mazen160/struts-pwn

Script Kiddies in log

webhat opened this issue · 2 comments

Seeing this in my logs from a Script Kiddie.

80.15.195.28 - - [30/Apr/2017:10:34:21 +0000] "GET / HTTP/1.1" 200 0 "-" "struts-pwn (https://github.com/mazen160/struts-pwn)"

Hi,

The UA is made that way intentionally, so that sysadmins who would like to block struts-pwn when it is being used by script kiddies can do so.

Since struts-pwn is like any security testing tool (or any tool in general), you cannot control the intentions of users, so I cannot do much about it.

I recommend:

  • Blocking the IP.
  • Blocking requests with the struts-pwn (https://github.com/mazen160/struts-pwn) UA (consider it a script-kiddie filter).
  • Blocking requests for CVE-2017-5638.

You can also report the IP to blacklisting sites and send an email to the ISP's abuse@.

Best,
Mazin
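The first two recommendations above can be driven from the access log itself. The following is an added example, not code from this thread or from the struts-pwn project: it assumes the Apache/nginx combined log format of the line quoted in the issue, the function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format, the format of the line quoted in the issue.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
UA_MARKER = "struts-pwn"  # substring of the User-Agent shown in the issue

# First line is the one from the issue; the rest are constructed for this example.
SAMPLE_LOG = [
    '80.15.195.28 - - [30/Apr/2017:10:34:21 +0000] "GET / HTTP/1.1" 200 0 "-" '
    '"struts-pwn (https://github.com/mazen160/struts-pwn)"',
    '192.0.2.10 - - [30/Apr/2017:11:02:05 +0000] "GET /login.action HTTP/1.1" 404 162 "-" '
    '"struts-pwn (https://github.com/mazen160/struts-pwn)"',
    '192.0.2.10 - - [30/Apr/2017:11:02:09 +0000] "GET /index.action HTTP/1.1" 404 162 "-" '
    '"struts-pwn (https://github.com/mazen160/struts-pwn)"',
    '198.51.100.7 - - [30/Apr/2017:11:03:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'truncated or malformed line',
]

def parse_line(line):
    """Return ip, ts, request, status and ua for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def summarize(lines):
    """Group requests carrying the struts-pwn User-Agent by source IP."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "requests": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or UA_MARKER not in rec["ua"].lower():
            continue
        h = hits[rec["ip"]]
        h["count"] += 1
        h["first"] = min(h["first"] or rec["ts"], rec["ts"])
        h["last"] = max(h["last"] or rec["ts"], rec["ts"])
        h["requests"].append(rec["request"])
    return dict(hits)

if __name__ == "__main__":
    for ip, h in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip}\t{h['count']} request(s)\t{h['first'].isoformat()} .. {h['last'].isoformat()}")
```

The per-IP first and last timestamps are the details an abuse report or a block-list entry needs. The match is on the tool's default User-Agent only, so it finds exactly the traffic the UA-based filter would block.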

Already reported. 👍