Bash script to find Apache Misfits
There are bad web robots (or crawlers) that scan for vulnerable WordPress admin panels, phpMyAdmin installations, or other popular scripts.
If you've been hit by these bad robots, spiders, or crawlers, your Apache error logs will look something like this:
grep -Hni phpmyadmin /var/log/apache2/error.log
error.log:5442:[Thu Aug 14 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpMyAdmin
error.log:5443:[Thu Aug 14 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpmyadmin
error.log:7080:[Fri Sep 05 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpMyAdmin
error.log:7081:[Fri Sep 05 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpmyadmin
error.log:7232:[Fri Sep 12 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpMyAdmin
error.log:7233:[Fri Sep 12 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpmyadmin
error.log:7351:[Sun Sep 14 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpMyAdmin
error.log:7352:[Sun Sep 14 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpmyadmin
error.log:7365:[Tue Sep 16 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpMyAdmin
error.log:7366:[Tue Sep 16 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpmyadmin
error.log:7371:[Tue Sep 16 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpMyAdmin
error.log:7372:[Tue Sep 16 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpmyadmin
error.log:7494:[Sun Sep 21 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpMyAdmin
error.log:7495:[Sun Sep 21 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpmyadmin
error.log:7505:[Tue Sep 23 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpMyAdmin
error.log:7509:[Wed Sep 24 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpmyadmin
error.log:7562:[Sun Sep 28 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpMyAdmin
error.log:7563:[Sun Sep 28 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpmyadmin
error.log:7593:[Thu Oct 02 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpMyAdmin
error.log:7607:[Fri Oct 03 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpMyAdmin
error.log:7608:[Fri Oct 03 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpmyadmin
error.log:7644:[Sat Oct 04 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpMyAdmin-2.11.3
Here's a section of Apache's error.log from a single attacker:
[Mon May 05 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/BingSiteAuth.xml
[Mon May 05 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/bingsiteauth.xml
[Mon May 05 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/LiveSearchSiteAuth.xml
[Mon May 05 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/muieblackcat
[Mon May 05 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/phpmyadmin
[Mon May 05 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/mysqladmin
[Mon May 05 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/scripts
[Mon May 05 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/websql
[Mon May 05 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/pma
[Mon May 05 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/php
[Mon May 05 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/PHPMYADMIN
[Mon May 05 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/pHpMyAdMiN
[Mon May 05 00:00:00 2014] [error] [client 0.0.0.0] File does not exist: /www/SQL
Have you ever wondered what country these bad robots were connecting from?
Wonder no more!
I wrote a bash script that will geolocate all Apache Misfits in a jiffy*. Unlike many of the ugly solutions at commandlinefu, my script doesn't require you to scrape geoip-lookup websites, so it runs much faster.
Presenting: misfits.sh
You will first need to install geoip-bin from the Debian repositories.
apt-get update && apt-get install geoip-bin
Grab my code:
cd
git clone https://gist.github.com/d77bd25be45c1865ad3b.git
cd d77bd25be45c1865ad3b
chmod +x misfits.sh
Note: You can run this script without being root, but you'll need to make a copy of your Apache error.log.
To run:
Print a long unformatted list from geoiplookup (pretty useless, imho):
./misfits.sh
Example output:
GeoIP Country Edition: JP, Japan
GeoIP Country Edition: CN, China
GeoIP Country Edition: CN, China
GeoIP Country Edition: CN, China
GeoIP Country Edition: CN, China
...
Print a simplified list of stats:
./misfits.sh stats
Example output:
...
7 IN, India
6 TH, Thailand
6 KR, Korea, Republic of
6 HK, Hong Kong
5 ES, Spain
5 CZ, Czech Republic
4 RO, Romania
4 AU, Australia
3 PE, Peru
...
Print the Top Ten Offending Countries:
./misfits.sh top10
Example output:
327 US, United States
191 CN, China
62 IP Address not found
47 RU, Russian Federation
37 NL, Netherlands
28 FR, France
22 UA, Ukraine
21 DE, Germany
11 GB, United Kingdom
9 CA, Canada
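If you'd rather see the mechanics than clone the gist, here is an added example (my own illustration, not the misfits.sh script from the gist) that does the same job in plain POSIX sh: it pulls the client address out of each "File does not exist" line, counts hits per address, and prints the busiest ones, with the geoiplookup step kept in its own function so the counting part runs even without geoip-bin. The sample log lines are constructed, using documentation-range addresses rather than real clients, and go slightly beyond the post by also accepting Apache 2.4's error-log format, which appends the client port and an AH00128 code to the line.

```shell
#!/bin/sh
# Added example, not the author's misfits.sh: pull client addresses out of
# Apache "File does not exist" error-log lines, count hits per address, and
# print the top N. The geoiplookup step is kept in a separate function so the
# counting part runs without geoip-bin installed.

# Constructed sample log (documentation-range addresses, not real clients).
# Mixes Apache 2.2-style lines, as in the post, with one 2.4-style line,
# which appends the client port and an AH00128 code.
SAMPLE_LOG='[Mon May 05 00:00:00 2014] [error] [client 203.0.113.5] File does not exist: /www/phpmyadmin
[Mon May 05 00:00:01 2014] [error] [client 203.0.113.5] File does not exist: /www/pma
[Mon May 05 00:00:02 2014] [error] [client 198.51.100.7] File does not exist: /www/phpMyAdmin
[Mon May 05 00:00:03 2014] [error] [client 203.0.113.5] File does not exist: /www/SQL
[Mon May 05 00:00:04 2014] [error] [client 192.0.2.9] File does not exist: /www/favicon.ico
[Mon May 05 00:00:06 2014] [core:error] [pid 1234] [client 198.51.100.7:51234] AH00128: File does not exist: /www/mysqladmin
[Mon May 05 00:00:07 2014] [notice] Apache/2.2 configured -- resuming normal operations'

# extract_clients: stdin -> one client IPv4 address per "File does not exist" line.
# The bracket expression []:] ends the address at either "]" (2.2) or ":port" (2.4).
extract_clients() {
  sed -n 's/^.*\[client \([0-9.][0-9.]*\)[]:].*File does not exist:.*$/\1/p'
}

# count_clients: stdin -> "count ip" lines, most frequent first.
count_clients() {
  extract_clients | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# top_n: stdin -> the N busiest addresses (default 10, mirroring the post's top10 mode).
top_n() {
  count_clients | head -n "${1:-10}"
}

# top_client: the address with the most hits in the constructed sample.
top_client() {
  printf '%s\n' "$SAMPLE_LOG" | top_n 1 | awk '{ print $2 }'
}

# geo_counts: stdin -> "count CC, Country" lines; needs geoip-bin's geoiplookup,
# whose output looks like "GeoIP Country Edition: US, United States".
geo_counts() {
  extract_clients | while read -r ip; do geoiplookup "$ip"; done \
    | sed 's/^GeoIP Country Edition: //' | sort | uniq -c | sort -rn
}

# Stand-alone run: top three addresses from the sample.
printf '%s\n' "$SAMPLE_LOG" | top_n 3
```

To run it against a real log, replace the sample with `extract_clients < /var/log/apache2/error.log` (or a copy of it, as the note above says, if you're not root), and pipe through `geo_counts` instead of `count_clients` once geoip-bin is installed to get the per-country view the top10 mode prints. Counting per address before looking anything up is also the cheaper order: one geoiplookup per distinct client rather than one per log line.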
Enjoy!
* Actual running time varies, of course, depending on the size of error.log. Here's my running time:
real 0m0.765s
user 0m0.104s
sys 0m0.116s