Keep your webserver protected
So the usual deal: I wake up and I can see that SilverStripe has emailed me 60 errors within 30 mins at 6:30 am.
I check my webserver in the morning, and Apache and the database are down. Looking through the logs I can see that my webserver has been scanned by the ZmEu vulnerability scanner:
18.104.22.168 "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 2432 "-" "ZmEu"
So ZmEu is a vulnerability scanner that finds and exploits holes in phpMyAdmin.
A quick check, and I can see the IP has been picked up by at least 1 honeypot, the IP itself being located in China. So it seems that the scanner is being used by someone there to check out various webservers to see who takes the bait.
The scanner was checking out heaps of different addresses, attempting to find an older version of phpMyAdmin. First off, I keep phpMyAdmin up to date, along with the rest of the software on my webserver. Second of all, I use a nonstandard phpMyAdmin URL, which they would not brute-force in a few hundred years.
So the scanner was unable to gain access, but the deluge of requests unfortunately flooded my server to its knees, essentially DoSing my server. Thanks for that.
A check on the net says to set up Apache to return HTTP status code 403 "Forbidden" for any request with the user agent "ZmEu". Seems like a good plan; let's hope the scanner's operators don't figure out how to change the user-agent string on the ZmEu scanner, or we're back at square one.
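Here is an added example of that Apache 2.4 configuration (my own illustration, not taken from the post or from any guide it refers to). It matches the "ZmEu" user agent, and, since the user-agent string is trivial to change, also the w00tw00t probe path seen in the log line above; the environment variable name block_scanner is just a label I chose.

```apache
# Apache 2.4 (needs mod_setenvif and mod_authz_core, both enabled by default).
# Tag a request as coming from the scanner if either the User-Agent contains
# "ZmEu" (case-insensitive) or the request path is the w00tw00t probe that
# the scanner sends regardless of which user agent it claims to be.
SetEnvIfNoCase User-Agent "ZmEu" block_scanner
SetEnvIfNoCase Request_URI "^/w00tw00t\." block_scanner

<Location "/">
    # Everyone is allowed, except requests that were tagged above.
    # Tagged requests get 403 Forbidden before any PHP (or phpMyAdmin) runs.
    <RequireAll>
        Require all granted
        Require not env block_scanner
    </RequireAll>
</Location>
```

The 403 is still logged, so a log-based tool such as fail2ban can then drop the source IP at the firewall, which is what actually stops the request flood rather than just the phpMyAdmin probing.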