Code: Select all
% check_attacks.pl --srcip '188.191.164.43|47.244.18.107|85.27.246.48|47.75.249.121|95.179.215.180|18.18.248.17|112.118.155.15|47.75.173.76|159.69.81.117|212.51.217.211|112.118.155.15'
% check_attacks.pl --pstatus=400
% check_attacks.pl | grep -A2 -i autodiscover
% check_attacks.pl --search autodiscover
Code: Select all
% wget https://raw.githubusercontent.com/JimDunphy/ZimbraScripts/master/src/check_attacks.pl
% chmod 755 check_attacks.pl
% ./check_attacks.pl
Code: Select all
% check_attacks.pl -h
usage: % check_attacker.pl
[--fcolor=<color name (i.e. RED)>]
[--srcip=<ip address>]
[--localUser ]
[--IPlist ]
[--statuscnt]
[--display="date|upstream|bytes|port|referrer]
[--usertype=<attacker|local|all>
[--pstatus=<regex of status codes>
[--help]
[--version]
where:
--srcip|sr: print only records matching ip addresses
--statuscnt: prints out the count for each status return code found
--help|h: this message
examples: (-- or - or first few characters of option so not ambigous)
% check_attacker.pl -srcip 10.10.10.1 #only this ip address
% check_attacker.pl -srcip '10.10.10.1|20.20.20.2' #only these ip addresses
% check_attacker.pl -statuscnt #print status codes
% check_attacker.pl --statuscnt #print status codes #same
% check_attacker.pl --localUser #include local users accounts
% check_attacker.pl --IPlist # print list of ips
% check_attacker.pl --IPlist --ipset # print list of ips in ipset format
% check_attacker.pl --IPlist -pstatus='40.' --ipset # print list of ips in ipset format with status code 400..409
% check_attacker.pl --localUser --IPlist # print list of local ips used by local users
% check_attacker.pl --IPlist --ipset | sh # install ip's into ipset
% check_attacker.pl --initIPset # show how to create ipset
% check_attacker.pl -fc RED #change color
% check_attacker.pl --usertype=local # print out strings of only local users
% check_attacker.pl --pstatus='4..' # print out only those requests with a code of 4XX (ie 403, 404, 499)
% check_attacker.pl --usertype=all --pstatus='403|500' # print out only those requests with a code of 403 or 500 for all types (local & attacker)
% check_attacker.pl --display=date # default is to display the user agent
% check_attacker.pl --display=referrer # default is to display the user agent
Code: Select all
% check_attacker.pl --status
Codes 200 Total: 67
Codes 302 Total: 1
Codes 400 Total: 58
Codes 404 Total: 23
Codes 501 Total: 1
Code: Select all
% check_attacker.pl --pstatus='400'
[ 400] |\x005\x00|\x00z\x00W\x00\xB0\x00|\x00|\x00\xEB\x00\xEA\x005\x00\xB0\x00\xE9\x00\xEB\x00V\x00W\x00V\x00!\x00\x06\x00Y\x00V\x00Y\x00\xB0\x00\xE9\x00\xE9\x00\x06\x00Y\x00W\x00\xEA\x00Y\x00|\x00\xE9\x00(\x005\x00\xA5\x00W\x00V\x00\xEB\x00\xEB\x005\x00!\x00{\x00{\x00{\x005\x00\xEA\x00\xA5\x00|\x00!\x00!\x00\xA5\x00V\x00W\x005\x00\xCC\x00(\x00W\x00\x06\x00\xEB\x00(\x00{\x00Y\x005\x00\x06\x00\xEA\x00(\x00\xCC\x00\xA5\x00\xA5\x00\xB0\x00{\x00\xB0\x00\xE9\x00\xE9\x00\xA5\x00\xE9\x00\xE9\x00!\x00\xA5\x00\xCC\x00Y\x00\xA5\x00\xB0\x00Y\x00(\x00\xEA\x00{\x00\x06\x00\xA5\x00\xA5\x00\x06\x00\xB0\x00{\x00W\x00\xEA\x00\x06\x00Y\x00z\x00\xEA\x00W\x00Y\x00\xEB\x00{\x00\xCC\x00|\x00\xB0\x00\xE9\x00|\x00(\x00(\x00\xEA\x00V\x00\xB0\x00!\x00\xB0\x00\x06\x00\xB0\x00z\x00\xA5\x00!\x00W\x00\xEA\x00V\x00z\x00\xEA\x00z\x00\x06\x00\xCC\x00\xCC\x00|\x005\x00(\x00\x06\x00z\x00{\x00|\x00z\x005\x00\xEB\x00|\x00!\x00\xE9\x005\x00{\x00|\x00V\x00z\x00\xCC\x00{\x00(\x00\xEB\x00Y\x00\xE9\x00z\x00|\x00!\x00\xCC\x00V\x00\xB0\x00V\x00\x06\x00\xEA\x00z\x00\xE9\x00{\x00\xEB\x00!\x00\xEA\x00\xEB\x00\x06\x00\xEA\x00|\x00Y\x00|\x005\x00z\x00Y\x00Y\x00V\x00V\x005\x00!\x00z\x00W\x00\xCC\x00W\x00!\x00|\x00V\x00\xCC\x00\xEA\x00\xB0\x00\x06\x00{\x00\xEA\x00\xCC\x005\x00\xCC\x00(\x00{\x00z\x00V\x00\x06\x00\xE9\x00\xEA\x00\xEA\x00\xEA\x00!\x00|\x00\x06\x00W\x00(\x00\xA5\x00z\x00\x06\x00W\x00V\x00\xEA\x00\x06\x00\xEB\x00!\x00\xA5\x00Y\x005\x00{\x00!\x00V\x00\xE9\x00\xCC\x005\x00\xEB\x00z\x00\xB0\x00\xEB\x00\x06\x00V\x00\xB0\x00\xA5\x00!\x00(\x00Y\x00(\x00(\x00V\x00z\x00\xB0\x00\xEB\x00\xEB\x00\xCC\x00!\x00\xCC\x00\xCC\x00\xCC\x00\xE9\x00(\x00|\x005\x00\xEB\x00\xEA\x005\x00\xEB\x00\xE9\x00\xA5\x00(\x00W\x00Y\x00Y\x00\xCC\x00|\x00Y\x00W\x00|\x00|\x00\xEB\x005\x00Y\x00\xE9\x00\xEA\x00\xA5\x00\x06\x00Y\x00{\x00\xEA\x00\xA5\x00\xE9\x00\xB0\x00!\x00\xEB\x00W\x00\xA5\x00z\x00\xA5\x00\xEB\x00\xA5\x00!\x00z\x00\xCC\x00\xB0\x00\xEB\x00V\x00\xCC\x00\xEA\x00\xCC\x00{\x00V\x00!\x00\x06\x00Y\x00\xEA\x00\xB0\x00\xB0\x00V\x00\
xE9\x00\xEB\x00\xEA\x00V\x005\x00\xB0\x00W\x00\xEA\x00Y\x00(\x00\xCC\x00z\x00!\x00z\x00\x06\x005\x00\x06\x00z\x00\x06\x00\xEB\x00\xCA\x00 bot
[ 400] \x09\x00\xB0\x00\xF3\x00\xD9\x00\x8E\x00\x09\x00\xA7\x00\xEC\x00\x8B\x00\xD9\x00\xF3\x00\x8E\x00\xD9\x00\xB0\x00z\x00\xB0\x00\xC5\x00\xFC\x00\xA7\x00z\x00\x09\x00\x17\x00\xC5\x00\xEC\x00H\x00\xFE\x00\xFE\x00j\x00\xFE\x00\x8E\x00\xC5\x00\xC5\x00\xFE\x00z\x00\xEC\x00\xA7\x00z\x00\xC5\x00\xF3\x00H\x00\xD9\x00\xA7\x00\xEC\x00\xD9\x00\x8B\x00\xFE\x00H\x00z\x00\xFB\x00H\x00\xFB\x00\x17\x00\xB0\x00\xF3\x00\xFC\x00\xFC\x00\x09\x00j\x00\x17\x00\xFB\x00\xFC\x00\x8E\x00\xEC\x00\xFB\x00\xF3\x00\xB0\x00\x8E\x00\x17\x00\x17\x00\xFC\x00\xC5\x00H\x00\xA7\x00\xFE\x00\xC5\x00\xF3\x00\xC5\x00\xA7\x00\xB0\x00\xFC\x00\xD9\x00\xFC\x00\xB0\x00\xFE\x00H\x00j\x00\xC5\x00\x17\x00z\x00\x17\x00\xFC\x00\xA7\x00\xD9\x00\xF3\x00\xEC\x00\xFE\x00\xA7\x00\xA7\x00\xFB\x00\xB0\x00\x8E\x00\xC5\x00\xB0\x00H\x00\x17\x00\xC5\x00\x8B\x00j\x00\x8E\x00\xEC\x00\xF3\x00\xFE\x00\xD9\x00\xF3\x00\xA7\x00j\x00\xEC\x00\xA7\x00\xB0\x00\x17\x00\xFC\x00H\x00H\x00\x09\x00\x09\x00\x09\x00H\x00\x8E\x00\xCE\x00 bot
Attacker from 108.178.16.154 2 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
[ 400] POST /Autodiscover/Autodiscover.xml python-requests/2.21.0
Attacker from 112.118.155.15 1 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
[ 400] HEAD / bot
[ 400] HEAD / bot
Attacker from 138.246.253.5 3 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
[ 400] )S\xC3b=\xE0)\x1Bp\x91K\xED\x88\x8FY\xC2 bot
Attacker from 155.94.222.12 1 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
[ 400] POST /Autodiscover/Autodiscover.xml Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1309.0 Safari/537.17
Attacker from 159.69.81.117 2 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
[ 400] GET / Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
[ 400] GET / Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Attacker from 164.52.24.162 2 Requests - Score 25%
Code: Select all
% check_attacks.pl --pstatus='400' --srcip='164.52.24.162' --display=date
[ 400] GET / 30/Apr/2019:13:28:02
[ 400] GET / 24/Apr/2019:05:15:56
Attacker from 164.52.24.162 2 Requests - Score 25%
------------------------------------------------------------------------------------------------------------
Code: Select all
% check_attacks.pl --iplist | head -5
107.170.202.34
107.170.204.68
108.178.16.154
112.118.155.15
112.64.199.58
Code: Select all
% check_attacks.pl --iplist --ipset | head -5
ipset add blacklist24hr 107.170.202.34 -exists
ipset add blacklist24hr 107.170.204.68 -exists
ipset add blacklist24hr 108.178.16.154 -exists
ipset add blacklist24hr 112.118.155.15 -exists
ipset add blacklist24hr 112.64.199.58 -exists
Code: Select all
% check_attacks.pl --iplist --pstatus='400|501' |head -5
108.178.16.154
112.118.155.15
138.246.253.5
155.94.222.12
159.69.81.117
% check_attacks.pl --iplist --ipset --pstatus='400' |head -5
ipset add blacklist24hr 108.178.16.154 -exists
ipset add blacklist24hr 112.118.155.15 -exists
ipset add blacklist24hr 138.246.253.5 -exists
ipset add blacklist24hr 155.94.222.12 -exists
ipset add blacklist24hr 159.69.81.117 -exists
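To make the --statuscnt and --IPlist/--pstatus/--ipset behaviour shown above concrete, here is a small added Python reimplementation of just that slice of the script (this is example code written for this page, not check_attacks.pl itself). It assumes nginx "combined" log lines and the ipset name blacklist24hr from the output above; the log lines it runs on are constructed samples, not taken from a real server.

```python
import re
from collections import Counter

# Constructed sample log lines (nginx combined format). The IPs and
# requests are modelled on the post's output, not copied from a live log.
SAMPLE_LOG = """\
108.178.16.154 - - [30/Apr/2019:13:28:02 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 400 0 "-" "python-requests/2.21.0"
112.118.155.15 - - [30/Apr/2019:13:29:10 +0000] "HEAD / HTTP/1.0" 400 0 "-" "-"
185.142.236.34 - - [30/Apr/2019:13:30:00 +0000] "GET /robots.txt HTTP/1.1" 200 312 "-" "Mozilla/5.0"
185.142.236.34 - - [30/Apr/2019:13:30:01 +0000] "GET /sitemap.xml HTTP/1.1" 404 0 "-" "Mozilla/5.0"
159.69.81.117 - - [30/Apr/2019:13:31:00 +0000] "GET / HTTP/1.1" 501 0 "-" "Mozilla/5.0"
"""

# One regex for the combined format: ip, date, request line, status, bytes,
# referrer, user agent. Lines that do not match are skipped, not guessed at.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

def parse_log(text):
    """Yield one dict per parseable access-log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def status_counts(records):
    """Like --statuscnt: how many requests returned each status code."""
    return Counter(r["status"] for r in records)

def ip_list(records, pstatus=None):
    """Like --IPlist [--pstatus=REGEX]: sorted unique source IPs, optionally
    only those with a request whose status matches the regex. The regex is
    anchored, so '40.' means exactly 400..409 as the help text says."""
    pat = re.compile(rf"^(?:{pstatus})$") if pstatus else None
    ips = {r["ip"] for r in records if pat is None or pat.match(r["status"])}
    return sorted(ips)  # string sort, same order as the --iplist output above

def ipset_commands(ips, setname="blacklist24hr"):
    """Like --ipset: one 'ipset add' per IP; -exists keeps a re-run from
    failing on addresses already in the set."""
    return [f"ipset add {setname} {ip} -exists" for ip in ips]

if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    for code, n in sorted(status_counts(recs).items()):
        print(f"Codes {code} Total: {n}")
    print("\n".join(ipset_commands(ip_list(recs, "400|501"))))
```

Piping the printed ipset lines into sh, as the post does, only makes sense once the blacklist24hr set exists on the box and an iptables rule matches on it.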
Code: Select all
% check_attackers.pl
[ 200] GET / bot
Attacker from 178.73.215.171 1 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
[ 400] POST /Autodiscover/Autodiscover.xml python-requests/2.21.0
[ 400] GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 python-requests/2.21.0
Attacker from 18.18.248.17 2 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
[ 200] GET / bot
Attacker from 184.105.139.69 1 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
[ 200] GET / bot
Attacker from 184.105.247.194 1 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
[ 200] GET / bot
[ 200] GET / bot
Attacker from 184.105.247.196 2 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
[ 200] GET / Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36
[ 400] stealth request - exploit attemped bot
[ 400] stealth request - exploit attemped bot
[ 400] stealth request - exploit attemped bot
[ 400] stealth request - exploit attemped bot
[ 200] GET /robots.txt bot
[ 404] GET /sitemap.xml bot
[ 404] GET /.well-known/security.txt bot
[ 400] stealth request - exploit attemped bot
Attacker from 185.142.236.34 9 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
[ 200] GET / Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36
[ 400] stealth request - exploit attemped bot
[ 400] stealth request - exploit attemped bot
[ 400] stealth request - exploit attemped bot
[ 400] stealth request - exploit attemped bot
[ 200] GET /robots.txt bot
[ 404] GET /sitemap.xml bot
[ 404] GET /.well-known/security.txt bot
[ 400] stealth request - exploit attemped bot
Attacker from 185.142.236.35 9 Requests - Score 100%
...
...
It has been enlightening to learn how Zimbra is behaving from nginx's eyes. If you are having problems with customizing STEP 1', it isn't necessary to have the full logs for me... use the program to generate a few lines. I would like to incorporate those additions to the code so future users may not have to perform any customization and the program completely understands Zimbra user session streams.
Code: Select all
% check_attacks.pl --srcip=X.X.X.X | head -50
Enjoy.
Jim