What is muieblackcat?


For some time now there has been a bot on the internet that scans websites for vulnerabilities. It scans from several IP addresses, which makes it hard to pin down. However, the Apache logs always contain a request of the form http://domeniu.ro/muieblackcat, followed by many requests for URLs pointing at the setup scripts of particular applications.
Example requests:
ip:219.94.198.229, page:http://www.tutorialepc.info/muieblackcat,
ip:219.94.198.229, page:http://www.tutorialepc.info//phpMyAdmin-2.6.4-pl3/libraries/dbg/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info//old/padmin/libraries/dbg/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///xampp/phpmyadmin/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///web/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///php-my-admin/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///typo3/phpmyadmin/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///admin/pma/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///admin/phpmyadmin/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info//sql/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info//php/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///PHPMYADMIN/%20/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///phpMyADMIN//scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///PHPMyAdmin//scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info//web/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info//_admin/pma/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info//_myadmin/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info//_scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info//tools/_phpmyadmin/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info//_admin/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info//tools/_pma/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info//phpmyadmino-ld/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info//tools/pma/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///backup/phpmyadmin//scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///backup/phpMyAdmin//scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///oldweb/phpMyAdmin//scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///oldweb/phpmyadmin//scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///web1/phpmyadmin//scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///web2/phpmyadmin//scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///old/phpmyadmin//scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///old/phpMyAdmin//scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///phpMyAdminz//scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///phpMyAdmi//scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///pma4//scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info///pma1//scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info//phpMyAdmin-2.10.3/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info//phpMyAdmin-2.9.1.1/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info//phpMyAdmin-2.10.1/scripts/setup.php,
ip:219.94.198.229, page:http://www.tutorialepc.info//pma/libraries/dbg/setup.php,
It has the following characteristics:
- it requests the page http://domeniu.ro/muieblackcat. Some sites that have this page indexed redirect to a site that tries to download malware onto your computer, showing the following popup: Windows Antivirus 2011 has found critical process activity on your PC and will perform fast scan of system files!. Google appears to index pages of this kind, and only some of them carry a malware warning.
- it injects spam text and images at that URL
- it probes for the setup scripts of popular web applications (in the log above, phpMyAdmin's scripts/setup.php and libraries/dbg/setup.php under dozens of guessed directory names, case variants and doubled slashes) and, more generally, for vulnerable websites.
Ways to block this bot:
- almost every website has a .htaccess file at its root. After the line RewriteEngine On, add the line RewriteRule muieblackcat - [F]. Once it is in place, requesting http://domeniu.ro/muieblackcat should return a 403 Forbidden page instead of any content (the [F] flag tells mod_rewrite to refuse the request, and the pattern matches any URL containing muieblackcat). Also make sure that page does not exist anywhere else on the site. To be extra safe, check Diagnostics -> Malware for your site in Webmaster Tools.
- like the previous method, this one also involves editing the .htaccess file at the root of the website, but it will not be as effective as the first because, as said above, this bot scans from several IP addresses. The directives below use Apache 2.2 access-control syntax (on Apache 2.4 they require mod_access_compat, or the equivalent Require not ip rules). Put them at the top of the .htaccess file:
order allow,deny
deny from 82.177.164.171
deny from 219.94.198.229
allow from all
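The detection and blocking steps above, as an added example that is not code from the original post: a Python script that parses Apache combined-format access log lines, flags the /muieblackcat marker and the setup.php probes, groups them by client IP, counts how many of those requests the server actually answered with a 2xx (the author's "make sure the page does not exist" check, done from the log), and emits the deny lines of the second method. The sample log lines are constructed for this example; the IPs 203.0.113.9 and 198.51.100.x, the timestamps and the "more than one probe" threshold are assumptions, while 219.94.198.229 and 82.177.164.171 are the two IPs named in the post.

```python
import re
from collections import defaultdict

# Constructed sample in Apache "combined" format (not real log data). It mirrors
# the pattern in the post: a hit on /muieblackcat, then guesses at phpMyAdmin's
# setup.php. 203.0.113.9 is an assumed IP whose marker request got a 200, i.e.
# the path really exists on that site; the 198.51.100.x lines are benign traffic.
SAMPLE_LOG = """\
219.94.198.229 - - [07/Sep/2011:10:15:01 +0300] "GET /muieblackcat HTTP/1.1" 404 209 "-" "-"
219.94.198.229 - - [07/Sep/2011:10:15:02 +0300] "GET //phpMyAdmin-2.6.4-pl3/libraries/dbg/setup.php HTTP/1.1" 404 209 "-" "-"
219.94.198.229 - - [07/Sep/2011:10:15:02 +0300] "GET ///xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 209 "-" "-"
219.94.198.229 - - [07/Sep/2011:10:15:03 +0300] "GET ///PHPMYADMIN/%20/scripts/setup.php HTTP/1.1" 404 209 "-" "-"
82.177.164.171 - - [07/Sep/2011:11:02:44 +0300] "GET /muieblackcat HTTP/1.1" 403 199 "-" "-"
82.177.164.171 - - [07/Sep/2011:11:02:45 +0300] "GET //pma/scripts/setup.php HTTP/1.1" 404 209 "-" "-"
203.0.113.9 - - [07/Sep/2011:12:00:10 +0300] "GET /muieblackcat HTTP/1.1" 200 612 "-" "-"
198.51.100.5 - - [07/Sep/2011:11:10:00 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Sep/2011:11:12:00 +0300] "GET /phpmyadmin/index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Sep/2011:11:13:00 +0300] "GET /pma/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# The two signatures described in the post. The marker is compared exactly after
# slash collapsing; the probe regex matches the phpMyAdmin setup script under any
# directory prefix and any letter case.
MARKER = "/muieblackcat"
PROBE_RE = re.compile(r"/(scripts|libraries/dbg)/setup\.php$", re.IGNORECASE)


def normalize_path(path):
    """Drop the query string and collapse runs of '/' so '//pma//x' == '/pma/x'."""
    path = path.split("?", 1)[0]
    return re.sub(r"/+", "/", path)


def parse_line(line):
    """Return a dict with ip, ts, method, normalized path and int status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = normalize_path(rec["path"])
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """'marker', 'probe' or None for one normalized request path."""
    if path == MARKER:
        return "marker"
    if PROBE_RE.search(path):
        return "probe"
    return None


def scan(log_text):
    """Group suspicious requests by client IP.

    Returns {ip: {"marker": n, "probe": n, "served": n}}. "served" counts marker
    or probe requests answered with 2xx: a non-zero value means the path exists
    on the site and must be inspected by hand, as the post recommends.
    """
    hits = defaultdict(lambda: {"marker": 0, "probe": 0, "served": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["path"])
        if kind is None:
            continue
        hits[rec["ip"]][kind] += 1
        if 200 <= rec["status"] < 300:
            hits[rec["ip"]]["served"] += 1
    return dict(hits)


def scanner_ips(hits):
    """IPs that fetched the marker, or fired more than one setup.php probe (assumed threshold)."""
    return sorted(ip for ip, h in hits.items() if h["marker"] or h["probe"] > 1)


def htaccess_deny_block(ips):
    """Apache 2.2-style access rules for the given IPs (the post's second method)."""
    lines = ["order allow,deny"]
    lines += ["deny from %s" % ip for ip in ips]
    lines.append("allow from all")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip in scanner_ips(hits):
        print(ip, hits[ip])
    print(htaccess_deny_block(scanner_ips(hits)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. The IP deny list it prints has the limitation the post states: the scanner rotates addresses, so the RewriteRule on the marker path remains the more reliable control, and any IP with a non-zero "served" count points at a path on your own site that answers the bot with content and needs checking.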
Conclusions:
On .ro sites there are currently 6640 results of this kind. Click here to view them. Worldwide, 378,000 results came up for topics on this subject.

Posted on Wednesday, 7 September 2011.
