#51466 by Jaymer
Thu Aug 29, 2019 1:27 am
I just noticed this on one of IPBan's config panels in their new Web Admin tool:
It looks like you could point to any log you want and use a pattern matching rule to extract what you need...
then Ban them Bastards!!!
<and I bet you could send him a Tomcat log and $25 and let him figure it out and send you back the code to paste in>
#53560 by Jaymer
Mon Mar 23, 2020 8:25 pm
Well, I DID contact Jeff (the author) and he kindly gave me some code to check the Tomcat logs.
So now the bastards that hit my Tomcat trying to guess "php" and "cgi-bin" endpoints get smacked down - makes me feel good.

gonna make a new thread
Last edited by Jaymer on Mon Mar 23, 2020 8:34 pm, edited 1 time in total.
#53561 by Jaymer
Mon Mar 23, 2020 8:33 pm
02:23:47
asshole started hitting my server:
   Line 1472: 123.58.236.228 - - [22/Mar/2020:02:23:47 -0400] "GET / HTTP/1.1" 200 7763
   Line 1475: 123.58.236.228 - - [22/Mar/2020:02:23:48 -0400] "GET /robots.txt HTTP/1.1" 404 1084
   Line 1476: 123.58.236.228 - - [22/Mar/2020:02:23:49 -0400] "POST /Admin2a2a2c98/Login.php HTTP/1.1" 404 1101
   Line 1477: 123.58.236.228 - - [22/Mar/2020:02:23:50 -0400] "GET / HTTP/1.1" 200 7763
   Line 1478: 123.58.236.228 - - [22/Mar/2020:02:23:51 -0400] "GET /l.php HTTP/1.1" 404 1079
   Line 1479: 123.58.236.228 - - [22/Mar/2020:02:23:55 -0400] "GET /phpinfo.php HTTP/1.1" 404 1085
   Line 1480: 123.58.236.228 - - [22/Mar/2020:02:23:55 -0400] "GET /test.php HTTP/1.1" 404 1082
   Line 1481: 123.58.236.228 - - [22/Mar/2020:02:23:56 -0400] "POST /index.php HTTP/1.1" 404 1083
   Line 1482: 123.58.236.228 - - [22/Mar/2020:02:23:59 -0400] "POST /bbs.php HTTP/1.1" 404 1081
   Line 1483: 123.58.236.228 - - [22/Mar/2020:02:24:00 -0400] "POST /forum.php HTTP/1.1" 404 1083
   Line 1484: 123.58.236.228 - - [22/Mar/2020:02:24:03 -0400] "POST /forums.php HTTP/1.1" 404 1084
   Line 1485: 123.58.236.228 - - [22/Mar/2020:02:24:03 -0400] "POST /bbs/index.php HTTP/1.1" 404 1091
   Line 1486: 123.58.236.228 - - [22/Mar/2020:02:24:04 -0400] "POST /forum/index.php HTTP/1.1" 404 1093
   Line 1487: 123.58.236.228 - - [22/Mar/2020:02:24:07 -0400] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 1089
   Line 1488: 123.58.236.228 - - [22/Mar/2020:02:24:07 -0400] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 1090
   Line 1489: 123.58.236.228 - - [22/Mar/2020:02:24:08 -0400] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 1093
   Line 1493: 123.58.236.228 - - [22/Mar/2020:02:24:15 -0400] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 1090
   Line 1494: 123.58.236.228 - - [22/Mar/2020:02:24:15 -0400] "POST /%62%61%73%65/%70%6F%73%74%2E%70%68%70 HTTP/1.1" 404 1115
   Line 1498: 123.58.236.228 - - [22/Mar/2020:02:24:23 -0400] "GET /help.php HTTP/1.1" 404 1082
   Line 1499: 123.58.236.228 - - [22/Mar/2020:02:24:27 -0400] "GET /_query.php HTTP/1.1" 404 1084
   Line 1500: 123.58.236.228 - - [22/Mar/2020:02:24:31 -0400] "GET /test.php HTTP/1.1" 404 1082
   Line 1501: 123.58.236.228 - - [22/Mar/2020:02:24:31 -0400] "GET /db_cts.php HTTP/1.1" 404 1084
   Line 1502: 123.58.236.228 - - [22/Mar/2020:02:24:32 -0400] "GET /db_pma.php HTTP/1.1" 404 1084
   Line 1503: 123.58.236.228 - - [22/Mar/2020:02:24:35 -0400] "GET /help-e.php HTTP/1.1" 404 1084
   Line 1504: 123.58.236.228 - - [22/Mar/2020:02:24:35 -0400] "GET /license.php HTTP/1.1" 404 1085
   Line 1505: 123.58.236.228 - - [22/Mar/2020:02:24:36 -0400] "GET /log.php HTTP/1.1" 404 1081
   Line 1506: 123.58.236.228 - - [22/Mar/2020:02:24:36 -0400] "GET /hell.php HTTP/1.1" 404 1082
02:24:22
IP BAN PRO flags him - gives him "2" hits - gonna have to check why so low, I think it should have banned him right now

02:24:37
15 seconds later checks again and he's over my limit so IP is banned

from IP BAN LOG:
2020-03-22 02:24:22.1600|WARN|DigitalRuby.IPBan.IPBanLog|Login failure: 123.58.236.228, , Apache, 2
2020-03-22 02:24:37.2240|WARN|DigitalRuby.IPBan.IPBanLog|Login failure: 123.58.236.228, , Apache, 4
2020-03-22 02:24:37.2240|WARN|DigitalRuby.IPBan.IPBanLog|Banning ip address: 123.58.236.228, user name: , config black listed: False, count: 4, extra info:
2020-03-22 02:24:37.2469|WARN|DigitalRuby.IPBan.IPBanLog|Updating firewall with 1 entries...


I was messing around with them to catch some other events - I might have messed up something on the PHP check. Seems like it only caught the cgi-bin illegal attempts.
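To show what a custom-log rule like the one IPBan applied above actually has to do (parse the access-log line, match a pattern, count failures per source address and compare against a threshold), here is an added example in Python. It is not IPBan's code and not the snippet Jeff supplied; it assumes the Apache/Tomcat "common" access-log layout shown in the post, counts a line as a failed probe when the path looks like a PHP or cgi-bin endpoint and the status is 4xx, and uses an assumed threshold of 4 hits in a 5-minute window (the count at which the IPBan log above shows the ban). The sample lines and the 203.0.113.x / 198.51.100.x addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import timedelta, datetime

# Constructed sample access-log lines (documentation-range IPs, not the addresses from the post).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Mar/2020:02:23:47 -0400] "GET / HTTP/1.1" 200 7763
203.0.113.7 - - [22/Mar/2020:02:23:49 -0400] "POST /Admin/Login.php HTTP/1.1" 404 1101
203.0.113.7 - - [22/Mar/2020:02:23:51 -0400] "GET /l.php HTTP/1.1" 404 1079
203.0.113.7 - - [22/Mar/2020:02:23:55 -0400] "GET /phpinfo.php HTTP/1.1" 404 1085
203.0.113.7 - - [22/Mar/2020:02:24:07 -0400] "POST /cgi-bin/php?x=1 HTTP/1.1" 404 1089
198.51.100.9 - - [22/Mar/2020:02:24:10 -0400] "GET /index.php HTTP/1.1" 200 512
198.51.100.9 - - [22/Mar/2020:02:30:00 -0400] "GET /old.php HTTP/1.1" 404 1080
this line is not an access-log record
"""

# Apache/Tomcat "common" log format: ip ident user [timestamp] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed probe pattern, analogous to an IPBan custom-log regex: a PHP file or a cgi-bin path.
PROBE_RE = re.compile(r"(?i)(\.php(\?|$)|/cgi-bin/)")


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    except ValueError:
        return None
    rec["status"] = int(rec["status"])
    return rec


def is_failed_probe(rec):
    """A request counts as a failure when it targets a probe-like path and the server rejected it (4xx)."""
    return 400 <= rec["status"] < 500 and PROBE_RE.search(rec["path"]) is not None


def count_probes(lines, window=timedelta(minutes=5)):
    """Peak number of failed probes per IP inside any sliding window.
    Lines are assumed to be in chronological order, as an access log normally is."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_probe(rec):
            continue  # skip malformed lines and non-failing / non-probe requests
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return dict(peak)


def find_offenders(lines, threshold=4, window=timedelta(minutes=5)):
    """IPs whose peak failure count reached the threshold, with that peak count (ban candidates)."""
    return {ip: n for ip, n in count_probes(lines, window).items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban candidate {ip}: {n} failed probes within window")
```

The sliding window is the part worth getting right: a single 404 on a stale bookmark should never trip the rule, while a burst of PHP and cgi-bin probes from one address (as in the log above) crosses the threshold within seconds. Lines that do not parse are ignored rather than counted, so a malformed or truncated record cannot produce a false ban.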
#53564 by PointsWell
Mon Mar 23, 2020 11:00 pm
ACDC wrote:
So it doesn't interact with any specific web server or ports.


I thought so, I get hundreds of attempts to hack into Tomcat. I have resorted to banning the IP address by manually changing the rules in the Windows firewall on the Tomcat ports. But it's a challenge, as you can imagine.

It would be great if IP BAN could monitor the Tomcat logs in the same way it monitors the Windows events and then, based on some perceived bad behaviour in the log record, set the firewall rules accordingly. It should be an easy plug-in feature upgrade.

I wonder if they would be open to adding this functionality.

It could even be a standalone utility that periodically imports the Tomcat logs, makes an assessment of the suspect entries and then updates the Windows firewall. A simple rule for me is ban IP address by country; this would get rid of most of the bad guys.


If you set up a proxy forwarding web server (NGINX for example) in front of Tomcat you can use IPBan on ports 80/443 and the aggressor never knows that they are interrogating Tomcat.
#53567 by ACDC
Tue Mar 24, 2020 11:07 am
If you set up a proxy forwarding web server (NGINX for example) in front of Tomcat you can use IPBan on ports 80/443 and the aggressor never knows that they are interrogating Tomcat.


NGINX seems a nice option but it seems it doesn't run under Windows, any other suggestion?
#53568 by PointsWell
Tue Mar 24, 2020 11:24 am
ACDC wrote:
If you set up a proxy forwarding web server (NGINX for example) in front of Tomcat you can use IPBan on ports 80/443 and the aggressor never knows that they are interrogating Tomcat.


NGINX seems a nice option but it seems it doesn't run under Windows, any other suggestion?


You'd run it as a Linux server in front of your Windows box, not on the same machine.
