mitchellkrogza/Fail2Ban.WebExploits

Contributing Scan Signatures

mitchellkrogza opened this issue · 2 comments

Anyone who wishes to contribute any scan signatures found in their web server logs, please send a Pull Request on the exploits.list file

I'm not sure what this is, Google-fu is failing me - I'm finding hundreds of these attempts per week in my logs:

"GET /admin/assets/js/views/login.js HTTP/1.1" 301 260 "-" "python-requests/2.19.1"

All are coming from one single IP (some 2000 hits in the logs lying around for November) and it's been reported by others here: https://www.abuseipdb.com/check/87.251.81.86 (added my report as well just now).

I think this might be something related to Node.js, but as I can't seem to find definitive information, it's unclear if this is a good addition to the exploits.list. I notice a very sharp uptick in my logs starting the week of 2018-11-11 to 2018-11-18: it went from around 10-50 per week before that to 700+ per week starting then. Either it was my server "found" by the botnet, or it's some fresh exploit? $0.02 on a "maybe?" that's popped up, hope this helps!
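One way to check whether a request path like the one reported above is worth proposing as a signature is to count its hits per source IP per week and flag sharp week-over-week jumps. This is an added example, not part of the thread or the project's code; the log lines, the documentation-range IP addresses, the function names and the `factor`/`floor` thresholds are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "[^"]*"'
)
SIGNATURE = "/admin/assets/js/views/login.js"  # request path quoted in the comment

def weekly_hits(lines, signature=SIGNATURE):
    """Count signature hits per (Monday of the week, source IP)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Ignore the query string so "?x=1" variants count as the same probe.
        if m.group("path").split("?", 1)[0] != signature:
            continue
        day = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").date()
        counts[(day - timedelta(days=day.weekday()), m.group("ip"))] += 1
    return counts

def spikes(counts, factor=5, floor=3):
    """Weeks where one IP sent >= floor hits and >= factor times its previous week."""
    found = []
    for (week, ip), n in sorted(counts.items()):
        prev = counts.get((week - timedelta(days=7), ip), 0)
        if n >= floor and n >= factor * max(prev, 1):
            found.append((week, ip, prev, n))
    return found

def _line(ip, day, path):
    # Builds one constructed log line for November 2018.
    return (f'{ip} - - [{day:02d}/Nov/2018:10:00:00 +0000] "GET {path} HTTP/1.1" '
            '301 260 "-" "python-requests/2.19.1"')

# Constructed sample: documentation-range addresses, not real traffic.
SAMPLE = ([_line("203.0.113.5", 6, SIGNATURE)]
          + [_line("203.0.113.5", d, SIGNATURE + "?v=1") for d in range(12, 18)]
          + [_line("198.51.100.7", 13, "/index.html"), "not a log line"])

if __name__ == "__main__":
    for week, ip, prev, n in spikes(weekly_hits(SAMPLE)):
        print(f"week of {week}: {ip} sent {n} hits (previous week: {prev})")
```

To run it against real logs, pass an open access-log file to `weekly_hits` in place of `SAMPLE`.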