Get back at exploit crawler – Digitalmunition




Home Forums Get back at exploit crawler

This topic contains 1 reply, has 2 voices, and was last updated by  disasterhost 1 month ago.

  • Author
    Posts
  • #322879

    anonymous
    Participant

    So I have this raspberrypi at my parents home facing internet with nginx for personal usage only.
    I have setted up a robot.txt to tell everyone that I don’t want bots and the main domain is not even supposed to be used as I use subdomains for my services.

    However, logs are FULL of requests from all around the world for things like wordpress admin pages, php exploit and so on. This represents a waste of energy and bandwidth for my parents and is clearly driven with bad intentions.

    So, since I don’t really like what these guys are trying to do (make zombies or stealing data or something like that), I would like to set up an automatic (legal) way to f*ck with them a bit just like they f*ck with me. (I already have fail2ban setup)

    My idea is to put a zip bomb at the commonly checked end points, like /phpmyadmin/scripts/setup.php, /myadmin/scripts/setup.php,
    /boaform/admin/formLogin?username=user&psd=user…

    What do you guys think ?
    Is this feasible ? I never used the tools that are scanning my server, so I don’t even know if they would fall for it.

    I think the nginx config would be simple enough but I don’t know which kind of zipbomb would work better.

    PS:
    Also, there is this: /w00tw00t.at.blackhats.romanian.anti-sec:). Is this guys trying to tell me something ?

    EDIT:
    I found the worst guy, he tried all sorts of .sql files like /credit_card.sql, like 50 of them…

  • #322880

    disasterhost

    You can install fail2ban and ban IPs when get 404 X times.

  • #322881

    juan0cena

    Those log entries aren’t coming from “guys” they are compromised hosts running automated scans on the entire internet. Any host on the internet with open ports will see the same thing in their logs. There’s nothing you can do to “get back” at the people who are behind these exploit campaigns/bots.

    The w00tw00t thing isn’t some guys trying to tell you something. It’s coming from the ZmEu vulnerability scanner ([https://en.wikipedia.org/wiki/ZmEu_(vulnerability_scanner)](https://en.wikipedia.org/wiki/ZmEu_(vulnerability_scanner))). It’s most likely being run from another hacked/compromised host.

  • #322882

    DrinkMoreCodeMore

    You really cant do anything to slow them down or stop their scanning campaigns.

    It’s all automated bots and completely normal for any internet facing server to see these in their logs.

    The best thing you could do that would put a small dent in their operations is to setup a honeypot like Cowrie and report the malicious IPs found scanning your honeypot to some of the major abuse feeds or blacklists.

    https://github.com/paralax/awesome-honeypots

You must be logged in to reply to this topic.