Fuzz Faster U Fool attacks overloading server with 200s and more
Any advice on Fuzz Faster U Fool attacks exploiting shared servers on port 2083 with many sites? The proxy on port 2083 is my bother, as it seems to serve successful 200 requests:
195.178.110.159 - - [06/24/2025:08:11:02 -0000] "GET /floorplans HTTP/1.1" 301 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2086
195.178.110.159 - - [06/24/2025:08:11:02 -0000] "GET /flow HTTP/1.1" 301 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2086
195.178.110.159 - - [06/24/2025:08:11:05 -0000] "GET /flvplayer HTTP/1.1" 301 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2086
195.178.110.159 - - [06/24/2025:08:11:05 -0000] "GET /fo HTTP/1.1" 301 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2086
195.178.110.159 - - [06/24/2025:08:11:09 -0000] "GET /footers HTTP/1.1" 301 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2086
195.178.110.159 - - [06/24/2025:08:11:12 -0000] "GET /grande HTTP/1.1" 301 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2086
195.178.110.159 - - [06/24/2025:08:11:12 -0000] "GET /vecio HTTP/1.1" 301 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2086
195.178.110.159 - - [06/24/2025:08:11:15 -0000] "GET /fotomagasinet HTTP/1.1" 301 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2086
195.178.110.159 - - [06/24/2025:08:11:18 -0000] "GET /fotomax HTTP/1.1" 301 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2086
195.178.110.159 - - [06/24/2025:08:11:18 -0000] "GET /fotopoint HTTP/1.1" 301 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2086
195.178.110.159 - - [06/24/2025:08:11:22 -0000] "GET /fotovideo HTTP/1.1" 301 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2086
195.178.110.159 - - [06/24/2025:08:11:25 -0000] "GET /fox HTTP/1.1" 301 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2086
195.178.110.159 - - [06/24/2025:08:11:25 -0000] "GET /fr_virgin HTTP/1.1" 301 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2086
195.178.110.159 - - [06/24/2025:08:11:28 -0000] "GET /frauenzimmer HTTP/1.1" 301 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2086
195.178.110.159 - - [06/24/2025:08:11:28 -0000] "GET /free-estimate HTTP/1.1" 301 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2086
195.178.110.159 - - [06/24/2025:08:11:28 -0000] "GET /freetrial HTTP/1.1" 301 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2086
195.178.110.159 - - [06/24/2025:08:11:29 -0000] "GET /components HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2083
195.178.110.159 - - [06/24/2025:08:11:29 -0000] "GET /test HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2083
195.178.110.159 - - [06/24/2025:08:11:29 -0000] "GET /images HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2083
195.178.110.159 - - [06/24/2025:08:11:29 -0000] "GET /xmlrpc HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2083
195.178.110.159 - - [06/24/2025:08:11:29 -0000] "GET /language HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2083
195.178.110.159 - - [06/24/2025:08:11:29 -0000] "GET /wp-content HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2083
195.178.110.159 - - [06/24/2025:08:11:29 -0000] "GET /admin HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2083
195.178.110.159 - - [06/24/2025:08:11:29 -0000] "GET /password HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2083
195.178.110.159 - - [06/24/2025:08:11:29 -0000] "GET /templates HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2083
These attacks come hard and fast and are not being blocked by the "default" cPHulk firewall. The only way you'll know it is if you do SNMP monitoring of your CPU and you have abnormal spike detection notifications.
Then you'll need this `netstat` to find top talkers:
[root@server ~]# netstat -tn | grep ESTABLISHED | awk '{split($5,remote,":"); split($4,local,":"); print remote[1] " → " local[2]}' | sort | uniq -c | sort -nr
24 195.178.110.159 → 2083
It will give you the IP address and then you can find the rest of the attack here:
grep "195.178.110.159" /usr/local/cpanel/logs/access_log
I find it interesting how they transition from 2086 to 2083, and from 301s to 200s:
I would like to hear why my default cPanel server isn't hardened for this kind of attack.
-
Hey there! Since all the connections seem to be coming from the 195.178.110.159 IP address, I would just block that IP.
0 -
Sure, I did that already. But will cPanel always respond to every site's `/file` with `HTTP 200` success on port 2083 across all shared sites? Or am I doing something wrong, since maybe I have forgotten a security setting?
0 -
Yes you will get the 200 status code, because it will go to the cPanel login page, that "/file" is ignored.
0 -
Right, this bot is just looking for random URLs on the server.
0 -
I'm not sure I have articulated the problem well enough, or maybe I just don't really understand how:
> this bot is just looking for random URLs on the server.
Let me sketch the scenario again, and then let me re-articulate my concerns.
1. The attack is visible at `/usr/local/cpanel/logs/access_log`. These are the cPanel logs that return data on cPanel ports 2083 and 2086, not the port 80 or 443 logs that return end user website activity.
2. The attack is not visible on "some client's shared host", but rather, the attack is visible on two well known cPanel ports, namely 2083 and 2086.
3. The attack started at 05:22 and ended at 08:21 (three hours). During these three hours around 35 000 requests were made:
   - 30004 requests on port 2083
   - 5573 requests on port 2086
4. Of these requests:
   - 30002 returned HTTP status code 200 (so mostly port 2083)
   - 5572 returned HTTP status code 301 (so mostly port 2086)
   - 3 returned HTTP status code 401
5. Of these requests, not a single one returned a 403, nor did a single request have the full path to any shared server file on the system. Everything is returned as flat files.
On point 5, for example, at 08:20:49 the attacker was able to get 200s 40 times (in 1 second):
195.178.110.159 - - [06/24/2025:08:20:49 -0000] "GET /siteManager HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2083
195.178.110.159 - - [06/24/2025:08:20:49 -0000] "GET /size-guide HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2083
195.178.110.159 - - [06/24/2025:08:20:49 -0000] "GET /soderzhanie-1969 HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2083
195.178.110.159 - - [06/24/2025:08:20:49 -0000] "GET /sor HTTP/1.1" 200 0 "-" "Fuzz Faster U Fool v1.5.0-dev" "-" "-" 2083
.... 35 more ....
So here are my concerns again:
My shared web hosts have protection, WAFs. But since these attackers are coming in at cPanel ports, other than ports 80 and 443, why is it they get 200s?
How am I supposed to detect problems on ports 2083 and 2086 if filenames are returned flat?
Does cPanel proxy all files on those ports, and is that why it returns HTTP 200 for only port 2083?
> I would just block that IP
Right. So play cat and mouse until I figure out why cPanel proxies flat files on port 2083 and returns 200 instead of 403? I'm glad for the replies, but I'm still concerned about the situation.
Also, I had to manually use NFT to block the attacker, and I get an DoS solutions from cPanel. Let me assure you all our cPanel servers have DoS attacks and I am just happy we have a border firewall.
0 -
cPanel listens on those ports and presents a login page to users - they are getting the 200 response because it's a successful connection. This all sounds like normal server behavior to me as it's returning the expected response on those ports.
0
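As an added example (not code from any poster in this thread), a small Python parser for the cPanel access_log format pasted above that aggregates requests per source IP by port and status, and flags the two signals the thread actually shows: many requests inside one second on a cPanel port, and a fuzzing tool announced in the User-Agent. The sample lines, the 203.0.113.5 and 198.51.100.7 addresses, and the burst threshold of 10 requests per second are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# cPanel access_log line as pasted in the thread: the trailing field is the cPanel service port hit (2083/2086).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)" "[^"]*" "[^"]*" (?P<port>\d+)$'
)

def parse_line(line):
    """Return the fields we care about as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"], rec["port"] = int(rec["status"]), int(rec["port"])
    rec["second"] = rec["ts"].split(" ")[0]   # "06/24/2025:08:20:49" is the one-second bucket
    return rec

def summarize(lines):
    """Per source IP: total, status and port breakdown, requests per one-second bucket, UAs seen."""
    out = defaultdict(lambda: {"total": 0, "status": Counter(), "port": Counter(),
                               "per_second": Counter(), "ua": set()})
    for rec in filter(None, map(parse_line, lines)):
        s = out[rec["ip"]]
        s["total"] += 1
        s["status"][rec["status"]] += 1
        s["port"][rec["port"]] += 1
        s["per_second"][rec["second"]] += 1
        s["ua"].add(rec["ua"])
    return out

def suspicious_ips(summary, burst=10, scanner_tags=("fuzz faster u fool", "ffuf")):
    """Flag an IP that bursts within one second or announces a fuzzing tool in its User-Agent.
    The 200s alone are not a signal: per the replies, cPanel answers any path on 2083 with its login page."""
    flagged = {}
    for ip, s in summary.items():
        peak = max(s["per_second"].values(), default=0)
        ua_hit = any(tag in ua.lower() for ua in s["ua"] for tag in scanner_tags)
        if peak >= burst or ua_hit:
            flagged[ip] = {"peak_per_second": peak, "ua_hit": ua_hit,
                           "ports": dict(s["port"]), "status": dict(s["status"])}
    return flagged

# Constructed sample (RFC 5737 addresses) in the thread's log format: one scanner bursting 12 requests
# in a single second on 2083 plus 3 on 2086, and one ordinary browser hitting the login page once.
_TPL = '{ip} - - [06/24/2025:08:20:{s:02d} -0000] "GET /{p} HTTP/1.1" {st} 0 "-" "{ua}" "-" "-" {port}'
_FFUF = "Fuzz Faster U Fool v1.5.0-dev"
SAMPLE = [_TPL.format(ip="203.0.113.5", s=49, p=f"w{i}", st=200, ua=_FFUF, port=2083) for i in range(12)]
SAMPLE += [_TPL.format(ip="203.0.113.5", s=40 + i, p=f"d{i}", st=301, ua=_FFUF, port=2086) for i in range(3)]
SAMPLE += [_TPL.format(ip="198.51.100.7", s=50, p="", st=200, ua="Mozilla/5.0", port=2083)]
```

Run it against `/usr/local/cpanel/logs/access_log` with `summarize(open(path))` and feed the result to `suspicious_ips` to get the same top-talker view the `netstat` one-liner gives, but from the log history rather than live connections.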