A Fuzz Faster U Fool attack is a technique whereby attackers scan cPanel servers at incredibly high speed on ports 2083 and 2086, looking for vulnerable files. These attacks have the following signatures:
- Ultra high speed scanning
- Ports 2083 and 2086 only
- Port 2083 will return HTTP 200 and port 2086 will return HTTP 301
- Flat filenames are returned, not actual paths
One way of picking up these attacks is to watch for a sudden spike in CPU activity on your server. The next step is to identify the culprit:
[root@server ~]# netstat -tn | grep ESTABLISHED | awk '{split($5,remote,":"); split($4,local,":"); print remote[1] " → " local[2]}' | sort | uniq -c | sort -nr
24 195.178.110.159 → 2083
As you can see, there are 24 requests from an unknown IP address to port 2083. At times we saw 40 requests in one second.
Next, you can tail the log and/or start tallying it:
# grep "195.178.110.159" /usr/local/cpanel/logs/access_log
Tallying the counts
Tallying ports 2083 and 2086
# grep "195.178.110.159" /usr/local/cpanel/logs/access_log | awk '{print $NF}' | sort | uniq -c
30004 2083
5573 2086
Tallying HTTP return codes
# grep "195.178.110.159" /usr/local/cpanel/logs/access_log | awk '{print $9}' | sort | uniq -c
30002 200
5572 301
3 401
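The tallies above are for one IP that was already spotted in netstat. As an added example (not from the original post), the script below runs the same tallies for every client in the log at once and flags any whose peak requests per second reaches a threshold. The function names, the sample lines and the documentation-range IP addresses are constructed; the field positions for status (`$9`) and port (`$NF`) follow the commands above, and the timestamp in `$4` is an assumption about the log layout.

```shell
#!/bin/sh
# Added example: flag clients by peak requests per second in a cPanel access_log.
# Field positions follow the page: $1 = client IP, $9 = HTTP status, $NF = port.
# Assumption: $4 holds the timestamp with one-second resolution.

# flag_scanners THRESHOLD   (reads access_log lines on stdin)
flag_scanners() {
  awk -v t="$1" '
    {
      ip = $1
      total[ip]++
      n = ++persec[ip SUBSEP $4]        # hits from this IP in this second
      if (n > peak[ip]) peak[ip] = n
      if ($NF == 2083) p2083[ip]++
      else if ($NF == 2086) p2086[ip]++
      if ($9 == 200) ok[ip]++
    }
    END {
      for (ip in peak)
        if (peak[ip] >= t)
          printf "%s total=%d peak_per_sec=%d port2083=%d port2086=%d http200=%d\n",
                 ip, total[ip], peak[ip], p2083[ip], p2086[ip], ok[ip]
    }' | sort
}

# Constructed sample lines: one fast client on both ports, one ordinary client.
sample_log() {
  fmt='%s - - [05/20/2025:10:00:%s -0000] "GET /%s HTTP/1.1" %s 0 "-" "-" "s" "-" %s\n'
  for f in a.php b.php c.php d.php e.php; do
    printf "$fmt" 203.0.113.7 01 "$f" 200 2083
  done
  printf "$fmt" 203.0.113.7 02 f.php 301 2086
  printf "$fmt" 203.0.113.7 02 g.php 301 2086
  printf "$fmt" 198.51.100.20 01 index.html 200 2083
  printf "$fmt" 198.51.100.20 09 index.html 200 2083
}

# Demo on the constructed sample; on a server: flag_scanners 20 < /usr/local/cpanel/logs/access_log
sample_log | flag_scanners 3
```

Each flagged line gives the per-port and HTTP 200 counts for that client, so the signature described at the top of the post can be checked before the address goes on the firewall block list.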
Blocking
At this time I am not aware of a DoS solution that works with cPanel to detect and block these attacks. What further compounds the issue is that the files that return 200 seem random and all over the show, without clear visibility of the full pathname or website.
So block the attacker at your core or border firewall, since if they are attacking this server, they will be attacking other servers as well.