
Report the bad IP address to the AbuseIPDB

I have a VPS on DigitalOcean. The web server is Nginx. I checked the web server log files, including the access log and the error log.

The error log regularly records strange activity from certain IP addresses.

2019/03/17 03:08:02 [error] 781#781: *140434 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //com/.zip HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//com/.zip"
2019/03/17 03:08:04 [error] 781#781: *140451 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //com/..zip HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//com/..zip"
2019/03/17 03:08:06 [error] 781#781: *140452 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //www.yinfor.com/..zip HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//www.yinfor.com/..zip"
2019/03/17 03:08:07 [error] 781#781: *140453 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //com/.rar HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//com/.rar"
2019/03/17 03:08:08 [error] 781#781: *140454 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //com/..rar HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//com/..rar"
2019/03/17 03:08:10 [error] 781#781: *140456 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //www.yinfor.com/..rar HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//www.yinfor.com/..rar"
2019/03/17 06:10:41 [error] 781#781: *145806 access forbidden by rule, client: 192.99.35.63, server: www.yinfor.com, request: "GET /wp-content/uploads/2019/03/settings_auto.php HTTP/1.1", host: "www.yinfor.com"
2019/03/17 13:21:35 [error] 781#781: *160016 access forbidden by rule, client: 139.99.121.91, server: www.yinfor.com, request: "GET /.htaccess?c=askjhGQVFcrwqevq&q=ZWNobyA0Mzc0NTc1NDc7 HTTP/1.1", host: "www.yinfor.com"
2019/03/17 13:22:21 [error] 781#781: *160124 access forbidden by rule, client: 139.99.121.91, server: www.yinfor.com, request: "GET /.well-known.zip HTTP/1.1", host: "www.yinfor.com"
2019/03/17 13:22:22 [error] 781#781: *160125 access forbidden by rule, client: 139.99.121.91, server: www.yinfor.com, request: "GET /.well-known.tar.gz HTTP/1.1", host: "www.yinfor.com"
2019/03/17 13:22:22 [error] 781#781: *160126 access forbidden by rule, client: 139.99.121.91, server: www.yinfor.com, request: "GET /.well-known.gz HTTP/1.1", host: "www.yinfor.com"

You can see that the requested URLs are strange. Actually, I had already banned these IP addresses, so Nginx recorded the requests as "access forbidden by rule".

I am not only banning these IP addresses, but also want to report them to AbuseIPDB.

When I find a bad IP address, I sign in to the AbuseIPDB site and report it.

Enter the type of abusive behaviour and the details from the log entries for that IP.

AbuseIPDB is not just a reporting tool. Registered users can also use its API to check whether an IP address has been reported as abusive or as a spam source. It also works with Fail2Ban.
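Before filing a report it helps to pull every "access forbidden by rule" entry for one client out of the error log and summarise it. The script below is an added example, not code from the post: it parses the Nginx error log format quoted above, groups the forbidden requests by client IP with first/last seen times, and builds the free-text comment for the AbuseIPDB report form. The sample log is constructed from entries in the post plus one unrelated notice line.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the Nginx error log quoted above
# (three entries from the post plus one unrelated [notice] line).
SAMPLE_LOG = """\
2019/03/17 03:08:02 [error] 781#781: *140434 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //com/.zip HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//com/.zip"
2019/03/17 03:08:04 [error] 781#781: *140451 access forbidden by rule, client: 183.240.196.121, server: www.yinfor.com, request: "HEAD //com/..zip HTTP/1.1", host: "www.yinfor.com", referrer: "http://www.yinfor.com//com/..zip"
2019/03/17 06:10:41 [error] 781#781: *145806 access forbidden by rule, client: 192.99.35.63, server: www.yinfor.com, request: "GET /wp-content/uploads/2019/03/settings_auto.php HTTP/1.1", host: "www.yinfor.com"
2019/03/17 06:12:00 [notice] 781#781: signal process started
"""

# Only "access forbidden by rule" entries are of interest; the referrer field is optional.
FORBIDDEN_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?'
    r'access forbidden by rule, client: (?P<ip>[0-9a-fA-F.:]+), .*?'
    r'request: "(?P<request>[^"]*)"'
)

def parse_forbidden(log_text):
    """Group forbidden requests by client IP: count, first/last seen, distinct request lines."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "requests": []})
    for line in log_text.splitlines():
        m = FORBIDDEN_RE.match(line)
        if not m:
            continue  # notices, warnings and unrelated errors are skipped
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        entry = hits[m["ip"]]
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        if m["request"] not in entry["requests"]:
            entry["requests"].append(m["request"])
    return dict(hits)

def report_comment(ip, entry, max_requests=5):
    """Free-text comment to paste into the AbuseIPDB report form for one IP."""
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = [f"{entry['count']} forbidden requests from {ip} between "
             f"{entry['first']:{fmt}} and {entry['last']:{fmt}} (server local time)"]
    lines += [f"  {r}" for r in entry["requests"][:max_requests]]
    return "\n".join(lines)

if __name__ == "__main__":
    for ip, entry in parse_forbidden(SAMPLE_LOG).items():
        print(report_comment(ip, entry), "\n")
```

Run it against the real file with `parse_forbidden(open("/var/log/nginx/error.log").read())`; the path is the Debian/Ubuntu default and may differ on your VPS.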

Abuse Alert from Burst.net – HTML/PicFrame.Gen

It is the first time I have received an abuse alert from Burst.net, the VPS service provider.
They said there was malicious content on my VPS. Their backbone provider found it and reported it to them, and Burst asked me to respond within 24 hours.

[Image: abuse-alert-1]

I clicked the link they provided. It is a picture, just an image file with a .jpg extension, and I can open it in the browser. But I wanted to investigate further.
So I downloaded it and opened it in Notepad++, a free open-source text editor. At the end of the file, the harmful content is shown as below:
