mitchellkrogza / nginx-ultimate-bad-bot-blocker

Nginx Block Bad Bots, Spam Referrer Blocker, Vulnerability Scanners, User-Agents, Malware, Adware, Ransomware, Malicious Sites, with anti-DDOS, Wordpress Theme Detector Blocking and Fail2Ban Jail for Repeat Offenders

[User-Agent] Add botnet user-agent (brute force attacks) #468

Open CyberCr33p opened 2 years ago

CyberCr33p commented 2 years ago

Paste the full User-Agent String here


Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Is this for Addition / Removal?

Did the User-Agent request robots.txt first?

Post Log Excerpt to show User-Agent behavior (10-20 lines is enough)


34.201.72.208 - - [27/Mar/2022:20:30:17 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36" (8.929)
13.126.52.120 - - [27/Mar/2022:20:37:37 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" (7.875)
80.74.147.43 - - [27/Mar/2022:21:07:03 +0300] "POST /wp-login.php HTTP/1.1" 499 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36" (10.093)
85.214.225.219 - - [27/Mar/2022:21:14:19 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36" (2.877)
52.57.79.245 - - [27/Mar/2022:21:28:27 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36" (9.260)
69.163.186.158 - - [27/Mar/2022:21:35:16 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36" (0.267)
188.166.225.235 - - [27/Mar/2022:21:55:42 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36" (1.655)
31.172.80.144 - - [27/Mar/2022:22:09:55 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36" (1.162)
20.64.155.18 - - [27/Mar/2022:22:16:47 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36" (0.317)
18.192.115.42 - - [27/Mar/2022:22:23:53 +0300] "POST /wp-login.php HTTP/1.1" 200 2335 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" (0.202)

Additional information

https://blog.paranoidpenguin.net/2019/03/a-digital-ocean-of-bots/
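The pattern in the log excerpt above (POSTs to /wp-login.php with an empty referer, one per source address) can be pulled out of an access log as follows. This is an added example, not code from the issue or from the project; the sample rows, the Firefox string and the `min_ips` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Combined log format followed by the "(request_time)" field seen in the excerpt.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample rows (documentation IP ranges), not taken from a real server.
CHROME = "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/{} Safari/537.36"
UA_57, UA_79, UA_47 = (CHROME.format(v) for v in ("57.0.2987.133", "79.0.3945.130", "47.0.2526.111"))
UA_FX = "Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0"
ROW = '{} - - [27/Mar/2022:20:30:17 +0300] "{} HTTP/1.1" 200 2335 "{}" "{}" (0.202)'
SAMPLE_LOG = [ROW.format(*f) for f in [
    ("192.0.2.10", "POST /wp-login.php", "-", UA_57),
    ("198.51.100.23", "POST /wp-login.php", "-", UA_57),
    ("203.0.113.77", "POST /wp-login.php", "-", UA_57),
    ("192.0.2.44", "POST /wp-login.php", "-", UA_79),
    ("198.51.100.5", "GET /", "-", UA_79),  # same string, ordinary page view
    ("203.0.113.9", "GET /wp-login.php", "-", UA_FX),
    ("203.0.113.9", "POST /wp-login.php", "https://example.com/wp-login.php", UA_FX),
    ("192.0.2.80", "POST /wp-login.php", "-", UA_47),  # single address only
]]

def login_only_agents(lines, min_ips=2):
    """Return {user_agent: sorted IPs} for agents whose only traffic is
    referer-less POSTs to /wp-login.php, seen from at least min_ips addresses."""
    blind_ips = defaultdict(set)  # ua -> addresses that sent a blind login POST
    other = set()                 # uas that also made any other kind of request
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines in another format
        r = m.groupdict()
        blind = (r["method"] == "POST" and r["referer"] in ("", "-")
                 and r["path"].split("?")[0] == "/wp-login.php")
        if blind:
            blind_ips[r["ua"]].add(r["ip"])
        else:
            other.add(r["ua"])
    return {ua: sorted(ips) for ua, ips in blind_ips.items()
            if ua not in other and len(ips) >= min_ips}

if __name__ == "__main__":
    for ua, ips in login_only_agents(SAMPLE_LOG).items():
        print(len(ips), "addresses:", ua)
```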

CyberCr33p commented 2 years ago

No, this user agent is used only by bots. I grepped the access logs (many thousands of websites) on all my servers for several days and it is not used by normal browsers.

zakirkun commented 2 years ago

You can set a captcha in the WordPress login form; this is a brute-force attack on the login.