New malware user-agent value: “Jorgee”

Update 2015-09-09: I’ve seen a huge increase in people reading this article in the past two days. Checking my logs I see that my server was attacked again by the “Jorgee” malware yesterday. The previous attack was almost exactly three months ago (specifically 2015-06-03). The latest attack was from a personal computer in Brazil with a gvt.net.br domain name. The attack signature appears to be identical to earlier attacks. As I say below, the smart thing to do is explicitly disallow proxying and blacklist any source trying to use your server as a proxy. Also, blacklist any HTTP user-agent containing the word “Jorgee”.

Lastly, consider blacklisting URIs that you know are not valid for your site and which are frequent targets of attacks. For example, the WordPress “revslider” plugin has had multiple vulnerabilities. Hardly a day goes by that I do not see an attack trying to exploit a revslider vulnerability, which is why it will never be installed on my site. I automatically blacklist any source which makes a request that references that plugin.

Update 2015-05-03: I’ve seen relatively few “Jorgee” attacks since the original one I wrote about below. This morning I saw a coordinated attack from 80 machines, each making over 100 requests, in the span of two minutes. The user-agent string was “Mozilla/5.0 Jorgee”. The URIs included those I recorded in the original attack (see below) plus a few new ones. Also, like the original attack, all of these were HEAD requests phrased as proxy requests whose ultimate target was my own server.

Today I saw a heretofore unknown HTTP user-agent string: “Jorgee”. The word “Jorgee” has appeared in the Cookie HTTP header of the “Ringing.at.your.dorbell!” attack. I strongly recommend blacklisting the “Jorgee” user-agent value. These are the rules I have in my .htaccess file to reject blocked user-agents:

# Block ZmEu and other bots based on their user agent signature. Another sign
# that hackers aren't as smart as they think they are. Note the first
# condition. A quoted user-agent string is another sign of a sloppy hacker. No
# legitimate browser or web crawler quotes the user-agent string.
#
# A CondPattern beginning with "=" is an exact, lexicographic comparison; the
# rest are regular expressions. "Jorgee" is matched as a substring so that the
# later variant "Mozilla/5.0 Jorgee" is caught as well. The END flag on the
# RewriteRule requires Apache 2.4.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^" [OR]
RewriteCond %{HTTP_USER_AGENT} =x00_-gawa.sa.pilipinas.2015 [OR]
RewriteCond %{HTTP_USER_AGENT} Jorgee [OR]
RewriteCond %{HTTP_USER_AGENT} =ZmEu [OR]
RewriteCond %{HTTP_USER_AGENT} =immoral [OR]
RewriteCond %{HTTP_USER_AGENT} ^PHP/5\.{ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*\stools.ua.random [OR]
RewriteCond %{HTTP_USER_AGENT} ^chroot [OR]
RewriteCond %{HTTP_USER_AGENT} ^DataCha0s [OR]
RewriteCond %{HTTP_USER_AGENT} ^I'm\sa\smu\smu [OR]
RewriteCond %{HTTP_USER_AGENT} ^\(\)\s{ [OR]
RewriteCond %{HTTP_USER_AGENT} ^q\[ [OR]
RewriteCond %{HTTP_USER_AGENT} ^Morfeus\sFucking\sScanner
RewriteRule ^ blocked.php [END,E=error-notes:blacklisted-user-agent]

The attack came from a dynamic address in the telefonica.de domain in Germany. The malware was issuing requests that superficially looked like proxy requests. I say superficially because the host in the request line was the IP address of my own server. For example:

HEAD http://75.101.21.75:80/mysql/admin/ HTTP/1.1

The proxy formulation caused my web server abuse monitor to automatically blacklist the source, since I don’t allow proxying via my web server. For posterity, here are the 85 URIs this malware probed:

/2phpmyadmin/
/MyAdmin/
/PMA/
/PMA2011/
/PMA2012/
/admin/
/admin/db/
/admin/pMA/
/admin/phpMyAdmin/
/admin/phpmyadmin/
/admin/sqladmin/
/admin/sysadmin/
/admin/web/
/administrator/PMA/
/administrator/admin/
/administrator/db/
/administrator/phpMyAdmin/
/administrator/phpmyadmin/
/administrator/pma/
/administrator/web/
/database/
/db/
/db/db-admin/
/db/dbadmin/
/db/dbweb/
/db/myadmin/
/db/phpMyAdmin-3/
/db/phpMyAdmin/
/db/phpMyAdmin3/
/db/phpmyadmin/
/db/phpmyadmin3/
/db/webadmin/
/db/webdb/
/db/websql/
/dbadmin/
/myadmin/
/mysql-admin/
/mysql/
/mysql/admin/
/mysql/db/
/mysql/dbadmin/
/mysql/mysqlmanager/
/mysql/pMA/
/mysql/pma/
/mysql/sqlmanager/
/mysql/web/
/mysqladmin/
/mysqlmanager/
/php-my-admin/
/php-myadmin/
/phpMyAdmin-3/
/phpMyAdmin/
/phpMyAdmin2/
/phpMyAdmin3/
/phpMyAdmin4/
/phpMyadmin/
/phpmanager/
/phpmy-admin/
/phpmy/
/phpmyAdmin/
/phpmyadmin/
/phpmyadmin2/
/phpmyadmin3/
/phpmyadmin4/
/phppma/
/pma/
/pma2011/
/pma2012/
/program/
/shopdb/
/sql/myadmin/
/sql/php-myadmin/
/sql/phpMyAdmin/
/sql/phpMyAdmin2/
/sql/phpmanager/
/sql/phpmy-admin/
/sql/phpmyadmin2/
/sql/sql-admin/
/sql/sql/
/sql/sqladmin/
/sql/sqlweb/
/sql/webadmin/
/sql/webdb/
/sql/websql/
/sqlmanager/
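As an added example (not the post's own tooling), here is a small Python detector that applies the three signals this post relies on to Apache combined-format log lines: a user-agent containing "Jorgee" or beginning with a quote, a request line in proxy form whose target host is the server itself, and any reference to the revslider plugin. The log lines and addresses are constructed, and `my_hosts` is an assumed parameter naming the addresses the server answers for.

```python
import re
from urllib.parse import urlsplit

# Constructed Apache "combined" log lines (RFC 5737 addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Sep/2015:10:32:29 +0200] "HEAD http://198.51.100.10:80/phpMyAdmin/ HTTP/1.1" 404 218 "-" "Mozilla/5.0 Jorgee"
203.0.113.7 - - [08/Sep/2015:10:32:30 +0200] "HEAD http://198.51.100.10:80/mysql/admin/ HTTP/1.1" 404 218 "-" "Mozilla/5.0 Jorgee"
198.51.100.23 - - [08/Sep/2015:10:40:01 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/40.0"
192.0.2.55 - - [08/Sep/2015:11:02:13 +0200] "GET /wp-content/plugins/revslider/ HTTP/1.1" 404 219 "-" "Mozilla/4.0"
192.0.2.99 - - [08/Sep/2015:11:05:00 +0200] "GET / HTTP/1.1" 200 1024 "-" "\\"Mozilla/5.0\\""
"""

# Combined log format; quoted fields may contain backslash-escaped quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$')
ABSOLUTE_URI = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.I)

def classify(line, my_hosts):
    """Return (client_ip, [reasons]) for one log line, or None if unparsable.
    my_hosts (assumed): names/addresses this server answers for. An absolute
    URI in the request line is a proxy request; if its host is us, it is the
    "superficial" proxy form described in the post."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    ua, target = m.group("ua"), m.group("target")
    if "jorgee" in ua.lower():
        reasons.append("blacklisted-user-agent")
    if ua.startswith('\\"'):  # the UA value itself begins with a quote
        reasons.append("quoted-user-agent")
    if ABSOLUTE_URI.match(target):
        host = urlsplit(target).hostname
        reasons.append("proxy-request-self" if host in my_hosts else "proxy-request")
    if "revslider" in target.lower():
        reasons.append("revslider-probe")
    return m.group("ip"), reasons

def scan(log_text, my_hosts):
    """Map each client IP that tripped at least one rule to its sorted reasons."""
    hits = {}
    for line in log_text.splitlines():
        parsed = classify(line, my_hosts)
        if parsed and parsed[1]:
            hits.setdefault(parsed[0], set()).update(parsed[1])
    return {ip: sorted(r) for ip, r in hits.items()}
```

Feeding the result into whatever blacklist mechanism the server uses (the post's abuse monitor, a firewall rule) is left to the reader; the reasons list doubles as the note to record alongside the block.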

Published by

Kurtis Rader

I'm first and foremost a Secular Humanist and Atheist. To pay the bills I'm a software engineer. When not working I walk or play with my dogs, read lots of non-fiction (and some fiction), and watch lots of movies.

6 thoughts on “New malware user-agent value: “Jorgee””

  1. This attack came to my server as well, completely ignored domains and tried the same list you gave me, came from 200.68.90.125
    Mozilla/5.0 Jorgee Country: ARGENTINA (AR) City: Buenos Aires Latitude: -34.5833 Longitude: -58.3667 IP: 200.68.90.125
    This happened today! Feel free to contact me.

  2. Here's another
    IP:81.132.82.154
    Host: host81-132-82-154.range81-132.btcentralplus.com
    Agent: Mozilla/5.0 Jorgee

  3. Erf…

    193.77.83.80, 174.29.164.186, 188.77.88.183, 69.46.37.67, 173.208.42.8, 107.20.195.151, 52.4.48.44, 90.9.196.173, 46.237.227.232 scanned our servers on the 20150809

  4. Same happened to me:

    23.92.30.183 - - [08/Sep/2015:10:32:29 +0200] "HEAD http://ip.addr:80/1phpmyadmin/ HTTP/1.1" 404 219 "-" "Mozilla/5.0 Jorgee"
    23.92.30.183 - - [08/Sep/2015:10:32:29 +0200] "HEAD http://ip.addr:80/2phpmyadmin/ HTTP/1.1" 404 218 "-" "Mozilla/5.0 Jorgee"
    23.92.30.183 - - [08/Sep/2015:10:32:30 +0200] "HEAD http://ip.addr:80/3phpmyadmin/ HTTP/1.1" 404 218 "-" "Mozilla/5.0 Jorgee"
    23.92.30.183 - - [08/Sep/2015:10:32:30 +0200] "HEAD http://91.36.37.11:80/4phpmyadmin/ HTTP/1.1" 404 218 "-" "Mozilla/5.0 Jorgee"
    23.92.30.183 - - [08/Sep/2015:10:32:30 +0200] "HEAD http://ip.addr:80/MyAdmin/ HTTP/1.1" 404 218 "-" "Mozilla/5.0 Jorgee"
    23.92.30.183 - - [08/Sep/2015:10:32:30 +0200] "HEAD http://ip.addr:80/PMA/ HTTP/1.1" 404 218 "-" "Mozilla/5.0 Jorgee"
    .
    .
    .
    177.5.247.139 - - [07/Sep/2015:23:59:08 +0200] "GET /phpmyadmin/index.php?pma_username=root&pma_password=xdccserver HTTP/1.1" 302 1208 "-" "Mozilla/5.0 Jorgee"
    177.5.247.139 - - [07/Sep/2015:23:59:09 +0200] "GET /phpmyadmin/index.php?lang=en-utf-8&token=166b4e577630dac1600556489f5e4043 HTTP/1.1" 200 8070 "-" "Mozilla/5.0 Jorgee"
    177.5.247.139 - - [07/Sep/2015:23:59:10 +0200] "GET /phpmyadmin/index.php?pma_username=root&pma_password=yes HTTP/1.1" 302 1198 "-" "Mozilla/5.0 Jorgee"
    177.5.247.139 - - [07/Sep/2015:23:59:11 +0200] "GET /phpmyadmin/index.php?lang=en-utf-8&token=70666e134418dc14d434aa9c67e4738d HTTP/1.1" 200 8070 "-" "Mozilla/5.0 Jorgee"
    177.5.247.139 - - [07/Sep/2015:23:59:12 +0200] "GET /phpmyadmin/index.php?pma_username=root&pma_password=zxcvbnm HTTP/1.1" 302 1196 "-" "Mozilla/5.0 Jorgee"
    177.5.247.139 - - [07/Sep/2015:23:59:13 +0200] "GET /phpmyadmin/index.php?lang=en-utf-8&token=820977b17d01f1589b033e5588d7697d HTTP/1.1" 200 8070 "-" "Mozilla/5.0 Jorgee"
    .
    .
    .
    94.107.239.52 - - [07/Sep/2015:05:10:04 +0200] "GET /phpmyadmin/index.php?pma_username=root&pma_password=payment HTTP/1.1" 302 1198 "-" "Mozilla/5.0 Jorgee"
    94.107.239.52 - - [07/Sep/2015:05:10:05 +0200] "GET /phpmyadmin/index.php?lang=en-utf-8&token=67fdf60fd2460b9211b1c1747594457e HTTP/1.1" 200 8070 "-" "Mozilla/5.0 Jorgee"
    94.107.239.52 - - [07/Sep/2015:05:10:05 +0200] "GET /phpmyadmin/index.php?pma_username=root&pma_password=payments HTTP/1.1" 302 1194 "-" "Mozilla/5.0 Jorgee"
    94.107.239.52 - - [07/Sep/2015:05:10:06 +0200] "GET /phpmyadmin/index.php?lang=en-utf-8&token=3b0c84ebf57c8f9b86af816cf70ab668 HTTP/1.1" 200 8070 "-" "Mozilla/5.0 Jorgee"
    94.107.239.52 - - [07/Sep/2015:05:10:07 +0200] "GET /phpmyadmin/index.php?pma_username=root&pma_password=person HTTP/1.1" 302 1194 "-" "Mozilla/5.0 Jorgee"
    94.107.239.52 - - [07/Sep/2015:05:10:08 +0200] "GET /phpmyadmin/index.php?lang=en-utf-8&token=38f57bbfcfc3d1f2a078c6ea75992f08 HTTP/1.1" 200 8070 "-" "Mozilla/5.0 Jorgee"
    94.107.239.52 - - [07/Sep/2015:05:10:08 +0200] "GET /phpmyadmin/index.php?pma_username=root&pma_password=persona HTTP/1.1" 302 1196 "-" "Mozilla/5.0 Jorgee"
    94.107.239.52 - - [07/Sep/2015:05:10:09 +0200] "GET /phpmyadmin/index.php?lang=en-utf-8&token=5d5306073378676dd36e49f1c761005d HTTP/1.1" 200 8070 "-" "Mozilla/5.0 Jorgee"
    94.107.239.52 - - [07/Sep/2015:05:10:10 +0200] "GET /phpmyadmin/index.php?pma_username=root&pma_password=personal HTTP/1.1" 302 1198 "-" "Mozilla/5.0 Jorgee"
    94.107.239.52 - - [07/Sep/2015:05:10:11 +0200] "GET /phpmyadmin/index.php?lang=en-utf-8&token=960041f20ec980874dba479e515de679 HTTP/1.1" 200 8070 "-" "Mozilla/5.0 Jorgee"

    The list is not complete…

  5. Same here, I’ve seen it several times now on several of my domains, last time was today. (101 URLs, in 9 seconds) I usually just call each of these “URLs” an “exploit attempt”.

    I block all “known” proxies, and all overseas IPs as well, (I don’t sell outside the US anyway). 🙂
    Previously it has always come from Brazil, Russia, or China – BUT….

    This time it came from “162.17.183.250”. Whois shows it’s in Seattle WA, and is a static Comcast Business IP, registered to Christopher Langdon?

    CIDR is 162.17.183.248/29
    Range is 162.17.183.248 – 162.17.183.255

    Maybe a machine at that address has been hacked?

    I saved the log, just in case. 🙂

    It hit one of my “back domains” (.info) which is currently down for maintenance, so it was all 503’d, but I wanted to let you know anyway.

    Hope this helps!
