PowWeb Forums - The Perfect Community for the Perfect Host  

9-11-16, 12:35 PM   #1
louboumian
Join Date: Feb 2004
Location: Vancouver, Canada
Posts: 187
Reputation: 11
access logs swamped by hackers... Powweb firewall?

My access logs are totally swamped by zillions of hacker attempts to randomly access sensitive files (e.g. php_admin). My stats, built from these polluted access logs, of course become nonsensical.

Access log extract from last week:

192.185.83.137 - - [08/Sep/2016:23:46:22 -0400] "GET / HTTP/1.1" 301 232 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:46:22 -0400] "GET / HTTP/1.1" 403 2050 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:46:27 -0400] "POST /wp-check.php HTTP/1.1" 301 244 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:46:27 -0400] "POST /wp-check.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:46:27 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15136 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:46:28 -0400] "POST /start.php HTTP/1.1" 301 241 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:46:28 -0400] "POST /start.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:46:28 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15136 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:46:28 -0400] "POST /general.php HTTP/1.1" 301 243 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:46:28 -0400] "POST /general.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:46:28 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15412 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:46:38 -0400] "POST /ooimg.php HTTP/1.1" 301 241 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:46:38 -0400] "POST /ooimg.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:46:39 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15136 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:46:49 -0400] "POST /get.php?key=sdfadsgh4513sdGG435341FDGWWDFGDFHDFGDS FGDFSGDFG HTTP/1.1" 301 291 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:46:49 -0400] "POST /get.php?key=sdfadsgh4513sdGG435341FDGWWDFGDFHDFGDS FGDFSGDFG HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:46:49 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15206 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:46:59 -0400] "POST /upgrade.php HTTP/1.1" 301 243 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:46:59 -0400] "POST /upgrade.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:47:00 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15111 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:47:40 -0400] "POST /news.php HTTP/1.1" 301 240 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:47:40 -0400] "POST /news.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:47:40 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15412 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:47:50 -0400] "POST /configbak.php HTTP/1.1" 301 245 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:47:51 -0400] "POST /configbak.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:47:51 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15053 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:48:11 -0400] "POST /adodb.class.php HTTP/1.1" 301 247 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:48:11 -0400] "POST /adodb.class.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:48:11 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15412 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:49:03 -0400] "POST /wp-checking.php HTTP/1.1" 301 247 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:49:03 -0400] "POST /wp-checking.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:49:03 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15412 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
192.185.83.137 - - [08/Sep/2016:23:50:04 -0400] "GET /wp-object-cache.php HTTP/1.1" 301 251 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:04 -0400] "GET /wp-object-cache.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:04 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15206 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:04 -0400] "GET /wp-installation.php HTTP/1.1" 301 251 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:04 -0400] "GET /wp-installation.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15111 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /filess.php HTTP/1.1" 301 242 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /filess.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15053 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /mide.php HTTP/1.1" 301 240 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /mide.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15053 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /popup-pomo.php HTTP/1.1" 301 246 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:05 -0400] "GET /popup-pomo.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15053 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /uu.php HTTP/1.1" 301 238 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /uu.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15053 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /license.php HTTP/1.1" 301 243 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /license.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15412 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /tempfs.php HTTP/1.1" 301 242 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:06 -0400] "GET /tempfs.php HTTP/1.1" 302 228 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
192.185.83.137 - - [08/Sep/2016:23:50:07 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15412 "-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"


I tried to deny IP access through .htaccess, but this is not working as they shift IPs over large ranges and use proxies. The above IP comes from Houston, TX!! It's a futile cat-and-mouse game. Also, attempting to block entire countries' IP ranges imposes too much server load.

Is there a firewall that Powweb can activate to block these activities upstream? Or a method that works, like http://configserver.com/cp/csf.html ?

Any suggestion welcome.
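The extract above has a very regular shape: every guessed .php name produces a 301, a 302 and then a 200 on /errors/error-404.php, so hits on that handler page are a direct count of "files that did not exist" per client. That signal can drive a detector that both strips the scanner noise out of the log before it reaches the stats package (which fixes the "nonsensical stats" problem even when blocking fails) and prints the deny list the poster was assembling by hand. The script below is an added example written for this thread; it is not code from the poster, PowWeb, CSF or Fail2ban. Its assumptions: that the rewrite to /errors/error-404.php is the host's behaviour for every missing file, that the host runs Apache 2.4 (for the .htaccess syntax), and that the thresholds (5 distinct missing files within 300 seconds) are reasonable starting points; the 203.0.113.5 visitor lines are constructed, while the 192.185.83.137 lines are copied from the extract.

```python
# Added example: flag scanner IPs in an Apache access log, emit deny rules and a
# cleaned log for statistics.  Signal (assumed from the extract): every missing
# file is rewritten to /errors/error-404.php, so one hit there == one file that
# did not exist.  Real visitors hit it once or twice; scanners hit it per guess.
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" LogFormat.  The request line is captured whole because
# scanners send paths containing spaces (the /get.php?key=... line in the
# extract), which breaks a naive "METHOD PATH PROTO" regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
ERROR_HANDLER = "/errors/error-404.php"   # the host's 404 rewrite target (assumed)


def parse_line(line):
    """Parse one combined-format line into a dict; return None if malformed."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    tokens = m.group("req").split(" ")
    proto = tokens[-1] if len(tokens) > 1 and tokens[-1].startswith("HTTP/") else ""
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": tokens[0],
        "path": " ".join(tokens[1:-1] if proto else tokens[1:]),
        "status": int(m.group("status")),
    }


def find_scanners(entries, min_probes=5, window_s=300):
    """Return {ip: sorted probed paths} for IPs that asked for at least min_probes
    distinct missing files within any window_s seconds.  A probe is the last
    non-handler path an IP requested before being sent to ERROR_HANDLER."""
    probes = defaultdict(list)   # ip -> [(ts, path)], in time order
    last_path = {}               # ip -> most recent non-handler path, query stripped
    for e in sorted(entries, key=lambda e: e["ts"]):   # stable: same-second order kept
        path = e["path"].split("?")[0]
        if path == ERROR_HANDLER:
            if e["ip"] in last_path:
                probes[e["ip"]].append((e["ts"], last_path.pop(e["ip"])))
        else:
            last_path[e["ip"]] = path
    scanners = {}
    for ip, hits in probes.items():
        in_window, start = Counter(), 0          # sliding window over hits[start:]
        for ts, path in hits:
            in_window[path] += 1
            while (ts - hits[start][0]).total_seconds() > window_s:
                in_window[hits[start][1]] -= 1   # evict probes older than the window
                start += 1
            if len(+in_window) >= min_probes:    # +Counter drops zero counts
                scanners[ip] = sorted({p for _, p in hits})
                break
    return scanners


def clean_log(lines, scanners):
    """Drop every line from a flagged IP so the stats package sees real visitors
    only; unparsable lines are kept for manual inspection."""
    return [l for l in lines if (parse_line(l) or {}).get("ip") not in scanners]


def htaccess_rules(scanners):
    """.htaccess fragment denying the flagged IPs.  Assumes Apache 2.4
    (mod_authz_core); Apache 2.2 needs 'Order allow,deny' / 'Deny from'."""
    body = "".join(f"    Require not ip {ip}\n" for ip in sorted(scanners))
    return f"<RequireAll>\n    Require all granted\n{body}</RequireAll>\n"


# The same signal as a Fail2ban failregex (pair with maxretry = 5, findtime = 300).
FAIL2BAN_FAILREGEX = r'^<HOST> -.*"(?:GET|POST|HEAD) /errors/error-404\.php '

UA = '"-" "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"'
SAMPLE_LOG = [
    # scanner lines from the extract (301 hop omitted) ...
    f'192.185.83.137 - - [08/Sep/2016:23:46:27 -0400] "POST /wp-check.php HTTP/1.1" 302 228 {UA}',
    f'192.185.83.137 - - [08/Sep/2016:23:46:27 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15136 {UA}',
    f'192.185.83.137 - - [08/Sep/2016:23:46:28 -0400] "POST /start.php HTTP/1.1" 302 228 {UA}',
    f'192.185.83.137 - - [08/Sep/2016:23:46:28 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15136 {UA}',
    f'192.185.83.137 - - [08/Sep/2016:23:46:49 -0400] "POST /get.php?key=sdfadsgh4513sdGG435341FDGWWDFGDFHDFGDS FGDFSGDFG HTTP/1.1" 302 228 {UA}',
    f'192.185.83.137 - - [08/Sep/2016:23:46:49 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15206 {UA}',
    f'192.185.83.137 - - [08/Sep/2016:23:47:51 -0400] "POST /configbak.php HTTP/1.1" 302 228 {UA}',
    f'192.185.83.137 - - [08/Sep/2016:23:47:51 -0400] "POST /errors/error-404.php HTTP/1.1" 200 15053 {UA}',
    f'192.185.83.137 - - [08/Sep/2016:23:50:04 -0400] "GET /wp-object-cache.php HTTP/1.1" 302 228 {UA}',
    f'192.185.83.137 - - [08/Sep/2016:23:50:04 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15206 {UA}',
    # ... plus a constructed ordinary visitor (RFC 5737 address) with one stale favicon
    '203.0.113.5 - - [08/Sep/2016:23:51:00 -0400] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/48.0"',
    '203.0.113.5 - - [08/Sep/2016:23:51:01 -0400] "GET /favicon.ico HTTP/1.1" 302 228 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/48.0"',
    '203.0.113.5 - - [08/Sep/2016:23:51:01 -0400] "GET /errors/error-404.php HTTP/1.1" 200 15053 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/48.0"',
]

if __name__ == "__main__":
    entries = [e for e in map(parse_line, SAMPLE_LOG) if e]
    found = find_scanners(entries)
    for ip, paths in found.items():
        print(f"{ip} probed {len(paths)} missing files: {', '.join(paths)}")
    print(htaccess_rules(found), end="")
    print(f"{len(clean_log(SAMPLE_LOG, found))} of {len(SAMPLE_LOG)} lines kept for stats")
```

To run it against a real log, replace SAMPLE_LOG with the lines of the access log file and write clean_log()'s result to a second file that the stats package reads instead of the raw log. Cleaning the input this way does not depend on the block succeeding, so it keeps the stats honest even when the scanner moves to a new address, which is the failure mode the poster describes. The .htaccess list is a secondary output: each entry is evaluated on every request, so it should be regenerated from a recent window rather than grown forever, and the 5/300 thresholds need tuning against a day of the site's own traffic before being trusted.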
9-12-16, 12:16 AM   #2
snowmaker
Join Date: Nov 2002
Location: Not in Solomons anymore.
Posts: 3,433
Reputation: 326
A tool similar to CSF is Fail2ban. I am not sure if it works in this shared hosting environment, though. I was going to try and implement it once, a while ago, and I can't remember why I didn't try it out. Another script that I was using successfully for a while is SpambotSecurity. It only works with PHP-based sites, especially blog and forum types. I would highly recommend it if you can use it.
__________________
-bruce /* somdcomputerguy */
'If you change the way you look at things, the things you look at change.'
9-27-16, 01:02 AM   #3
louboumian
Join Date: Feb 2004
Location: Vancouver, Canada
Posts: 187
Reputation: 11
Thanks for the suggestion Bruce.
I have tried zbblock on one pointed site but the implementation is a bit tricky.
On the root, I have nothing other than IP block rules and a honeypot right now.
I am going to give fail2ban a try.

But I think Powweb should really implement a firewall upstream, or something configurable in the Control Panel if the user wants to fine-tune it, if that's feasible in a shared environment (not sure).

Cheers
All times are GMT -4. The time now is 08:18 AM.

