#!/bin/bash
# Build a CDB-style "key:value" list (one "IP:description" per line)
# from two public IP reputation feeds.
{
# ZeuS tracker: keep lines that start with an IP and tag them with a fixed label
curl "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist" |\
egrep "^[0-9]" | awk '{print $1":ZeuS IP blocklist"}'
# AlienVault: drop everything after the first comma, then turn the first " # "
# separator into ":" so the IP becomes the key and the rest becomes the value
curl "https://reputation.alienvault.com/reputation.generic" |\
egrep "^[0-9]" | cut -d, -f1 | sed 's/ # /:/'
} > ip_blacklist

On 7/24/2015 7:46 PM, Santiago Bassett wrote:
Hi Theresa,

my guess is that you are probably a victim of web crawlers more than anything else. In any case it would be interesting to search those source IPs in IP reputation databases to see if those are well known attackers.

Has anyone in this list used an IP reputation database in a CDB list? I would probably try something like that and see how it goes.

Best

On Fri, Jul 24, 2015 at 12:32 PM, theresa mic-snare <[email protected]> wrote:

hi folks,

i need some help with interpreting webserver logfiles (apache logs). while setting up my ossec-test environment for my thesis project, I've also set up a wordpress on an apache webserver as a "honeypot". although there's no real content, except the standard wordpress posts & pages that come with the installation, I already have some "visitors". I see these dubious looking requests. I'm not sure if these are threats/attacks against my wordpress installation. I'm not really familiar with apache logs, but I need some threats/attacks to explain in my thesis. I thought this would be the best way to get started.

I have PLENTY of the following requests in my httpd logs

SrcIP: 115.239.228.8
115.239.228.8 - - [24/Jul/2015:19:22:42 +0200] "GET http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.7636925813952972 HTTP/1.1" 404 292 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; 360SE)"

Judging by the HTTP status code it's not really a threat, right? it's probably just some hacker with a tool who's looking for vulnerabilities? or is this just nonsense/junk?

Received From: tron->/var/log/httpd/access_log
Rule: 31515 fired (level 6) -> "PHPMyAdmin scans (looking for setup.php)."
Portion of the log(s):
178.33.154.144 - - [24/Jul/2015:11:55:15 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 309 "-" "-"

also this

Received From: tron->/var/log/httpd/access_log
Rule: 31101 fired (level 5) -> "Web server 400 error code."
Portion of the log(s):
202.137.235.243 - - [24/Jul/2015:07:34:11 +0200] "HEAD /ossec-wui/index.php HTTP/1.1" 401 - "-" "-"

i'm surprised they found out about it.....glad i protected it with htaccess and they didn't come in. ;)

and lots of other requests that return HTTP 403 (forbidden) or 404 (not found)

i'm not quite sure what to make of it. i didn't realise my server was so exposed....did they just find the IP by scanning for http ports?!

looking forward to some feedback,
theresa

-----
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
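The lookup Santiago suggests, as an added example that is not code from this thread or from OSSEC: a Python script that parses the three access_log lines quoted above (plus one constructed line from a documentation address), loads a key:value list in the layout the shell script at the top writes, and reports for each source IP whether it appears in the list and why the request stood out. The reputation entries and the fourth log line are constructed for the example, and the labels in classify() are my own heuristics rather than OSSEC rule names.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" log format. The size field may be "-" (as in the HEAD request above).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# First three lines are the ones quoted in the thread; the fourth is constructed
# (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_LOG = """\
115.239.228.8 - - [24/Jul/2015:19:22:42 +0200] "GET http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.7636925813952972 HTTP/1.1" 404 292 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; 360SE)"
178.33.154.144 - - [24/Jul/2015:11:55:15 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 309 "-" "-"
202.137.235.243 - - [24/Jul/2015:07:34:11 +0200] "HEAD /ossec-wui/index.php HTTP/1.1" 401 - "-" "-"
203.0.113.77 - - [24/Jul/2015:20:01:05 +0200] "GET /wp-login.php HTTP/1.1" 200 1584 "-" "-"
"""

# Constructed reputation list in the "IP:description" layout the shell script writes.
# The second line mimics the AlienVault layout after `sed 's/ # /:/'`. Made-up entries.
SAMPLE_BLACKLIST = """\
# key:value, one entry per line
198.51.100.9:ZeuS IP blocklist
203.0.113.77:4 # 2 # Scanning Host # US
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def load_cdb_list(text: str) -> Dict[str, str]:
    """Read a key:value list; only the first ':' separates key from value."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        key, _, value = raw.partition(":")
        entries[key.strip()] = value.strip()
    return entries


def classify(rec: Dict[str, str]) -> str:
    """My own heuristic label for why a request is worth a second look (assumption)."""
    if rec["target"].startswith(("http://", "https://")):
        # The client asked this server to fetch a URL on another host.
        return "absolute-URI request for another host (open-proxy check)"
    status = int(rec["status"])
    if status in (401, 403):
        return "access denied by the server"
    if status == 404:
        return "request for a path that does not exist"
    return "served normally"


def analyze(log_text: str, blacklist_text: str) -> List[Dict[str, Optional[str]]]:
    """Parse every log line, look its source IP up in the list, and attach a note."""
    reputation = load_cdb_list(blacklist_text)
    findings: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the combined format
        findings.append({
            "ip": rec["ip"],
            "status": rec["status"],
            "target": rec["target"],
            "note": classify(rec),
            "reputation": reputation.get(rec["ip"]),  # None when the IP is not listed
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, SAMPLE_BLACKLIST):
        listed = f["reputation"] or "not listed"
        print(f'{f["ip"]:16} {f["status"]} {f["note"]:55} [{listed}]')
```

Run against a real access_log and the ip_blacklist file from the script, the same two functions apply unchanged: read both files and pass their contents to analyze(). An IP that is absent from the list is not evidence of anything, and a listed IP is only a reason to look at what it requested, which is why the note is kept alongside the reputation value.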
