What is muieblackcat?

security iis

I've recently installed ELMAH on a small .NET MVC site and I keep receiving error reports

System.Web.HttpException: A public action method 'muieblackcat' was not found on controller...

This is obviously an attempt to access a page that doesn't exist. But why are there attempts to access this page?

Is this an attack or is it simply a bot scanning to see if I've been infected? What exactly is 'muieblackcat' and why is there an attempt to access this URL?


Solution 1:

It is just a hole finder script. The requests made are typically the following ones, if your servers answers all with a 404 error, you do not have anything to worry about.

111.221.1.140 - - [20/Nov/2013:10:15:56 +0000] "GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:55 +0000] "GET //websql/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:55 +0000] "GET //web/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:54 +0000] "GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:53 +0000] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:51 +0000] "GET //scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:50 +0000] "GET //pma/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:49 +0000] "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:48 +0000] "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:47 +0000] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:47 +0000] "GET //phpadmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:46 +0000] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:45 +0000] "GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:44 +0000] "GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:44 +0000] "GET //phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:43 +0000] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:42 +0000] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:41 +0000] "GET //mysql/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:41 +0000] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:40 +0000] "GET //dbadmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:39 +0000] "GET //db/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:38 +0000] "GET //admin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:37 +0000] "GET //admin/pma/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:36 +0000] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:35 +0000] "GET //MyAdmin/scripts/setup.php HTTP/1.1" 404 1787 "-" "-"
111.221.1.140 - - [20/Nov/2013:10:15:34 +0000] "GET /muieblackcat HTTP/1.1" 404 1787 "-" "-"

Solution 2:

muieblackcat is script/bot, supposedly of Ukrainian origin, that attempts to exploit PHP vulnerabilities or misconfigurations. See SUC027: Muieblackcat setup.php Web Scanner/Robot for more detail.

If you are not using PHP and have deactivated mod_php, you're safe. However, a request for /muieblackcat may mean that the bot has already, maybe successfully, visited your site. I suggest you carefully check your configuration and web content (if possible, erase all and reinstall from a trusted source set).

On the other hand, the originating IP address is likely to be useless. Most attacks come from unaware infected Windows users.

Solution 3:

I do it another way - redirect them on theirs IP on the same URI. Somethig like this:

redirect301 = http://hackerIP/muieblackcat

I think it's easier for the server to send a 301 redirect than to return a 404 page each time.

Related

Windows\Temp large amounts of cab_XXXX files
unable to write to mount point (nfs-server), getting "Permission denied"
Static IP address for outgoing traffic from AWS autoscaling group
How can I check the remaining disk quota?
Setting up default SSL site on IIS8
free tool for datacenter documentation [closed]
What backup solution you use for linux servers [closed]
Cygwin package management
Documentation As-A-Manual vs. Documentation As-A-Checklist
What are the most manageable and interesting server naming schemes being used? [closed]
Docker volume backup and restore
How to compare differences between directories (linux)