Hi Nick

Yup, I did see that, sounds a bit fishy to me, this IP comes back every day at least 2-3 times a day and the injection strings are all different and sometimes they are so long I would not even dream of pasting one of them in an email :)

I did actually email their email address on that page and have had no reply whatsoever. Any idea on any regexes for this and the other PROPFIND and PRI attack types?

Kind Regards
Mitchell

On 2016/07/08 3:26 PM, Nick Howitt wrote:
> Have you seen this <http://169.229.3.91/>? Up to you if you believe it.
>
> On 08/07/2016 14:13, Mitchell Krog wrote:
>> Hi all
>>
>> I have been noting the following sequence in my nginx logs.
>>
>> 169.229.3.91 - - [06/Jul/2016:10:26:00 +0200]
>> "\xF1)1\xB0\x0E\xD6\xCEOSb`\xE3E\x90\xE1A\xB3\x7F\x8C\x0B\x02\xBF\x05RN\xD0\x87\x8F%=\x83(\x16\x9A\xDF5\x1D\xC8\x81<\x80l\xC6\xD8\xCD9\xA0\xE9\xDF~\xCEC\xFB\xF0\xCB\xB5\xD2\x85I\xAAVT\x98F"
>>
>> 400 166 "-" "-"
>>
>> A bit of searching led me to the following info about it:
>> https://www.abuseipdb.com/check/169.229.3.91
>>
>> Nginx generates a 400 error as expected but I would like to be able
>> to detect these attempts using Fail2Ban and ban it after X attempts.
>> I would think the best place to add this would be in the
>> nginx-botsearch.conf or botsearch-common.conf file but I am really
>> not good with regex at all and will probably break Fail2Ban in the
>> process.
>>
>> Anyone have any idea on a regex string to deal with this? Important
>> to note the string sent is all backslashes \ not the usual / used in
>> url structures and they also pass lots of special characters in the
>> string. I DID try myself and came up with this "^<HOST> \- \S+ \[.*]
>> \"[\\]+.*
>> " but it does not work (my regex sucks)
>>
>> Also very important to note is that Nginx records no GET, POST or
>> HEAD either.
>>
>> And here are some other ones I would also like to be able to detect
>> and ban.
>>
>> 192.99.144.140 - - [08/Jul/2016:14:45:19 +0200] "*PROPFIND* /webdav/
>> HTTP/1.1" 301 178 "-" "WEBDAV Client" PORT:80 0.000 - . "-"
>>
>> 54.149.78.218 - - [08/Jul/2016:09:38:35 +0200] "*PRI ** HTTP/2.0" 400
>> 166 "-" "-" PORT:80 5.005 - . "-"
>>
>> Any help?
>>
>> Kind Regards
>> Mitchell
>>
>> ------------------------------------------------------------------------------
>> Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
>> Francisco, CA to explore cutting-edge tech and listen to tech luminaries
>> present their vision of the future. This family event has something for
>> everyone, including kids. Get more information and register today.
>> http://sdm.link/attshape
>> _______________________________________________
>> Fail2ban-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
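A worked example added here, not from the thread or the Fail2ban project: a small Python harness that writes the three detections in fail2ban's failregex form (the `<HOST>` tag is swapped for a simplified host group, an assumption; fail2ban's own tag is broader) and runs them over the log lines quoted in the post plus constructed ones, counting hits per host the way a `maxretry` threshold would.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: a plain IPv4/IPv6 literal).
HOST_RE = r"(?P<host>[0-9A-Fa-f:.]+)"
PREFIX = r'^<HOST> \S+ \S+ \[[^\]]+\] '

# Rules in failregex style. Rule names are hypothetical labels for this harness.
RULES = [
    # nginx escapes non-printable request bytes as \xHH, so a request field that
    # starts with a backslash escape (no GET/POST/HEAD) is the binary-garbage case.
    ("binary-request", PREFIX + r'"\\x[0-9A-Fa-f]{2}.*" 400 '),
    # WebDAV probing: PROPFIND on a server that does not serve WebDAV.
    ("propfind", PREFIX + r'"PROPFIND [^"]*" \d{3} '),
    # HTTP/2 connection preface sent as a cleartext request, answered with 400.
    ("h2-preface", PREFIX + r'"PRI \* HTTP/2\.0" 400 '),
]
COMPILED = [(name, re.compile(pat.replace("<HOST>", HOST_RE))) for name, pat in RULES]

def classify(line):
    """Return (rule_name, host) for the first rule matching the log line, else None."""
    for name, rx in COMPILED:
        m = rx.match(line)
        if m:
            return name, m.group("host")
    return None

def offenders(lines, maxretry=3):
    """Hosts with at least maxretry matching lines (findtime window omitted for brevity)."""
    counts = {}
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return sorted(host for host, n in counts.items() if n >= maxretry)

SAMPLE_LOG = [
    # Lines 0, 3 and 4 are the entries quoted in the post (mail emphasis asterisks removed);
    # lines 1, 2 and 5 are constructed for this example.
    r'169.229.3.91 - - [06/Jul/2016:10:26:00 +0200] "\xF1)1\xB0\x0E\xD6\xCEOSb`\xE3E\x90\xE1A\xB3\x7F\x8C\x0B\x02\xBF\x05RN\xD0\x87\x8F%=\x83(\x16\x9A\xDF5\x1D\xC8\x81<\x80l\xC6\xD8\xCD9\xA0\xE9\xDF~\xCEC\xFB\xF0\xCB\xB5\xD2\x85I\xAAVT\x98F" 400 166 "-" "-"',
    r'169.229.3.91 - - [06/Jul/2016:10:26:05 +0200] "\x16\x03\x01\x00\xA5\x01\x00\x00" 400 166 "-" "-"',
    r'169.229.3.91 - - [06/Jul/2016:10:26:09 +0200] "\x80\x3F\x01\x03\x01\x00\x06\x00" 400 166 "-" "-"',
    r'192.99.144.140 - - [08/Jul/2016:14:45:19 +0200] "PROPFIND /webdav/ HTTP/1.1" 301 178 "-" "WEBDAV Client" PORT:80 0.000 - . "-"',
    r'54.149.78.218 - - [08/Jul/2016:09:38:35 +0200] "PRI * HTTP/2.0" 400 166 "-" "-" PORT:80 5.005 - . "-"',
    r'203.0.113.5 - - [08/Jul/2016:10:00:00 +0200] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), line[:60])
    print("would ban:", offenders(SAMPLE_LOG, maxretry=3))
```

The `RULES` patterns keep the `<HOST>` tag so they can be tried against a real log with `fail2ban-regex` before going into a filter file.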
