I had occasion to download a blacklist of IPs. The problem was that this machine-generated list padded each octet with leading zeros: instead of 1.2.3.4, an address was listed as 001.002.003.004. I didn't relish manually editing all 10,000 IP addresses, so I did some research.
This post gave a formula to do it (with the padded address in cell A1, the cleaned address appears in the formula's cell; the quotes must be plain ASCII quotes or Excel will not accept the formula): =INT(MID(A1,1,3)) & "." & INT(MID(A1,5,3)) & "." & INT(MID(A1,9,3)) & "." & INT(MID(A1,13,3))
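The spreadsheet formula only works when every octet is exactly three digits wide, because MID() reads fixed character positions. The script below is an added example, not part of the original post: it handles octets of any width, reads each one as decimal rather than octal, and reports entries that are not valid addresses instead of silently dropping them from the blocklist. The octal point matters for a blacklist: some parsers (glibc's inet_aton, for example) read a zero-padded octet such as 010 as octal, so 010.000.000.001 can be interpreted as 8.0.0.1 rather than 10.0.0.1 unless the zeros are stripped first. The sample blacklist lines are constructed.

```python
import ipaddress

# Constructed sample: entries in the zero-padded form the downloaded
# blacklist used, plus two malformed lines to show the validation path.
SAMPLE_BLACKLIST = """001.002.003.004
010.000.000.001
192.168.001.010
256.001.001.001
not-an-ip
"""


def normalize_ipv4(entry):
    """Strip leading zeros from each octet and validate the result.

    Every octet is read as decimal (exactly what the INT() spreadsheet
    formula does), never as octal, so "010" becomes 10, not 8. Returns the
    canonical dotted-quad string, or None if the entry is not a usable
    IPv4 address.
    """
    parts = entry.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    octets = [int(p) for p in parts]  # int() drops the leading zeros
    if any(o > 255 for o in octets):
        return None
    canonical = ".".join(str(o) for o in octets)
    # Final check with the standard library. ipaddress rejects zero-padded
    # octets outright (Python 3.9.5+) because of the octal ambiguity, which
    # is why the octets are normalised before this call.
    return str(ipaddress.IPv4Address(canonical))


def normalize_blacklist(text):
    """Normalise a whole list.

    Returns (valid_ips, rejected_lines) so that a bad line is surfaced for
    review rather than quietly vanishing from the blocklist.
    """
    valid, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip = normalize_ipv4(line)
        if ip is None:
            rejected.append(line)
        else:
            valid.append(ip)
    return valid, rejected


if __name__ == "__main__":
    ok, bad = normalize_blacklist(SAMPLE_BLACKLIST)
    print("\n".join(ok))
    print("rejected:", bad)
```

To process the real file, read it into `text` and write out the `valid` list; keep the `rejected` list as a small report to check by hand before the blocklist goes into production.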
My Splunk Enterprise instance showed that the main index was growing much faster than the squid-access-log index I had sent the Squid access logs to. On review, it turned out that when setting up the splunkforwarder service I had added the entire c:\squid\var\logs folder as a directory to be "monitored". This directive was stored in the default Splunk directory under etc/app/splunk_TA_Windows/local/input.conf.
All I had to do was remove the entries there, then go to the Splunk server and run: ./splunk clean eventdata
Have you been hit with a lot of XML-RPC based attacks on your WordPress installation? Are attackers trying to insert malware into your WordPress installation (SoakSoak)?
I have a simple solution to share with you.
Since this website uses the BNShosting web mirror service, I thought of using the Squid service to block the flood of WordPress attacks via XML-RPC before they ever reach the origin server.
In your Squid proxy configuration (squid.conf) add the following entries. The acl lines only define the matches; the http_access deny lines are what actually block the requests, and they must appear before any http_access allow rule, because Squid applies the first http_access rule that matches:
# for identifying WordPress xmlrpc attacks in the URL
acl wordpressAttackers url_regex xmlrpc
acl wordpressAttackers1 url_regex wp-includes/template-loader.php
# deny these before the http_access allow rules
http_access deny wordpressAttackers
http_access deny wordpressAttackers1
Save the file, then restart the Squid service. The next time a hacker attempts to brute-force your password or insert malware via xmlrpc.php or /template-loader.php, Squid will deny the request and filter the attack before it ever reaches the origin server.
I had to search through a 400+ GB Squid proxy log file. The problem is that you can't open such a large file in Notepad or WordPad; it won't open due to the size. Quick idea: use the grep command to filter the large file down to a smaller, workable file. The problem is that there is no grep command on the Windows server. Thankfully, Windows does have an equivalent: the findstr command to the rescue.
This gave me a smaller file that I could work with. Another idea to try is to find the UNIX date string and use it to filter the log file down to the date range you want to work with.
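The date-range idea above works because Squid's native access.log puts a UNIX timestamp (seconds.milliseconds) in the first field of every line. The script below is an added example, not part of the original post or of Squid: it streams the log one line at a time, so a 400 GB file is never loaded into memory, and keeps only the lines that match a regular expression (the role findstr /r played above) and/or fall inside one UTC calendar day. It assumes the native Squid log format; the sample log lines and their timestamps are constructed, and the corrupt last line shows how a damaged record is skipped rather than aborting the run.

```python
import re
from datetime import datetime, timezone

# Constructed sample in Squid's native access.log format:
# timestamp elapsed client action/code size method URL ident hierarchy/peer type
SAMPLE_LOG = """1700000000.123     45 10.0.0.5 TCP_MISS/200 5120 GET http://example.test/index.php - HIER_DIRECT/203.0.113.10 text/html
1700003600.456     12 198.51.100.7 TCP_DENIED/403 0 POST http://example.test/xmlrpc.php - HIER_NONE/- text/html
1700007200.789     30 10.0.0.9 TCP_MISS/200 2048 GET http://example.test/wp-includes/template-loader.php - HIER_DIRECT/203.0.113.10 text/html
1700090000.000     22 10.0.0.5 TCP_HIT/200 1024 GET http://example.test/about - HIER_NONE/- text/html
this line is corrupt and has no timestamp
"""


def day_range(day):
    """Return (start, end) UNIX timestamps covering one UTC calendar day
    given as 'YYYY-MM-DD'; end is exclusive."""
    start = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return start.timestamp(), start.timestamp() + 86400


def parse_timestamp(line):
    """Read the UNIX timestamp from the first field of a native Squid log
    line. Returns a float, or None for a line that does not parse."""
    first = line.split(None, 1)[0] if line.strip() else ""
    try:
        return float(first)
    except ValueError:
        return None


def filter_lines(lines, pattern=None, start=None, end=None):
    """Yield the lines that match pattern (a regex) and whose timestamp lies
    in [start, end). Accepts any iterable of lines, including an open file,
    so it streams without reading the whole log into memory."""
    rx = re.compile(pattern) if pattern else None
    for line in lines:
        if start is not None or end is not None:
            ts = parse_timestamp(line)
            if ts is None:
                continue  # skip a corrupt line instead of crashing mid-file
            if start is not None and ts < start:
                continue
            if end is not None and ts >= end:
                continue
        if rx is not None and rx.search(line) is None:
            continue
        yield line


def filter_file(in_path, out_path, pattern=None, day=None):
    """Stream in_path into out_path, keeping only the matching lines.
    Returns the number of lines written."""
    start, end = day_range(day) if day else (None, None)
    written = 0
    # errors="replace" keeps a stray bad byte in a huge log from stopping the run
    with open(in_path, encoding="utf-8", errors="replace") as src, \
            open(out_path, "w", encoding="utf-8") as dst:
        for line in filter_lines(src, pattern, start, end):
            dst.write(line)
            written += 1
    return written


if __name__ == "__main__":
    start, end = day_range("2023-11-14")
    for hit in filter_lines(SAMPLE_LOG.splitlines(),
                            r"xmlrpc|template-loader", start, end):
        print(hit)
```

For the real log, call `filter_file(r"c:\squid\var\logs\access.log", "subset.log", pattern=r"xmlrpc", day="2023-11-14")` (path and date are placeholders) and then open the much smaller subset.log in an editor; the pattern and the day can each be omitted to filter on the other alone.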