Apache: Stopping some web attacks



At Crucial we host a fair few websites, not to mention those run by our VPS customers.

All up, there are a considerable number of websites running inside our Australian and American networks.

When it comes to running a web server, security is paramount. Unfortunately there are people out in the ether who want to hurt you, and it's your responsibility to get your own homeland security set up and hardened.

So this is a little blog entry to help you get yourself a bit more secure.

Recently I have seen an uptick in the "ZmEu" attack script. The script is attributed to a group of Romanian hackers, who named it "ZmEu" after a creature from Romanian mythology.

The script walks a list of scripts and directories of common interest, /phpMyAdmin/* for example. What it is really after is unprotected setup scripts (phpMyAdmin's scripts/setup.php in particular) and anything else that might let a foreign host into something valuable, such as your databases!

An example of this is:

{attacking_IP} - - [08/May/2011:11:18:00 +1000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 318 "-" "ZmEu"
{attacking_IP} - - [08/May/2011:11:18:01 +1000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 305 "-" "ZmEu"
{attacking_IP} - - [08/May/2011:11:18:01 +1000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 305 "-" "ZmEu"
{attacking_IP} - - [08/May/2011:11:18:02 +1000] "GET /pma/scripts/setup.php HTTP/1.1" 404 298 "-" "ZmEu"
{attacking_IP} - - [08/May/2011:11:18:02 +1000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 302 "-" "ZmEu"
{attacking_IP} - - [08/May/2011:11:18:03 +1000] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 302 "-" "ZmEu"

Leave your installations unprotected and this becomes a very easy way for an attacker to cause serious problems for you, your customers and your websites!

Guess what though? There's a quick and easy fix that gets rid of the bulk of ZmEu attacks!

The User-Agent header that ZmEu sends is simply "ZmEu", voilà, easy! Bear in mind that the User-Agent is set by the client, so this only stops the script as shipped; anyone who edits that string walks straight past the rule. The block cuts the noise, but the real fix is to remove or password-protect the phpMyAdmin setup script once your configuration is generated, so there is nothing for the probe to find.

Let's block it at the Apache level. Add this to the main server config, or inside any <VirtualHost>, <Directory> or <Location> block (a .htaccess file works too, provided AllowOverride permits it). On Apache 2.4 the same thing is written with <RequireAll>, Require all granted and Require not env GoAway instead of Order/Allow/Deny:

# Apache 2.2 syntax: needs mod_setenvif (SetEnvIf) and mod_authz_host (Order/Allow/Deny).
# SetEnvIf takes a regex, so this matches any User-Agent containing "ZmEu" (case-sensitive).
SetEnvIf User-Agent ZmEu GoAway=1
Order allow,deny
Allow from all
Deny from env=GoAway

Then run apachectl configtest, restart Apache and keep watching the log files: once the rule is live, ZmEu requests show up as 403s instead of 404s.
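Watching the logs by eye gets old fast, so here is an added example (my own code, not from the original post) that parses Apache combined-format lines, flags ZmEu-style requests both by User-Agent and by the probe paths above, tallies them per client IP, and tells you which IPs are still getting something other than 403 for "ZmEu" requests, which means the Deny rule is not in effect for that vhost. The sample log lines are constructed for the example (IPs from the RFC 5737 documentation ranges); matching on the path as well as the User-Agent goes beyond the post's rule so that the same probe is still spotted when the scanner is run with a different User-Agent.

```python
"""Flag ZmEu-style probes in an Apache combined log and check that the
SetEnvIf/Deny rule is actually refusing them. Added example; the sample
log below is constructed, not captured from a real server."""
import re
from collections import Counter, defaultdict

# Apache "combined" log format (the format of the lines quoted in the post).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# What ZmEu asks for: a phpMyAdmin setup script under any directory name, or
# its "w00tw00t" calling-card request. Matching the path catches the same
# probe even when the scanner is run with a different User-Agent.
PROBE_RE = re.compile(r'(?i)/scripts/setup\.php$|^/w00tw00t\.')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Reasons a request looks like ZmEu: 'ua' (User-Agent contains ZmEu)
    and/or 'probe' (path is a setup-script or w00tw00t request)."""
    reasons = []
    if 'zmeu' in entry['ua'].lower():
        reasons.append('ua')
    if PROBE_RE.search(entry['path']):
        reasons.append('probe')
    return reasons


def scan(lines):
    """Aggregate flagged requests per client IP.
    Returns (stats, unparsed): stats[ip] holds hit counts per reason, the
    status codes Apache answered with, and the status codes of UA-flagged hits."""
    stats = defaultdict(lambda: {'hits': 0, 'ua': 0, 'probe': 0,
                                 'status': Counter(), 'ua_status': Counter()})
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        reasons = classify(entry)
        if not reasons:
            continue
        s = stats[entry['ip']]
        s['hits'] += 1
        s['status'][entry['status']] += 1
        for r in reasons:
            s[r] += 1
        if 'ua' in reasons:
            s['ua_status'][entry['status']] += 1
    return dict(stats), unparsed


def unblocked_zmeu(stats):
    """IPs whose "ZmEu" User-Agent requests got anything other than 403, with
    the count of such requests. Once the Deny rule is live every one of them
    should be a 403; a 404 means the request reached the URL space and only
    failed because nothing was there."""
    return {ip: sum(n for code, n in s['ua_status'].items() if code != '403')
            for ip, s in stats.items()
            if any(code != '403' for code in s['ua_status'])}


# Constructed sample: three probes before the rule was added, one legitimate
# visitor, one setup.php probe with a non-ZmEu User-Agent, one probe after
# the rule (now a 403), and one line that is not in combined format.
SAMPLE_LOG = """\
192.0.2.10 - - [08/May/2011:11:18:00 +1000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 318 "-" "ZmEu"
192.0.2.10 - - [08/May/2011:11:18:01 +1000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 305 "-" "ZmEu"
192.0.2.10 - - [08/May/2011:11:18:02 +1000] "GET /pma/scripts/setup.php HTTP/1.1" 404 298 "-" "ZmEu"
203.0.113.5 - - [08/May/2011:11:19:00 +1000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0"
198.51.100.7 - - [08/May/2011:11:20:00 +1000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [08/May/2011:12:05:00 +1000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 289 "-" "ZmEu"
this line is not in combined format
"""

if __name__ == '__main__':
    stats, unparsed = scan(SAMPLE_LOG.splitlines())
    for ip, s in sorted(stats.items()):
        print(f"{ip}: {s['hits']} flagged (ua={s['ua']}, probe={s['probe']}), "
              f"statuses={dict(s['status'])}")
    print("still getting through with UA ZmEu:", unblocked_zmeu(stats))
    print("unparsed lines:", unparsed)
```

Run it against your real access log with something like `scan(open('/var/log/apache2/access.log'))`. If `unblocked_zmeu` comes back empty but the probe counts keep climbing for IPs with no 'ua' reason, the scanner has changed its User-Agent and the SetEnvIf rule no longer sees it; that is the point at which blocking by path, or removing the setup script altogether, is the better answer.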

Also, while you're at it, you should be installing Suhosin (php-suhosin) and the CSF firewall; I'll cover those in another blog post!

Thanks,

Karl.