Russian Script Kiddies.

My home server is Apache, and sees fairly sparse traffic. Still, I’m constantly seeing IP addresses that resolve to Russian control in the log files, looking for whatever they can find in “/admin/” or “/manager/”, then leaving disappointed. Today, I set up a special treat for them; now they can see themselves when they visit the “/admin/” directory at any of the sites I run from home. Here’s how:

#!/bin/bash
# Print the client IPs of the most recent requests that probed /admin/.
echo 'Most recent assholes to check for an administrative app at this URL:'
# Last 500 lines, minus my own address, only lines mentioning /admin/ (anywhere in the line, Referer and
# User-Agent included), then field 2, the client IP in this LogFormat (it is field 1, $1, in the stock common/combined formats).
tail -n500 /var/log/apache2/access_log | grep -v "my_ip_address" | grep '/admin/' | awk '{ print $2 }'

First, I knocked up the script shown above, which I named “mostrecentassholes.sh”, and placed it in a “safe” executable location. It should be fairly obvious what this script does, but if you’re not familiar with scripting: the ‘echo’ line prints the statement that follows it; ‘tail’ reads the last 500 lines of my web server access log; the first ‘grep’ drops every line containing my own IP address; the second keeps only lines that mention the ‘/admin/’ directory (this matches anywhere in the line, so a Referer or User-Agent containing that string is counted too); and ‘awk’ prints only the second field of each entry, which in my instance of Apache happens to be the IP address the request came from. In the stock common and combined LogFormats the client address is the first field, so check your own LogFormat before copying this.

Then I created a subdirectory in the web documents directory called “admin”, and added the following chunk of PHP to a file in that directory called “index.php”:

<?php
// Run the log-scraping script as the web server user and capture its output.
$output = shell_exec('/pathtomyscript/mostrecentassholes.sh');
// Escape before echoing: the text comes from the access log, whose contents visitors partly control.
echo "<pre>" . htmlspecialchars((string) $output, ENT_QUOTES, 'UTF-8') . "</pre>";
?>

Finally, I spiced it up a little and added the other template crap, which includes my CSS formatting info, the surrounding text, images, etc. from my normal PHP page format, so it looks a little prettier.
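The same filter, written as an added example that is not the post’s own script, run over a constructed Apache “combined” format log. It tightens the one-liner in three ways: it takes the client IP from field 1, where the stock common/combined LogFormat puts %h (the post uses $2 because that author’s format differs); it requires “/admin/” to start the request path (field 7), so a Referer or User-Agent that merely contains the string is not counted; and it counts hits per address. MY_IP, the sample addresses (RFC 5737 test ranges) and the log lines are all assumptions made up for this demo.

```bash
#!/bin/bash
# Added example, not the original post's script: list the addresses that
# probed /admin/ in the tail of an Apache combined-format access log.
# Assumptions: stock combined LogFormat (client IP in field 1, request path
# in field 7), MY_IP below is your own address, and the sample log is
# constructed purely for demonstration.

MY_IP="203.0.113.9"

recent_admin_probes() {
    # $1: access log path; $2: how many trailing lines to scan (default 500)
    local logfile=$1 lines=${2:-500}
    tail -n "$lines" "$logfile" \
        | awk -v me="$MY_IP" '$1 != me && index($7, "/admin/") == 1 { print $1 }' \
        | sort | uniq -c | sort -rn
}

# Constructed sample log: two probers, one visit of my own, one /manager/
# probe, and one page whose Referer contains /admin/ but whose path does not.
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
198.51.100.23 - - [10/Oct/2012:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2012:13:56:01 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2012:13:56:10 +0000] "GET /manager/html HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2012:13:57:44 +0000] "GET /admin/config.php HTTP/1.1" 404 210 "-" "curl/7.21.0"
192.0.2.5 - - [10/Oct/2012:13:58:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "http://example.net/admin/" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2012:13:59:00 +0000] "POST /admin/login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
EOF

echo 'Most recent addresses to probe /admin/ (hits, address):'
recent_admin_probes "$sample_log"
```

On the sample above this prints two lines: 198.51.100.23 with 2 hits and 192.0.2.77 with 1; the own-address visit and the Referer-only match are dropped. One practical caveat when wiring something like this into a page via shell_exec: it runs as the web server user, which on Debian-style layouts cannot read /var/log/apache2 by default (the directory is root:adm, mode 0750). Rather than widening the log permissions, have cron run the script and write its output to a file the PHP page simply reads.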

If this continues to be a problem, I may automate the process of adding firewall rules preventing people from looking in the /admin/ directory, but for now, this should do.
