Raketenwilli: mod_evasive freshly tested: little wannabe hacker carries on elsewhere


As if to prove to me that it works, a little wannabe hacker wanted to test it: mod_evasive then "bit":

(The IP 13.80.71.19 belongs to the Microsoft cloud (MSFT), so this is not "personal data")

13.80.71.19 - - [26/Jul/2022:09:24:45 +0000] "GET /showFile.php?file=/etc/passwd HTTP/1.1" 404 12928 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:46 +0000] "GET /showFile.php?file=../etc/passwd HTTP/1.1" 404 8178 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:46 +0000] "GET /showFile.php?file=../../etc/passwd HTTP/1.1" 404 8190 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:47 +0000] "GET /showFile.php?file=../../../etc/passwd HTTP/1.1" 404 8202 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:48 +0000] "GET /showFile.php?file=../../../../etc/passwd HTTP/1.1" 404 8214 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:48 +0000] "GET /showFile.php?file=../../../../../etc/passwd HTTP/1.1" 404 8255 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:49 +0000] "GET /showFile.php?file=/etc/passwd%00 HTTP/1.1" 500 1536 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:49 +0000] "GET /showFile.php?file=../etc/passwd%00 HTTP/1.1" 500 6294 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:49 +0000] "GET /showFile.php?file=../../etc/passwd%00 HTTP/1.1" 500 6294 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:49 +0000] "GET /showFile.php?file=../../../etc/passwd%00 HTTP/1.1" 500 6294 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:49 +0000] "GET /showFile.php?file=../../../../etc/passwd%00 HTTP/1.1" 500 6294 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:49 +0000] "GET /showFile.php?file=../../../../../etc/passwd%00 HTTP/1.1" 500 6294 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:50 +0000] "GET /showFile.php?file=%2Fetc%2Fpasswd HTTP/1.1" 404 12928 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:50 +0000] "GET /showFile.php?file=..%2Fetc%2Fpasswd HTTP/1.1" 404 8178 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:51 +0000] "GET /showFile.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 8190 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:52 +0000] "GET /showFile.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 8202 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:52 +0000] "GET /showFile.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 8214 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:53 +0000] "GET /showFile.php?file=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 8255 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:53 +0000] "GET /showFile.php?file=%2Fetc%2Fpasswd%2500 HTTP/1.1" 404 7678 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:54 +0000] "GET /showFile.php?file=..%2Fetc%2Fpasswd%2500 HTTP/1.1" 404 7688 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:54 +0000] "GET /showFile.php?file=..%2F..%2Fetc%2Fpasswd%2500 HTTP/1.1" 404 7703 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:55 +0000] "GET /showFile.php?file=..%2F..%2F..%2Fetc%2Fpasswd%2500 HTTP/1.1" 404 7718 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:55 +0000] "GET /showFile.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd%2500 HTTP/1.1" 404 7733 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:56 +0000] "GET /showFile.php?file=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%2500 HTTP/1.1" 404 7748 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:56 +0000] "GET /showFile.php?file=\\etc\\passwd HTTP/1.1" 404 6072 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:56 +0000] "GET /showFile.php?file=..\\etc\\passwd HTTP/1.1" 403 7273 "-" "-"

Last line: status 403 (bang)

And:

grep '13.80.71.19' /var/log/syslog
Jul 26 09:24:56 raspi4 mod_evasive[2105]: Blacklisting address 13.80.71.19: possible DoS attack.
Jul 26 09:24:57 raspi4 fwblock4time: IP 13.80.71.19 will blocked temporary. Block end in 'now +10minutes'

(All times in GMT)
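As an added example, not code from the post or from mod_evasive itself, the following Python script runs two checks over access-log lines like the ones quoted above. The first is a content check: it decodes each request path (twice, so that a double-encoded %2500 becomes %00) and looks for traversal markers such as `../`, `..\`, `/etc/passwd` and embedded NUL bytes. The second is a rate check in the spirit of mod_evasive, which keys on client IP plus URI (query string ignored) and flags an IP once it exceeds a hit count within an interval; this is worth separating because mod_evasive reacts to the request rate, not to the traversal payload, and the log shows the 403 only arriving after the burst. The counting model is a simplification and an assumption, not mod_evasive's actual code, and the thresholds `page_count=5` and `page_interval=10` are chosen for the example; the post does not show the poster's DOSPageCount/DOSPageInterval settings. The 13.80.71.19 lines are copied from the post; the two 203.0.113.7 lines are constructed benign traffic (RFC 5737 test address) for contrast.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote

# Apache "combined" log format, as in the access log quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Markers of a path-traversal probe, checked against the raw and the decoded path.
TRAVERSAL_SIGNS = ("../", "..\\", "/etc/passwd", "\\etc\\passwd", "%00", "\x00")

# Sample input: the 13.80.71.19 lines are copied from the post; the two
# 203.0.113.7 lines are constructed benign requests (RFC 5737 test address).
SAMPLE_LOG = r"""
13.80.71.19 - - [26/Jul/2022:09:24:45 +0000] "GET /showFile.php?file=/etc/passwd HTTP/1.1" 404 12928 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:46 +0000] "GET /showFile.php?file=../etc/passwd HTTP/1.1" 404 8178 "-" "-"
203.0.113.7 - - [26/Jul/2022:09:24:46 +0000] "GET /index.html HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
13.80.71.19 - - [26/Jul/2022:09:24:46 +0000] "GET /showFile.php?file=../../etc/passwd HTTP/1.1" 404 8190 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:47 +0000] "GET /showFile.php?file=../../../etc/passwd HTTP/1.1" 404 8202 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:49 +0000] "GET /showFile.php?file=/etc/passwd%00 HTTP/1.1" 500 1536 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:50 +0000] "GET /showFile.php?file=%2Fetc%2Fpasswd HTTP/1.1" 404 12928 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:53 +0000] "GET /showFile.php?file=%2Fetc%2Fpasswd%2500 HTTP/1.1" 404 7678 "-" "-"
203.0.113.7 - - [26/Jul/2022:09:24:55 +0000] "GET /showFile.php?file=report.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
13.80.71.19 - - [26/Jul/2022:09:24:56 +0000] "GET /showFile.php?file=\\etc\\passwd HTTP/1.1" 404 6072 "-" "-"
13.80.71.19 - - [26/Jul/2022:09:24:56 +0000] "GET /showFile.php?file=..\\etc\\passwd HTTP/1.1" 403 7273 "-" "-"
"""


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    # Apache writes a literal backslash as "\\" in the log; undo that escaping.
    rec["path"] = rec["path"].replace("\\\\", "\\")
    return rec


def scan_log(text):
    """Parse every matching line of a log text, in file order (assumed chronological)."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def looks_like_traversal(path):
    """True if the raw, once-decoded or twice-decoded path carries a traversal marker.
    Decoding twice catches double encoding such as %2500 (-> %00 -> NUL byte)."""
    once = unquote(path)
    twice = unquote(once)
    return any(sign in cand for cand in (path, once, twice) for sign in TRAVERSAL_SIGNS)


def traversal_hits(records):
    """All parsed requests whose path looks like a traversal probe."""
    return [rec for rec in records if looks_like_traversal(rec["path"])]


def rate_offenders(records, page_count=5, page_interval=10):
    """Simplified mod_evasive-style counter (an assumption, not its real code):
    key = (client IP, URI without query string); an IP is flagged the first
    time it exceeds page_count hits on one URI within page_interval seconds.
    Returns {ip: timestamp of the request that tripped the threshold}."""
    windows = defaultdict(deque)
    flagged = {}
    for rec in records:
        key = (rec["ip"], rec["path"].split("?", 1)[0])
        hits = windows[key]
        hits.append(rec["ts"])
        # Drop hits that fell out of the sliding window.
        while (rec["ts"] - hits[0]).total_seconds() > page_interval:
            hits.popleft()
        if len(hits) > page_count and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


if __name__ == "__main__":
    records = scan_log(SAMPLE_LOG)
    for rec in traversal_hits(records):
        print(f"traversal probe from {rec['ip']} at {rec['ts']:%H:%M:%S}: "
              f"{rec['path']} -> {rec['status']}")
    for ip, ts in rate_offenders(records).items():
        print(f"rate threshold exceeded by {ip} at {ts:%H:%M:%S} "
              f"(a mod_evasive-style filter would answer 403 from here on)")
```

On this sample the content check flags all nine 13.80.71.19 requests and neither 203.0.113.7 request, while the rate check flags 13.80.71.19 at 09:24:50, its sixth hit on /showFile.php inside the window; raising `page_count` above the number of hits flags nobody, which is the knob the poster's syslog line corresponds to. The two checks are complementary: the rate counter is what produced the 403 in the post, the content check is what a WAF or log monitor would use to catch a slower probe that never trips the counter.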