PerlMonks  

Re: Brute Force Attacks

by ZlR (Chaplain)
on Nov 06, 2011 at 10:57 UTC (#936261)


in reply to Brute Force Attacks

I must be missing something because I don't see "exodus" anywhere in the logfile.

If the log file is consistently built like the extract you show, it seems to me that a simple approach would work:

```perl
use strict;
use warnings;

my $login;
my $pass;
my $ip;

for my $line (<DATA>) {
    # Request line: capture the client IP, login and password from the query string
    if ( $line =~ m/^Request: (\d+\.\d+\.\d+\.\d+).*login=(.*)&passwd=([^\s]+)/ ) {
        $ip    = $1;
        $login = $2;
        $pass  = $3;
    }
    # mod_security error line: report the most recently captured request
    elsif ( $line =~ m/^Error: mod_security/ ) {
        print "Attacker : $ip\n";
        print "Login : $login, Password : $pass \n\n";
    }
}

__DATA__
Request: 10.122.11.235 - - [Tue Mar 9 22:27:46 2004] "GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&amp;.tries=1&amp;.src=jpg&amp;.last=&amp;promo=&amp;.intl=us&amp;.bypass=&amp;.partner=&amp;.chkP=Y&amp;.done=http://jpager.yahoo.com/jpager/pager2.shtml&amp;login=loginc&amp;passwd=PASS] for 50000 ms
----------------------------------------
GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS HTTP/1.0
Accept: */*
Accept-Language: en
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
mod_security-action: 200
HTTP/1.0 200 OK
Connection: close
```

Output:

```
Attacker : 10.122.11.235
Login : loginc, Password : PASS
```
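
Added example, not part of ZlR's reply: the same Request/Error pairing extended to a per-source tally over several records, so repeated blocked login attempts from one address stand out. It assumes every record starts with a `Request:` line as in the extract; the sample records, the `login.example` host and the threshold are constructed for illustration, and passwords are deliberately not captured.

```perl
use strict;
use warnings;

# Constructed sample records in the layout of the extract above
# (addresses, host and credentials are made up for this example).
my @log = split /\n/, <<'END';
Request: 10.0.0.5 - - [Tue Mar 9 22:27:46 2004] "GET http://login.example/config/login?.tries=1&login=alice&passwd=aaa HTTP/1.0" 200 566
Error: mod_security: pausing [http://login.example/config/login] for 50000 ms
Request: 10.0.0.5 - - [Tue Mar 9 22:27:47 2004] "GET http://login.example/config/login?.tries=1&login=bob&passwd=bbb HTTP/1.0" 200 566
Error: mod_security: pausing [http://login.example/config/login] for 50000 ms
Request: 10.0.0.9 - - [Tue Mar 9 22:28:01 2004] "GET http://login.example/index.html HTTP/1.0" 200 120
Error: mod_security: pausing [http://login.example/index.html] for 50000 ms
Request: 10.0.0.7 - - [Tue Mar 9 22:29:10 2004] "GET http://login.example/config/login?login=carol&passwd=ccc HTTP/1.0" 200 566
Handler: proxy-server
END

my ( %attempts, %logins );    # per-source counters
my ( $ip, $login );           # fields of the record being read

for my $line (@log) {
    if ( $line =~ /^Request: (\d+\.\d+\.\d+\.\d+) / ) {
        # A new record starts: forget the previous one so a later
        # Error line can never be paired with stale fields.
        ( $ip, $login ) = ( $1, undef );
        # Keep the login name only; the password stays in the log.
        $login = $1 if $line =~ /[?&]login=([^&\s]*)&passwd=\S+/;
    }
    elsif ( $line =~ /^Error: mod_security/ && defined $ip && defined $login ) {
        $attempts{$ip}++;
        $logins{$ip}{$login} = 1;
        $login = undef;       # count each record once
    }
}

my $threshold = 2;            # assumed cut-off for this example
for my $src ( sort { $attempts{$b} <=> $attempts{$a} } keys %attempts ) {
    my $flag = $attempts{$src} >= $threshold ? 'SUSPECT' : 'ok';
    printf "%-15s %3d blocked attempts, %d distinct logins  %s\n",
        $src, $attempts{$src}, scalar( keys %{ $logins{$src} } ), $flag;
}
```

The record from 10.0.0.9 (blocked, but no login parameters) and the one from 10.0.0.7 (login parameters, but no mod_security error) are both left out of the tally.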

