LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-22-2014, 03:41 AM   #1
baldur2630
Member
 
Registered: Jan 2007
Location: Belgium
Distribution: CentOS & Ubuntu
Posts: 132

Rep: Reputation: 17
Bitcoin Script Kiddy attack


We seem to have a new target for the script kiddies now!

Today I got the following in my logs. Does anyone have a solution for stopping this similar to phpmyadmin attacks?

Code:
       /.365coin/365coin.conf: 1 Time(s)
       /.bfgminer/bfgminer.conf: 1 Time(s)
       /.bitcoin/bitcoin.conf: 1 Time(s)
       /.bitcoin/wallet.dat: 1 Time(s)
       /.cgminer/cgminer.conf: 1 Time(s)
       /.feathercoin/wallet.dat: 1 Time(s)
       /.litecoin/bitcoin.conf: 1 Time(s)
       /.litecoin/litecoin.conf: 1 Time(s)
       /.litecoin/wallet.dat: 1 Time(s)
       /.namecoin/bitcoin.conf: 1 Time(s)
       /.namecoin/namecoin.conf: 1 Time(s)
       /.namecoin/wallet.dat: 1 Time(s)
       /.novacoin/bitcoin.conf: 1 Time(s)
       /.novacoin/novacoin.conf: 1 Time(s)
       /.novacoin/wallet.dat: 1 Time(s)
       /.ppcoin/bitcoin.conf: 1 Time(s)
       /.ppcoin/ppcoin.conf: 1 Time(s)
       /.ppcoin/wallet.dat: 1 Time(s)
       /.primecoin/bitcoin.conf: 1 Time(s)
       /.primecoin/primecoin.conf: 1 Time(s)
       /.primecoin/wallet.dat: 1 Time(s)
       /.terracoin/wallet.dat: 1 Time(s)
       /365coin.7z: 1 Time(s)
       /365coin.bkp: 1 Time(s)
       /365coin.bz2: 1 Time(s)
       /365coin.conf: 1 Time(s)
       /365coin.dump: 1 Time(s)
       /365coin.gz: 1 Time(s)
       /365coin.lzma: 1 Time(s)
       /365coin.rar: 1 Time(s)
       /365coin.tar: 1 Time(s)
       /365coin.tar.bz: 1 Time(s)
       /365coin.tar.bz2: 1 Time(s)
       /365coin.tar.gz: 1 Time(s)
       /365coin.tar.lzma: 1 Time(s)
       /365coin.tar.xz: 1 Time(s)
       /365coin.tbz: 1 Time(s)
       /365coin.tbz2: 1 Time(s)
       /365coin.tgz: 1 Time(s)
       /365coin.txz: 1 Time(s)
       /365coin.xz: 1 Time(s)
       /365coin.zip: 1 Time(s)
       /_wallet.dat: 1 Time(s)
       /a%3E: 1 Time(s)
       /backup.wallet.7z: 1 Time(s)
       /backup.wallet.bkp: 1 Time(s)
       /backup.wallet.bz2: 1 Time(s)
       /backup.wallet.dump: 1 Time(s)
       /backup.wallet.gz: 1 Time(s)
       /backup.wallet.lzma: 1 Time(s)
       /backup.wallet.rar: 1 Time(s)
       /backup.wallet.tar: 1 Time(s)
       /backup.wallet.tar.bz: 1 Time(s)
       /backup.wallet.tar.bz2: 1 Time(s)
       /backup.wallet.tar.gz: 1 Time(s)
       /backup.wallet.tar.lzma: 1 Time(s)
       /backup.wallet.tar.xz: 1 Time(s)
       /backup.wallet.tbz: 1 Time(s)
       /backup.wallet.tbz2: 1 Time(s)
       /backup.wallet.tgz: 1 Time(s)
       /backup.wallet.txz: 1 Time(s)
       /backup.wallet.xz: 1 Time(s)
       /backup.wallet.zip: 1 Time(s)
       /backup/wallet.dat: 1 Time(s)
       /backups/wallet.dat: 1 Time(s)
       /bfgminer.7z: 1 Time(s)
       /bfgminer.bkp: 1 Time(s)
       /bfgminer.bz2: 1 Time(s)
       /bfgminer.conf: 1 Time(s)
       /bfgminer.dump: 1 Time(s)
       /bfgminer.gz: 1 Time(s)
       /bfgminer.lzma: 1 Time(s)
       /bfgminer.rar: 1 Time(s)
       /bfgminer.tar: 1 Time(s)
       /bfgminer.tar.bz: 1 Time(s)
       /bfgminer.tar.bz2: 1 Time(s)
       /bfgminer.tar.gz: 1 Time(s)
       /bfgminer.tar.lzma: 1 Time(s)
       /bfgminer.tar.xz: 1 Time(s)
       /bfgminer.tbz: 1 Time(s)
       /bfgminer.tbz2: 1 Time(s)
       /bfgminer.tgz: 1 Time(s)
       /bfgminer.txz: 1 Time(s)
       /bfgminer.xz: 1 Time(s)
       /bfgminer.zip: 1 Time(s)
       /bitcoin.7z: 1 Time(s)
       /bitcoin.bkp: 1 Time(s)
       /bitcoin.bz2: 1 Time(s)
       /bitcoin.conf: 1 Time(s)
       /bitcoin.dat: 1 Time(s)
       /bitcoin.dump: 1 Time(s)
       /bitcoin.gz: 1 Time(s)
       /bitcoin.lzma: 1 Time(s)
       /bitcoin.rar: 1 Time(s)
       /bitcoin.tar: 1 Time(s)
       /bitcoin.tar.bz: 1 Time(s)
       /bitcoin.tar.bz2: 1 Time(s)
       /bitcoin.tar.gz: 1 Time(s)
       /bitcoin.tar.lzma: 1 Time(s)
       /bitcoin.tar.xz: 1 Time(s)
       /bitcoin.tbz: 1 Time(s)
       /bitcoin.tbz2: 1 Time(s)
       /bitcoin.tgz: 1 Time(s)
       /bitcoin.txz: 1 Time(s)
       /bitcoin.xz: 1 Time(s)
       /bitcoin.zip: 1 Time(s)
       /bitcoin01.dat: 1 Time(s)
       /bitcoind.7z: 1 Time(s)
       /bitcoind.bkp: 1 Time(s)
       /bitcoind.bz2: 1 Time(s)
       /bitcoind.dump: 1 Time(s)
       /bitcoind.gz: 1 Time(s)
       /bitcoind.lzma: 1 Time(s)
       /bitcoind.rar: 1 Time(s)
       /bitcoind.tar: 1 Time(s)
       /bitcoind.tar.bz: 1 Time(s)
       /bitcoind.tar.bz2: 1 Time(s)
       /bitcoind.tar.gz: 1 Time(s)
       /bitcoind.tar.lzma: 1 Time(s)
       /bitcoind.tar.xz: 1 Time(s)
       /bitcoind.tbz: 1 Time(s)
       /bitcoind.tbz2: 1 Time(s)
       /bitcoind.tgz: 1 Time(s)
       /bitcoind.txz: 1 Time(s)
       /bitcoind.xz: 1 Time(s)
       /bitcoind.zip: 1 Time(s)
       /blockchain.7z: 1 Time(s)
       /blockchain.bkp: 1 Time(s)
       /blockchain.bz2: 1 Time(s)
       /blockchain.dump: 1 Time(s)
       /blockchain.gz: 1 Time(s)
       /blockchain.lzma: 1 Time(s)
       /blockchain.rar: 1 Time(s)
       /blockchain.tar: 1 Time(s)
       /blockchain.tar.bz: 1 Time(s)
       /blockchain.tar.bz2: 1 Time(s)
       /blockchain.tar.gz: 1 Time(s)
       /blockchain.tar.lzma: 1 Time(s)
       /blockchain.tar.xz: 1 Time(s)
       /blockchain.tbz: 1 Time(s)
       /blockchain.tbz2: 1 Time(s)
       /blockchain.tgz: 1 Time(s)
       /blockchain.txz: 1 Time(s)
       /blockchain.xz: 1 Time(s)
       /blockchain.zip: 1 Time(s)
       /browserconfig.xml: 1 Time(s)
       /btc.7z: 1 Time(s)
       /btc.bkp: 1 Time(s)
       /btc.bz2: 1 Time(s)
       /btc.dat: 1 Time(s)
       /btc.dump: 1 Time(s)
       /btc.gz: 1 Time(s)
       /btc.lzma: 1 Time(s)
       /btc.rar: 1 Time(s)
       /btc.tar: 1 Time(s)
       /btc.tar.bz: 1 Time(s)
       /btc.tar.bz2: 1 Time(s)
       /btc.tar.gz: 1 Time(s)
       /btc.tar.lzma: 1 Time(s)
       /btc.tar.xz: 1 Time(s)
       /btc.tbz: 1 Time(s)
       /btc.tbz2: 1 Time(s)
       /btc.tgz: 1 Time(s)
       /btc.txz: 1 Time(s)
       /btc.xz: 1 Time(s)
       /btc.zip: 1 Time(s)
       /cgminer.7z: 1 Time(s)
       /cgminer.bkp: 1 Time(s)
       /cgminer.bz2: 1 Time(s)
       /cgminer.conf: 1 Time(s)
       /cgminer.dump: 1 Time(s)
       /cgminer.gz: 1 Time(s)
       /cgminer.lzma: 1 Time(s)
       /cgminer.rar: 1 Time(s)
       /cgminer.tar: 1 Time(s)
       /cgminer.tar.bz: 1 Time(s)
       /cgminer.tar.bz2: 1 Time(s)
       /cgminer.tar.gz: 1 Time(s)
       /cgminer.tar.lzma: 1 Time(s)
       /cgminer.tar.xz: 1 Time(s)
       /cgminer.tbz: 1 Time(s)
       /cgminer.tbz2: 1 Time(s)
       /cgminer.tgz: 1 Time(s)
       /cgminer.txz: 1 Time(s)
       /cgminer.xz: 1 Time(s)
       /cgminer.zip: 1 Time(s)
       /checknfurl123: 1 Time(s)
       /coin.7z: 1 Time(s)
       /coin.bkp: 1 Time(s)
       /coin.bz2: 1 Time(s)
       /coin.dat: 1 Time(s)
       /coin.dump: 1 Time(s)
       /coin.gz: 1 Time(s)
       /coin.lzma: 1 Time(s)
       /coin.rar: 1 Time(s)
       /coin.tar: 1 Time(s)
       /coin.tar.bz: 1 Time(s)
       /coin.tar.bz2: 1 Time(s)
       /coin.tar.gz: 1 Time(s)
       /coin.tar.lzma: 1 Time(s)
       /coin.tar.xz: 1 Time(s)
       /coin.tbz: 1 Time(s)
       /coin.tbz2: 1 Time(s)
       /coin.tgz: 1 Time(s)
       /coin.txz: 1 Time(s)
       /coin.xz: 1 Time(s)
       /coin.zip: 1 Time(s)
       /coins.7z: 1 Time(s)
       /coins.bkp: 1 Time(s)
       /coins.bz2: 1 Time(s)
       /coins.dat: 1 Time(s)
       /coins.dump: 1 Time(s)
       /coins.gz: 1 Time(s)
       /coins.lzma: 1 Time(s)
       /coins.rar: 1 Time(s)
       /coins.tar: 1 Time(s)
       /coins.tar.bz: 1 Time(s)
       /coins.tar.bz2: 1 Time(s)
       /coins.tar.gz: 1 Time(s)
       /coins.tar.lzma: 1 Time(s)
       /coins.tar.xz: 1 Time(s)
       /coins.tbz: 1 Time(s)
       /coins.tbz2: 1 Time(s)
       /coins.tgz: 1 Time(s)
       /coins.txz: 1 Time(s)
       /coins.xz: 1 Time(s)
       /coins.zip: 1 Time(s)
       /feathercoin.conf: 1 Time(s)
       /litecoin.7z: 1 Time(s)
       /litecoin.bkp: 1 Time(s)
       /litecoin.bz2: 1 Time(s)
       /litecoin.conf: 1 Time(s)
       /litecoin.dat: 1 Time(s)
       /litecoin.dump: 1 Time(s)
       /litecoin.gz: 1 Time(s)
       /litecoin.lzma: 1 Time(s)
       /litecoin.rar: 1 Time(s)
       /litecoin.tar: 1 Time(s)
       /litecoin.tar.bz: 1 Time(s)
       /litecoin.tar.bz2: 1 Time(s)
       /litecoin.tar.gz: 1 Time(s)
       /litecoin.tar.lzma: 1 Time(s)
       /litecoin.tar.xz: 1 Time(s)
       /litecoin.tbz: 1 Time(s)
       /litecoin.tbz2: 1 Time(s)
       /litecoin.tgz: 1 Time(s)
       /litecoin.txz: 1 Time(s)
       /litecoin.xz: 1 Time(s)
       /litecoin.zip: 1 Time(s)
       /money.7z: 1 Time(s)
       /money.bkp: 1 Time(s)
       /money.bz2: 1 Time(s)
       /money.dump: 1 Time(s)
       /money.gz: 1 Time(s)
       /money.lzma: 1 Time(s)
       /money.rar: 1 Time(s)
       /money.tar: 1 Time(s)
       /money.tar.bz: 1 Time(s)
       /money.tar.bz2: 1 Time(s)
       /money.tar.gz: 1 Time(s)
       /money.tar.lzma: 1 Time(s)
       /money.tar.xz: 1 Time(s)
       /money.tbz: 1 Time(s)
       /money.tbz2: 1 Time(s)
       /money.tgz: 1 Time(s)
       /money.txz: 1 Time(s)
       /money.xz: 1 Time(s)
       /money.zip: 1 Time(s)
       /namecoin.7z: 1 Time(s)
       /namecoin.bkp: 1 Time(s)
       /namecoin.bz2: 1 Time(s)
       /namecoin.conf: 1 Time(s)
       /namecoin.dat: 1 Time(s)
       /namecoin.dump: 1 Time(s)
       /namecoin.gz: 1 Time(s)
       /namecoin.lzma: 1 Time(s)
       /namecoin.rar: 1 Time(s)
       /namecoin.tar: 1 Time(s)
       /namecoin.tar.bz: 1 Time(s)
       /namecoin.tar.bz2: 1 Time(s)
       /namecoin.tar.gz: 1 Time(s)
       /namecoin.tar.lzma: 1 Time(s)
       /namecoin.tar.xz: 1 Time(s)
       /namecoin.tbz: 1 Time(s)
       /namecoin.tbz2: 1 Time(s)
       /namecoin.tgz: 1 Time(s)
       /namecoin.txz: 1 Time(s)
       /namecoin.xz: 1 Time(s)
       /namecoin.zip: 1 Time(s)
       /novacoin.7z: 1 Time(s)
       /novacoin.bkp: 1 Time(s)
       /novacoin.bz2: 1 Time(s)
       /novacoin.conf: 1 Time(s)
       /novacoin.dump: 1 Time(s)
       /novacoin.gz: 1 Time(s)
       /novacoin.lzma: 1 Time(s)
       /novacoin.rar: 1 Time(s)
       /novacoin.tar: 1 Time(s)
       /novacoin.tar.bz: 1 Time(s)
       /novacoin.tar.bz2: 1 Time(s)
       /novacoin.tar.gz: 1 Time(s)
       /novacoin.tar.lzma: 1 Time(s)
       /novacoin.tar.xz: 1 Time(s)
       /novacoin.tbz: 1 Time(s)
       /novacoin.tbz2: 1 Time(s)
       /novacoin.tgz: 1 Time(s)
       /novacoin.txz: 1 Time(s)
       /novacoin.xz: 1 Time(s)
       /novacoin.zip: 1 Time(s)
       /ppcoin.7z: 1 Time(s)
       /ppcoin.bkp: 1 Time(s)
       /ppcoin.bz2: 1 Time(s)
       /ppcoin.conf: 1 Time(s)
       /ppcoin.dump: 1 Time(s)
       /ppcoin.gz: 1 Time(s)
       /ppcoin.lzma: 1 Time(s)
       /ppcoin.rar: 1 Time(s)
       /ppcoin.tar: 1 Time(s)
       /ppcoin.tar.bz: 1 Time(s)
       /ppcoin.tar.bz2: 1 Time(s)
       /ppcoin.tar.gz: 1 Time(s)
       /ppcoin.tar.lzma: 1 Time(s)
       /ppcoin.tar.xz: 1 Time(s)
       /ppcoin.tbz: 1 Time(s)
       /ppcoin.tbz2: 1 Time(s)
       /ppcoin.tgz: 1 Time(s)
       /ppcoin.txz: 1 Time(s)
       /ppcoin.xz: 1 Time(s)
       /ppcoin.zip: 1 Time(s)
       /primecoin.7z: 1 Time(s)
       /primecoin.bkp: 1 Time(s)
       /primecoin.bz2: 1 Time(s)
       /primecoin.conf: 1 Time(s)
       /primecoin.dump: 1 Time(s)
       /primecoin.gz: 1 Time(s)
       /primecoin.lzma: 1 Time(s)
       /primecoin.rar: 1 Time(s)
       /primecoin.tar: 1 Time(s)
       /primecoin.tar.bz: 1 Time(s)
       /primecoin.tar.bz2: 1 Time(s)
       /primecoin.tar.gz: 1 Time(s)
       /primecoin.tar.lzma: 1 Time(s)
       /primecoin.tar.xz: 1 Time(s)
       /primecoin.tbz: 1 Time(s)
       /primecoin.tbz2: 1 Time(s)
       /primecoin.tgz: 1 Time(s)
       /primecoin.txz: 1 Time(s)
       /primecoin.xz: 1 Time(s)
       /primecoin.zip: 1 Time(s)
       /robots.txt: 1 Time(s)
       /terracoin.conf: 1 Time(s)
       /w.7z: 1 Time(s)
       /w.bkp: 1 Time(s)
       /w.bz2: 1 Time(s)
       /w.dat: 1 Time(s)
       /w.dump: 1 Time(s)
       /w.gz: 1 Time(s)
       /w.lzma: 1 Time(s)
       /w.rar: 1 Time(s)
       /w.tar: 1 Time(s)
       /w.tar.bz: 1 Time(s)
       /w.tar.bz2: 1 Time(s)
       /w.tar.gz: 1 Time(s)
       /w.tar.lzma: 1 Time(s)
       /w.tar.xz: 1 Time(s)
       /w.tbz: 1 Time(s)
       /w.tbz2: 1 Time(s)
       /w.tgz: 1 Time(s)
       /w.txz: 1 Time(s)
       /w.xz: 1 Time(s)
       /w.zip: 1 Time(s)
       /wallet.7z: 1 Time(s)
       /wallet.bkp: 1 Time(s)
       /wallet.bz2: 1 Time(s)
       /wallet.dat: 1 Time(s)
       /wallet.dat_: 1 Time(s)
       /wallet.dump: 1 Time(s)
       /wallet.gz: 1 Time(s)
       /wallet.lzma: 1 Time(s)
       /wallet.old.7z: 1 Time(s)
       /wallet.old.bkp: 1 Time(s)
       /wallet.old.bz2: 1 Time(s)
       /wallet.old.dump: 1 Time(s)
       /wallet.old.gz: 1 Time(s)
       /wallet.old.lzma: 1 Time(s)
       /wallet.old.rar: 1 Time(s)
       /wallet.old.tar: 1 Time(s)
       /wallet.old.tar.bz: 1 Time(s)
       /wallet.old.tar.bz2: 1 Time(s)
       /wallet.old.tar.gz: 1 Time(s)
       /wallet.old.tar.lzma: 1 Time(s)
       /wallet.old.tar.xz: 1 Time(s)
       /wallet.old.tbz: 1 Time(s)
       /wallet.old.tbz2: 1 Time(s)
       /wallet.old.tgz: 1 Time(s)
       /wallet.old.txz: 1 Time(s)
       /wallet.old.xz: 1 Time(s)
       /wallet.old.zip: 1 Time(s)
       /wallet.rar: 1 Time(s)
       /wallet.tar: 1 Time(s)
       /wallet.tar.bz: 1 Time(s)
       /wallet.tar.bz2: 1 Time(s)
       /wallet.tar.gz: 1 Time(s)
       /wallet.tar.lzma: 1 Time(s)
       /wallet.tar.xz: 1 Time(s)
       /wallet.tbz: 1 Time(s)
       /wallet.tbz2: 1 Time(s)
       /wallet.tgz: 1 Time(s)
       /wallet.txz: 1 Time(s)
       /wallet.xz: 1 Time(s)
       /wallet.zip: 1 Time(s)
       /wallet/wallet.dat: 1 Time(s)
       /wallet_dat: 1 Time(s)
       /wallets.7z: 1 Time(s)
       /wallets.bkp: 1 Time(s)
       /wallets.bz2: 1 Time(s)
       /wallets.dump: 1 Time(s)
       /wallets.gz: 1 Time(s)
       /wallets.lzma: 1 Time(s)
       /wallets.rar: 1 Time(s)
       /wallets.tar: 1 Time(s)
       /wallets.tar.bz: 1 Time(s)
       /wallets.tar.bz2: 1 Time(s)
       /wallets.tar.gz: 1 Time(s)
       /wallets.tar.lzma: 1 Time(s)
       /wallets.tar.xz: 1 Time(s)
       /wallets.tbz: 1 Time(s)
       /wallets.tbz2: 1 Time(s)
       /wallets.tgz: 1 Time(s)
       /wallets.txz: 1 Time(s)
       /wallets.xz: 1 Time(s)
       /wallets.zip: 1 Time(s)
       /wallets/wallet.dat: 1 Time(s)
       /wp-login.php: 1 Time(s)
We don't use Bitcoin but these morons just p**s me off!

Last edited by unSpawn; 06-22-2014 at 03:42 AM. Reason: //Add vBB code tags
 
Old 06-22-2014, 03:52 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,406
Blog Entries: 55

Rep: Reputation: 3578
Quote:
Originally Posted by baldur2630
Does anyone have a solution for stopping this similar to phpmyadmin attacks?
Saying "similar" suggests you already have a way you block PMA scans.
So why shouldn't that method apply here?
Else see mod_security or fail2ban or equivalent.


Quote:
Originally Posted by baldur2630
We don't use Bitcoin but these morons just p**s me off!
Oh come on, that's not a real problem (and even less something to be pissed off about given the amount of scans one sees on a daily basis): they're in your log once and since it's a non-existent URI they get 404s back. Only a problem if they got 200's back or if you get visited by hundreds of unique IP addresses scanning for the same.
 
Old 06-22-2014, 04:08 AM   #3
baldur2630
Member
 
Registered: Jan 2007
Location: Belgium
Distribution: CentOS & Ubuntu
Posts: 132

Original Poster
Rep: Reputation: 17
I tried Fail2Ban several times, but I've never got it to work other than for SSH.

I find it a great shame that Americans have nothing better to do than to try to commit computer fraud. Almost every would-be hacker seems to be from the USA! I got almost 60 blocked IP Addresses for spam yesterday all from the USA and UK.

Canada brags that spam is illegal, yet the amount of blocked Canadian spam IP addresses has actually INCREASED, same in Europe since the EU made spam illegal. Like the spammers and hackers are giving them all the one-finger salute.

If it's true that these people are supposedly 'victims' and they don't realize that they are part of a spam / hacker-bot, they must be the dumbest on planet earth!
 
1 members found this post helpful.
Old 06-22-2014, 05:55 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,406
Blog Entries: 55

Rep: Reputation: 3578
Quote:
Originally Posted by baldur2630
I tried Fail2Ban several times, but I've never got it to work other than for SSH.
That info doesn't help me help you. Please post details of what configuration you actually tried, how you tested it and what the results were.

BTW please don't rant. If you want to rant please post in your own LQ web log or see /General.
 
Old 06-22-2014, 08:37 AM   #5
cwizardone
Senior Member
 
Registered: Feb 2007
Distribution: Slackware64-current with "True Multilib" & Xfce.
Posts: 4,725
Blog Entries: 1

Rep: Reputation: 2087
Quote:
Originally Posted by baldur2630
...I find it a great shame that Americans have nothing better to do than to try to commit computer fraud. Almost every would-be hacker seems to be from the USA!...
Figures, you're Belgian. This "let's blame everything on the Americans" attitude is often seen on the expat boards where almost every bald-headed, tattooed, Belgian lager lout thinks he is an expert on everything American. How is that for an uninformed, bigoted statement?

Actually, on the board where I'm a system administrator, better than 90% of our "troubles" come from China and Russia, more Russian than anything else.

Last edited by cwizardone; 06-22-2014 at 08:43 AM.
 
Old 06-22-2014, 11:07 AM   #6
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
baldur:
I have a very simple fail2ban walk-through if you care to have a look on my blog here at LQ.
Most of this nonsense can be stopped on the very first try using fail2ban
eg: custom filter with custom action:
Code:
cp /etc/fail2ban/action.d/iptables.conf /etc/fail2ban/action.d/bitcoin.conf
This is the same action that the default ssh jail uses.

in jail.local:
Code:
[bitcoin]

enabled  = true
filter   = bitcoin
# iptables.conf bans on a single port (it uses --dport <port>); for a port
# list like "http,https" copy iptables-multiport.conf as the action template
# instead, since that one uses -m multiport --dports <port>.
action   = bitcoin[name=bitcoin, port="http,https"]
maxretry = 1
logpath  = /path/to/your/http_access.log
bantime  = 31556926 ; 1 year in seconds

create /etc/fail2ban/filter.d/bitcoin.conf and add:
Code:
[Definition]

docroot = /var/www/html
badadmin = coin|miner|wallet|blockchain|phpmyadmin
# Option:  failregex
# Notes.:  I will stop bashing Americans when asking for help.
# Values:  TEXT
#
# [^"]* lets the keyword appear anywhere in the request path, so
# /bfgminer.conf, /.bitcoin/wallet.dat and /365coin.conf match as well
# as /wallet.dat; anchoring the keyword right after the leading slash
# would miss most of the paths in the log above.
failregex = ^<HOST> .*"GET \/[^"]*(?:%(badadmin)s)
            ^<HOST> .*"POST \/[^"]*(?:%(badadmin)s)

ignoreregex =
Check the regex using
Code:
fail2ban-regex /path/to/your/http_access.log /etc/fail2ban/filter.d/bitcoin.conf
if|when you see "Success, the total number of match is xx" your filter is good to go, else verify.
Restart fail2ban.
NOTE: This will flush your iptables, so save them first.

I hope this American has helped you out.

DO NOT BLINDLY USE THIS without reading either my 2 blog posts on fail2ban or the fail2ban doc|wiki
wrt: "ignoreip = "

Last edited by Habitual; 06-22-2014 at 11:12 AM.
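As an added example (not code from this thread and not part of fail2ban): a short Python script that applies the same keyword filter Habitual's bitcoin.conf uses to Apache combined-log lines, then does the triage unSpawn describes in post #2, counting hits per client address against maxretry and flagging any scanner request that was answered with a 2xx instead of a 404. The failregex is generalised to match the keyword anywhere in the request path, since paths in the original log such as /bfgminer.conf or /.bitcoin/wallet.dat do not begin with one. The log lines, addresses and timestamps are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache "combined" access-log sample (not taken from the thread).
# Addresses are from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jun/2014:03:14:05 +0200] "GET /.bitcoin/wallet.dat HTTP/1.1" 404 208 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jun/2014:03:14:05 +0200] "GET /bfgminer.conf HTTP/1.1" 404 208 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jun/2014:03:14:06 +0200] "GET /wallet.dat HTTP/1.1" 404 208 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Jun/2014:03:20:11 +0200] "GET /backup/wallet.dat HTTP/1.1" 200 1172 "-" "curl/7.35"
192.0.2.44 - - [22/Jun/2014:03:25:00 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [22/Jun/2014:03:25:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3050 "-" "Mozilla/5.0"
"""

# Same keyword list as the thread's filter.d/bitcoin.conf.
BADADMIN = r"coin|miner|wallet|blockchain|phpmyadmin"

# failregex written the way a fail2ban filter file holds it: <HOST> is
# fail2ban's client-address placeholder, %(badadmin)s the ini interpolation.
# The keyword may appear anywhere in the request path ([^"]*), which the
# paths in the original log need.
FAILREGEX = [
    r'^<HOST> .*"(?:GET|POST) \/[^"]*(?:%(badadmin)s)',
]

# Minimal combined-log parser: client, timestamp, request line, status code.
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def compile_failregex(patterns, badadmin=BADADMIN):
    """Mimic fail2ban: interpolate %(badadmin)s, replace <HOST> with an IP group."""
    compiled = []
    for pat in patterns:
        pat = pat % {"badadmin": badadmin}
        pat = pat.replace("<HOST>", r"(?P<host>\S+)")
        compiled.append(re.compile(pat))
    return compiled


def parse_line(line):
    """Return host, request line and integer status, or None for unparsable lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {
        "host": m.group("host"),
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def triage(log_text, maxretry=1):
    """Count filter matches per client; list clients reaching maxretry (what the
    jail would ban) and clients whose scanner request got a 2xx (the case
    unSpawn says is the real problem)."""
    regexes = compile_failregex(FAILREGEX)
    hits = Counter()
    served = defaultdict(list)
    for line in log_text.splitlines():
        if not any(rx.match(line) for rx in regexes):
            continue  # not a scanner request, same as fail2ban ignoring it
        rec = parse_line(line)
        if rec is None:
            continue
        hits[rec["host"]] += 1
        if 200 <= rec["status"] < 300:
            served[rec["host"]].append(rec["request"])
    to_ban = sorted(h for h, n in hits.items() if n >= maxretry)
    return {"hits": dict(hits), "ban": to_ban, "served": dict(served)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, maxretry=1)
    for host, n in sorted(result["hits"].items()):
        print(f"{host}: {n} scanner request(s)")
    print("would ban:", ", ".join(result["ban"]))
    for host, reqs in result["served"].items():
        # A 2xx here means a wallet/config file was actually served: investigate.
        print(f"SERVED 2xx to {host}: {reqs}")
```

With maxretry = 1, as in the jail above, every client that matches once ends up in the ban list; the separate "served" list is the one worth reading first, because a 404 on /wallet.dat is noise while a 200 means something was there to fetch.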
 
Old 06-22-2014, 11:24 AM   #7
baldur2630
Member
 
Registered: Jan 2007
Location: Belgium
Distribution: CentOS & Ubuntu
Posts: 132

Original Poster
Rep: Reputation: 17
CWizardOne Wake up! http://www.spamhaus.org/statistics/countries/

I also have 1342 IP Addresses of would-be hackers!
 
Old 06-22-2014, 11:27 AM   #8
baldur2630
Member
 
Registered: Jan 2007
Location: Belgium
Distribution: CentOS & Ubuntu
Posts: 132

Original Poster
Rep: Reputation: 17
Hi Habitual - Thanks a stack. I'll give your suggestion a try and get back to you. I found a couple of lines to put in the .htaccess file some months ago that stopped all the phpmyadmin kiddies, but it seems it must have been specific to phpmyadmin.
 
Old 06-22-2014, 12:40 PM   #9
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Spam != hackers

I doubt seriously that you have any hacker's IP.
 
Old 06-22-2014, 12:52 PM   #10
baldur2630
Member
 
Registered: Jan 2007
Location: Belgium
Distribution: CentOS & Ubuntu
Posts: 132

Original Poster
Rep: Reputation: 17
I use admin tools and it gives me the IP Address of EVERY hack attempt before it locks them out with .htaccess. It also gives me ALL the info, regarding country, location, ISP, Lat & Lon etc. Even when the 'clever' crooks strip off everything except the IP, I can still locate the country. Once again, most originate from the USA.
 
Old 06-22-2014, 01:49 PM   #11
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,284

Rep: Reputation: 371
Bear in mind that any halfway-decent attacker is probably going through a series of at least 2-3 already-compromised boxes, so the IP where an attack originates from is not necessarily the location where the computer criminal is sitting.
 
Old 06-22-2014, 01:58 PM   #12
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
The real crooks are hiding behind multiple facets of layered insulation.
No real botherder would expose himself by attempting to hack anything directly, when all he has to do is instruct his bot-net to do it for him. These IPs you have are most likely the "victims" you mentioned in
Quote:
Originally Posted by baldur2630
If it's true that these people are supposedly 'victims' and they don't realize that they are part of a spam / hacker-bot, they must be the dumbest on planet earth!
How's the fail2ban coming along?
 
Old 06-22-2014, 02:03 PM   #13
baldur2630
Member
 
Registered: Jan 2007
Location: Belgium
Distribution: CentOS & Ubuntu
Posts: 132

Original Poster
Rep: Reputation: 17
I can show you a list of passwords that attackers try. These have all been picked up by hackers via things like keystroke loggers etc. Funny that they try American passwords even on Dutch sites. If you don't bother to install one of the many FREE virus / root-kit checkers and you use passwords like 'password', 'bonnet', 'redskins', 'broads', 'tits', 'xxx', does it really matter where the real attacker is?

There's a word for people like this . . .
 
Old 06-22-2014, 03:06 PM   #14
baldur2630
Member
 
Registered: Jan 2007
Location: Belgium
Distribution: CentOS & Ubuntu
Posts: 132

Original Poster
Rep: Reputation: 17
Habitual - They don't seem to have a Private Mail here and no contact on your site. Pity. I was going to give you a list of more than 350 pathetic passwords that people use on their PCs. Not surprising that they get taken over by the hackers.

The question is, who to blame, the hacker or the *$%^&$# that uses a password like one of these and has no anti-virus?
 
Old 06-22-2014, 03:18 PM   #15
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
If you spent as much time working on the solution I suggested,
as you do trying to defend your definition of "hacker", "spam", and "victim", you'd be done by now.

How's that going by the way?

Edit:
Quote:
Originally Posted by baldur2630
I was going to give you a list of more than 350 pathetic passwords that people use on their PCs. Not surprising that they get taken over by the hackers.
Don't need them.
They are well documented and used by every dictionary-enabled bot out there.

Last edited by Habitual; 06-22-2014 at 03:21 PM.
 
2 members found this post helpful.