NodeBB

Misère. # grep "robots.txt" /var/log/apache2/access*.log | awk '{print $12}' | sort -n | uniq -c 2 "-" 3 "caveman-hunter/0.0.0 2367 "CCBot" 3 "facebookexternalhit/1.1 2 "FediDB/0.5.0; 4 "FediIndex/1.0 1 "Go-http-client/1.1" 1 "Mastodon/4.6.0-nightly.2025-11-06 1 "Minoru's 80 "Mozilla/5.0 6 "Mozilla/5.0"

Voir : https://xtom.com/blog/what-is-nethogs-and-how-to-monitor-network-traffic/

Toujours pas de crash … # wc -l /etc/pve/firewall/cluster.fw 10288 /etc/pve/firewall/cluster.fw # grep "# CCBot" /etc/pve/firewall/cluster.fw > iptables-CCbot.txt # wc -l iptables-CCbot.txt 8994 iptables-CCbot.txt Le gros est la pollution de CCBot ( Brésil, Argentine, Vietnam, … )

$ cat full-reject.txt | xargs -n 1 geoiplookup { } | sort | uniq -c | sort -n | sed -r 's/ GeoIP Country Edition://g' 1 AO, Angola 1 BE, Belgium 1 BN, Brunei Darussalam 1 can't resolve hostname ( 2606:4700:3037::ac43:cc71 ) 1 CI, Cote D'Ivoire 1 GH, Ghana 1 HR, Croatia 1 JM, Jamaica 1 LT, Lithuania 1 LV, Latvia 1 MD, Moldova, Republic of 1 MM, Myanmar 1 MN, Mongolia 1 NG, Nigeria 1 PT, Portugal 1 SA, Saudi Arabia 1 SI, Slovenia 1 SO, Somalia 1 SY, Syrian Arab Republic 1 UG, Uganda 1 GeoIP Country V6 Edition: can't resolve hostname ( 2606:4700:3037::ac43:cc71 ) 2 GE, Georgia 2 KN, Saint Kitts and Nevis 2 MK, Macedonia 2 PR, Puerto Rico 2 SK, Slovakia 3 CY, Cyprus 3 ET, Ethiopia 3 HU, Hungary 3 KG, Kyrgyzstan 3 MC, Monaco 3 MU, Mauritius 3 QA, Qatar 3 SN, Senegal 3 SV, El Salvador 4 AL, Albania 4 AM, Armenia 4 GA, Gabon 4 JO, Jordan 4 LB, Lebanon 4 OM, Oman 4 TT, Trinidad and Tobago 5 BW, Botswana 9 BA, Bosnia and Herzegovina 9 CZ, Czech Republic 10 KW, Kuwait 11 DZ, Algeria 12 BO, Bolivia 12 GT, Guatemala 16 IS, Iceland 18 AZ, Azerbaijan 20 UZ, Uzbekistan 27 TN, Tunisia 34 AT, Austria 34 EE, Estonia 37 IQ, Iraq 39 EG, Egypt 40 UY, Uruguay 42 MA, Morocco 258 AP, Asia/Pacific Region 258 EU, Europe 260 PA, Panama 260 TR, Turkey 261 CR, Costa Rica 265 RS, Serbia 267 KZ, Kazakhstan 270 KE, Kenya 513 FI, Finland 513 NI, Nicaragua 770 PL, Poland 770 RO, Romania 1024 PF, French Polynesia 1026 PS, Palestinian Territory 1027 SC, Seychelles 1036 BG, Bulgaria 1040 KP, Korea, Democratic People's Republic of 1125 IL, Israel 1341 PE, Peru 1972 NL, Netherlands 2048 VU, Vanuatu 2050 KH, Cambodia 2058 HN, Honduras 2848 VE, Venezuela 2941 CH, Switzerland 3095 IP Address not found 3140 CL, Chile 3239 ZA, South Africa 3432 BH, Bahrain 3608 DO, Dominican Republic 3663 PY, Paraguay 3696 CO, Colombia 3891 UA, Ukraine 4162 NZ, New Zealand 8192 FJ, Fiji 8195 LK, Sri Lanka 11264 NC, New Caledonia 13849 PK, Pakistan 16384 MO, Macau 17785 SE, Sweden 19555 ES, Spain 24887 AR, Argentina 34823 NP, Nepal 35697 BD, Bangladesh 67514 EC, Ecuador 67840 TH, Thailand 68776 IT, Italy 78941 MX, Mexico 81409 PH, Philippines 101737 ID, Indonesia 113413 TW, Taiwan 133730 AE, United Arab Emirates 170330 MY, Malaysia 285170 FR, France 526851 BY, Belarus 538991 CA, Canada 671345 HK, Hong Kong 697025 IN, India 1340962 KR, Korea, Republic of 1344984 GB, United Kingdom 1416874 AU, Australia 1450519 IR, Iran, Islamic Republic of 1481058 BR, Brazil 1922796 SG, Singapore 2180768 RU, Russian Federation 3433168 DE, Germany 4220007 IE, Ireland 4266170 JP, Japan 7136014 VN, Vietnam 13160884 CN, China 31585710 US, United States

Mais aussi : # grep "^217.154.8.45 " /var/log/apache2/access.*.log | awk '{print $6 " " $7 " " $8}' "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" "POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" "POST /?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" "GET /vendor/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /vendor/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" "GET /vendor/phpunit/phpunit/LICENSE/eval-stdin.php HTTP/1.1" "GET /vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" "GET /phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /phpunit/Util/PHP/eval-stdin.php HTTP/1.1" "GET /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /lib/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" "GET /lib/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /lib/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" "GET /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" "GET /index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1" "GET /public/index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1" "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\"hi\"));?>+/tmp/index1.php HTTP/1.1" "GET /index.php?lang=../../../../../../../../tmp/index1 HTTP/1.1" "GET /containers/json HTTP/1.1"

Huawei devant ccbot : # cat /var/log/pve-firewall.log | awk '{print $3}' | sort -n | uniq -c 867 GROUP-attack-IN 721 GROUP-attackmail-IN 3452 GROUP-ccbot-IN 12 GROUP-honeypot-IN 6027 GROUP-huawei-IN 47 GROUP-russian-IN

Scan sur chosen.php : # grep "/chosen.php" /var/log/apache2/access.*.log | sed 's/:/ /g' | awk '{print $2}' | sort | uniq -c 2 5.188.167.226 2 89.21.132.85 2 95.165.10.241

# zgrep "GET /_app/immutable/chunks" //var/log/apache2/access.photo-ssl.log*gz | grep "python-httpx/0.28.1" | sed 's/:/ /g' | awk '{print $2}' | sort -n | uniq -c 10 84.20.18.75 10 192.159.99.155 30 196.251.69.173