What have you been up to this time?
Accidentally looked at the log files...
Apache config (.htaccess) of the default host (the one served when the server is requested by IP address):
ErrorDocument 404 /404.php
RewriteEngine on
# In .htaccess the pattern is matched without the leading slash
RewriteRule ^login\.cgi /404.php
404.php:
<?php
$noblocks = [
    '192.168.1.',
    '127.'
];
$blocktime = 60; # minutes
$angriffe = explode(
    "\n",
'/a2billing/
/adm/
/admin/
/administrator.php
/backup/
/composer.php
/data.php
/db/
/dbadmin
/db.init.php
/db.php
/db_pma.php
/dmpr/
/drupal.php
/editor.php
/horde/
/login.cgi
/manager/
/msd/
/muhstik/
/mx.php
/myadmin/
/MyAdmin/
/myadmin2/
/mysql
/mysql/
/mysql_admin/
/mysql-admin/
/mysqladmin/
/mysqldump
/mysqldumper/
/mysqlmanager/
/mysql.php
/noxdir/
/.php/
/phpadmin/
/phpma/
/phpmy/
/phpmyadmin/
/phppma/
/pma/
/pma2/
/setup.php
/shell.php
/solstice
/spider.php
/sqlmanager/
/sqlweb/
/system.php
/thinkphp
/tomcat.php
/toor.php
/typo3/
/vhcs/
/vhcs2/
/webdav/
/websql/
/wp-admin/
/wp-admin.php
/wp-config.php
/wp-content/
/xampp/
HelloThinkPHP
');
if ( empty( $_SERVER['REMOTE_ADDR'] ) ) {
    echo __FILE__ . " executed in CLI: Nothing to do." . PHP_EOL;
    exit;
}
foreach ( $noblocks as $noblock ) {
    # Prefix match only: '127.' must not also exempt an address such as 8.127.0.1.
    if ( 0 === strpos( $_SERVER['REMOTE_ADDR'], $noblock ) ) {
        echo '<p>REMOTE_ADDR "' . $_SERVER['REMOTE_ADDR'] . '" matching "' . $noblock . '" : Nothing to do!</p>';
        iLoveSkriptKiddies();
        exit;
    }
}
$flagFound = false;
$haystack = strtolower( $_SERVER['REQUEST_URI'] );
foreach ( $angriffe as $s ) {
    $needle = strtolower( trim( $s ) );
    # Substring match of each list entry against the requested URI.
    if ( $needle && false !== strpos( $haystack, $needle ) ) {
        $flagFound = true;
        break;
    }
}
if ( $flagFound ) {
    http_response_code( 403 );
?><!DOCTYPE html>
<html lang="en">
<head>
<title>403 Forbidden</title>
</head>
<body>
<h1>403 Forbidden</h1>
<p>Nice try! Requests from <?=$_SERVER['REMOTE_ADDR']; ?> are blocked now.</p>
<?php
    iLoveSkriptKiddies();
    echo '</body>
</html>';
    # REMOTE_ADDR comes from the TCP connection, but quote it anyway before it reaches a root command.
    $cmd = '/usr/bin/sudo /usr/sbin/fwblock4time ' . escapeshellarg( $_SERVER['REMOTE_ADDR'] ) . ' ' . intval( $blocktime );
    # exec() puts the exit status in $result, independent of anything the helper prints.
    exec( $cmd, $output, $result );
    if ( 0 === $result ) {
        error_log( 'Angriffsversuch: ' . $_SERVER['REMOTE_ADDR'] . " wurde fuer $blocktime Minuten in der Firewall blockiert." );
    } else {
        error_log( "Error $result from execute $cmd" );
    }
} else {
    http_response_code( 404 );
    echo '<h1>Not found</h1><p>Warning: This is a honeypot...</p>';
}
function iLoveSkriptKiddies() {
    ## send a nice greeting image
}
It works. It drops attackers into iptables for an hour.
If you want to test it: http://77.180.117.82/myadmin/ (reachable today only)
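
The PHP script passes the client address to `/usr/sbin/fwblock4time` through sudo, but the page does not show that helper. The following is an added example, not the author's script: one way such a helper could validate its arguments and let blocks expire on their own. It assumes an ipset named `honeypot_block` referenced by a single iptables DROP rule, a one-day cap on the block time, and the same exempt prefixes as `$noblocks`; the function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical fwblock4time <ipv4> <minutes>; runs as root via sudo from PHP,
# so both arguments are validated before any firewall command sees them.
SET_NAME=honeypot_block   # assumed ipset name
MAX_MINUTES=1440          # assumed cap: one day

# Accept only four dot-separated decimal octets 0-255 without leading zeros.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    rest=$1. count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*} rest=${rest#*.}
        case $octet in
            0|[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) count=$((count + 1)) ;;
            *) return 1 ;;
        esac
    done
    [ "$count" -eq 4 ]
}

# Whole minutes from 1 to MAX_MINUTES. Zero is refused on purpose:
# ipset treats "timeout 0" as "never expire".
valid_minutes() {
    case $1 in ''|*[!0-9]*|0*) return 1 ;; esac
    [ "${#1}" -le 4 ] && [ "$1" -le "$MAX_MINUTES" ]
}

# Same exemptions as $noblocks in 404.php, as prefix matches.
is_exempt() {
    case $1 in 127.*|192.168.1.*) return 0 ;; esac
    return 1
}

fwblock4time() {
    valid_ipv4 "$1"    || { echo "fwblock4time: bad address" >&2; return 2; }
    valid_minutes "$2" || { echo "fwblock4time: bad block time" >&2; return 2; }
    if is_exempt "$1"; then echo "fwblock4time: exempt address" >&2; return 3; fi
    ipset -exist create "$SET_NAME" hash:ip timeout 0 || return 1
    # One DROP rule for the whole set; add it only if it is not there yet.
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP || return 1
    # The kernel removes the entry when the timeout (in seconds) runs out.
    ipset -exist add "$SET_NAME" "$1" timeout "$(( $2 * 60 ))"
}

# Called without arguments the file only defines the functions above.
[ "$#" -eq 0 ] || fwblock4time "$@"
```

The sudoers entry for the web server user should permit this one script and nothing else.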