Crash in login due to bot. How to prevent?

aronbos · November 5, 2015, 11:00am

I am getting this error in the log. The Ip address 198.20.69.74 is belonging to census1.shodan.io.

However, I cannot reproduce it by hand and I do not know what is causing the error.

Does anybody know how to prevent this crash?

[198.20.69.74][-][-][error][yii\web\HttpException:400] exception

‘yii\web\BadRequestHttpException’ with message 'It is not possible

to verify the data. (Translated by hand)’ in

/var/www/html/mysite.nl/vendor/yiisoft/yii2/web/Controller.php:110

Stack trace:

#0

/var/www/html/mysite.nl/vendor/yiisoft/yii2/base/Controller.php(149):

yii\web\Controller->beforeAction(Object(yii\base\InlineAction))

#1 /var/www/html/mysite.nl/vendor/yiisoft/yii2/base/Module.php(455):

yii\base\Controller->runAction(’’, Array)

#2

/var/www/html/mysite.nl/vendor/yiisoft/yii2/web/Application.php(84):

yii\base\Module->runAction(’’, Array)

#3

/var/www/html/mysite.nl/vendor/yiisoft/yii2/base/Application.php(375):

yii\web\Application->handleRequest(Object(yii\web\Request))

#4 /var/www/html/mysite.nl/web/index.php(12):

yii\base\Application->run()

#5 {main}

2015-11-02 02:15:03 [198.20.69.74][-][-][info][application] $_SERVER =

[

'HTTPS' =&gt; 'on'


'PATH' =&gt;

‘/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin’

'SERVER_SIGNATURE' =&gt; ''


'SERVER_SOFTWARE' =&gt; 'Apache/2.4.7'


'SERVER_NAME' =&gt; 'mysite.nl'


'SERVER_ADDR' =&gt; 'xxxxx'


'SERVER_PORT' =&gt; '443'


'REMOTE_ADDR' =&gt; '198.20.69.74'


'DOCUMENT_ROOT' =&gt; '/var/www/html/mysite.nl/web/'


'REQUEST_SCHEME' =&gt; 'https'


'CONTEXT_PREFIX' =&gt; ''


'CONTEXT_DOCUMENT_ROOT' =&gt; '/var/www/html/mysite.nl/web/'


'SCRIPT_FILENAME' =&gt; '/var/www/html/mysite.nl/web/index.php'


'REMOTE_PORT' =&gt; '46377'


'GATEWAY_INTERFACE' =&gt; 'CGI/1.1'


'SERVER_PROTOCOL' =&gt; 'HTTP/0.9'


'REQUEST_METHOD' =&gt; 'quit'


'QUERY_STRING' =&gt; ''


'REQUEST_URI' =&gt; ''


'SCRIPT_NAME' =&gt; '/index.php'


'PHP_SELF' =&gt; '/index.php'


'REQUEST_TIME_FLOAT' =&gt; 1446426903.984


'REQUEST_TIME' =&gt; 1446426903

]

jacmoe · November 5, 2015, 12:08pm

I didn’t know about that before, but now I do.

You have been hit by a junk-email robot.

                                         	The [url=&quot;http://tools.ietf.org/html/rfc2817#section-5.2&quot;]CONNECT[/url]  command can be used by HTTP proxy servers to point the client really  wants to just connect a socket straight to another server normally, this  is employed for tunneling TLS over an HTTP proxy, but tend to be  utilized for tunneling just about any protocol.
QUIT isn’t an HTTP command, but it’s an SMTP command. It’s possible that you’re getting these instructions from the bot that’s looking for open relays for delivering junk e-mail it’s trying to puzzle out for those who have a wide open SMTP relay, or perhaps an open HTTP proxy that enables the CONNECT command which doubles to tunnel SMTP traffic.

So, likely you are just being hit with a junk e-mail botnet looking for open relays. My advice is always to drop such demands as soon as possible, and never be worried about them.

http://codeblow.com/...d-to-my-server/

aronbos · November 5, 2015, 8:52pm

Thank you for the answer. But I still do not know what I have to do. Do I have to change Apache? The Yii2 configuration? The controller?

jacmoe · November 5, 2015, 10:29pm

ModSecurity, maybe?

Google around for info on that.

I have almost zero knowledge about webserver configuration.

What you want is something that can block the offending IP addresses.

jacmoe · November 5, 2015, 10:38pm

OK, try this:

http://stackoverflow…h-htaccess-file

And another alternative:

https://perishablepress.com/block-bad-queries/

Just pick the free script since you don’t need pro when you’re not using Wordpress…

Still, I think it is better handled in .htaccess

achillean · November 6, 2015, 2:13am

I’m the founder of Shodan and the “QUIT” command is actually part of closing an SSL connection to the server. It isn’t related to SMTP in this case. If you don’t send a QUIT command to an open SSL connection it won’t close nicely. You can replicate the way the crawlers operate using the command-line by using:

echo QUIT | openssl s_client -connect <YOUR IP>:443

It looks like the QUIT command is being interpreted as a regular HTTP request and that’s causing the service to crash. I hope that explains what’s going on at least from Shodan’s end!

Best regards,

-John

aronbos · November 6, 2015, 10:47am

This command retrieves the TLS-certificate of the site and generates no error. Moreover, the domain request in the error is a virtual subdomain. Can you explain what your software is really doing?

achillean · November 9, 2015, 12:50am

Shodan doesn’t look at domains or subdomains and it literally runs the above command. You should be able to replicate the issue by using the above command and entering your IP address (make sure it’s not the domain of your website). You can also email me at jmath@shodan.io with your IP address and I can investigate further, but I’ve described above what is going on from Shodan’s perspective.