1327681194
But ... it works on IPduh Search
Google suscribed links will be taken down in 15 days
Great, I just finished creating mine, well it took me 2 days to do and it was done a week ago but I could not set up the description page. I had big plans for my suscribed link. Good, I did not invest more time on it. Oh well here is my button. Enjoy for 15 days.
1327681194
But ... it works on IPduh Search
1327681194
But ... it works on IPduh Search
get those web-scanning / script kiddies
WTF, it seems that some web-scanning kiddies forgot the IP address, the domain name, and all passwords of their grandma's recipes' hosting site. They just remember that they did a really bad job setting it up.
I find it amusing looking at what web-scanning kiddies are looking for in my logs but I just figured that a 3% of the total hits on a relatively busy site I "legally" own was due to their scans. Their scans were run from the same IP addresses doing the same thing over and over again. Bad configured scanners run by clueless morons -not interesting.
That 3% does a huge difference on the size of my logs. Hmm, I will block them. I would not, if they were providing me with versatile scan traces but these guys are boring. Actually I am going to take a better look at who they are and then just block them in all my servers.
The get-web-scanners script
it seems good, let's run it
Looking, through my logs I figured that 10 positives mean at least a few hundred hits coming from this scanner. I will block whatever has 10 or more positives. The dudes using the IPs with less than 10 positives tried to be stealthy. Let them play. IPs with 1 or 2 positives may be false positives.
Let 's take a better look at who had more than 10 positives
dummies.htm
210,69.90.135.132
152,81.91.214.93
107,212.116.138.195
103,72.167.39.179
103,216.13.56.89
101,188.165.248.104
100,91.121.159.201
100,82.145.32.50
100,178.63.70.145
99,211.20.239.143
96,208.75.212.234
93,203.170.248.54
91,72.34.233.19
82,94.23.228.116
81,94.102.156.222
60,222.122.140.80
55,91.121.81.16
48,80.66.162.92
43,82.145.32.40
40,148.235.132.22
27,85.25.142.53
20,85.132.162.10
20,83.170.110.241
20,74.220.23.203
20,208.109.108.50
20,203.150.230.195
20,184.73.64.52
19,219.94.197.114
15,91.121.243.113
10,94.23.69.61
10,88.191.72.5
10,188.138.92.62
Cool, let's block them
done
I find it amusing looking at what web-scanning kiddies are looking for in my logs but I just figured that a 3% of the total hits on a relatively busy site I "legally" own was due to their scans. Their scans were run from the same IP addresses doing the same thing over and over again. Bad configured scanners run by clueless morons -not interesting.
That 3% does a huge difference on the size of my logs. Hmm, I will block them. I would not, if they were providing me with versatile scan traces but these guys are boring. Actually I am going to take a better look at who they are and then just block them in all my servers.
The get-web-scanners script
n:~#cat get-webscanners.sh
#!/bin/bash
#find web-scanning kiddies, g0 2011
#good chance to practice my Spanish counting skills
CERO='phpMyAdmin-2.2.6'
UNO='phpMyAdmin-2.2.3'
DOS='webadmin'
TRES='sqlmanager'
CUATRO='phpMyAdmin-2.8.1-rc1'
CINCO='databaseadmin'
SEIS='scripts/setup.php'
SIETE='/phpmyadmin/scripts/setup.php'
OCHO='/php-my-admin/scripts/setup.php'
NUEVE='/p/m/a/scripts/setup.php'
LOG="./apache.log"
#hits,IP address list
DUMMIES="./dummies.ip"
#hits,url to more info about the IP address
DIPHTM="./dummies.htm"
cat $LOG | egrep "$CERO|$UNO|$DOS|$TRES|$CUATRO|$CINCO|$SEIS|$SIETE|$OCHO|$NUEVE" | awk '{print $1}' | sort | uniq -c | sort -nr | awk '{print $1","$2}' > $DUMMIES
cat $DUMMIES | awk -F"," '{print $1",<a href=http://ipduh.com/ip/?"$2">"$2"</a>
"}' > $DIPHTM
it seems good, let's run it
n:~$./get-webscanners.sh n:~$cat dummies.ip |wc -l 59 n:~$cat dummies.ip 210,69.90.135.132 152,81.91.214.93 107,212.116.138.195 103,72.167.39.179 ... 1,
Looking, through my logs I figured that 10 positives mean at least a few hundred hits coming from this scanner. I will block whatever has 10 or more positives. The dudes using the IPs with less than 10 positives tried to be stealthy. Let them play. IPs with 1 or 2 positives may be false positives.
Let 's take a better look at who had more than 10 positives
dummies.htm
210,69.90.135.132
152,81.91.214.93
107,212.116.138.195
103,72.167.39.179
103,216.13.56.89
101,188.165.248.104
100,91.121.159.201
100,82.145.32.50
100,178.63.70.145
99,211.20.239.143
96,208.75.212.234
93,203.170.248.54
91,72.34.233.19
82,94.23.228.116
81,94.102.156.222
60,222.122.140.80
55,91.121.81.16
48,80.66.162.92
43,82.145.32.40
40,148.235.132.22
27,85.25.142.53
20,85.132.162.10
20,83.170.110.241
20,74.220.23.203
20,208.109.108.50
20,203.150.230.195
20,184.73.64.52
19,219.94.197.114
15,91.121.243.113
10,94.23.69.61
10,88.191.72.5
10,188.138.92.62
Cool, let's block them
n:~$cat -n dummies.ip
1 210,69.90.135.132
2 152,81.91.214.93
3 107,212.116.138.195
4 103,72.167.39.179
5 103,216.13.56.89
...
32 10,188.138.92.62
...
59 1,
n:~$for i in `cat dummies.ip |head -32|awk -F"," '{print $2}'`;do iptables -A INPUT -s $i -j DROP;iptables -A OUTPUT -d $i -j DROP;done
done
arin IPv6 address whois lookup
So, it's an Arin IPv6 address, and your whois client kind of broke.
To get basic whois information like the owner organization and the network try
To see a detailed whois report try
1327681276
Or use the IPduh IPv6 whois client who knows what to do.
To get basic whois information like the owner organization and the network try
n:~#whois -h whois.arin.net "n 2001:500:1::dead:beef"
To see a detailed whois report try
n:~#whois -h whois.arin.net "n + 2001:500:1::dead:beef"
1327681276
Or use the IPduh IPv6 whois client who knows what to do.
Cute one liner IP intel and hit stats
We need IP intel from huge logs and we need it fast
The logs look like
The one-liner is
ip.htm looks like
23228,66.249.66.181
9358,77.88.25.28
...
hits,IP address
The logs look like
n:~#cat ./apache.log |head -1 192.0.2.4 - - [27/Apr/2011:17:51:21 +0200] "GET / HTTP/1.1" 200 2150 "-" "funky browser"
The one-liner is
n:~#cat ./apache.log | awk '{print $1}' | sort | uniq -c | sort -nr | awk '{print $1",<a href="http://ipduh.com/ip/?$2">"$2"</a>
"}' > ip.htm
ip.htm looks like
23228,66.249.66.181
9358,77.88.25.28
...
hits,IP address
Check the syntax of a BIND zone file
root@n:~# named-checkzone -d zone.example.com /PATH/db.zone.example.com
Subscribe to:
Posts (Atom)