Beefy Boxes and Bandwidth Generously Provided by pair Networks
Welcome to the Monastery
 
PerlMonks  

Re: Brute Force Attacks

by ZlR (Chaplain)
on Nov 06, 2011 at 10:57 UTC ( [id://936261]=note: print w/replies, xml ) Need Help??


in reply to Brute Force Attacks

I must be missing something because i don't see "exodus" anywhere in the logfile.

If the log file is consistently built like the extract you show, it seems to me that a simple approach would work :

use strict ; use warnings ; my $login ; my $pass ; my $ip ; for my $line (<DATA>) { if ( $line =~ m/^Request: (\d+\.\d+.\d+\.\d+).*login=(.*)&passwd=( +[^\s]+)/ ) { $ip = $1 ; $login = $2 ; $pass = $3 ; } elsif ( $line =~ m/^Error: mod_security/) { print "Attacker : $ip\n" ; print "Login : $login, Password : $pass \n\n" ; } } __DATA__ Request: 10.122.11.235 - - [Tue Mar 9 22:27:46 2004] "GET http://sbc2 +.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src +=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://j +pager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS HTTP/1.0 +" 200 566 Handler: proxy-server Error: mod_security: pausing [http://sbc2.login.dcn.yahoo.com/config/l +ogin?.redir_from=PROFILES?&amp;.tries=1&amp;.src=jpg&amp;.last=&amp;p +romo=&amp;.intl=us&amp;.bypass=&amp;.partner=&amp;.chkP=Y&amp;.done=h +ttp://jpager.yahoo.com/jpager/pager2.shtml&amp;login=loginc&amp;passw +d=PASS] for 50000 ms ---------------------------------------- GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES? +&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y& +.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd +=PASS HTTP/1.0 Accept: */* Accept-Language: en Connection: Keep-Alive mod_security-message: Access denied with code 200. Pattern match "pass +wd=" at THE_REQUEST. mod_security-action: 200 HTTP/1.0 200 OK Connection: close
Output:
Attacker : 10.122.11.235 Login : loginc, Password : PASS

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://936261]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others musing on the Monastery: (3)
As of 2025-02-07 14:33 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    Which URL do you most often use to access this site?












    Results (94 votes). Check out past polls.