MJ12Bot Virus Robot

There seems to be a “virus bot” out there just now starting to attack servers in Japan. It spoofs the distributed open source search engine Majestic 12 with a user agent string of MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+. (The real Majestic 12 is up to version 1.2.x.)

Use mod_rewrite in Apache to block it:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^MJ12bot/v1\.0\.8.*$
RewriteRule .* - [F]

Add the above to either httpd.conf or a local .htaccess config file. See the Majestic 12 FAQ for more information.

Note that the way the virus has been hitting some of our sites appears as though it actually attempts to coordinate DOS attacks from multiple servers. Scary if true. And it seems to be smart enough to stop attacking as soon as it realizes that access has been denied.

Update: If you run mod_security, consider appending evil MJ12’s user agent string to the rogue web crawler portion of the bad robots conf file modsecurity_crs_35_bad_robots.conf:

SecRule REQUEST_HEADERS:User-Agent "(?:e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro\
|o browse)|m(?:ozilla\/4\.0 \(compatible; advanced email extractor|ailto:craftbot\@yahoo\.com)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?\
:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|\bdatacha0s\b|hhjhj@yahoo|chinac\
law|rsync|shai|zeus|mj12bot/v1\.0\.8)" \
"deny,log,auditlog,status:404,msg:'Rogue web site crawler',id:'990012',severity:'2'"

mod_security returns a 404 Not Found error instead of Access Denied which should further help to confound the virus.

One thought on “MJ12Bot Virus Robot

Leave a Reply

Your email address will not be published. Required fields are marked *