How to auto report abusive IPs

Hello! This report is for owners of sites to report abusive IPs the second they happen.

Step One: Set up the “trap” page in your .htaccess:

ErrorDocument 404 /trap.php

Step Two: Install Guzzle for HTTP requests to the AbuseIPDB API.
composer require guzzlehttp/guzzle:^6.0

Step Three: Create a free account at abuseipdb.com and get an API key:


Step Four: Create a file called trap.php with this:

<?php
require 'vendor/autoload.php';

// Request paths that only scanners ask for, mapped to the comment sent with the report.
$hacks = array(
    "/.env" => "Tried to access .env file",
    "/api/jsonws/invoke" => "Tried to POST web API, /api/jsonws/invoke",
    "/.git//index" => "Attempted to access git files, /.git//index",
    "/?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>" => "ThinkPHP exploit. /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>",
    "/?XDEBUG_SESSION_START=phpstorm" => "PHPSTORM Debug hack",
    "/solr/admin/info/system?wt=json" => "Trying to access solr admin page.",
    "/boaform/admin/formLogin" => "Trying to access admin login: /boaform/admin/formLogin",
    "/config/getuser?index=0" => "Trying to access configuration files: /config/getuser?index=0",
    "/test/.env" => "Attempting to access .env file",
    "/laravel/.env" => "Attempting to access .env file",
    "/admin/.env" => "Attempting to access .env file",
    "/system/.env" => "Attempting to access .env file",
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" => "Attempting to access vendor files: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
    "/por/login_psw.csp" => "Trying to access admin login pages: /por/login_psw.csp",
    "/ui/login.php" => "Trying to access admin login pages: /ui/login.php",
    "/cgi-bin/login.cgi?requestname=2&cmd=0" => "Trying to access admin login pages: /cgi-bin/login.cgi?requestname=2&cmd=0",
    "/GponForm/diag_Form?images/" => "Odd Request, trying to access some sort of form: /GponForm/diag_Form?images/",
    "//vendor/phpunit/phpunit/phpunit.xsd" => "Trying to access PHPUnit scripts: //vendor/phpunit/phpunit/phpunit.xsd",
    "//web/wp-includes/wlwmanifest.xml" => "Attempting to access Wordpress wlwmanifest.xml file.",
    "//wordpress/wp-includes/wlwmanifest.xml" => "Attempting to access Wordpress wlwmanifest.xml file.",
    "//wp-includes/wlwmanifest.xml" => "Attempting to access Wordpress wlwmanifest.xml file.",
    "//shop/wp-includes/wlwmanifest.xml" => "Attempting to access Wordpress wlwmanifest.xml file.",
    "//cms/wp-includes/wlwmanifest.xml" => "Attempting to access Wordpress wlwmanifest.xml file.",
    "//xmlrpc.php?rsd" => "Suspicious request; //xmlrpc.php?rsd",
    "/manager/text/list" => "Trying to access admin files: /manager/text/list"
);

$url = $_SERVER["REQUEST_URI"];

if(isset($hacks[$url])){
    $mes = "AUTOMATED REPORT: " . $hacks[$url];
}

// Behind Cloudflare the real client address is in CF-Connecting-IP. Only trust this
// header if the origin accepts connections from Cloudflare alone; otherwise any client
// can set it and have an arbitrary address reported.
if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];

if(isset($mes)){
    $ip = $_SERVER['REMOTE_ADDR'];
    $client = new GuzzleHttp\Client([
        'base_uri' => 'https://api.abuseipdb.com/api/v2/'
    ]);

    $response = $client->request('POST', 'report', [
        'query' => [
            'ip' => $ip,
            'categories' => '15',   // AbuseIPDB category 15 = Hacking
            'comment' => $mes
        ],
        'headers' => [
            'Accept' => 'application/json',
            'Key' => "your api key here"
        ],
    ]);

    $output = $response->getBody();
    // Decode the JSON response into a PHP array (not used further here).
    $ipDetails = json_decode($output, true);
    die("Attempted to access blacklisted page, this has been logged.");
}else{
    header("Location: /request-error?code=404");
    die();
}

This script is an array of common hacked pages and messages to report if a request to any one of the pages is made. Upon a request to any of these pages, a report will be made to AbuseIPDB. Pat yourself on the back, you just helped other website owners block bad requests!

8 Likes

Thanks for this, it might come in handy!

As usual, is there a Node equivalent of this? :sweat_smile:

2 Likes

Lol, when I posted that reply I had just realized that it was written in PHP, not JS.

edit: I will make it so that anyone who goes to /admin on my site will get me warned and they shall receive a random message like “Hacker, stop, now”

You just need something like axios or node-fetch for Node and set it up to be triggered on a request to one of the domains on riverside’s list. Make sure to IP-ban them or otherwise prevent them from triggering the API request; otherwise, if they find out about it, they will spam the API through your server and you will get your API key revoked.

3 Likes
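The trap page from the first post with the throttling this reply asks for, as an added example (not the original poster's trap.php). It assumes Guzzle is installed, a writable state directory outside the web root, and the API key in an ABUSEIPDB_KEY environment variable.

```php
<?php
// Added example, not the poster's trap.php: the same report call with the throttling
// the reply above asks for. Assumes Guzzle is installed, $stateDir is writable and
// outside the web root, and the API key is in the ABUSEIPDB_KEY environment variable.
require 'vendor/autoload.php';
const REPORT_WINDOW = 900;  // AbuseIPDB accepts one report per IP every 15 minutes
const HOURLY_CAP    = 60;   // assumed local ceiling so a flood cannot drain the key's quota
// Resolve the client address. CF-Connecting-IP is trusted only when the origin accepts
// connections from Cloudflare alone; otherwise anyone can set it and get a stranger reported.
function clientIp(array $server, bool $behindCloudflare): ?string {
    $ip = ($behindCloudflare && isset($server['HTTP_CF_CONNECTING_IP']))
        ? $server['HTTP_CF_CONNECTING_IP'] : ($server['REMOTE_ADDR'] ?? '');
    // Drop malformed, private and reserved addresses: reporting 10.x or 127.x is noise.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false ? null : $ip;
}

// True only if $ip was not reported within REPORT_WINDOW and the hourly cap holds. State is
// a directory of touch-files named by the IP hash, touched before the call (no retry on failure).
function shouldReport(string $ip, string $stateDir): bool {
    if (!is_dir($stateDir) && !mkdir($stateDir, 0700, true)) return false;
    $now = time();
    $marker = $stateDir . '/' . hash('sha256', $ip);
    if (is_file($marker) && $now - filemtime($marker) < REPORT_WINDOW) return false;
    $sentThisHour = 0;
    foreach (glob($stateDir . '/*') ?: [] as $f) {
        if ($now - filemtime($f) < 3600) $sentThisHour++;
    }
    if ($sentThisHour >= HOURLY_CAP) return false;
    touch($marker);
    return true;
}

// Send the report; returns the HTTP status (200 on success, non-200 if AbuseIPDB rejects it).
function report(string $ip, string $comment, string $apiKey): int {
    $client = new GuzzleHttp\Client(['base_uri' => 'https://api.abuseipdb.com/api/v2/']);
    $r = $client->request('POST', 'report', [
        'query'   => ['ip' => $ip, 'categories' => '15', 'comment' => $comment],
        'headers' => ['Accept' => 'application/json', 'Key' => $apiKey],
        'http_errors' => false,   // never throw: the trap page must still answer the client
    ]);
    return $r->getStatusCode();
}
$hacks = ['/.env' => 'Tried to access .env file'];   // same table as trap.php; one entry shown
$url = $_SERVER['REQUEST_URI'] ?? '';
$ip = clientIp($_SERVER, false);
if ($ip !== null && isset($hacks[$url]) && shouldReport($ip, dirname(__DIR__) . '/trap-state')) {
    report($ip, 'AUTOMATED REPORT: ' . $hacks[$url], getenv('ABUSEIPDB_KEY') ?: '');
}
http_response_code(404);   // answer like any other 404 so the trap is not advertised
```

Because the marker is written before the API call, a single client can cause at most one request per 15 minutes and the whole server at most HOURLY_CAP per hour, whatever it sends.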

If the IP address is a Glitch server, it will get cycled and might end up as the target’s IP address, haha. More problematic is that Glitch might have a headache trying to unban their IP addresses, like they had a big issue with discord bans.

2 Likes

I could try to get something going. All you would need to do is just install libcurl for sending requests:

Also, here are some reports I got in the night!

2 Likes

How the turntables.

Most of these “hackers” will often use hosting to run attacks, and since they may or may not be using dedicated IPs, it’s tricky for companies to track them down.

For the attackers who do use “fixed line ISPs”, I have contacted the abuse email of the ISP and they never get back to me, which is probably why it is a choice of attackers.