Google subscribed links will be taken down in 15 days

Great, I just finished creating mine. Well, it took me 2 days to do and it was done a week ago, but I could not set up the description page. I had big plans for my subscribed link. Good, I did not invest more time on it. Oh well, here is my button. Enjoy for 15 days.

But ... it works on IPduh Search

get those web-scanning / script kiddies

WTF, it seems that some web-scanning kiddies forgot the IP address, the domain name, and all passwords of their grandma's recipes' hosting site. They just remember that they did a really bad job setting it up.

I find it amusing looking at what web-scanning kiddies are looking for in my logs, but I just figured that 3% of the total hits on a relatively busy site I "legally" own was due to their scans. Their scans were run from the same IP addresses doing the same thing over and over again. Badly configured scanners run by clueless morons - not interesting.

That 3% makes a huge difference to the size of my logs. Hmm, I will block them. I would not, if they were providing me with versatile scan traces, but these guys are boring. Actually I am going to take a better look at who they are and then just block them on all my servers.

The get-web-scanners script
n:~#cat get-webscanners.sh
#!/bin/bash
#find web-scanning kiddies, g0 2011

#good chance to practice my Spanish counting skills
CERO='phpMyAdmin-2.2.6'
UNO='phpMyAdmin-2.2.3'
DOS='webadmin'
TRES='sqlmanager'
CUATRO='phpMyAdmin-2.8.1-rc1'
CINCO='databaseadmin'
SEIS='scripts/setup.php'
SIETE='/phpmyadmin/scripts/setup.php'
OCHO='/php-my-admin/scripts/setup.php'
NUEVE='/p/m/a/scripts/setup.php'

LOG="./apache.log"

#hits,IP address list
DUMMIES="./dummies.ip"

#hits,url to more info about the IP address
DIPHTM="./dummies.htm"

#one line per scanner IP: "positives,IP", most positives first
grep -E "$CERO|$UNO|$DOS|$TRES|$CUATRO|$CINCO|$SEIS|$SIETE|$OCHO|$NUEVE" "$LOG" | awk '{print $1}' | sort | uniq -c | sort -nr | awk '{print $1","$2}' > "$DUMMIES"

#same list with each IP linked to its IPduh page; the awk string must stay on one line
#(a raw line break inside an awk string is a syntax error) and print adds the newline itself
awk -F"," '{print $1",<a href=\"http://ipduh.com/ip/?"$2"\">"$2"</a>"}' "$DUMMIES" > "$DIPHTM"

it seems good, let's run it
n:~$./get-webscanners.sh
n:~$cat dummies.ip |wc -l
59
n:~$cat dummies.ip
210,69.90.135.132
152,81.91.214.93
107,212.116.138.195
103,72.167.39.179
...
1, 


Looking through my logs I figured that 10 positives means at least a few hundred hits coming from this scanner. I will block whatever has 10 or more positives. The dudes using the IPs with less than 10 positives tried to be stealthy. Let them play. IPs with 1 or 2 positives may be false positives.

Let's take a better look at who had 10 or more positives

dummies.htm

Cool, let's block them
n:~$cat -n dummies.ip 
1 210,69.90.135.132
2 152,81.91.214.93
3 107,212.116.138.195
4 103,72.167.39.179
5 103,216.13.56.89
...
32 10,188.138.92.62
...
59 1,

n:~$for i in `cat dummies.ip |head -32|awk -F"," '{print $2}'`;do iptables -A INPUT -s $i -j DROP;iptables -A OUTPUT -d $i -j DROP;done

done
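The same detection, as an added example that is not the blog's script: it matches the scanner signatures against the request path only (the post's egrep matched the whole log line, referer and user agent included), counts positives per client IP, drops records whose first field is not an IPv4 address (the source of the "1," entry above), and applies the threshold as a parameter. The signature list, the sample log and the IPs in it are constructed for this example.

```shell
#!/bin/bash
# Added example: per-IP scanner-signature counting over an Apache access log.
# Assumes the common/combined log format: client IP is field 1, request path is field 7.

# Request paths that legitimate visitors never ask for (same signatures as the post).
# Unescaped dots match any character, exactly as in the post's egrep patterns.
SIGNATURES='phpMyAdmin-2.2.6|phpMyAdmin-2.2.3|webadmin|sqlmanager|phpMyAdmin-2.8.1-rc1|databaseadmin|scripts/setup.php'

# count_positives: read a log on stdin, print "positives,ip" per client IP, most positives first.
# Records whose first field is not a dotted quad (blank or truncated lines) are ignored.
count_positives() {
    awk -v sig="$SIGNATURES" '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $7 ~ sig { hits[$1]++ }
        END { for (ip in hits) printf "%d,%s\n", hits[ip], ip }
    ' | sort -t, -k1,1nr -k2,2
}

# blocklist THRESHOLD: print only the IPs with THRESHOLD or more positives, one per line,
# ready to feed into whatever blocking mechanism you use (the post uses iptables DROP rules).
blocklist() {
    local threshold="$1"
    count_positives | awk -F, -v t="$threshold" '$1 + 0 >= t + 0 { print $2 }'
}

# Constructed sample log: 192.0.2.10 probes three signatures, 198.51.100.7 probes once
# (a possible false positive), 203.0.113.5 is a normal visitor, and one line is blank.
SAMPLE_LOG=$(cat <<'EOF'
192.0.2.10 - - [27/Apr/2011:17:51:21 +0200] "GET /phpMyAdmin-2.2.6/scripts/setup.php HTTP/1.1" 404 213 "-" "Mozilla/4.0"
192.0.2.10 - - [27/Apr/2011:17:51:22 +0200] "GET /webadmin/ HTTP/1.1" 404 213 "-" "Mozilla/4.0"
203.0.113.5 - - [27/Apr/2011:17:51:23 +0200] "GET / HTTP/1.1" 200 2150 "-" "funky browser"

192.0.2.10 - - [27/Apr/2011:17:51:24 +0200] "GET /p/m/a/scripts/setup.php HTTP/1.1" 404 213 "-" "Mozilla/4.0"
198.51.100.7 - - [27/Apr/2011:17:51:25 +0200] "GET /sqlmanager/ HTTP/1.1" 404 213 "-" "Mozilla/4.0"
203.0.113.5 - - [27/Apr/2011:17:51:26 +0200] "GET /index.html HTTP/1.1" 200 2150 "-" "funky browser"
EOF
)

# Stand-alone run: print the ranked list, then the IPs at or above a threshold of 2.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    printf '%s\n' "$SAMPLE_LOG" | count_positives
    echo "--- block (threshold 2) ---"
    printf '%s\n' "$SAMPLE_LOG" | blocklist 2
fi
```

On a real log, replace the sample with `count_positives < /var/log/apache2/access.log` and raise the threshold to the 10 the post settled on.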

arin IPv6 address whois lookup

So, it's an Arin IPv6 address, and your whois client kind of broke.

To get basic whois information like the owner organization and the network try
n:~#whois -h whois.arin.net "n 2001:500:1::dead:beef"

To see a detailed whois report try
n:~#whois -h whois.arin.net "n + 2001:500:1::dead:beef"


Or use the IPduh IPv6 whois client, which knows what to do.

Cute one liner IP intel and hit stats

We need IP intel from huge logs and we need it fast

The logs look like
n:~#cat ./apache.log |head -1
192.0.2.4 - - [27/Apr/2011:17:51:21 +0200] "GET / HTTP/1.1" 200 2150 "-" "funky browser"

The one-liner is
n:~#cat ./apache.log | awk '{print $1}' | sort | uniq -c | sort -nr | awk '{print $1",<a href=\"http://ipduh.com/ip/?"$2"\">"$2"</a>"}' > ip.htm

ip.htm looks like (hits,IP address, with each address linked to its IPduh page)
23228,66.249.66.181
9358,77.88.25.28
...

Check the syntax of a BIND zone file

root@n:~# named-checkzone -d zone.example.com /PATH/db.zone.example.com

hello world

testing my redundant easy-blogging setup.