search

mitchellkrogza / Fail2Ban.WebExploits

This custom Fail2Ban filter and jail will deal with all scans for common Wordpress, Joomla and other Web Exploits being scanned for by automated bots and those seeking to find exploitable web sites.
Other
169 stars 36 forks source link

Contributing Scan Signatures #1

Open mitchellkrogza opened 6 years ago

mitchellkrogza commented 6 years ago

Anyone who wishes to contribute any scan signatures found in their web server logs, please send a Pull Request on the exploits.list file

troyengel commented 5 years ago

I'm not sure what this is, Google-fu is failing me - I'm finding hundreds of these attempts per week in my logs:

"GET /admin/assets/js/views/login.js HTTP/1.1" 301 260 "-" "python-requests/2.19.1"

All are coming from one single IP (some 2000 hits in the logs laying around for November) and it's been reported by others here: https://www.abuseipdb.com/check/87.251.81.86 (added my report as well just now)

I think this might be something related to Node.js, but as I can't seem to find definitive information it's unclear if this is a good addition to the exploits.list. I notice a very sharp uptick in my logs starting the week of 2018-11-11 to 2018-11-18, it went from around 10-50 per week before that to 700+ per week starting then, either it was my server "found" by the botnet, or it's some fresh exploit? $0.02 on a "maybe?" that's popped up, hope this helps!

yuriyvolkov commented 4 years ago

@troyengel I think it might be FreePBX https://git.freepbx.org/projects/FREEPBX/repos/framework/browse/amp_conf/htdocs/admin/assets/js/views/login.js?at=bfb36fa7ac70c2e642257dbcd99a1799e19ea743

Source of login.js - framework - FreePBX GIT