[VoiceOps] Blacklist script
J. Oquendo
sil at infiltrated.net
Wed Oct 23 08:37:29 EDT 2013
Isn't much more than a bloated one-liner. Just parses
through Apache logs to check for the following (so
far):
JCE - (Joomla shell uploader)
Ahrefsbot - (spammer bot)
POST - (because no one should be posting stuff to my
site; I have no user logins, forms, etc., and after
analyzing what was being posted, close to 100% were
things with malicious intent. Catches most things.)
administrator - (no one should be trying to log in
as administrator. They get nowhere trying, but they
still do.)
55000 is the set number of lines I chose to look
through, since I fluctuate between 25-40k visitors
at peak times. (This was written for my personal
site, which sees about 2-3k ranDumb attacks per
day (must be the domain name).) Sorting uniquely
ensures I don't get dupes.
I may reconstruct it to aggregate data from others
once I get proper permission to do so. In which
event I'd be able to correlate data from a couple
hundred/thousandish webservers (unsure when this
will happen).
-----------
# Write the header of the published list
printf "
#
# The following addresses are web based attackers
# compiled on an hourly basis. Most are attempting
# XSS, SQLi, CSRF and other attacks. Compiled list
# to be used for blacklisting.
#
#" > /tmp/xssers/XSSATTACKERS
# Timestamp of this run, indented one space
echo `date`|sed 's:^: :g' >> /tmp/xssers/XSSATTACKERS
printf "\n\n" >> /tmp/xssers/XSSATTACKERS
# Scan the last 55000 log lines for the indicators, keep the client IP (field 1),
# and dedupe. Note the single ">" here: the scratch file is rewritten on every
# run, otherwise it grows across hourly runs and the published list gets dupes.
tail -n 55000 /var/logs/httpd/access_log|\
awk '/AhrefsBot|POST|administrator|JCE/{print $1}'|sort -u > /tmp/xssers/bad.xxxers
cat /tmp/xssers/bad.xxxers >> /tmp/xssers/XSSATTACKERS
# Publish the finished list
mv /tmp/xssers/XSSATTACKERS /var/www/html/infiltrated.net/webattackers.txt
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
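The one-liner in the post matches `POST`, `administrator`, `JCE` and `AhrefsBot` anywhere on the log line, so a request whose path or referer merely contains the string "POST" is flagged alongside a real POST. The script below is an added example, not the poster's code, that does the same job field by field on the Apache combined log format: the request method is compared exactly, the path patterns (`/administrator` prefix and a case-insensitive `jce` match, both assumed indicator choices for this example) are applied to the path only, and the crawler name is looked for in the user-agent field only. The log lines are constructed for an offline run; the output file location is a temp file rather than the poster's web root.

```shell
#!/bin/sh
# Added example (not from the original post): field-aware variant of the
# blacklist one-liner. Apache combined log format, one request per line:
#   IP ident user [date tz] "METHOD /path HTTP/x" status bytes "referer" "user-agent"

# Constructed sample log lines for an offline run (not real traffic).
# The last line is a benign GET whose path and referer contain "POST":
# the original substring match would flag it, this version does not.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [23/Oct/2013:08:00:01 -0400] "POST /index.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Oct/2013:08:00:02 -0400] "GET /administrator/index.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Oct/2013:08:00:03 -0400] "GET /administrator/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.9 - - [23/Oct/2013:08:00:04 -0400] "GET /robots.txt HTTP/1.1" 200 55 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.0)"
192.0.2.10 - - [23/Oct/2013:08:00:05 -0400] "GET /index.php?option=com_jce&task=plugin HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.11 - - [23/Oct/2013:08:00:06 -0400] "GET /blog/post-about-POST-requests HTTP/1.1" 200 4123 "http://example.org/POST" "Mozilla/5.0"
EOF

# extract_attackers LOGFILE NLINES
# Prints the deduplicated client IPs from the last NLINES lines whose request
# method, path or user-agent matches one of the indicators.
extract_attackers() {
  tail -n "$2" "$1" | awk '
    {
      # Split on double quotes: q[2] is the request line, q[n-1] the user-agent.
      n = split($0, q, "\"")
      split(q[2], r, " ")           # r[1] = method, r[2] = path
      method = r[1]; path = r[2]; ua = q[n-1]
      flag = 0
      if (method == "POST") flag = 1                 # site has no forms: any POST is unexpected
      if (path ~ /^\/administrator/) flag = 1         # Joomla admin login probing (assumed pattern)
      if (tolower(path) ~ /jce/) flag = 1             # JCE component requests (assumed pattern)
      if (ua ~ /AhrefsBot/) flag = 1                  # unwanted crawler, user-agent field only
      if (flag) print $1                              # $1 is the client IP
    }' | LC_ALL=C sort -u
}

# write_blacklist LOGFILE NLINES OUTFILE
# Writes the header plus the IP list to OUTFILE in one step, so readers of the
# published file never see a half-written list.
write_blacklist() {
  {
    printf '#\n# Web based attackers compiled from the last %s log lines\n# on %s\n#\n\n' "$2" "$(date)"
    extract_attackers "$1" "$2"
  } > "$3"
}

OUT=$(mktemp)
write_blacklist "$SAMPLE_LOG" 55000 "$OUT"
cat "$OUT"
```

On the sample above the list contains four addresses (192.0.2.10, 192.0.2.9, 198.51.100.7 and 203.0.113.5); 192.0.2.11 is not flagged because its method is GET and the indicator strings only appear in its path and referer, not in the fields being checked. `LC_ALL=C` makes the sort order stable regardless of the system locale.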