Versions of this post

"Solstice": missratene Sonnenwende der "1337-Elite" Scriptkiddies

ursus contionabundo
  • "Solstice": missratene Sonnenwende der "1337-Elite" Scriptkiddies
  • > Was hastn wieder angestellt?
  • Aus Versehen in die Logfiles geschaut...
  • - [fwblock4time](https://code.fastix.org/showFile.php?file=Projekte/Apache%2Cmod_evasive%2Ciptables%3AHelfer-Skripte%20zum%20%28zeitweisen%29%20Blockieren%20von%20IP-Adressen/fwblock4time)
  • Apche-Config (.htacces) des Default-Hosts: (Aufruf mit IP...)
  • ~~~
  • ErrorDocument 404 /404.php
  • RewriteEngine on
  • RewriteRule ^/login\.cgi /404.php
  • ~~~
  • 404.php:
~~~php
<?php
// Client address prefixes that are never blocked (LAN, loopback).
$noblocks = [
    '192.168.1.',
    '127.'
];
$blocktime = 60; # minutes
// Request paths that only scanners ask for on this host, one per line.
$angriffe = explode(
    "\n",
    '/a2billing/
/adm/
/admin/
/administrator.php
/backup/
/composer.php
/data.php
/db/
/dbadmin
/db.init.php
/db.php
/db_pma.php
/dmpr/
/drupal.php
/editor.php
/horde/
/login.cgi
/manager/
/msd/
/muhstik/
/mx.php
/myadmin/
/MyAdmin/
/myadmin2/
/mysql
/mysql/
/mysql_admin/
/mysql-admin/
/mysqladmin/
/mysqldump
/mysqldumper/
/mysqlmanager/
/mysql.php
/noxdir/
/.php/
/phpadmin/
/phpma/
/phpmy/
/phpmyadmin/
/phppma/
/pma/
/pma2/
/setup.php
/shell.php
/solstice
/spider.php
/sqlmanager/
/sqlweb/
/system.php
/thinkphp
/tomcat.php
/toor.php
/typo3/
/vhcs/
/vhcs2/
/webdav/
/websql/
/wp-admin/
/wp-admin.php
/wp-config.php
/wp-content/
/xampp/
HelloThinkPHP
');

if ( empty( $_SERVER['REMOTE_ADDR'] ) ) {
    echo __FILE__ . " executed in CLI: Nothing to do." . PHP_EOL;
    exit;
}

// The address must START with the prefix; a plain strpos() would also let
// '127.' match e.g. 10.127.0.1.
foreach ( $noblocks as $noblock ) {
    if ( 0 === strpos( $_SERVER['REMOTE_ADDR'], $noblock ) ) {
        echo '<p>REMOTE_ADDR "' . htmlspecialchars( $_SERVER['REMOTE_ADDR'] ) . '" matching "' . $noblock . '" : Nothing to do!</p>';
        iLoveSkriptKiddies();
        exit;
    }
}

$flagFound = false;
$haystack  = strtolower( $_SERVER['REQUEST_URI'] );
foreach ( $angriffe as $s ) {
    $needle = strtolower( trim( $s ) );                       // was trim( $needle ): undefined variable
    if ( $needle && false !== strpos( $haystack, $needle ) ) { // was "! false ===", which never matches
        $flagFound = true;
        break;
    }
}

if ( $flagFound ) {
    http_response_code( 403 );
?><!DOCTYPE html>
<html lang="en">
<head>
<title>403 Forbidden</title>
</head>
<body>
<h1>403 Forbidden</h1>
<p>Nice try! Requests from <?= htmlspecialchars( $_SERVER['REMOTE_ADDR'] ); ?> are blocked now.</p>
<?php
    iLoveSkriptKiddies();
    echo '</body>
</html>';
    // Hand the address to the firewall helper via sudo; the helper's exit status is the result (0 = blocked).
    $cmd    = '/usr/bin/sudo /usr/sbin/fwblock4time ' . escapeshellarg( $_SERVER['REMOTE_ADDR'] ) . ' ' . $blocktime . '; echo $? | tail -n1';
    $result = intval( `$cmd` );
    if ( 0 == $result ) {
        error_log( 'Angriffsversuch: ' . $_SERVER['REMOTE_ADDR'] . " wurde fuer $blocktime Minuten in der Firewall blockiert." );
    } else {
        error_log( "Error $result from execute $cmd" );
    }
} else {
    http_response_code( 404 );
    echo '<h1>Not found</h1><p>Warning: This is a honeypot...</p>';
}

function iLoveSkriptKiddies() {
    ## send a nice greeting image
}
~~~
Works. Throws attackers into iptables for an hour.

If you want to test it: http://77.180.117.82/myadmin/ (only reachable today)
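As an added example (not the author's code), the same idea re-checked offline against access-log lines in Python: the post's substring match over its scanner paths, but with percent-decoding before matching and the exemption list expressed as networks instead of string prefixes. The path list is a constructed subset of the post's, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Subset of the scanner paths from the post's 404.php (constructed sample, not the full list).
ATTACK_PATHS = ["/phpmyadmin/", "/myadmin/", "/wp-config.php", "/shell.php",
                "/login.cgi", "/solstice", "hellothinkphp"]
# Exemptions as networks, not string prefixes: a strpos('127.') check would also
# exempt e.g. 10.127.0.1.
NOBLOCK_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("127.0.0.0/8")]

# client, request path and status from an Apache combined-format access-log line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')


def normalize(uri: str) -> str:
    """Drop the query string, percent-decode twice (catches %2570 -> %70 -> p) and lowercase."""
    return unquote(unquote(uri.split("?", 1)[0])).lower()


def is_attack(uri: str) -> bool:
    """Same substring test as the post's loop, run on the normalized path."""
    hay = normalize(uri)
    return any(p in hay for p in ATTACK_PATHS)


def is_exempt(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable address: never hand it to the firewall helper
    return any(addr in net for net in NOBLOCK_NETS)


def ips_to_block(log_lines):
    """Return {ip: hits} for non-exempt clients that requested a scanner path."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_attack(m.group(2)) and not is_exempt(m.group(1)):
            hits[m.group(1)] += 1
    return dict(hits)


SAMPLE_LOG = [  # constructed log lines, not real traffic
    '203.0.113.7 - - [21/Jun/2019:03:14:15 +0200] "GET /myadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Jun/2019:03:14:16 +0200] "GET /PhpMyAdmin/index.php HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.9 - - [21/Jun/2019:03:15:00 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.64"',
    '192.168.1.20 - - [21/Jun/2019:03:16:00 +0200] "GET /wp-config.php HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.9 - - [21/Jun/2019:03:17:00 +0200] "GET /%2fshell.php?x=1 HTTP/1.1" 404 209 "-" "-"',
]

if __name__ == "__main__":
    print(ips_to_block(SAMPLE_LOG))  # {'203.0.113.7': 2, '198.51.100.9': 1}
```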

"Solstice": missratene Sonnenwende der "1337-Elite" Scriptkiddies

ursus contionabundo
  • "Solstice": missratene Sonnenwende der "1337-Elite" Scriptkiddies
  • > Was hastn wieder angestellt?
  • Aus Versehen in die Logfiles geschaut...
  • - [fwblock4time](https://code.fastix.org/showFile.php?file=Projekte/Apache%2Cmod_evasive%2Ciptables%3AHelfer-Skripte%20zum%20%28zeitweisen%29%20Blockieren%20von%20IP-Adressen/fwblock4time)
  • Apche-Config (.htacces) des Default-Hosts: (Aufruf mit IP...)
  • ~~~
  • ErrorDocument 404 /404.php
  • RewriteEngine on
  • RewriteRule ^/login\.cgi /404.php
  • ~~~
  • 404.php:
  • ~~~php
  • <?php
  • $noblocks = [
  • '192.168.1.',
  • '127.'
  • ];
  • $blocktime = 60; # Minuten
  • $angriffe=explode(
  • "\n",
  • '/a2billing/
  • /adm/
  • /admin/
  • /administrator.php
  • /backup/
  • /composer.php
  • /data.php
  • /db/
  • /dbadmin
  • /db.init.php
  • /db.php
  • /db_pma.php
  • /dmpr/
  • /drupal.php
  • /editor.php
  • /horde/
  • /login.cgi
  • /manager/
  • /msd/
  • /muhstik/
  • /mx.php
  • /myadmin/
  • /MyAdmin/
  • /myadmin2/
  • /mysql
  • /mysql/
  • /mysql_admin/
  • /mysql-admin/
  • /mysqladmin/
  • /mysqldump
  • /mysqldumper/
  • /mysqlmanager/
  • /mysql.php
  • /noxdir/
  • /.php/
  • /phpadmin/
  • /phpma/
  • /phpmy/
  • /phpmyadmin/
  • /phppma/
  • /pma/
  • /pma2/
  • /setup.php
  • /shell.php
  • /solstice
  • /spider.php
  • /sqlmanager/
  • /sqlweb/
  • /system.php
  • /thinkphp
  • /tomcat.php
  • /toor.php
  • /typo3/
  • /vhcs/
  • /vhcs2/
  • /webdav/
  • /websql/
  • /wp-admin/
  • /wp-admin.php
  • /wp-config.php
  • /wp-content/
  • /xampp/
  • HelloThinkPHP
  • ');
  • if ( empty( $_SERVER['REMOTE_ADDR'] ) ) {
  • echo __FILE__ . " executed in CLI: Nothing to do." . PHP_EOL;
  • exit;
  • }
  • foreach ( $noblocks as $noblock ) {
  • if ( false !== strpos( $_SERVER['REMOTE_ADDR'], $noblock ) ) {
  • echo '<p>REMOTE_ADDR "' . $_SERVER['REMOTE_ADDR'] . '" matching "' . $noblock . '" : Nothing to do!</p>';
  • iLoveSkriptKiddies();
  • exit;
  • }
  • }
  • $flagFound = false;
  • $haystack = strtolower( $_SERVER['REQUEST_URI'] );
  • foreach ( $angriffe as $s ) {
  • $needle = strtolower( trim( $needle ) );
  • if ( $needle && ! false === strpos( $haystack, $needle ) ) {
  • $flagFound = true;
  • break;
  • }
  • }
  • if ( $flagFound ) {
  • http_response_code(403);
  • ?><!DOCTYPE html>
  • <html lang="en">
  • <head>
  • <title>403 Forbidden</title>
  • </head>
  • <body>
  • <h1>403 Forbidden</h1>
  • <p>Nice try! Requests from <?=$_SERVER['REMOTE ADDR']; ?> are blocked now.</p>';
  • <?php
  • iLoveSkriptKiddies();
  • echo '</body>
  • </html>';
  • $cmd = '/usr/bin/sudo /usr/sbin/fwblock4time ' . $_SERVER['REMOTE_ADDR'] . ' ' . $blocktime . '; echo $? | tail -n1';
  • $result = intval(`cmd`);
  • $result = intval(`$cmd`);
  • if ( 0 == $result ) {
  • error_log('Angriffsversuch: ' . $_SERVER['REMOTE_ADDR'] . " wurde fuer $blocktime Minuten in der Firewall blockiert.");
  • } else {
  • error_log( "Error $result from execute $cmd" );
  • }
  • } else {
  • http_response_code( 404 );
  • echo '<h1>Not found</h1><p>Warning: This is a honeypot...</p>';
  • }
  • function iLoveSkriptKiddies() {
  • ## sed a nice greeting image
  • }
  • ~~~
  • Läuft. Wirft Angreifer für eine Stunde bei IP-Tables ein.

"Solstice": missratene Sonnenwende der "1337-Elite" Scriptkiddies

ursus contionabundo
  • "Solstice": missratene Sonnenwende der "1337-Elite" Scriptkiddies
  • > Was hastn wieder angestellt?
  • Aus Versehen in die Logfiles geschaut...
  • - [fwblock4time](https://code.fastix.org/showFile.php?file=Projekte/Apache%2Cmod_evasive%2Ciptables%3AHelfer-Skripte%20zum%20%28zeitweisen%29%20Blockieren%20von%20IP-Adressen/fwblock4time)
  • Apche-Config (.htacces):
  • Apche-Config (.htacces) des Default-Hosts: (Aufruf mit IP...)
  • ~~~
  • ErrorDocument 404 /404.php
  • RewriteEngine on
  • RewriteRule ^/login\.cgi /404.php
  • ~~~
  • 404.php:
  • ~~~php
  • <?php
  • $noblocks = [
  • '192.168.1.',
  • '127.'
  • ];
  • $blocktime = 60; # Minuten
  • $angriffe=explode(
  • "\n",
  • '/a2billing/
  • /adm/
  • /admin/
  • /administrator.php
  • /backup/
  • /composer.php
  • /data.php
  • /db/
  • /dbadmin
  • /db.init.php
  • /db.php
  • /db_pma.php
  • /dmpr/
  • /drupal.php
  • /editor.php
  • /horde/
  • /login.cgi
  • /manager/
  • /msd/
  • /muhstik/
  • /mx.php
  • /myadmin/
  • /MyAdmin/
  • /myadmin2/
  • /mysql
  • /mysql/
  • /mysql_admin/
  • /mysql-admin/
  • /mysqladmin/
  • /mysqldump
  • /mysqldumper/
  • /mysqlmanager/
  • /mysql.php
  • /noxdir/
  • /.php/
  • /phpadmin/
  • /phpma/
  • /phpmy/
  • /phpmyadmin/
  • /phppma/
  • /pma/
  • /pma2/
  • /setup.php
  • /shell.php
  • /solstice
  • /spider.php
  • /sqlmanager/
  • /sqlweb/
  • /system.php
  • /thinkphp
  • /tomcat.php
  • /toor.php
  • /typo3/
  • /vhcs/
  • /vhcs2/
  • /webdav/
  • /websql/
  • /wp-admin/
  • /wp-admin.php
  • /wp-config.php
  • /wp-content/
  • /xampp/
  • HelloThinkPHP
  • ');
  • if ( empty( $_SERVER['REMOTE_ADDR'] ) ) {
  • echo __FILE__ . " executed in CLI: Nothing to do." . PHP_EOL;
  • exit;
  • }
  • foreach ( $noblocks as $noblock ) {
  • if ( false !== strpos( $_SERVER['REMOTE_ADDR'], $noblock ) ) {
  • echo '<p>REMOTE_ADDR "' . $_SERVER['REMOTE_ADDR'] . '" matching "' . $noblock . '" : Nothing to do!</p>';
  • iLoveSkriptKiddies();
  • exit;
  • }
  • }
  • $flagFound = false;
  • $haystack = strtolower( $_SERVER['REQUEST_URI'] );
  • foreach ( $angriffe as $s ) {
  • $needle = strtolower( trim( $needle ) );
  • if ( $needle && ! false === strpos( $haystack, $needle ) ) {
  • $flagFound = true;
  • break;
  • }
  • }
  • if ( $flagFound ) {
  • http_response_code(403);
  • ?><!DOCTYPE html>
  • <html lang="en">
  • <head>
  • <title>403 Forbidden</title>
  • </head>
  • <body>
  • <h1>403 Forbidden</h1>
  • <p>Nice try! Requests from <?=$_SERVER['REMOTE ADDR']; ?> are blocked now.</p>';
  • <?php
  • iLoveSkriptKiddies();
  • echo '</body>
  • </html>';
  • $cmd = '/usr/bin/sudo /usr/sbin/fwblock4time ' . $_SERVER['REMOTE_ADDR'] . ' ' . $blocktime . '; echo $? | tail -n1';
  • $result = intval(`cmd`);
  • if ( 0 == $result ) {
  • error_log('Angriffsversuch: ' . $_SERVER['REMOTE_ADDR'] . " wurde fuer $blocktime Minuten in der Firewall blockiert.");
  • } else {
  • error_log( "Error $result from execute $cmd" );
  • }
  • } else {
  • http_response_code( 404 );
  • echo '<h1>Not found</h1><p>Warning: This is a honeypot...</p>';
  • }
  • function iLoveSkriptKiddies() {
  • ## sed a nice greeting image
  • }
  • ~~~
  • Läuft.
  • Läuft. Wirft Angreifer für eine Stunde bei IP-Tables ein.