stopping ZmEu attacks with ASP.NET MVC

asp.net asp.net-mvc security elmah
JGilmartin picture JGilmartin · Oct 2, 2010 · Viewed 10.6k times · Source

recently my elmah exception logs are full of attempts from people using thus dam ZmEu security software against my server

for those thinking “what the hell is ZmEu?” here is an explanation...

“ZmEu appears to be a security tool used for discovering security holes in in version 2.x.x of PHPMyAdmin, a web based MySQL database manager. The tool appears to have originated from somewhere in Eastern Europe. Like what seems to happen to all black hat security tools, it made its way to China, where it has been used ever since for non stop brute force attacks against web servers all over the world.”

Heres a great link about this annoying attack -> http://www.philriesch.com/articles/2010/07/getting-a-little-sick-of-zmeu/

Im using .net so they aint gonna find PHPMyAdmin on my server but the fact that my logs are full ofZmEu attacks its becoming tiresome.

The link above provide a great fix using HTAccess, but im using IIS7.5, not apache. I have a asp.net MVC 2 site, so im using the global.asax file to create my routes

Here is the HTAccess seugestion

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/path/to/your/abusefile.php
RewriteCond %{HTTP_USER_AGENT} (.*)ZmEu(.*)
RewriteRule .* http://www.yourdomain.com/path/to/your/abusefile.php [R=301,L]
</IfModule>

My question is there anything i can add like this in the Global.ascx file that does the same thing ?

Answer

codeulike picture codeulike · Oct 25, 2010

An alternative answer to my other one ... this one specifically stops Elmah from logging the 404 errors generated by ZmEu, while leaving the rest of your sites behaviour unchanged. This might be a bit less conspicuous than returning messages straight to the hackers.

You can control what sorts of things Elmah logs in various ways, one way is adding this to the Global.asax

void ErrorLog_Filtering(object sender, ExceptionFilterEventArgs e)
{
    if (e.Exception.GetBaseException() is HttpException)
    {
        HttpException httpEx = (HttpException)e.Exception.GetBaseException();
        if (httpEx.GetHttpCode() == 404)
        {
            if (Request.UserAgent.Contains("ZmEu"))
            {
                // stop Elmah from logging it
                e.Dismiss();
                // log it somewhere else
                logger.InfoFormat("ZmEu request detected from IP {0} at address {1}", Request.UserHostAddress, Request.Url);
            }           
        }
    }
}

For this event to fire, you'll need to reference the Elmah DLL from your project, and add a using Elmah; to the top of your Global.asax.cs.

The line starting logger.InfoFormat assumes you are using log4net. If not, change it to something else.

Related questions

How do I secure Elmah on ASP.Net MVC 4 with Windows Integrated Security : Elmah ignores my settings

I've added elmah to an asp.net mvc 4 application. Logging is working and now I am trying to configure security but elmah is not picking up the settings and the logs remain visible by all users. This is an intranet …

Read More
How can I set the 'secure' flag for cookies in an ASP.NET MVC website?

I have set the following in web.config: <system.web> <httpCookies httpOnlyCookies="true" requireSSL="true" /> </system.web> When I hit the website using an HTTP connection, it redirects to my login page (specifying the …

Read More
A potentially dangerous Request.Form value was detected from the client

Every time a user posts something containing < or > in a page in my web application, I get this exception thrown. I don't want to go into the discussion about the smartness of throwing an exception or crashing an …

Read More