How to mitigate or stop the Gootkit auto-rooter scanner
Published December 7th, 2011 | categories include: Security, Varnish |
The “Gootkit auto-rooter scanner” is a pesky little bot that scans for various admin, phpmyadmin and other related directories. If the scanner finds a vulnerability, the Gootkit malware places obfuscated malicious JavaScript into a website’s web pages. Thus far, three days have passed and Gootkit is still trying to get into my servers.
My webserver log files show a User-Agent of “Gootkit auto-rooter scanner,” and the source IP address is registered to the National Information Technology Centre in Jordan.
193.188.86.192 - - [07/Dec/2011:06:48:54 -0800] "GET http://domain.com/ HTTP/1.1" 200 4128 "-" "Gootkit auto-rooter scanner"
193.188.86.192 - - [07/Dec/2011:06:48:54 -0800] "GET http://domain.com/3rdparty/admin/ HTTP/1.1" 404 287 "-" "Gootkit auto-rooter scanner"
193.188.86.192 - - [07/Dec/2011:06:48:54 -0800] "GET http://domain.com/3rdparty/dbadmin/ HTTP/1.1" 404 289 "-" "Gootkit auto-rooter scanner"
193.188.86.192 - - [07/Dec/2011:06:48:54 -0800] "GET http://domain.com/3rdparty/admin/ HTTP/1.1" 404 287 "-" "Gootkit auto-rooter scanner"
193.188.86.192 - - [07/Dec/2011:06:48:55 -0800] "GET http://domain.com/3rdparty/dbadmin/ HTTP/1.1" 404 289 "-" "Gootkit auto-rooter scanner"
A RIPE whois lookup on the IP address returns the following.
organisation: ORG-NIC1-RIPE
org-name: National Information Technology Center
org-type: LIR
address: National Information Technology Centre
Royal Scientific Society (RSS) Street
11941 Al-Jubaiha, Amman
Jordan
phone: +962 6 5300222
fax-no: +962 6 5300277
e-mail: mohammad.f@nitc.gov.jo
admin-c: CTO913-RIPE
admin-c: DG2795-RIPE
admin-c: MF1077-RIPE
admin-c: NA913-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: NA-NITC-JO
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered
Mitigating the Scans
IPTABLES
There are a couple of methods to mitigate scans and protect your webserver. You need to cover the basics first, then you can implement these more advanced measures. If you are using a Linux-based server, you can always use iptables to block the offending IP address (the address below is a placeholder; substitute the one from your logs).
iptables -A INPUT -s 65.55.44.100 -j DROP
APACHE MODULES
I am not aware of a method to block user headers using iptables or other tools. If you know of one, please leave a comment below. If you are running into a DDoS-type attack from Gootkit, you might take a look at Apache’s mod_headers or mod_evasive. If you operate a home server network and you don’t already have Varnish Cache installed, you are just wrong.
VARNISH CACHE
I use Varnish Cache, not only as a web cache, but as a security gate for my primary webservers. Using Varnish, you can block specific User-Agent headers and offending IPs with ease. Adding the following to the vcl_recv subroutine of your VCL file will deny access to your server based on the User-Agent header (Varnish 2.x/3.x syntax; the header is client-supplied, so treat this as a nuisance filter rather than a security boundary).
sub vcl_recv {
    # Reject requests with no User-Agent, an empty one, or the scanner's signature.
    if (!req.http.user-agent || req.http.user-agent ~ "^$" || req.http.user-agent ~ "^Gootkit auto-rooter scanner") {
        error 403 "You are banned from this site";
    }
}
RATE LIMITING
Consider rate limiting HTTP traffic with fail2ban. Although I consider this tactic a last resort, fail2ban can be effective for blocking or limiting access to services, especially in a DoS scenario where the offending IP address does not change.
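The following Python script is an added example, not code from the original post or from fail2ban. It shows the detection logic behind the User-Agent block above and the fail2ban-style rate limit in this section: it parses Combined Log Format lines, flags requests that carry the scanner's User-Agent (or none at all) or that probe admin-style paths and receive a 404, and reports any IP with `maxretry` flagged hits inside a `findtime` window, emitting the same iptables rule shown earlier. The sample log lines are constructed for the example, modelled on the excerpt above; the `maxretry`/`findtime` names mirror fail2ban's own options, but the script itself is standalone. Because the User-Agent is attacker-controlled and trivially changed, the per-IP behavioural count is what gives the rule staying power.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format as written by Apache/nginx. The request target in the
# post's logs is an absolute URL, which this regex accepts as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures: the scanner's User-Agent and the admin directories it probes.
SCANNER_UA = re.compile(r'^Gootkit auto-rooter scanner')
PROBE_PATH = re.compile(r'/(?:phpmyadmin|dbadmin|admin)/?$', re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def is_scan_hit(rec):
    """A request is a scan hit if it has the scanner UA, no UA at all
    (Apache logs a missing header as "-"), or probes an admin path and gets a 404."""
    if rec['ua'] in ('', '-') or SCANNER_UA.search(rec['ua']):
        return True
    return rec['status'] == 404 and bool(PROBE_PATH.search(rec['target']))


def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style sliding window: an IP is reported once it has at least
    `maxretry` scan hits within `findtime`. Returns {ip: timestamp_of_triggering_hit}."""
    hits = defaultdict(list)
    banned = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_scan_hit(rec):
            continue
        ip = rec['ip']
        window = hits[ip]
        window.append(rec['ts'])
        # Drop hits that have aged out of the window.
        while window and rec['ts'] - window[0] > findtime:
            window.pop(0)
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = rec['ts']
    return banned


def iptables_rules(banned):
    """Render one DROP rule per offending IP, matching the post's iptables line."""
    return [f'iptables -A INPUT -s {ip} -j DROP' for ip in sorted(banned)]


# Constructed sample lines modelled on the post's excerpt (not a live server log).
SAMPLE_LOG = """\
193.188.86.192 - - [07/Dec/2011:06:48:54 -0800] "GET http://domain.com/ HTTP/1.1" 200 4128 "-" "Gootkit auto-rooter scanner"
193.188.86.192 - - [07/Dec/2011:06:48:54 -0800] "GET http://domain.com/3rdparty/admin/ HTTP/1.1" 404 287 "-" "Gootkit auto-rooter scanner"
193.188.86.192 - - [07/Dec/2011:06:48:54 -0800] "GET http://domain.com/3rdparty/dbadmin/ HTTP/1.1" 404 289 "-" "Gootkit auto-rooter scanner"
10.0.0.5 - - [07/Dec/2011:06:49:01 -0800] "GET http://domain.com/index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Dec/2011:06:49:02 -0800] "GET http://domain.com/admin/ HTTP/1.1" 404 287 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == '__main__':
    for rule in iptables_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

Run against the sample, the scanner's address reaches three flagged hits within a second and is reported; the ordinary browser that hit a single non-existent /admin/ path is counted but stays below the threshold, which is the property you want from a rate-based rule rather than a bare path match.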
OTHERS
My particular experience with Gootkit was fairly simple to resolve using Varnish. Additionally, the domain name that Gootkit was scanning was no longer in use. I ended up changing the DNS to point to Google’s DNS, and the FBI servers at one point, to redirect the traffic.
If you have additional suggestions on dealing with mischievous bots like this, drop a comment below.