Isn't much more than a bloated one line. Just parses through apache logs to check for the following (so far): JCE - Joomla shell uploader) Ahrefsbot - (spammer bot) POST - (because no one should be posting stuff to my site, I have no user logins, forms, etc. and after analyzing what was being posted close to 100% were things with malicious intent. Catches most things) administrator - no one should be trying to log in as administrator. They get nowhere trying, but they still do. 55000 is the set amount of lines I chose to look through, since I fluctuate between 25-40k visitors at peak times. (This was written for my personal site which sees about 2-3k ranDumb attacks per day (must be the domain name)) Sorting uniquely ensures I don't get dupes. I may reconstruct it to aggregate data from others once I get proper permission to do so. In which event I'd be able to correlate data from a couple hundred/thousandish webservers (unsure when this will happen). ----------- printf " # # The following addresses are web based attackers # compiled on an hourly basis. Most are attempting # XSS, SQLi, CSRF and other attacks. Compiled list # to be used for blacklisting. # #" > /tmp/xssers/XSSATTACKERS echo `date`|sed 's:^: :g' >> /tmp/xssers/XSSATTACKERS printf "\n\n" >> /tmp/xssers/XSSATTACKERS tail -n 55000 /var/logs/httpd/access_log|\ awk '/AhrefsBot|POST|administrator|JCE/{print $1}'|sort -u >> /tmp/xssers/bad.xxxers cat /tmp/xssers/bad.xxxers >> /tmp/xssers/XSSATTACKERS mv /tmp/xssers/XSSATTACKERS /var/www/html/infiltrated.net/webattackers.txt -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF