ACDC
I made a batch file:
findscum.bat
This is inside \aware\tomcat\logs
You can just drop a logfile on it and you're done.
Inside it:
grep -v favicon %1 | grep -v robots.txt | grep -v R3 > a2
grep -e "GET /img" -e "php" a2 | cut --fields=1 --delim=" " | sort -g | uniq > a3
sed s/$/\t2018-01-01T00:00:01.0000001Z/ a3 > a4
cat a4 >> c:\IPBan\banlog.txt
Of course this could be condensed, but it's clearer being a little wordy.
My AppDirectory was renamed to R3 (instead of AwareIM).
So the 1st 3 lines remove "valid" log lines for clarity, leaving only [possibly] troublesome lines to further examine.
2nd line is to examine only the "php" or "GET /img" lines - shouldn't be any of that on my system, so if you're doing this, you're a scumbag.
That finds lots of lines, which are then sorted, outputting only unique IPs.
Then we add a TAB and a timestamp for IPBan.
Then append that onto his file.
Final result is this list of scumbags:
50.193.24.141 2018-01-01T00:00:01.0000001Z
50.196.171.161 2018-01-01T00:00:01.0000001Z
50.242.78.14 2018-01-01T00:00:01.0000001Z
54.198.50.92 2018-01-01T00:00:01.0000001Z
64.113.101.107 2018-01-01T00:00:01.0000001Z
added to the end of his banlist.
You'll need GnuWin32 utilities to run these unix commands.
I installed to "\Program Files\GnuWin", then modified the system PATH to include: c:\Program Files\GnuWin\bin;
I figure you only have to run this once a day and the next day, all prior-day scumbags will be banned.
His program runs every 30 seconds and you could do this more frequently, but people are already hammering the server and we're doing nothing about it - at least NOW they might only hit it that 1st day and then buh-bye!
jaymer...
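An added example, not the poster's batch file: the same filter as a POSIX shell function, extended so a daily re-run does not append IPs already in the ban file and so an allowlist keeps your own addresses out of it. The function name `find_scum`, the allowlist file and the common-log-format field layout (IP in field 1, method in field 6, path in field 7) are assumptions; the sample log is constructed with documentation-range IPs.

```shell
#!/bin/sh
# Added example. Assumes access-log lines in common log format:
#   IP - - [time] "METHOD /path HTTP/x" status bytes
STAMP='2018-01-01T00:00:01.0000001Z'   # fixed timestamp from the post
APPDIR='R3'                            # renamed AppDirectory from the post

# find_scum LOG BANLOG [ALLOWLIST] -> prints new "IP<TAB>STAMP" lines
find_scum() {
    log=$1; banlog=$2; allow=${3:-/dev/null}
    [ -f "$banlog" ] || banlog=/dev/null
    awk -v app="$APPDIR" '
        # Pass 1 (allowlist + existing banlog): remember IPs to leave alone.
        mode == "skip" { skip[$1] = 1; next }
        # Pass 2 (access log): field 1 must look like an IPv4 address.
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        { path = $7 }
        # Same exclusions as the batch file, applied to the request path.
        path ~ /favicon|robots\.txt/ || index(path, "/" app "/") == 1 { next }
        # Same triggers: GET /img..., or "php" in the requested path.
        ($6 == "\"GET" && path ~ /^\/img/) || path ~ /php/ {
            if (!skip[$1]++) print $1      # one line per new IP
        }
    ' mode=skip "$allow" "$banlog" mode=log "$log" |
    sort -t. -k1,1n -k2,2n -k3,3n -k4,4n |
    awk -v s="$STAMP" '{ printf "%s\t%s\n", $0, s }'
}

# Constructed sample data, then a demo run.
demo_dir=$(mktemp -d)
cat > "$demo_dir/access.log" <<'EOF'
203.0.113.9 - - [01/Jan/2018:10:00:00 +0000] "GET /img/logo.png HTTP/1.1" 404 0
203.0.113.9 - - [01/Jan/2018:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 0
198.51.100.20 - - [01/Jan/2018:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 404 0
192.0.2.7 - - [01/Jan/2018:10:02:00 +0000] "GET /R3/logon.html HTTP/1.1" 200 512
192.0.2.7 - - [01/Jan/2018:10:02:05 +0000] "GET /favicon.ico HTTP/1.1" 200 99
192.0.2.50 - - [01/Jan/2018:10:03:00 +0000] "GET /admin.php HTTP/1.1" 404 0
198.51.100.3 - - [01/Jan/2018:10:04:00 +0000] "GET /index.php HTTP/1.1" 404 0
EOF
printf '198.51.100.3\t%s\n' "$STAMP" > "$demo_dir/banlog.txt"   # already banned
echo '192.0.2.50' > "$demo_dir/allow.txt"                       # admin's own IP
find_scum "$demo_dir/access.log" "$demo_dir/banlog.txt" "$demo_dir/allow.txt"
```

Appending the function's output to the ban file and running it again on the same log prints nothing, so the file does not grow with repeats.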