Jorgee goes on a rampage

In a time-frame of just 10 seconds I got 1200 requests from the Jorgee vulnerability scanner, originating from 15 unique IP addresses. As usual it was just a blind attack probing a /24 subnet.

I deploy a rather aggressive ModSecurity with Fail2ban defense that banned every offending IP address within a few seconds. Still, I must admit that 1200 requests slipping through the cracks was a bit more than expected. I guess my RPi3 can’t really go toe to toe against Digital Ocean and other cloud based hosting providers.

Even if you don’t deploy a web application firewall it’s still easy to block these types of attacks with the Apache mod_rewrite module. Every single request followed the same pattern:

104.131.252.112 - - [01/Apr/..] "HEAD http://109.109..:80/phpMyAdmin/ HTTP/1.1" 403 - "-" "Mozilla/5.0 Jorgee"

User agent:

“Mozilla/5.0 Jorgee” => The attacker is polite and informs us it’s actually Jorgee, well known vulnerability scanner. We can simply block this attack by identifying “Jorgee” from its user agent string:

# Block bad user agents
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_USER_AGENT} ^.*(jorgee|morfeus|other).* [NC]
RewriteRule ^(.*)$ - [L,R=403]
</IfModule>

Host header:

http://IPADDRESS:PORT => A blind scan of IP addresses, at best performed against a block of static IP addresses. We’ll be less vulnerable against these sorts of attacks by not accepting numeric or unknown host headers:

# Block unwanted host headers
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_HOST} !^blog\.paranoidpenguin\.net$ [NC]
RewriteCond %{HTTP_HOST} !^www\.blog\.paranoidpenguin\.net$ [NC]
RewriteRule ^(.*)$ - [L,R=403]
</IfModule>
jorgee vulnerability scanner
A Jorgee vulnerability scan in progress.

The list of attacking IP addresses:

104.131.252.112
115.159.215.67
123.206.107.228
155.133.45.237
192.99.243.159
37.188.113.215
37.5.36.208
62.197.125.167
62.231.98.228
79.160.64.5
79.205.227.95
84.72.174.101
85.54.60.166
94.229.68.210

Thank you for reading!
Feel free to waste more time by subscribing to my RSS feed or check out the human-readable sitemap for more content.

Related posts