get those web-scanning / script kiddies

WTF, it seems that some web-scanning kiddies forgot the IP address, the domain name, and all passwords of their grandma's recipes' hosting site. They just remember that they did a really bad job setting it up.

I find it amusing looking at what web-scanning kiddies are looking for in my logs, but I just figured that 3% of the total hits on a relatively busy site I "legally" own was due to their scans. Their scans were run from the same IP addresses doing the same thing over and over again. Badly configured scanners run by clueless morons: not interesting.

That 3% makes a huge difference to the size of my logs. Hmm, I will block them. I would not if they were providing me with versatile scan traces, but these guys are boring. Actually, I am going to take a better look at who they are and then just block them on all my servers.

The get-web-scanners script
n:~#cat get-webscanners.sh
#!/bin/bash
#find web-scanning kiddies, g0 2011

#good chance to practice my Spanish counting skills
CERO='phpMyAdmin-2.2.6'
UNO='phpMyAdmin-2.2.3'
DOS='webadmin'
TRES='sqlmanager'
CUATRO='phpMyAdmin-2.8.1-rc1'
CINCO='databaseadmin'
SEIS='scripts/setup.php'
SIETE='/phpmyadmin/scripts/setup.php'
OCHO='/php-my-admin/scripts/setup.php'
NUEVE='/p/m/a/scripts/setup.php'

LOG="./apache.log"

#hits,IP address list
DUMMIES="./dummies.ip"

#hits,url to more info about the IP address
DIPHTM="./dummies.htm"

#count matching requests per client IP (field 1), most hits first, as "hits,IP"
cat "$LOG" | egrep "$CERO|$UNO|$DOS|$TRES|$CUATRO|$CINCO|$SEIS|$SIETE|$OCHO|$NUEVE" | awk '{print $1}' | sort | uniq -c | sort -nr | awk '{print $1","$2}' > "$DUMMIES"
#same list with each IP turned into a lookup link (the awk string must stay on one line)
cat "$DUMMIES" | awk -F"," '{print $1",<a href=http://ipduh.com/ip/?"$2">"$2"</a>"}' > "$DIPHTM"

It seems good, let's run it.
n:~$./get-webscanners.sh
n:~$cat dummies.ip |wc -l
59
n:~$cat dummies.ip
210,69.90.135.132
152,81.91.214.93
107,212.116.138.195
103,72.167.39.179
...
1, 


Looking through my logs, I figured that 10 positives mean at least a few hundred hits coming from this scanner. I will block whatever has 10 or more positives. The dudes using the IPs with fewer than 10 positives tried to be stealthy. Let them play. IPs with 1 or 2 positives may be false positives.
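Here is an added example (my own rewrite, not the script above) that does the same signature count and threshold cut in one awk pass. It also skips log lines whose first field is not a dotted-quad address, which is what produces the empty "1," entry at the bottom of dummies.ip. The sample log lines are constructed, not real traffic; the threshold and the function names are my own.

```shell
#!/bin/bash
# Count scanner-signature hits per client IP in an Apache access log and
# print "hits,IP" for every address at or above THRESHOLD, highest first.
# Assumes common/combined log format with the client IP in field 1.
SIGNATURES='phpMyAdmin-2[.]2[.]6|phpMyAdmin-2[.]2[.]3|webadmin|sqlmanager|phpMyAdmin-2[.]8[.]1-rc1|databaseadmin|scripts/setup[.]php'

# scanner_ips LOGFILE [THRESHOLD]   (threshold defaults to 10, as in the post)
scanner_ips() {
    local log="$1" threshold="${2:-10}"
    awk -v sig="$SIGNATURES" -v min="$threshold" '
        # only count lines whose first field looks like an IPv4 address;
        # malformed lines would otherwise show up as a blank "1," entry
        $1 ~ /^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+$/ && $0 ~ sig { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip] "," ip }
    ' "$log" | sort -t, -k1,1nr -k2,2
}

# Constructed sample log: one noisy scanner, one medium one, a single quiet
# probe, a legitimate request, and a malformed line with no client IP.
make_sample_log() {
    local f; f="$(mktemp)"
    {
        for _ in 1 2 3; do
            echo '198.51.100.7 - - [01/Jan/2011:10:00:00 +0000] "GET /phpMyAdmin-2.2.6/ HTTP/1.1" 404 200 "-" "-"'
        done
        echo '198.51.100.7 - - [01/Jan/2011:10:00:03 +0000] "GET /scripts/setup.php HTTP/1.1" 404 200 "-" "-"'
        echo '203.0.113.9 - - [01/Jan/2011:10:01:00 +0000] "GET /sqlmanager/ HTTP/1.1" 404 200 "-" "-"'
        echo '203.0.113.9 - - [01/Jan/2011:10:01:01 +0000] "GET /webadmin/ HTTP/1.1" 404 200 "-" "-"'
        echo '192.0.2.44 - - [01/Jan/2011:10:02:00 +0000] "GET /p/m/a/scripts/setup.php HTTP/1.1" 404 200 "-" "-"'
        echo '192.0.2.10 - - [01/Jan/2011:10:03:00 +0000] "GET /recipes/index.html HTTP/1.1" 200 5120 "-" "-"'
        echo '- - - [01/Jan/2011:10:04:00 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 200 "-" "-"'
    } > "$f"
    echo "$f"
}
```

Run it as `scanner_ips /var/log/apache2/access.log 10` to get the list the post builds by hand; the sample log with a threshold of 2 returns the two noisy addresses and drops the single-probe one.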

Let's take a better look at who had 10 or more positives.

dummies.htm

Cool, let's block them
n:~$cat -n dummies.ip 
1 210,69.90.135.132
2 152,81.91.214.93
3 107,212.116.138.195
4 103,72.167.39.179
5 103,216.13.56.89
...
32 10,188.138.92.62
...
59 1,

n:~$for i in `cat dummies.ip |head -32|awk -F"," '{print $2}'`;do iptables -A INPUT -s $i -j DROP;iptables -A OUTPUT -d $i -j DROP;done

done