[Nagiosplug-help] Nagios plugin used to scan my site

[Alex Bond]

Sorry, this was called Nagiosplug-help, so I thought that this would be
a list to contact the developers.  I don't really know what Nagios
plugins do, so I thought that people might like to know how this
software was being used for malicious purposes.  I also hoped that I
could get some advice for defending against it.  Thanks for that.

What's happening is users from a variety of IPs appear to be using these
plugins to quickly attempt to view assorted administrative pages.  For
example, I'll see 100 or more pageview attempts in under a minute, all
attempting to access possible administrative pages like
"websql/main.php" or "mysql-admin/main.php".  Whenever this occurs, of
course I ban the IP, but the attack is just repeated a few days later
from a different IP address.  I contact the owner of the IP block, but
they've been less than helpful in stopping these attempts.

Thanks for your suggestion about rejecting these user agents.  

Alex

-----Original Message-----
From: Marc Powell [mailto:marc at ena.com] 
Sent: Thursday, July 23, 2009 10:55 AM
To: Nagios Plugin Help List; Alex Bond
Subject: Re: [Nagiosplug-help] Nagios plugin used to scan my site


On Jul 23, 2009, at 12:13 PM, Alex Bond wrote:

> Hello, I run a Drupal-based corporate website.  It's still in  
> development, so although it is live it is not yet open to the  
> public.  So far, aside from our developers, most of our web traffic  
> comes from user agent check_http/v2053 (nagios-plugins 1.4.13).   
> Your plugins are being used to scan our website for security  
> vulnerabilities in prelude for hacking attempts.  We have received  
> over 19,000 pageviews from this user agent alone, with more from  
> check_http/1.96 (nagios-plugins 1.4.5).  From your website, it does  
> not look like you are intending your software to be used as a  
> hacking tool, but that is exactly how it is being used.
>
> How can I prevent your plugins from being used to attack our website?

This is a users list so I can only respond from that perspective. We  
are just users of the nagios software, much like you are just a user  
of the Drupal software. If Drupal were used nefariously, would you go  
complain to the Drupal users and ask them how to stop some unknown  
person from doing it? Many kinds of software can be used for  
'inappropriate' purposes, even something as humble as 'ping'. In all  
cases, you find out who's doing it and stop _them_, you don't complain  
to other users of that software or even the developers of that  
software. Contacting us is like contacting other users of Microsoft  
Office because someone sent you a virus infected Word document. It's  
pointless.

Personally, I don't see how check_http could be used as a 'hacking'  
tool. check_http cannot be used to 'scan a website for security  
vulnerabilities'. Maybe someone has it configured to check  
availability of your website for some reason. Maybe that someone is on  
this list, maybe not. You've not provided enough information for them  
to know you're addressing them if they are. Whoever it is, they've  
done it on their own. If you did not give them permission to do so,  
that's on them, not us. Perhaps even, the user agent is being spoofed.  
That, in my mind, is more likely if true scanning is happening.

- Standard abuse logic would seem to apply...
	- You should be contacting the owner of the netblock from which
the  
abuse is originating and ask them to stop.
	- Why don't you configure your web server to reject or return an

error when you see those user agents? That'll get their attention.
	- Why don't you configure your firewall to reject connections
from  
the source address(es)? That'll get their attention.

--
Marc