Hello! This report is for owners of sites to report abusive IPs the second they happen.
Step One: Set up the “trap” page in your .htaccess:
ErrorDocument 404: /trap.php
Step Two: Install Guzzle for HTTP requests to the AbuseIPDB API.
composer require guzzlehttp/guzzle:^6.0
Step Three: Create a free account at abuseipdb.com and get an API key:
Step Three: Create a file called trap.php with this:
<?php
require 'vendor/autoload.php';
$hacks = array(
"/.env" => "Tried to access .env file",
"/api/jsonws/invoke" => "Tried to POST web API, /api/jsonws/invoke",
"/.git//index" => "Attempted to access git files, /.git//index",
"/?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>" => "ThinkPHP exploit. /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>",
"/?XDEBUG_SESSION_START=phpstorm" => "PHPSTORM Debug hack",
"/solr/admin/info/system?wt=json" => "Trying to access solr admin page.",
"/boaform/admin/formLogin" => "Trying to access admin login: /boaform/admin/formLogin",
"/config/getuser?index=0" => "Trying to access configuration files: /config/getuser?index=0",
"/test/.env" => "Attempting to access .env file",
"/laravel/.env" => "Attempting to access .env file",
"/admin/.env" => "Attempting to access .env file",
"/system/.env" => "Attempting to access .env file",
"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" => "Attempting to access vendor files: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
"/por/login_psw.csp" => "Trying to access admin login pages: /por/login_psw.csp",
"/ui/login.php" => "Trying to access admin login pages: /ui/login.php",
"/cgi-bin/login.cgi?requestname=2&cmd=0" => "Trying to access admin login pages: /cgi-bin/login.cgi?requestname=2&cmd=0",
"/GponForm/diag_Form?images/" => "Odd Request, trying to access some sort of form: /GponForm/diag_Form?images/",
"//vendor/phpunit/phpunit/phpunit.xsd" => "Trying to access PHPUnit scripts: //vendor/phpunit/phpunit/phpunit.xsd",
"//web/wp-includes/wlwmanifest.xml" => "Attempting to access Wordpress wlwmanifest.xml file.",
"//wordpress/wp-includes/wlwmanifest.xml" => "Attempting to access Wordpress wlwmanifest.xml file.",
"//wp-includes/wlwmanifest.xml" => "Attempting to access Wordpress wlwmanifest.xml file.",
"//shop/wp-includes/wlwmanifest.xml" => "Attempting to access Wordpress wlwmanifest.xml file.",
"//cms/wp-includes/wlwmanifest.xml" => "Attempting to access Wordpress wlwmanifest.xml file.",
"//xmlrpc.php?rsd" => "Suspicous request; //xmlrpc.php?rsd",
"/manager/text/list" => "Trying to access admin files: /manager/text/list"
);
$url = $_SERVER["REQUEST_URI"];
if(isset($hacks[$url])){
$mes = "AUTOMATED REPORT: " . $hacks[$url];
}
if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];
if(isset($mes)){
$ip = $_SERVER['REMOTE_ADDR'];
$client = new GuzzleHttp\Client([
'base_uri' => 'https://api.abuseipdb.com/api/v2/'
]);
$response = $client->request('POST', 'report', [
'query' => [
'ip' => "${ip}",
'categories' => '15',
'comment' => "${mes}"
],
'headers' => [
'Accept' => 'application/json',
'Key' => "your api key here"
],
]);
$output = $response->getBody();
// Store response as a PHP object.
$ipDetails = json_decode($output, true);
die("Attemped to access blacklisted page, this has been logged.");
}else{
header("Location: /request-error?code=404");
die();
}
This script is an array of common hacked pages and messages to report if a request to any one of the pages is made. Upon a request to any of these pages, a report will be made to the abuseIPDB. Pat yourself on the back, you just helped other website owners block bad requests!
