
Thread: access logs swamped by hackers... Powweb firewall?

  1. #1
    louboumian
    Join Date: Feb 2004
    Location: Vancouver, Canada
    Posts: 187
    Rep Power: 14

    access logs swamped by hackers... Powweb firewall?

    My access logs are totally swamped by zillions of hacker attempts to randomly access sensitive files (e.g. php_admin). My stats, using these polluted access logs, of course become nonsensical.

    Access log extract from last week:

    192.185.83.137 - - [08/Sep/2016:23:46:22 -0400] "GET / HTTP/1.1" 301 232 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:46:22 -0400] "GET / HTTP/1.1" 403 2050 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:46:27 -0400] "POST /wp-check.php HTTP/1.1" 301 244 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:46:27 -0400] "POST /wp-check.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:46:27 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15136 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:46:28 -0400] "POST /start.php HTTP/1.1" 301 241 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:46:28 -0400] "POST /start.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:46:28 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15136 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:46:28 -0400] "POST /general.php HTTP/1.1" 301 243 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:46:28 -0400] "POST /general.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:46:28 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15412 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:46:38 -0400] "POST /ooimg.php HTTP/1.1" 301 241 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:46:38 -0400] "POST /ooimg.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:46:39 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15136 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:46:49 -0400] "POST /get.php?key=sdfadsgh4513sdGG435341FDGWWDFGDFHDFGDS FGDFSGDFG HTTP/1.1" 301 291 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:46:49 -0400] "POST /get.php?key=sdfadsgh4513sdGG435341FDGWWDFGDFHDFGDS FGDFSGDFG HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:46:49 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15206 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:46:59 -0400] "POST /upgrade.php HTTP/1.1" 301 243 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:46:59 -0400] "POST /upgrade.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:47:00 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15111 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:47:40 -0400] "POST /news.php HTTP/1.1" 301 240 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:47:40 -0400] "POST /news.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:47:40 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15412 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:47:50 -0400] "POST /configbak.php HTTP/1.1" 301 245 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:47:51 -0400] "POST /configbak.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:47:51 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15053 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:48:11 -0400] "POST /adodb.class.php HTTP/1.1" 301 247 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:48:11 -0400] "POST /adodb.class.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:48:11 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15412 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:49:03 -0400] "POST /wp-checking.php HTTP/1.1" 301 247 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:49:03 -0400] "POST /wp-checking.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:49:03 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15412 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
    192.185.83.137 - - [08/Sep/2016:23:50:04 -0400] "GET /wp-object-cache.php HTTP/1.1" 301 251 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:04 -0400] "GET /wp-object-cache.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:04 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15206 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:04 -0400] "GET /wp-installation.php HTTP/1.1" 301 251 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:04 -0400] "GET /wp-installation.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15111 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /filess.php HTTP/1.1" 301 242 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /filess.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15053 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /mide.php HTTP/1.1" 301 240 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /mide.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15053 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /popup-pomo.php HTTP/1.1" 301 246 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /popup-pomo.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15053 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /uu.php HTTP/1.1" 301 238 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /uu.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15053 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /license.php HTTP/1.1" 301 243 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /license.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15412 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /tempfs.php HTTP/1.1" 301 242 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /tempfs.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
    192.185.83.137 - - [08/Sep/2016:23:50:07 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15412 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"


    I tried to deny IP access through .htaccess, but this is not working as they shift IPs over large ranges and use proxies. The above IP comes from Houston, TX!! It's a futile cat-and-mouse game. Also, attempting to block entire countries' IP ranges imposes too much server load.

    Is there a firewall that Powweb can activate to block these activities upstream? Or a method that works, like http://configserver.com/cp/csf.html ?

    Any suggestion welcome.
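The probe pattern in the posted extract is easy to match mechanically: each guessed path gets a 301, then a 302 into the custom 404 page, which itself answers 200 for /errors/error-404.php, so a naive "count the 404s" rule sees nothing. The following Python is an added example, not code from the thread or from Powweb: it parses combined-format lines, pairs each 302 with the handler request that follows it (or a bare 404), counts distinct missed paths per client inside a time window, and renders an Apache 2.4 `Require not ip` block of the kind the .htaccess approach needs. The sample lines are constructed to mirror the posted log; the threshold (more than 5 distinct missed paths in 10 minutes) and the 203.0.113.5 visitor are assumptions.

```python
"""Flag IPs that probe many non-existent .php paths in a short window.

Added example, not code from the thread. Mirrors the posted pattern: each
guessed path gets a 301, then a 302 into the custom 404 page, which itself
returns 200. Thresholds and sample lines are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; the path is everything up to the first space.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ERROR_HANDLER = "/errors/error-404.php"  # the site's custom 404 page (from the posted log)

def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def find_misses(events):
    """Yield (ip, ts, path) for each request that ended as a miss.

    A miss is a bare 404, or a 302 on a non-handler path that the same
    client follows with a request for ERROR_HANDLER (the posted pattern).
    """
    last_redirect = {}  # ip -> (ts, path) of its most recent 302
    for e in events:
        ip, path, status = e["ip"], e["path"].split("?", 1)[0], e["status"]
        if status == 404:
            yield ip, e["ts"], path
        elif path == ERROR_HANDLER:
            prev = last_redirect.pop(ip, None)
            if prev is not None:
                yield ip, prev[0], prev[1]
        elif status == 302:
            last_redirect[ip] = (e["ts"], path)

def scanners(lines, max_misses=5, window=timedelta(minutes=10)):
    """Return {ip: sorted distinct missed paths} for clients that missed more
    than max_misses distinct paths inside any span of length `window`."""
    per_ip = defaultdict(list)
    for ip, ts, path in find_misses(filter(None, map(parse, lines))):
        per_ip[ip].append((ts, path))
    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window
                start += 1
            if len({p for _, p in hits[start:end + 1]}) > max_misses:
                flagged[ip] = sorted({p for _, p in hits})
                break
    return flagged

def htaccess_block(ips):
    """Render an Apache 2.4 block that denies the flagged IPs."""
    body = [f"    Require not ip {ip}" for ip in sorted(ips)]
    return "\n".join(["<RequireAll>", "    Require all granted", *body, "</RequireAll>"])

# --- constructed sample, shaped like the posted extract (assumption) ---------
T0 = datetime(2016, 9, 8, 23, 46, 27, tzinfo=timezone(timedelta(hours=-4)))

def probe_lines(ip, paths, ua="Mozilla/5.0"):
    """Build the 301 / 302 / handler-200 triplet for each probed path."""
    out = []
    for i, p in enumerate(paths):
        ts = (T0 + timedelta(seconds=10 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        out.append(f'{ip} - - [{ts}] "POST {p} HTTP/1.1" 301 244 "-" "{ua}"')
        out.append(f'{ip} - - [{ts}] "POST {p} HTTP/1.1" 302 228 "-" "{ua}"')
        out.append(f'{ip} - - [{ts}] "POST {ERROR_HANDLER} HTTP/1.1" 200 15136 "-" "{ua}"')
    return out

SAMPLE_LINES = probe_lines("192.185.83.137", [
    "/wp-check.php", "/start.php", "/general.php", "/ooimg.php",
    "/get.php?key=sdfadsgh4513", "/upgrade.php", "/news.php",
]) + [  # an ordinary visitor (203.0.113.0/24 is a documentation range) with one dead link
    '203.0.113.5 - - [08/Sep/2016:23:47:00 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Sep/2016:23:47:09 -0400] "GET /old-page.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scanners(SAMPLE_LINES)
    for ip, paths in hits.items():
        print(f"{ip}: {len(paths)} distinct missed paths, e.g. {paths[:3]}")
    print(htaccess_block(hits))
```

Two practical notes. The per-IP ban this produces is exactly what fail2ban automates with its findtime/maxretry/bantime settings, but fail2ban needs root to drive iptables, which a shared host will not give you; writing the `Require not ip` lines into .htaccess is the equivalent you can do yourself, and it addresses the OP's objection to country-wide ranges because only observed scanners are listed. Second, in the posted log every probe costs a redirect plus a 15 KB page served with status 200; if the site's custom 404 page were served in place with a real 404 status (Apache's `ErrorDocument 404 /errors/error-404.php` with a local path does that, where a redirect to it produces the 302 seen here), the probes would be visible to off-the-shelf filters and would stop inflating the "successful hits" in the stats.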

  2. #2
    snowmaker
    Join Date: Nov 2002
    Location: West Virginia
    Posts: 3,455
    Rep Power: 21
    A tool similar to CSF is Fail2ban. I am not sure if it works in this shared hosting environment though. I was going to try and implement it once a while ago, and I can't remember why I didn't try it out. Another script that I was using successfully for a while is SpambotSecurity. It only works with PHP based sites, especially blog and forum types. I would highly recommend it if you can use it.
    -bruce /* somdcomputerguy */
    'If you change the way you look at things, the things you look at change.'

  3. #3
    louboumian
    Join Date: Feb 2004
    Location: Vancouver, Canada
    Posts: 187
    Rep Power: 14
    Thanks for the suggestion Bruce.
    I have tried ZBblock on one pointed site, but the implementation is a bit tricky.
    On the root, I have nothing other than IP block rules and a honeypot right now.
    I am going to give fail2ban a try.

    But I think Powweb should really implement a firewall upstream, or something configurable in the Control Panel if the user wants to fine-tune it, if it's feasible in a shared environment (not sure).

    Cheers
