
Re: Brute Force Attacks

by ZlR (Chaplain)
on Nov 06, 2011 at 10:57 UTC (#936261)

in reply to Brute Force Attacks

I must be missing something because I don't see "exodus" anywhere in the logfile.

If the log file is consistently built like the extract you show, it seems to me that a simple approach would work:

```perl
use strict ;
use warnings ;

my $login ;
my $pass ;
my $ip ;

for my $line (<DATA>) {
    if ( $line =~ m/^Request: (\d+\.\d+.\d+\.\d+).*login=(.*)&passwd=([^\s]+)/ ) {
        $ip    = $1 ;
        $login = $2 ;
        $pass  = $3 ;
    }
    elsif ( $line =~ m/^Error: mod_security/ ) {
        print "Attacker : $ip\n" ;
        print "Login : $login, Password : $pass \n\n" ;
    }
}

__DATA__
Request: - - [Tue Mar 9 22:27:46 2004] "GET http://sbc2=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://j HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [ogin?.redir_from=PROFILES?&amp;.tries=1&amp;.src=jpg&amp;.last=&amp;promo=&amp;.intl=us&amp;.bypass=&amp;.partner=&amp;.chkP=Y&amp;.done=http://;login=loginc&amp;passwd=PASS] for 50000 ms
----------------------------------------
GET&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done==PASS HTTP/1.0
Accept: */*
Accept-Language: en
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
mod_security-action: 200
HTTP/1.0 200 OK
Connection: close
```
```
Attacker :
Login : loginc, Password : PASS
```
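The reply above extracts one attacker/login pair per blocked request; for spotting a brute-force pattern the useful next step is to tally attempts per source address. The script below is an added example (not ZlR's code and not from the original thread): it parses mod_security-style "Request:" lines, counts attempts and the distinct login names tried per address, and reports addresses at or above a threshold. It skips lines whose address has been redacted (like the "- -" line in the posted extract), accepts both "&" and ";" as parameter separators (the posted log uses both), and deliberately never records the password value. The threshold, the hostnames and the log lines under __DATA__ are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example (not the reply's code): count login attempts per source
# address in mod_security-style "Request:" lines and report the sources
# that exceed a threshold. Passwords are deliberately not recorded.
# The log lines under __DATA__ are constructed samples, not real traffic.

my $THRESHOLD = 3;    # attempts from one address before it is reported (assumed)

# Parse one "Request:" line into { ip, when, login }, or return undef
# for anything else (other audit-log lines, or a line with a redacted address).
sub parse_request_line {
    my ($line) = @_;
    return unless $line =~ m{^Request:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+-\s+-\s+\[([^\]]+)\]\s+"\w+\s+(\S+)};
    my ($ip, $when, $url) = ($1, $2, $3);
    # The posted log separates parameters with & or ; so accept both.
    my ($login) = $url =~ m{[?&;]login=([^&;\s]*)};
    return unless defined $login;
    return { ip => $ip, when => $when, login => $login };
}

# Tally attempts and the distinct login names tried, keyed by source address.
sub count_attempts {
    my @lines = @_;
    my %per_ip;
    for my $line (@lines) {
        my $r = parse_request_line($line) or next;
        $per_ip{ $r->{ip} }{count}++;
        $per_ip{ $r->{ip} }{logins}{ $r->{login} }++;
        $per_ip{ $r->{ip} }{last_seen} = $r->{when};
    }
    return \%per_ip;
}

# Addresses with at least $threshold attempts, sorted for stable output.
sub suspicious_sources {
    my ($per_ip, $threshold) = @_;
    return grep { $per_ip->{$_}{count} >= $threshold } sort keys %$per_ip;
}

my @lines = <DATA>;
chomp @lines;
my $per_ip = count_attempts(@lines);
for my $ip ( suspicious_sources($per_ip, $THRESHOLD) ) {
    my $logins = join ', ', sort keys %{ $per_ip->{$ip}{logins} };
    printf "%s: %d attempts, logins tried: %s (last seen %s)\n",
        $ip, $per_ip->{$ip}{count}, $logins, $per_ip->{$ip}{last_seen};
}

__DATA__
Request: 192.0.2.10 - - [Tue Mar  9 22:27:46 2004] "GET http://login.example/login?.tries=1&login=loginc&passwd=REDACTED HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [login?.tries=1;login=loginc&amp;passwd=REDACTED] for 50000 ms
Request: 192.0.2.10 - - [Tue Mar  9 22:27:47 2004] "GET http://login.example/login?.tries=2&login=loginc&passwd=REDACTED HTTP/1.0" 200 566
Request: 192.0.2.10 - - [Tue Mar  9 22:27:49 2004] "GET http://login.example/login?.tries=3&login=admin&passwd=REDACTED HTTP/1.0" 200 566
Request: 198.51.100.7 - - [Tue Mar  9 22:30:01 2004] "GET http://login.example/login?login=alice&passwd=REDACTED HTTP/1.0" 200 566
Request: - - [Tue Mar  9 22:31:15 2004] "GET http://login.example/login?login=bob&passwd=REDACTED HTTP/1.0" 200 566
```

Run as-is it reports only 192.0.2.10 (three attempts against two login names); the single request from 198.51.100.7 stays under the threshold and the redacted-address line is skipped rather than producing an empty "Attacker :" field. To use it on a real audit log, replace the __DATA__ block with a filehandle on the log and pick a threshold that fits the site's normal failed-login rate.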
