One small step could be drop all traffic for outdated user_agents such as MSIE 6.0?

Have you done an rkhunter scan?

John

Hi John

The article you linked to is from 2007, it is a very different version now (apparently first seen August this year) Not sure what the s_nn log is?

I do have legitimate SMTP traffic and that is all fine. The unwanted traffic consists of an malformed SMTP request which, I assume, is looking for an open relay or trying to trigger an unpatched exploit. This request simply times out, so apart from the slight hit on RAM and CPU resources, I am not too concerned about this side.

My system automatically does an rkhunter scan every week and I have done it manually a few times too. Like I said, I am 99% certain (as certain as you can ever be with servers!) that my system is clean. It is purely incoming requests that are of concern. I have gone over all the the logs and examined all the incoming and outgoing packets and everything leaving the server is legitimate. The only responses my server gives to these requests is to serve the home page as requested by the HTTP portion, and to return an error (Usually 502 5.5.2 Error: command not recognized but occasionally others) on the SMTP side. I have even compared all the image files on the site to my local originals as I have heard of jpegs holding C2 instructions. They are all fine and are never requested by these IPs anyway but just wanted to be sure!

I have tried to do this with .htaccess using the following:

But I get Internal Server Error so I am doing something wrong there. I was hoping to be able to be a bit more specific about what traffic to drop but if getting rid of IE6 users is the only option I will definitely take it!

Thanks again

Scott

If they are all MSIE 6.0 user_agents and you want to deny them, then

works on my host.
in my .htaccess "test"

My intent on sending you to that blog was for you to examine your log files more intently. :)
I've even asked for sanitized records from it...

For some reason that produces a redirect on any browser I have tried? (Firefox, Chrome and IE)

I don't know, it must be something specific to the httpd version.

I cannot tell on my shared hosting at GoDaddy what version I'm bound to.

Sorted! (Hopefully)
 

I used the following and it is working:

http://wordpress.org/support/topic/u...th-post-status
suggests changing your IP (A record) and using iptables with the drop rule.

That does look like it is the same thing. Strangely the requests in that log are already showing that they being 301 redirected?

Changing IP will not help as the traffic is resolving from the domain name so it would just move to the new IP, and dropping the domain name is not an option.

I have tried the iptables rule they suggest but it does the same as the one tried before - blocks the traffic but creates lots of Apache child processes.