OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

ACDC
Posts: 1138
Joined: Sat Jun 30, 2007 5:03 pm
Location: California, USA

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by ACDC »

I have just noted that I already commented on this some time back in this thread :oops:
Last edited by ACDC on Sun Aug 25, 2019 10:47 am, edited 2 times in total.
ACDC
Posts: 1138
Joined: Sat Jun 30, 2007 5:03 pm
Location: California, USA

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by ACDC »

ACDC wrote:I have just noted that I already commented on this some time back in this thread :oops:
and you supplied a solution which I never got around to trying :oops:


I think it's called ADD :shock:
Jaymer
Posts: 2430
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by Jaymer »

I just noticed this on one of IPBan's config panels in their new Web Admin tool:
[attachment: Screen Shot 2019-08-28 at 9.26.43 PM.png]
It looks like you could point to any log you want and use a pattern matching rule to extract what you need...
then Ban them Bastards!!!
<and I bet you could send him a Tomcat log and $25 and let him figure it out and send you back the code to paste in>
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
Jaymer
Posts: 2430
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by Jaymer »

Well, I DID contact Jeff (the author) and he kindly gave me some code to check the Tomcat logs.
So now the bastards that hit my Tomcat trying to guess "php" and "cgi-bin" endpoints get smacked down - makes me feel good.

gonna make a new thread
Last edited by Jaymer on Mon Mar 23, 2020 8:34 pm, edited 1 time in total.
Jaymer
Posts: 2430
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL

Anatomy of new rules

Post by Jaymer »

02:23:47
asshole started hitting my server:


	Line 1472: 123.58.236.228 - - [22/Mar/2020:02:23:47 -0400] "GET / HTTP/1.1" 200 7763
	Line 1475: 123.58.236.228 - - [22/Mar/2020:02:23:48 -0400] "GET /robots.txt HTTP/1.1" 404 1084
	Line 1476: 123.58.236.228 - - [22/Mar/2020:02:23:49 -0400] "POST /Admin2a2a2c98/Login.php HTTP/1.1" 404 1101
	Line 1477: 123.58.236.228 - - [22/Mar/2020:02:23:50 -0400] "GET / HTTP/1.1" 200 7763
	Line 1478: 123.58.236.228 - - [22/Mar/2020:02:23:51 -0400] "GET /l.php HTTP/1.1" 404 1079
	Line 1479: 123.58.236.228 - - [22/Mar/2020:02:23:55 -0400] "GET /phpinfo.php HTTP/1.1" 404 1085
	Line 1480: 123.58.236.228 - - [22/Mar/2020:02:23:55 -0400] "GET /test.php HTTP/1.1" 404 1082
	Line 1481: 123.58.236.228 - - [22/Mar/2020:02:23:56 -0400] "POST /index.php HTTP/1.1" 404 1083
	Line 1482: 123.58.236.228 - - [22/Mar/2020:02:23:59 -0400] "POST /bbs.php HTTP/1.1" 404 1081
	Line 1483: 123.58.236.228 - - [22/Mar/2020:02:24:00 -0400] "POST /forum.php HTTP/1.1" 404 1083
	Line 1484: 123.58.236.228 - - [22/Mar/2020:02:24:03 -0400] "POST /forums.php HTTP/1.1" 404 1084
	Line 1485: 123.58.236.228 - - [22/Mar/2020:02:24:03 -0400] "POST /bbs/index.php HTTP/1.1" 404 1091
	Line 1486: 123.58.236.228 - - [22/Mar/2020:02:24:04 -0400] "POST /forum/index.php HTTP/1.1" 404 1093
	Line 1487: 123.58.236.228 - - [22/Mar/2020:02:24:07 -0400] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 1089
	Line 1488: 123.58.236.228 - - [22/Mar/2020:02:24:07 -0400] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 1090
	Line 1489: 123.58.236.228 - - [22/Mar/2020:02:24:08 -0400] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 1093
	Line 1493: 123.58.236.228 - - [22/Mar/2020:02:24:15 -0400] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 1090
	Line 1494: 123.58.236.228 - - [22/Mar/2020:02:24:15 -0400] "POST /%62%61%73%65/%70%6F%73%74%2E%70%68%70 HTTP/1.1" 404 1115
	Line 1498: 123.58.236.228 - - [22/Mar/2020:02:24:23 -0400] "GET /help.php HTTP/1.1" 404 1082
	Line 1499: 123.58.236.228 - - [22/Mar/2020:02:24:27 -0400] "GET /_query.php HTTP/1.1" 404 1084
	Line 1500: 123.58.236.228 - - [22/Mar/2020:02:24:31 -0400] "GET /test.php HTTP/1.1" 404 1082
	Line 1501: 123.58.236.228 - - [22/Mar/2020:02:24:31 -0400] "GET /db_cts.php HTTP/1.1" 404 1084
	Line 1502: 123.58.236.228 - - [22/Mar/2020:02:24:32 -0400] "GET /db_pma.php HTTP/1.1" 404 1084
	Line 1503: 123.58.236.228 - - [22/Mar/2020:02:24:35 -0400] "GET /help-e.php HTTP/1.1" 404 1084
	Line 1504: 123.58.236.228 - - [22/Mar/2020:02:24:35 -0400] "GET /license.php HTTP/1.1" 404 1085
	Line 1505: 123.58.236.228 - - [22/Mar/2020:02:24:36 -0400] "GET /log.php HTTP/1.1" 404 1081
	Line 1506: 123.58.236.228 - - [22/Mar/2020:02:24:36 -0400] "GET /hell.php HTTP/1.1" 404 1082

02:24:22
IP BAN PRO flags him - gives him "2" hits - gonna have to check why so low, I think it should have banned him right now

02:24:37
15 seconds later it checks again and he's over my limit, so the IP is banned

from IP BAN LOG:
2020-03-22 02:24:22.1600|WARN|DigitalRuby.IPBan.IPBanLog|Login failure: 123.58.236.228, , Apache, 2
2020-03-22 02:24:37.2240|WARN|DigitalRuby.IPBan.IPBanLog|Login failure: 123.58.236.228, , Apache, 4
2020-03-22 02:24:37.2240|WARN|DigitalRuby.IPBan.IPBanLog|Banning ip address: 123.58.236.228, user name: , config black listed: False, count: 4, extra info:
2020-03-22 02:24:37.2469|WARN|DigitalRuby.IPBan.IPBanLog|Updating firewall with 1 entries...


I was messing around with them to catch some other events - I might have messed up something on the PHP check. Seems like it only caught the cgi-bin illegal attempts.
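As an added example (not code from this thread, from IPBan or from its author), the detection logic the post above describes can be reproduced in a few dozen lines of Python: replay Tomcat/Apache access-log lines in common log format, treat a 404 on a PHP or cgi-bin path as one "login failure" from that source address, keep a per-address sliding window, and emit a ban decision once the count reaches a threshold, the same climb from 2 to 4 and then a ban that the IPBan log shows. The 60-second window, the threshold of 4, the never-ban networks and the sample log lines are all assumptions or constructed for the example. Paths are percent-decoded before matching, so an encoded request such as `/%62%61%73%65/%70%6F%73%74%2E%70%68%70` is counted the same as the `/base/post.php` it decodes to; a rule that matches only the raw text would miss it.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# One Apache/Tomcat access-log line in common log format:
#   <ip> - - [<timestamp>] "<method> <path> <protocol>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths a Tomcat-only server never serves: PHP scripts and CGI handlers.
# Applied to the percent-DECODED path so encoded variants are still caught.
PROBE_PATH_RE = re.compile(r'(?i)(?:\.php(?:$|\?|/)|/cgi-bin/)')

WINDOW = timedelta(seconds=60)  # assumed sliding window
THRESHOLD = 4                   # assumed failures per window before a ban

# Assumed address ranges that must never be banned (own LAN, loopback).
NEVER_BAN = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": unquote(m["path"]),   # decode %xx before any pattern matching
        "status": int(m["status"]),
    }


def is_probe(entry):
    """A 'login failure' in IPBan terms: a 404 on a path only a scanner asks for."""
    return entry["status"] == 404 and PROBE_PATH_RE.search(entry["path"]) is not None


def is_bannable_address(ip):
    """Refuse to ban anything inside NEVER_BAN or anything that is not a valid address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NEVER_BAN)


def scan(lines, window=WINDOW, threshold=THRESHOLD):
    """Replay log lines in order; return [(ip, ban_time, failure_count)] per ban decision."""
    recent = defaultdict(deque)   # ip -> timestamps of probes still inside the window
    banned = set()
    bans = []
    for line in lines:
        e = parse_line(line)
        if e is None or not is_probe(e) or not is_bannable_address(e["ip"]):
            continue
        if e["ip"] in banned:
            continue                  # already handed to the firewall
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            banned.add(e["ip"])
            bans.append((e["ip"], e["ts"], len(q)))
    return bans


# Constructed sample log: one scanner (203.0.113.5), one legitimate client
# (198.51.100.7) and one internal host (10.0.0.4) that must not be banned.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Mar/2020:02:23:47 -0400] "GET / HTTP/1.1" 200 7763
203.0.113.5 - - [22/Mar/2020:02:23:48 -0400] "GET /robots.txt HTTP/1.1" 404 1084
203.0.113.5 - - [22/Mar/2020:02:23:49 -0400] "POST /Admin2a2a2c98/Login.php HTTP/1.1" 404 1101
198.51.100.7 - - [22/Mar/2020:02:23:50 -0400] "GET /app/ HTTP/1.1" 200 5120
203.0.113.5 - - [22/Mar/2020:02:23:55 -0400] "GET /phpinfo.php HTTP/1.1" 404 1085
10.0.0.4 - - [22/Mar/2020:02:23:56 -0400] "GET /test.php HTTP/1.1" 404 1082
203.0.113.5 - - [22/Mar/2020:02:24:07 -0400] "POST /cgi-bin/php?%2D%64+%61 HTTP/1.1" 404 1089
198.51.100.7 - - [22/Mar/2020:02:24:10 -0400] "GET /favicon.ico HTTP/1.1" 404 1080
203.0.113.5 - - [22/Mar/2020:02:24:15 -0400] "POST /%62%61%73%65/%70%6F%73%74%2E%70%68%70 HTTP/1.1" 404 1115
203.0.113.5 - - [22/Mar/2020:02:24:23 -0400] "GET /help.php HTTP/1.1" 404 1082
"""

if __name__ == "__main__":
    for ip, ts, count in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts:%Y-%m-%d %H:%M:%S}|WARN|Banning ip address: {ip}, count: {count}")
```

On the sample above only 203.0.113.5 is banned, at the fourth probe (the percent-encoded `post.php` request); the `/robots.txt` and `/favicon.ico` 404s are ignored because they are not PHP or CGI paths, and the internal 10.0.0.4 host is skipped by the never-ban list. Counting only 404s, rather than every request for a `.php` path, is what keeps a real PHP application behind the same proxy from banning its own users.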
PointsWell
Posts: 1457
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by PointsWell »

ACDC wrote:
So it doesn't interact with any specific web server or ports.
I thought so, I get hundreds of attempts to hack into Tomcat. I have resorted to banning the IP address by manually changing the rules in the windows firewall on the Tomcat ports. But it's a challenge, you can imagine

It would be great if IP BAN could monitor the Tomcat logs in the same way it monitors the windows events and then based on some perceived bad behaviour in the log record set the firewall rules accordingly. It should be an easy plug-in feature upgrade.

I wonder if they would be open to adding this functionality.

It could even be a standalone utility that periodically imports the tomcat logs, makes an assessment of the suspect entries and then updates the windows firewall. A simple rule for me is ban ip address by country, this would get rid of most of the bad guys
If you set up a proxy forwarding web server (NGINX for example) in front of Tomcat you can use IPBan on ports 80/443 and the aggressor never knows that they are interrogating Tomcat.
ACDC
Posts: 1138
Joined: Sat Jun 30, 2007 5:03 pm
Location: California, USA

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by ACDC »

PointsWell wrote:
If you set up a proxy forwarding web server (NGINX for example) in front of Tomcat you can use IPBan on ports 80/443 and the aggressor never knows that they are interrogating Tomcat.
NGINX seems a nice option, but it seems it doesn't run under Windows. Any other suggestion?
PointsWell
Posts: 1457
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by PointsWell »

ACDC wrote:
If you set up a proxy forwarding web server (NGINX for example) in front of Tomcat you can use IPBan on ports 80/443 and the aggressor never knows that they are interrogating Tomcat.
NGINX seems a nice option, but it seems it doesn't run under Windows. Any other suggestion?
You'd run it as a Linux server in front of your Windows box, not on the same machine.