This is a discussion on Hacker detection module? within the Apache Web Server forums, part of the Web Server and Related Forums category.
Some entries in my log file show hackers looking for php
vulnerabilities:

216.206.179.136 - - [09/May/2006:11:17:48 -0500] "GET /ads/adxmlrpc.php HTTP/1.0" 404 294 "-" "-"
216.206.179.136 - - [09/May/2006:11:17:48 -0500] "GET /xmlrpc.php HTTP/1.0" 404 288 "-" "-"
216.206.179.136 - - [09/May/2006:11:17:48 -0500] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 295 "-" "-"
216.206.179.136 - - [09/May/2006:11:17:48 -0500] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 295 "-" "-"
216.206.179.136 - - [09/May/2006:11:17:48 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 293 "-" "-"
216.206.179.136 - - [09/May/2006:11:17:49 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 295 "-" "-"
216.206.179.136 - - [09/May/2006:11:17:49 -0500] "GET /community/xmlrpc.php HTTP/1.0" 404 298 "-" "-"
216.206.179.136 - - [09/May/2006:11:17:49 -0500] "GET /blogs/xmlrpc.php HTTP/1.0" 404 294 "-" "-"
216.206.179.136 - - [09/May/2006:11:17:49 -0500] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 301 "-" "-"
216.206.179.136 - - [09/May/2006:11:17:49 -0500] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 300 "-" "-"
216.206.179.136 - - [09/May/2006:11:17:50 -0500] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 304 "-" "-"
216.206.179.136 - - [09/May/2006:11:17:50 -0500] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 298 "-" "-"
216.206.179.136 - - [09/May/2006:11:17:50 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 301 "-" "-"
216.206.179.136 - - [09/May/2006:11:17:50 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 298 "-" "-"
216.206.179.136 - - [09/May/2006:11:17:50 -0500] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 301 "-" "-"

Is there some way (a module perhaps) to quickly detect such hack attacks and block the IP?

i
write a script that you run in your crontab that rips out the ip addresses
of requests that match a certain string, email them to you and then you would need to add them into your firewall..

Andrew

"Ignoramus19605" <ignoramus19605@NOSPAM.19605.invalid> wrote in message news:du38g.31035$j33.10410@fe84.usenetserver.com...
> Some entries in my log file show hackers looking for php
> vulnerabilities:
>
> [log excerpt quoted from the original post above]
>
> Is there some way (a module perhaps) to quickly detect such hack attacks and block the IP?
>
> i
On Thu, 11 May 2006 12:49:56 +1000, Andrew Kenna <akenna@westnet.com.au> wrote:
> write a script that you run in your crontab that rips out the ip addresses
> of requests that match a certain string, email them to you and then you
> would need to add them into your firewall..

I want it to work much faster than that, there is no point in blocking those IPs many minutes after attacks already occurred. I will just write a tailing perl script, I think, that would tail /var/log/httpd/access_log and match patterns.

i

> Andrew
>
> "Ignoramus19605" <ignoramus19605@NOSPAM.19605.invalid> wrote in message
> news:du38g.31035$j33.10410@fe84.usenetserver.com...
>> [original post quoted above, log excerpt omitted]
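The detection both posters describe (match a probe pattern in access_log, pick out the source IP, hand it to the firewall), as an added example that is not code from the thread: a sliding-window detector over Apache combined-format log lines that flags an IP only after several 404s on xmlrpc.php probe paths within a short window, so a visitor who merely follows one stale link is not blocked. It is written in Python rather than the Perl the poster mentions, and the log lines and IP addresses below are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One Apache common/combined log line: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Probe signature from the thread: requests for xmlrpc.php under any prefix
PROBE_RE = re.compile(r'xmlrpc\.php$')

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def find_scanners(lines, threshold=5, window_seconds=60):
    """Per-IP sliding window: flag an IP once it has produced `threshold` 404s on
    probe paths within `window_seconds`. Returns {ip: time the threshold was crossed}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if status != 404 or not PROBE_RE.search(path):
            continue  # an ordinary 404 on a normal page is not a probe
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample: one scanner (203.0.113.7) and one ordinary visitor (198.51.100.9)
SAMPLE_LOG = [
    '203.0.113.7 - - [09/May/2006:11:17:48 -0500] "GET /xmlrpc.php HTTP/1.0" 404 288 "-" "-"',
    '203.0.113.7 - - [09/May/2006:11:17:48 -0500] "GET /blog/xmlrpc.php HTTP/1.0" 404 293 "-" "-"',
    '203.0.113.7 - - [09/May/2006:11:17:49 -0500] "GET /drupal/xmlrpc.php HTTP/1.0" 404 295 "-" "-"',
    '198.51.100.9 - - [09/May/2006:11:17:49 -0500] "GET /old-page.html HTTP/1.1" 404 290 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/May/2006:11:17:50 -0500] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 298 "-" "-"',
    '203.0.113.7 - - [09/May/2006:11:17:50 -0500] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 301 "-" "-"',
]

if __name__ == "__main__":
    for ip, ts in find_scanners(SAMPLE_LOG).items():
        print(f"block {ip} (threshold crossed at {ts.isoformat()})")
```

To run it against a live server, feed `find_scanners` the lines from a `tail -F` of access_log and pass each flagged IP to the firewall rule of your choice.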
On 2006-05-11 04:49:56 +0200, "Andrew Kenna" <akenna@westnet.com.au> said:
> write a script that you run in your crontab that rips out the ip addresses
> of requests that match a certain string, email them to you and then you
> would need to add them into your firewall..
>
> Andrew
>
> [original post quoted above, log excerpt omitted]

write an email to : abuse@qwest.net qwest communications corp and tell them that someone is using their server for hacking....