Tag Archives: logfile

w00tw00t.at.blackhats.romanian.anti-sec – WTF!?

One day you may find a bunch of requests in a short period of time with an unusual and suspicious user agent in your Apache web server’s logs, something like "Made by ZmEu @ WhiteHat Team – http://www.whitehat.ro" or just "ZmEu", and the requests may come from Russia or China. Search and you’ll find that ZmEu is a bot that tries to find vulnerabilities in phpMyAdmin (it usually looks for the phpmyadmin/scripts/setup.php file) and other web applications.

It is a kind of scripted attack in which the attacker tries to find loopholes in phpMyAdmin and PHP running under Apache and tries to manipulate them through the URL. This is how the logs looked:

Log from nginx access.log
[email protected]:~# grep -r w00t /var/log/nginx/*
/var/log/nginx/access.log:93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 502 383 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:30 +0800] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 502 383 "-" "ZmEu"

Another log from nginx access.log
[email protected]:~# grep -r ZmEu /var/log/nginx/*
/var/log/nginx/access.log:93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /pma/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 502 383 "-" "ZmEu"
/var/log/nginx/access.log:93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:30 +0800] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 502 383 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:30 +0800] "GET /scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:30 +0800] "GET /admin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:30 +0800] "GET /admin/pma/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:30 +0800] "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:31 +0800] "GET /db/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:31 +0800] "GET /dbadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:31 +0800] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:31 +0800] "GET /mysql/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:32 +0800] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:32 +0800] "GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:32 +0800] "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:32 +0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:33 +0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:33 +0800] "GET /phpmyadmin1/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:33 +0800] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:33 +0800] "GET /pma/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:34 +0800] "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:34 +0800] "GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:34 +0800] "GET /web/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:34 +0800] "GET /php-my-admin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
/var/log/nginx/access.log:109.230.228.246 - - [23/Jul/2013:10:50:35 +0800] "GET /websql/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"

Dayuumm. You as*h**e run into my server with this so-called script.
You scan me server. Me block you long time. Come. Here I share with you how to mitigate this attack.

First, we install fail2ban on our server. For those who don’t know what fail2ban is: fail2ban is more advanced than DenyHosts, as it extends log monitoring to other services including SSH, Apache, Courier, FTP, and more.

Fail2ban scans log files and bans IPs that show malicious signs — too many password failures, seeking for exploits, etc.

Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any other arbitrary action could also be configured.

So, to install it, open up your terminal and type:
sudo apt-get install fail2ban

After that, create a new file called w00tw00t.conf in /etc/fail2ban/filter.d/:
nano /etc/fail2ban/filter.d/w00tw00t.conf

Put this code inside that file (the quotes must be plain ASCII double quotes, and the pattern must contain <HOST>, which is where fail2ban reads the address to ban):
[Definition]
# <HOST> is replaced by fail2ban with its IP-address pattern; a filter
# without it is rejected. The rest matches the bot's request line exactly
# as it appears in access.log.
failregex = ^<HOST> -.*"GET \/w00tw00t

ignoreregex =

Edit /etc/fail2ban/jail.conf file:
nano /etc/fail2ban/jail.conf

At the end of the file, put this code:
[w00tw00t-scans]

enabled = true
# two actions: block the address on every port, then mail a whois report.
# The second action line must be indented so fail2ban reads it as a
# continuation of "action". The sender address below is a placeholder;
# replace it with your own.
action = iptables-allports
         sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
filter = w00tw00t

##### set the log path ######
logpath = /var/log/nginx/access.log
maxretry = 1

###### ban for 24 hour ######
bantime = 86400

Restart fail2ban service:
/etc/init.d/fail2ban restart

Check fail2ban client status:

[email protected]:~# fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: w00tw00t-scans, ssh
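Before enabling the jail it is worth confirming that the filter matches the bot's request line and nothing else. With fail2ban installed the tool for that is fail2ban-regex (fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/w00tw00t.conf). The script below is an added example, not part of the post or of fail2ban: it emulates what fail2ban-regex does by turning <HOST> into an IPv4 capture group and running the pattern over a few constructed access.log lines. The sample lines are constructed, and the regex is anchored on "w00tw00t\.at\." (a little stricter than the post's, so a legitimate path that merely starts with w00tw00t would not trip a one-strike ban).

```shell
#!/bin/sh
# Added example (not from the post): check the w00tw00t filter regex against
# constructed access.log lines before enabling the jail.

# The failregex as it would appear in w00tw00t.conf. <HOST> is mandatory:
# fail2ban refuses a filter that has no host group, because that group is
# the address it hands to the ban action.
FAILREGEX='^<HOST> -.*"GET /w00tw00t\.at\.'

# Constructed sample log: same shape as the post's lines, not real traffic.
# Two ZmEu probes from different hosts, one setup.php probe from the first
# host, and one ordinary request that must not match.
sample_log() {
    cat <<'EOF'
93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 502 383 "-" "ZmEu"
93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
10.0.0.5 - - [23/Jul/2013:09:00:00 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
109.230.228.246 - - [23/Jul/2013:10:50:30 +0800] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 502 383 "-" "ZmEu"
EOF
}

# Emulate fail2ban's matching: substitute <HOST> with an IPv4 capture group,
# then print the address of every line the pattern matches. fail2ban takes
# the address from the capture group; here it is field 1 of a matched line.
matched_hosts() {
    pattern=$(printf '%s' "$FAILREGEX" \
        | sed 's/<HOST>/([0-9]{1,3}(\\.[0-9]{1,3}){3})/')
    grep -E "$pattern" | awk '{print $1}'
}

# Addresses the jail would ban: with maxretry = 1 a single hit is enough.
banned_hosts() {
    sample_log | matched_hosts | sort -u
}

banned_hosts
```

Only the two hosts that sent the w00tw00t probe are listed; the setup.php probe from 93.174.93.213 is not matched by this filter (it is the same host, so it is banned anyway), and the ordinary request from 10.0.0.5 is ignored.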

credit to:
http://sharadchhetri.com/2013/06/27/protect-from-w00tw00t-at-blackhats-romanian-anti-sec/
http://myatus.com/p/blocking-w00tw00t-scans/

Extract unique IP address from Apache & Nginx log file

Let’s say you want to count the number of unique IP addresses hitting your Apache server. It’s very easy to do in a Linux (or compatible) shell. In this tutorial, I’m using Ubuntu Server.

First, locate the log file that you want to extract from. For example, the apache2 log files are located in /var/log/apache2 (depending on your distro). For nginx, the log files are in /var/log/nginx.

Here is the first example, on how to extract & count unique IP addresses in an Nginx log file.

Nginx Access Log file

awk '{print $1}' access.log | sort | uniq -c | sort -nr

Nginx Error Log file

grep -o 'client: [0-9.]*' error.log | sort | uniq -c | sort -nr

Next is the step on how to extract & count unique IP addresses from Apache log files.
Apache access & error log file

Apache Access Log file

awk '{print $1}' access.log | sort | uniq -c | sort -nr

Apache Error Log file

grep -o 'client [0-9.]*' error.log | sort | uniq -c | sort -nr
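As an added example (mine, not the post's), here are the four pipelines above wrapped in functions and run over constructed access.log and error.log lines, so the output can be checked offline. The error-log pattern is generalised to cover nginx ("client: 1.2.3.4,"), Apache 2.2 ("[client 1.2.3.4]") and Apache 2.4 ("[client 1.2.3.4:54321]") in one go, and a third function filters the count down to the hosts that exceed a threshold, which is the quick way to spot a scanner such as ZmEu in a busy log. The sample log lines and the 10.0.0.5 address are constructed.

```shell
#!/bin/sh
# Added example (not from the post): the post's pipelines as functions, run
# over constructed log lines so the result can be checked offline.

# Access logs (nginx and Apache "combined" format): the client IP is field 1.
count_access_ips() {
    awk '{print $1}' "$1" | sort | uniq -c | sort -nr
}

# Error logs: nginx writes "client: 1.2.3.4,", Apache 2.2 "[client 1.2.3.4]"
# and Apache 2.4 "[client 1.2.3.4:54321]". One pattern covers all three and
# keeps only the address (exactly four octets), so a port suffix can never
# split one client into several rows.
count_error_ips() {
    grep -oE 'client:? [0-9]{1,3}(\.[0-9]{1,3}){3}' "$1" \
        | awk '{print $2}' | sort | uniq -c | sort -nr
}

# Clients with at least $2 requests in access log $1. A scanner fires
# dozens of probes in a few seconds, so it floats to the top immediately.
noisy_access_ips() {
    count_access_ips "$1" | awk -v min="$2" '$1 >= min {print $2}'
}

# --- constructed sample input (same shape as the post's logs, not real) ---
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
cat > "$WORKDIR/access.log" <<'EOF'
93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
93.174.93.213 - - [23/Jul/2013:08:34:12 +0800] "GET /pma/scripts/setup.php HTTP/1.1" 404 142 "-" "ZmEu"
10.0.0.5 - - [23/Jul/2013:09:00:00 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
EOF
cat > "$WORKDIR/error.log" <<'EOF'
2013/07/23 08:34:12 [error] 1234#0: *1 open() "/var/www/pma/scripts/setup.php" failed (2: No such file or directory), client: 93.174.93.213, server: example.com
[Tue Jul 23 08:34:13 2013] [error] [client 93.174.93.213] File does not exist: /var/www/phpmyadmin
[Tue Jul 23 08:34:14 2013] [core:error] [pid 2345] [client 93.174.93.213:51234] AH00128: File does not exist: /var/www/myadmin
[Tue Jul 23 08:35:00 2013] [core:error] [pid 2345] [client 10.0.0.5:51300] AH00128: File does not exist: /var/www/favicon.ico
EOF

count_access_ips "$WORKDIR/access.log"
count_error_ips "$WORKDIR/error.log"
noisy_access_ips "$WORKDIR/access.log" 2
```

With this input 93.174.93.213 comes out on top of both counts (2 access-log hits, 3 error-log hits across the three log formats) and is the only host returned by noisy_access_ips with a threshold of 2.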

If you have any other step, you can share with me in the comment section. Hope it helps!

Extracting unique IPs from logfile

Extracting IPs from a logfile can sometimes give you a headache, especially when the logfile is more than a thousand lines long.

So here I share with you a trick to extract IPs in the terminal:

This one shows the IPs with the count: