-3

Just noticed that my AWS hosted site added a new instance to the LB, and went in to see why. Didn't really see any major upticks, so I checked the logs. Found this (I have replaced a few numbers in the IP addresses for safety):

2017-10-12 03:18:40 172.X.X.152 HEAD /MySite_deploy/db/phpmyadmin3/ - 80 - 172.Y.Y.203 Mozilla/5.0+Jorgee - 404 0 2 0
2017-10-12 03:18:41 172.X.X.152 HEAD /MySite_deploy/administrator/phpmyadmin/ - 80 - 172.Y.Y.203 Mozilla/5.0+Jorgee - 404 0 2 0
2017-10-12 03:18:42 172.X.X.152 HEAD /MySite_deploy/administrator/web/ - 80 - 172.Y.Y.203 Mozilla/5.0+Jorgee - 404 0 2 15
2017-10-12 03:18:45 172.X.X.152 HEAD /MySite_deploy/administrator/admin/ - 80 - 172.Y.Y.203 Mozilla/5.0+Jorgee - 404 0 2 0
2017-10-12 03:18:46 172.X.X.152 HEAD /MySite_deploy/phpMyAdmin4/ - 80 - 172.Y.Y.203 Mozilla/5.0+Jorgee - 404 0 2 0
2017-10-12 03:18:47 172.X.X.152 HEAD /MySite_deploy/PMA2011/ - 80 - 172.Y.Y.203 Mozilla/5.0+Jorgee - 404 0 2 0
2017-10-12 03:18:47 172.X.X.152 GET /MySite_deploy/default.aspx - 80 - 172.31.8.111 ELB-HealthChecker/1.0 - 200 0 0 0
2017-10-12 03:18:47 172.X.X.152 HEAD /MySite_deploy/PMA2013/ - 80 - 172.Y.Y.203 Mozilla/5.0+Jorgee - 404 0 2 0
2017-10-12 03:18:49 172.X.X.152 GET /MySite_deploy/default.aspx - 80 - 172.Y.Y.203 ELB-HealthChecker/1.0 - 200 0 0 0
2017-10-12 03:18:49 172.X.X.152 HEAD /MySite_deploy/PMA2015/ - 80 - 172.Y.Y.203 Mozilla/5.0+Jorgee - 404 0 2 0
2017-10-12 03:18:50 172.X.X.152 HEAD /MySite_deploy/PMA2018/ - 80 - 172.Y.Y.203 Mozilla/5.0+Jorgee - 404 0 2 0
2017-10-12 03:18:52 172.X.X.152 HEAD /MySite_deploy/pma2013/ - 80 - 172.Y.Y.203 Mozilla/5.0+Jorgee - 404 0 2 0
2017-10-12 03:18:54 172.X.X.152 HEAD /MySite_deploy/pma2016/ - 80 - 172.Y.Y.203 Mozilla/5.0+Jorgee - 404 0 2 0
2017-10-12 03:18:55 172.X.X.152 HEAD /MySite_deploy/phpmyadmin2011/ - 80 - 172.Y.Y.203 Mozilla/5.0+Jorgee - 404 0 2 0
2017-10-12 03:18:56 172.X.X.152 HEAD /MySite_deploy/phpmyadmin2014/ - 80 - 172.Y.Y.203 Mozilla/5.0+Jorgee - 404 0 2 0
2017-10-12 03:18:57 172.X.X.152 HEAD /MySite_deploy/phpmyadmin2017/ - 80 - 172.Y.Y.203 Mozilla/5.0+Jorgee - 404 0 2 0
2017-10-12 03:18:57 172.X.X.152 HEAD /MySite_deploy/phpmanager/ - 80 - 172.Y.Y.203 Mozilla/5.0+Jorgee - 404 0 2 15

Is someone trying to gain access? How can I prevent attacks like this? Can I even?

Regards,

Bob

Robert Benedetto
  • 1,590
  • 2
  • 29
  • 52
  • yes, it is a hacking attempt. You will see this a lot. There is not much you can do about it, just remove all unnecessary applications and double check the configuration and passwords so that a hacker cannot get access easily. – Henry Oct 12 '17 at 03:49
  • 1
    Possible duplicate of [Is someone trying to hack my server? Please tell me what can I do?](https://stackoverflow.com/questions/25790261/is-someone-trying-to-hack-my-server-please-tell-me-what-can-i-do) – Jamie Starke Oct 12 '17 at 04:25
  • 1
    You can use something like nginx or apache to deny access to your admin page from everywhere. Example: just allow your IP, or use a rewrite to change the path. Some websites set the admin page on another port (different from 80) and only allow it from some IPs – Bui Anh Tuan Oct 12 '17 at 05:07

3 Answers

1

You can also use a software application firewall like fail2ban to detect such attacks and write rules to block the originating IPs.

Shantanu
  • 2,206
  • 18
  • 16
0

If you are willing to spend some cash then you can deploy AWS WAF/CDN. WAF comes with some pre-canned bots which block IP addresses when the number of requests is higher than the configured threshold. You can configure a lot more but it's an expensive solution.

Suken Shah
  • 1,622
  • 14
  • 20
0

Jorgee is not hacking your site but it is scanning for common applications that can be used to exploit your web site. Pretty soon your log files will contain so much traffic from bad actors ....

I recommend setting up Amazon WAF (Web Application Firewall). WAF is inexpensive. The WAF ACL costs $5.00 per month and each rule costs $1.00 per month. We have one WAF for several web sites for a total cost of $13.00. You will also need to set up a load balancer or CloudFront to attach the WAF to.

The combination of WAF and load balancing reduced so much garbage traffic that we reduced the instance sizes, meaning that we are saving money.

John Hanley
  • 74,467
  • 6
  • 95
  • 159
  • You can set the same rules on your webserver - you don't need WAF for this. It may be a good solution in some cases, but with the right config, bad requests shouldn't even register as far as the server load is concerned. – viraptor Oct 12 '17 at 04:17
  • WAF sounds like a good idea. I'll investigate, but how would I filter out Jorgee? Will I basically just have to say "anything with Jorgee in the header, block it" or will it by IP or so on? Will have a look at it, just want to have a heads up. – Robert Benedetto Oct 12 '17 at 04:29
  • Basically you create a "string matching condition" on "user-agent contains jorgee". Then a rule that uses this string matching condition. WAF is very easy to setup. – John Hanley Oct 12 '17 at 04:37
  • Thanks, got it set up :) – Robert Benedetto Oct 12 '17 at 12:30
  • Hmmm, I have to be using CloudFront for this to work? Says there are no associated resources, and I only get CloudFront options. I am running in the Singapore region, and there is not even an option to select Singapore? – Robert Benedetto Oct 12 '17 at 12:34
  • There are two types of WAF, Global and Regional. Global WAFs are attached to CloudFront distributions. Regional WAFs are attached to load balancers (ALB / NLB but not CLB) in a region (and not all regions are supported). – John Hanley Oct 12 '17 at 14:42
  • 12. In what Regions is AWS WAF on ALB available in? US East (Northern Virginia), US West (North California), US West (Oregon), Asia Pacific (Tokyo) and EU (Ireland) https://aws.amazon.com/waf/faq/ – John Hanley Oct 12 '17 at 15:00