[VoiceOps] Blacklist script

J. Oquendo sil at infiltrated.net
Wed Oct 23 08:37:29 EDT 2013

Isn't much more than a bloated one line. Just parses
through apache logs to check for the following (so

JCE - Joomla shell uploader)

Ahrefsbot - (spammer bot)

POST - (because no one should be posting stuff to my
site, I have no user logins, forms, etc. and after
analyzing what was being posted close to 100% were
things with malicious intent. Catches most things)

administrator - no one should be trying to log in
as administrator. They get nowhere trying, but they
still do.

55000 is the set amount of lines I chose to look
through, since I fluctuate between 25-40k visitors
at peak times. (This was written for my personal
site which sees about 2-3k ranDumb attacks per
day (must be the domain name)) Sorting uniquely
ensures I don't get dupes.

I may reconstruct it to aggregate data from others
once I get proper permission to do so. In which
event I'd be able to correlate data from a couple
hundred/thousandish webservers (unsure when this
will happen).


printf "

# The following addresses are web based attackers
# compiled on an hourly basis. Most are attempting
# XSS, SQLi, CSRF and other attacks. Compiled list
# to be used for blacklisting.
#" > /tmp/xssers/XSSATTACKERS

echo `date`|sed 's:^: :g' >> /tmp/xssers/XSSATTACKERS

printf "\n\n" >> /tmp/xssers/XSSATTACKERS

tail -n 55000 /var/logs/httpd/access_log|\
awk '/AhrefsBot|POST|administrator|JCE/{print $1}'|sort -u >> /tmp/xssers/bad.xxxers

cat /tmp/xssers/bad.xxxers >> /tmp/xssers/XSSATTACKERS

mv /tmp/xssers/XSSATTACKERS /var/www/html/infiltrated.net/webattackers.txt

J. Oquendo

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF

More information about the VoiceOps mailing list