Jorgee user-agent Block

Discussion in 'General Support' started by david62311, Jul 18, 2017.

  1. david62311

    david62311 Well-Known Member

    I had trouble stopping constant scans on my Webid website. The scans were happening and I couldn't stop the Jorgee user-agent like I normally could stop other user-agents from even seeing the site. The scans were crazy. The Jorgee user-agent was looking for non-existent links on my site. The only one it was trying to hit that existed was the /admin folder.

    I had this block up in my .htaccess panel. I shortened this list so you don't have to look at the whole list.

    Code:
    # BLOCK USER AGENTS
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} Jorgee [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Presto/2 [NC]
    RewriteRule !^robots\.txt$ - [F]
    I had the block list like that and the scans kept coming. It was showing the Jorgee user-agent a 403 page and was blocking it, but it kept running similar scans over and over again and did so for about a month. Normally a block like I have there wouldn't even allow the user-agent to see the page. It was weird that it was allowing the scan to happen.

    The scans look something like this and they repeated a lot with various different IPs each time. There was no IP range to block out because they kept changing and were never even close to being the same.

    Code:
    /2phpmyadmin/
    /MyAdmin/
    /PMA/
    /PMA2011/
    /PMA2012/
    /admin/
    /admin/db/
    /admin/pMA/
    /admin/phpMyAdmin/
    /admin/phpmyadmin/
    /admin/sqladmin/
    /admin/sysadmin/
    /admin/web/
    /administrator/PMA/
    /administrator/admin/
    /administrator/db/
    /administrator/phpMyAdmin/
    /administrator/phpmyadmin/
    /administrator/pma/
    /administrator/web/
    /database/
    /db/
    /db/db-admin/
    /db/dbadmin/
    /db/dbweb/
    /db/myadmin/
    /db/phpMyAdmin-3/
    /db/phpMyAdmin/
    /db/phpMyAdmin3/
    /db/phpmyadmin/
    /db/phpmyadmin3/
    /db/webadmin/
    /db/webdb/
    /db/websql/
    /dbadmin/
    /myadmin/
    /mysql-admin/
    /mysql/
    /mysql/admin/
    /mysql/db/
    /mysql/dbadmin/
    /mysql/mysqlmanager/
    /mysql/pMA/
    /mysql/pma/
    /mysql/sqlmanager/
    /mysql/web/
    /mysqladmin/
    /mysqlmanager/
    /php-my-admin/
    /php-myadmin/
    /phpMyAdmin-3/
    /phpMyAdmin/
    /phpMyAdmin2/
    /phpMyAdmin3/
    /phpMyAdmin4/
    /phpMyadmin/
    /phpmanager/
    /phpmy-admin/
    /phpmy/
    /phpmyAdmin/
    /phpmyadmin/
    /phpmyadmin2/
    /phpmyadmin3/
    /phpmyadmin4/
    /phppma/
    /pma/
    /pma2011/
    /pma2012/
    /program/
    /shopdb/
    /sql/myadmin/
    /sql/php-myadmin/
    /sql/phpMyAdmin/
    /sql/phpMyAdmin2/
    /sql/phpmanager/
    /sql/phpmy-admin/
    /sql/phpmyadmin2/
    /sql/sql-admin/
    /sql/sql/
    /sql/sqladmin/
    /sql/sqlweb/
    /sql/webadmin/
    /sql/webdb/
    /sql/websql/
    /sqlmanager/

    You can imagine I was stumped that it kept doing scans like that with my block that should have blocked that. These types of scans lasted over a month according to my Raw Access log. I had a hunch and removed all of my .htaccess codes on both the Webid site and my main server, but I left ZB Block up and running to see if it would stop the Jorgee user-agent from scanning my site. ZB Block never even saw it. The Jorgee user-agent was seeing 405 pages after I released the .htaccess codes, which means the pages didn't exist. I guess I was thinking if I showed the Jorgee user-agent that the pages were not there it would stop scanning, but it continued scanning my site.

    Today I was searching for another way to block the Jorgee user-agent and found one. I added this to my .htaccess file above my user-agent blocks and it seems to work. I don't believe I needed other or morfeus added to it. I believe that is just an example to add other ones, but this blocked the Jorgee user-agent... and now I feel a little bit relaxed. This block I added to my .htaccess file below worked! Phew!

    Code:
    # Block bad user agents
    <IfModule mod_rewrite.c>
    RewriteCond %{HTTP_USER_AGENT} ^.*(jorgee|morfeus|other).* [NC]
    RewriteRule ^(.*)$ - [L,R=403]
    </IfModule>

    I thought I would share this information with you in case you come across the jorgee user-agent running scans like it did on my site.
     
  2. skyhigh

    skyhigh Member

    The scan, is it a bad thing?
     
  3. david62311

    david62311 Well-Known Member

    A lot of things that scan a site are usually not a good thing, but you still need search engines to scan your site(s) if you want them to be discovered. Most of the time the bad things that scan a site are looking for holes or backdoors to get in and compromise a site and server. What this Jorgee user-agent scan tried to scan made my jaw drop even though the only thing it would have found would have been the admin folder.

    My blocks that I shared seemed to have held just for the afternoon yesterday. The simple .htaccess blocks should not have let the scanner even see my site. I checked my site last night and the scans had stopped yesterday. Today they were back, scanning about 20 links at a time per random IP, and were just making a mess of my logs and possibly slowing down my site.

    I added this to the main .htaccess file in the public folder and it seemed to have stopped it for now. It seems like I have to add the full string to make it work. I never had to do that before. All I had to do was add only part of the string.

    Code:
    RewriteCond %{HTTP_USER_AGENT} Mozilla/5\.0\ Jorgee [NC,OR]
    Here's just a small part of my block code that didn't work and it should have.

    Code:
    RewriteCond %{HTTP_USER_AGENT} Jorgee [NC,OR]
    I will share just part of my blocking codes in my public .htaccess file. Anybody can use this and add their own user-agent blocks. Just make sure the last user-agent block has no OR at the end, like I have in the example, or it will cause problems. This is a block in my main public folder .htaccess file. If you want to add more user-agent blocks then add them in the middle with the OR added to it. Also add the blank block one too. I can't even tell you how many times that block has saved my site from a brute force attack.

    Code:
    # BLOCK USER AGENTS
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} beast [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} curl [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} echo [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} grab [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Java [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} Mozilla/5\.0\ Jorgee [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} YandexBot [NC]
    RewriteRule !^robots\.txt$ - [F]
    
    # BLOCK BLANK USER AGENTS
    RewriteCond %{HTTP_USER_AGENT} ^-?$
    RewriteRule ^ - [F]
    
    If something new comes up with the Jorgee scans on my site then I will add a new post here with a block for it. I've never had a problem blocking user-agents and stopping them from even seeing my site until this Jorgee user-agent came along. The Jorgee user-agent seems to use a HEAD method instead of GET which is different than what I am used to seeing.
     
    Last edited: Jul 19, 2017
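As an added example (not code from the thread), a small Python log checker for the behaviour the posts above describe: HEAD requests against phpMyAdmin-style paths from a different IP each time, continuing through 403 and 404 responses. It parses Apache combined-format access log lines and flags user agents showing that pattern; the log lines, IPs and the probe-path list are constructed for the example.

```python
import re
from collections import defaultdict

# Apache "combined" log format. The log lines, IPs and paths below are
# constructed for this example; none of them come from the poster's logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Database/admin panel paths of the kind listed in the first post (a subset).
PROBE_PATH_RE = re.compile(
    r'/(phpmyadmin\d*|pma\d*|myadmin|mysql|db|sql|admin|administrator)/', re.I
)

SAMPLE_LOG = """\
203.0.113.10 - - [18/Jul/2017:10:01:02 +0000] "HEAD /phpMyAdmin/ HTTP/1.1" 403 - "-" "Mozilla/5.0 Jorgee"
203.0.113.10 - - [18/Jul/2017:10:01:02 +0000] "HEAD /pma2012/ HTTP/1.1" 403 - "-" "Mozilla/5.0 Jorgee"
198.51.100.7 - - [18/Jul/2017:10:02:15 +0000] "HEAD /admin/ HTTP/1.1" 403 - "-" "Mozilla/5.0 Jorgee"
198.51.100.7 - - [18/Jul/2017:10:02:16 +0000] "HEAD /db/webadmin/ HTTP/1.1" 404 - "-" "Mozilla/5.0 Jorgee"
192.0.2.33 - - [18/Jul/2017:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/59.0"
192.0.2.44 - - [18/Jul/2017:10:06:00 +0000] "GET /robots.txt HTTP/1.1" 200 70 "-" "Googlebot/2.1"
"""

def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize_probes(log_text):
    """Group HEAD requests to panel paths by user agent: {ua: {ips, paths, hits}}.
    The status code is ignored on purpose: the thread shows the scan carrying on
    through both 403 and 404 responses, so blocking alone does not end it."""
    summary = defaultdict(lambda: {"ips": set(), "paths": set(), "hits": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "HEAD" and PROBE_PATH_RE.search(rec["path"]):
            entry = summary[rec["ua"]]
            entry["ips"].add(rec["ip"])
            entry["paths"].add(rec["path"])
            entry["hits"] += 1
    return dict(summary)

def flag_scanners(summary, min_hits=3):
    """User agents that probed panel paths with HEAD from more than one IP,
    which is the 'random IP each time' behaviour the posts describe."""
    return sorted(ua for ua, e in summary.items()
                  if e["hits"] >= min_hits and len(e["ips"]) > 1)
```

Run it over a real access log by replacing SAMPLE_LOG with the file contents; a flagged user agent is the string to put in the RewriteCond, and the "ips" set shows why an IP-based block would not have held.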
  4. skyhigh

    skyhigh Member

    OK, I will make use of it when I finally upload my site, thanks.
     
  5. david62311

    david62311 Well-Known Member

    I have to post a warning about blocking user-agents like the way I showed, and this comes from a few years of experience. The Jorgee user-agent was scanning all of those non-existing links for over a month because I neglected my site and wasn't paying attention to the visitor logs. The warning is that when you block a bot via user-agent, the bot user-agent signature can change to something else. In my case chrome/59. What is significant about chrome/59 is it's the last Chrome version update for older PCs like Windows XP or Windows Vista. For the last 2 to 3 years the user-agents the bots were using were nothing past chrome/39. Somebody has updated the bot program that attacks us to use a newer browser user-agent. I'm just going to block chrome/59 for a few days and see if maybe the bot makes adjustments to my block. It probably will. Then I will remove the block from chrome/59 once I see they changed or maybe stopped using the chrome/59 user-agent.
     
  6. paul Goh

    paul Goh New Member

    This will reduce the load on the server by pointing to 404 instead of 403.

    Code:
    <IfModule mod_rewrite.c>
    RewriteEngine On
    # A space is required between each pattern and its flags: with [NC,OR]
    # glued to the pattern, the flags become part of the regex and the
    # condition silently stops matching. Duplicate and case-variant paths
    # are dropped, since [NC] already matches case-insensitively.
    RewriteCond %{REQUEST_URI} /sqlmanager/ [NC,OR]
    RewriteCond %{REQUEST_URI} /sql/ [NC,OR]
    RewriteCond %{REQUEST_URI} /shopdb/ [NC,OR]
    RewriteCond %{REQUEST_URI} /phppma/ [NC,OR]
    RewriteCond %{REQUEST_URI} /pma/ [NC,OR]
    RewriteCond %{REQUEST_URI} /pma2011/ [NC,OR]
    RewriteCond %{REQUEST_URI} /pma2012/ [NC,OR]
    RewriteCond %{REQUEST_URI} /program/ [NC,OR]
    RewriteCond %{REQUEST_URI} /phpmy/ [NC,OR]
    RewriteCond %{REQUEST_URI} /mysql/ [NC,OR]
    RewriteCond %{REQUEST_URI} /db/ [NC,OR]
    RewriteCond %{REQUEST_URI} /database/ [NC,OR]
    RewriteCond %{REQUEST_URI} /2phpmyadmin/ [NC,OR]
    RewriteCond %{REQUEST_URI} /MyAdmin/ [NC,OR]
    RewriteCond %{REQUEST_URI} /admin/ [NC,OR]
    RewriteCond %{REQUEST_URI} /admin/web/ [NC,OR]
    RewriteCond %{REQUEST_URI} /administrator/PMA/ [NC,OR]
    RewriteCond %{REQUEST_URI} /administrator/admin [NC,OR]
    RewriteCond %{REQUEST_URI} /administrator/db/ [NC,OR]
    RewriteCond %{REQUEST_URI} /administrator/phpMyAdmin/ [NC,OR]
    RewriteCond %{REQUEST_URI} /administrator/web/ [NC,OR]
    RewriteCond %{REQUEST_URI} /db/scripts/ [NC,OR]
    RewriteCond %{REQUEST_URI} /myadmin/scripts/ [NC,OR]
    RewriteCond %{REQUEST_URI} /mysql/scripts/ [NC,OR]
    RewriteCond %{REQUEST_URI} /phpmyadmin2/ [NC,OR]
    RewriteCond %{REQUEST_URI} /phpmyadmin/ [NC,OR]
    RewriteCond %{REQUEST_URI} /catalog/ [NC,OR]
    RewriteCond %{REQUEST_URI} /PMA2/ [NC,OR]
    RewriteCond %{REQUEST_URI} /pmamy/ [NC,OR]
    RewriteCond %{REQUEST_URI} /pmamy2/ [NC,OR]
    RewriteCond %{REQUEST_URI} /web/ [NC,OR]
    RewriteCond %{REQUEST_URI} /dbadmin/ [NC,OR]
    RewriteCond %{REQUEST_URI} /mysql-admin/ [NC,OR]
    RewriteCond %{REQUEST_URI} /phpadmin/ [NC,OR]
    RewriteCond %{REQUEST_URI} /phpmyadmin0/ [NC,OR]
    RewriteCond %{REQUEST_URI} /phpmyadmin1/ [NC,OR]
    RewriteCond %{REQUEST_URI} /myadmin2/ [NC,OR]
    RewriteCond %{REQUEST_URI} /xampp/ [NC,OR]
    RewriteCond %{REQUEST_URI} /phpMyadmin_bak/ [NC,OR]
    RewriteCond %{REQUEST_URI} /tools/ [NC,OR]
    RewriteCond %{REQUEST_URI} /phpmyadmin-old/ [NC,OR]
    RewriteCond %{REQUEST_URI} /pma-old/ [NC,OR]
    RewriteCond %{REQUEST_URI} /caroline/ [NC,OR]
    RewriteCond %{REQUEST_URI} /phpma/ [NC,OR]
    RewriteCond %{REQUEST_URI} /manager/ [NC,OR]
    RewriteCond %{REQUEST_URI} /wp-content/ [NC,OR]
    RewriteCond %{REQUEST_URI} /user/ [NC,OR]
    # The last condition carries no OR, so the list ends here.
    RewriteCond %{REQUEST_URI} /jmx-console/ [NC]
    # example.com/somewhere-else/ is a placeholder target; replace it with your own.
    RewriteRule .* http://example.com/somewhere-else/ [R=301,L]
    </IfModule>
     
