[Nagiosplug-help] Nagios plugin used to scan my site

Max perldork at webwizarddesign.com
Thu Jul 23 22:06:48 CEST 2009


On Thu, Jul 23, 2009 at 2:34 PM, Alex Bond <abond at theajinetwork.com> wrote:
> Sorry, this was called Nagiosplug-help, so I thought that this would be
> a list to contact the developers.  I don't really know what Nagios
> plugins do, so I thought that people might like to know how this
> software was being used for malicious purposes.  I also hoped that I
> could get some advice for defending against it.  Thanks for that.
>
> What's happening is users from a variety of IPs appear to be using these
> plugins to quickly attempt to view assorted administrative pages.  For
> example, I'll see 100 or more pageview attempts in under a minute, all
> attempting to access possible administrative pages like
> "websql/main.php" or "mysql-admin/main.php".  Whenever this occurs, of
> course I ban the IP, but the attack is just repeated a few days later
> from a different IP address.  I contact the owner of the IP block, but
> they've been less than helpful in stopping these attempts.
>
> Thanks for your suggestion about rejecting these user agents.

Sounds like possibly the cracker is faking the User-Agent header to
show Nagios plugins as the user agent in an attempt to send you on a
wrong path. As Marc pointed out, the plugins are really a poor choice
for reconnaissance as they just check states. There are tons of
better tools to use to scan organizations / sites for vulnerabilities,
so I would guess they are emitting fake User-Agent headers to throw
you off.

- Max
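
A detection check that keys on request behaviour rather than the User-Agent header, which the reply above suggests is probably forged. This is an added example, not part of the original thread: it assumes combined-format access logs and that the probed admin pages return 404, and all log lines, IPs and user-agent strings in it are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format (assumption: the thread does not name the server).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def find_probe_bursts(lines, threshold=100, window=timedelta(seconds=60)):
    """Return {ip: user agents seen} for clients with >= threshold 404s inside window."""
    recent = defaultdict(deque)   # per-IP timestamps of 404s still inside the window
    agents = defaultdict(set)     # recorded for the report only, never used to decide
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        agents[m["ip"]].add(m["ua"])
        while ts - q[0] > window:  # drop hits older than the sliding window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = agents[m["ip"]]
    return flagged

def sample_log():
    """Constructed log: two probing clients (one Nagios-looking UA, one browser-looking
    UA) and one monitoring host polling "/" every five minutes."""
    base = datetime(2009, 7, 23, 12, 0, 0, tzinfo=timezone.utc)
    def line(ip, t, path, status, ua):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 0 "-" "{ua}"'
    paths = ["/websql/main.php", "/mysql-admin/main.php"]  # paths quoted in the thread
    out = []
    for i in range(120):          # 120 requests spread over 40 seconds
        t = base + timedelta(seconds=i // 3)
        out.append(line("192.0.2.10", t, paths[i % 2], 404, "check_http (constructed UA)"))
        out.append(line("198.51.100.7", t, paths[i % 2], 404, "Mozilla/5.0 (constructed UA)"))
    for i in range(12):
        t = base + timedelta(minutes=5 * i)
        out.append(line("203.0.113.5", t, "/", 200, "check_http (constructed UA)"))
    return out

if __name__ == "__main__":
    for ip, uas in sorted(find_probe_bursts(sample_log()).items()):
        print(ip, sorted(uas))
```

Both probing clients are flagged whatever User-Agent they send, while the monitoring host that sends the same Nagios-looking string is not, which is why a rate-based rule holds up better here than rejecting a user agent.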



