Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine

Re: Brute Force Attacks

by ZlR (Chaplain)
on Nov 06, 2011 at 10:57 UTC ( #936261=note: print w/replies, xml ) Need Help??

in reply to Brute Force Attacks

I must be missing something because i don't see "exodus" anywhere in the logfile.

If the log file is consistently built like the extract you show, it seems to me that a simple approach would work :

use strict ; use warnings ; my $login ; my $pass ; my $ip ; for my $line (<DATA>) { if ( $line =~ m/^Request: (\d+\.\d+.\d+\.\d+).*login=(.*)&passwd=( +[^\s]+)/ ) { $ip = $1 ; $login = $2 ; $pass = $3 ; } elsif ( $line =~ m/^Error: mod_security/) { print "Attacker : $ip\n" ; print "Login : $login, Password : $pass \n\n" ; } } __DATA__ Request: - - [Tue Mar 9 22:27:46 2004] "GET http://sbc2 +=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://j HTTP/1.0 +" 200 566 Handler: proxy-server Error: mod_security: pausing [ +ogin?.redir_from=PROFILES?&amp;.tries=1&amp;.src=jpg&amp;.last=&amp;p +romo=&amp;.intl=us&amp;.bypass=&amp;.partner=&amp;.chkP=Y&amp;.done=h +ttp://;login=loginc&amp;passw +d=PASS] for 50000 ms ---------------------------------------- GET +&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y& +.done= +=PASS HTTP/1.0 Accept: */* Accept-Language: en Connection: Keep-Alive mod_security-message: Access denied with code 200. Pattern match "pass +wd=" at THE_REQUEST. mod_security-action: 200 HTTP/1.0 200 OK Connection: close
Attacker : Login : loginc, Password : PASS

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://936261]
[MidLifeXis]: Beer o'clock. Have a good weekend all. o/

How do I use this? | Other CB clients
Other Users?
Others making s'mores by the fire in the courtyard of the Monastery: (9)
As of 2017-02-24 22:43 GMT
Find Nodes?
    Voting Booth?
    Before electricity was invented, what was the Electric Eel called?

    Results (364 votes). Check out past polls.