
ScanAlert bot. How can we block this critter?

Discussion in 'Security' started by jols, Oct 8, 2007.

  1. jols

    jols Well-Known Member

    The bot from ScanAlert.com is hitting our server very hard, causing all kinds of security alerts. I just want to block this thing. Anyone know a good method for doing this? Anyone know what their IP range is?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  3. jols

    jols Well-Known Member

    Yes, but they seem to be using hundreds of different IPs.
     
  4. rs-freddo

    rs-freddo Well-Known Member

    These scanalert people seem to be attempting to hack the server:

    216.35.7.103 - support [08/18/2008:03:04:50 -0000] "GET /bigipgui/bigconf.cgi?command=bigcommand&CommandType=bigpipe HTTP/1.0" FAILED LOGIN cpaneld: user name not provided or invalid user
    216.35.7.103 - support [08/18/2008:03:04:50 -0000] "GET /bigipgui/bigconf.cgi?command=bigcommand&CommandType=bigpipe HTTP/1.0" FAILED LOGIN whostmgrd: login attempt to whm by a non-reseller/root
    Aug 18 13:04:53 secure pure-ftpd: (?@216.35.7.103) [WARNING] Authentication failed for user [NULL]
    216.35.7.103 - support [08/18/2008:03:04:51 -0000] "GET /bigipgui/bigconf.cgi?command=bigcommand&CommandType=bigpipe HTTP/1.0" FAILED LOGIN webmaild: user password hash is missing from system (user probably does not exist)
    216.35.7.103 - admin [08/18/2008:03:05:05 -0000] "GET / HTTP/1.0" FAILED LOGIN cpaneld: user name not provided or invalid user
    216.35.7.103 - admin [08/18/2008:03:05:05 -0000] "GET / HTTP/1.0" FAILED LOGIN whostmgrd: login attempt to whm by a non-reseller/root

    I'm not paying for scanning so I want to ban them too!
     
  5. slim

    slim Well-Known Member

    Scanalert are probably scanning your server because one of your clients has paid them for the HackerSafe logo. Scanalert will scan your box to ensure that it passes the HackerSafe logo requirements. The scanning includes tests for many known exploits. If you block it from scanning your machines then the hackersafe test will fail and your client will be upset :eek:
     
  6. jols

    jols Well-Known Member

    I could imagine that they do port scans and the like, looking for unusual activity on certain ports that could indicate some sort of hacked process, etc. on the server; but "FAILED LOGIN" attempts???

    Leaves me wondering about the possibility of crackers faking the Scanalert headers just so host masters will say, "Oh we should not block them, that's only Scanalert."
     
  7. rs-freddo

    rs-freddo Well-Known Member

    My firewall blocks them anyway. Too bad for them!
     
  8. alwaysweb

    alwaysweb Well-Known Member

    Old thread, I know. We also have seen ScanAlert pound sites on our servers from time to time. It would be nice if they would throttle their scans, at least!

    But, if anyone has this issue and is searching... You can go to:

    McAfee Secure

    and get a list of all the IP addresses used by McAfee ScanAlert and do what you want with that information. *ahem, block* :)
     
  9. alwaysweb

    alwaysweb Well-Known Member

    In case this is helpful to anyone, here is a one-liner we use with CSF to build a block file for ScanAlert's network blocks:


    wget -q -O- http://www.mcafeesecure.com/help/ScanIps.csv | awk 'NR < 4 { next } { print }' | cut -d"," -f2 | replace '"' '' -- | sort -n > /etc/csf/csf.denyscanalert; service csf restart


    To include these blocks in CSF, add this to /etc/csf.deny :

    Include /etc/csf/csf.denyscanalert

    and restart csf: service csf restart
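As an added example (not code from the thread or from CSF), here is a hardened version of the approach in the post above: it reads a CSV in the layout the one-liner assumes (three header lines, address in the second column, which is an assumption illustrated with a constructed sample rather than the real ScanIps.csv), keeps only well-formed IPv4 addresses or CIDR blocks, deduplicates them, and writes them in the "address # comment" form CSF accepts in an included deny file, so a malformed or changed download cannot push junk lines into the firewall.

```shell
#!/bin/sh
# Constructed sample in the layout the forum one-liner assumes
# (three header lines, then "name","address" rows). Not the real ScanIps.csv.
SAMPLE_CSV='McAfee Secure scanner addresses
generated: example
"Scanner","IP"
"scanner-a","203.0.113.10"
"scanner-b","203.0.113.0/24"
"scanner-c","203.0.113.10"
"bad-row","not-an-ip"
"scanner-d","198.51.100.300"
"scanner-e","198.51.100.7"'

# Read the CSV on stdin; print column 2 only when it is a valid IPv4
# address or IPv4 CIDR block (prefix 0-32). Skips the 3 header lines,
# strips quotes and drops duplicates while preserving first-seen order.
extract_blocks() {
    awk -F',' 'NR < 4 { next }
    {
        gsub(/"/, "", $2)
        n = split($2, parts, "/")
        if (n > 2) next
        if (n == 2 && (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32)) next
        if (split(parts[1], o, ".") != 4) next
        ok = 1
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if (ok && !seen[$2]++) print $2
    }'
}

# Build the include file: $1 = CSV path, $2 = output path.
# Each line is "address # comment", the form CSF reads from csf.deny
# and from files pulled in with an Include directive.
build_deny_file() {
    extract_blocks < "$1" | while read -r addr; do
        printf '%s # ScanAlert/McAfee Secure scanner (auto-generated)\n' "$addr"
    done > "$2"
}

# Stand-alone use: sh script.sh ScanIps.csv /etc/csf/csf.denyscanalert
# (then restart csf). With no arguments only the functions are defined.
if [ "$#" -eq 2 ]; then
    build_deny_file "$1" "$2"
fi
```

The three-header-line skip and column position mirror the one-liner; if the download changes shape, the validation simply yields an empty file instead of a broken deny list, which is worth checking with wc -l before restarting csf.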
     