techtalk.cc, 2021-12-13 23:00 »

:sick: :sick: :sick:

Code:

2021-05-16 06:58:30 185.202.1.78
2021-05-16 06:58:30 185.202.1.213
2021-05-16 06:58:30 194.61.55.130
2021-05-16 06:58:30 185.202.2.18
2021-05-16 06:58:30 185.202.2.111
2021-05-16 06:58:30 91.220.163.140
2021-05-16 06:58:30 194.61.55.57
2021-05-16 06:58:30 194.61.55.94
2021-05-16 06:58:30 185.202.1.81
2021-05-16 06:58:30 185.202.1.73
2021-05-16 06:58:30 185.202.2.190
2021-05-16 06:58:30 185.202.2.36
2021-05-16 06:58:30 185.153.199.105
2021-05-16 06:58:30 104.243.38.48
2021-05-16 06:58:30 87.251.67.175
2021-05-16 06:58:30 87.251.75.21
2021-05-16 06:58:30 80.66.88.20
2021-05-16 06:58:30 80.66.76.10
2021-05-16 11:14:38 194.61.54.217
2021-05-16 11:30:46 185.202.2.139
2021-05-16 12:32:46 194.61.54.80
2021-05-16 14:31:27 194.61.55.43
2021-05-16 18:22:54 185.202.1.175
2021-05-16 20:51:04 185.202.2.32
2021-05-16 22:51:25 185.202.2.71
2021-05-17 04:27:40 185.202.1.79
2021-05-17 04:42:47 185.202.1.80
2021-05-17 06:06:20 91.220.163.160
2021-05-17 07:48:00 185.202.2.17
2021-05-17 08:31:23 185.202.2.29
2021-05-17 11:40:17 194.61.54.115
2021-05-17 14:34:03 45.141.87.59
2021-05-17 15:29:53 185.202.1.82
2021-05-19 12:48:19 91.241.19.136
2021-05-19 17:58:58 91.241.19.103
2021-05-20 00:36:45 185.202.2.23
2021-05-20 01:25:06 45.155.205.60
2021-05-24 04:59:41 45.227.255.228
2021-05-24 14:43:56 45.146.166.131
2021-05-26 13:07:09 91.241.19.191
2021-05-26 13:47:09 193.32.164.18
2021-05-27 08:47:25 193.32.164.51
2021-05-28 11:23:20 45.93.201.129
2021-05-28 11:26:38 45.146.164.25
2021-06-02 09:05:23 194.26.29.31
2021-06-02 22:41:58 212.73.146.202
2021-06-04 06:11:39 193.32.164.50
2021-06-06 17:44:20 87.251.67.156
2021-06-07 13:29:36 89.248.165.106
2021-06-08 09:03:06 45.146.164.150
2021-06-08 15:10:47 94.232.46.213
2021-06-09 15:27:09 91.241.19.60
2021-06-10 09:39:04 45.93.201.99
2021-06-10 16:03:23 27.50.81.123
2021-06-10 23:02:38 103.65.183.172
2021-06-11 18:35:09 27.50.81.123
2021-06-13 08:49:21 91.241.19.109
2021-06-16 23:28:19 185.156.72.10
2021-06-17 00:19:48 95.141.198.235
2021-06-17 00:19:57 95.141.198.234
2021-06-17 00:20:20 185.156.72.12
2021-06-17 00:20:31 95.141.198.236
2021-06-18 13:44:26 185.156.72.2
2021-07-07 04:54:33 94.232.43.63
2021-07-07 08:51:27 94.232.43.60
2021-07-07 09:09:40 94.232.43.61
2021-07-07 10:39:04 94.232.43.67
2021-07-07 13:17:03 94.232.43.64
2021-07-07 15:10:46 94.232.43.62
2021-07-07 16:17:49 94.232.43.65
2021-08-04 11:56:49 45.146.166.26
2021-08-08 18:56:46 91.241.19.157
2021-08-10 05:39:12 91.241.19.119
2021-08-13 23:21:38 45.134.26.157
2021-08-15 10:00:23 185.219.52.72
2021-08-19 06:10:26 45.134.26.246
2021-08-21 21:57:26 45.134.26.245
2021-08-22 15:35:55 87.251.70.129
2021-08-22 15:35:55 91.220.163.20
2021-08-26 08:01:55 91.241.19.155
2021-08-29 07:18:09 94.102.51.31
2021-08-30 18:48:30 45.93.201.97
2021-09-02 19:35:57 45.146.166.156
2021-09-02 19:38:26 185.191.34.216
2021-09-02 19:46:00 45.9.20.43
2021-09-04 06:10:37 89.248.165.9
2021-09-05 02:58:48 45.146.167.97
2021-09-05 02:59:55 45.135.232.53
2021-09-05 03:24:51 45.145.64.67
2021-09-06 14:42:15 45.155.204.170
2021-09-06 14:45:59 45.155.204.171
2021-09-06 14:55:18 45.155.204.172
2021-09-06 14:59:15 45.155.204.173
2021-09-16 11:23:29 45.93.201.98
2021-09-25 04:54:27 94.232.42.14
2021-09-26 18:16:19 194.38.20.149
2021-09-26 18:23:51 185.193.88.164
2021-09-26 18:24:11 185.193.88.161
2021-09-26 18:24:25 185.193.88.165
2021-09-26 18:24:25 185.193.88.163
2021-09-26 18:24:25 185.193.88.162
2021-09-28 03:52:30 94.232.42.15
2021-09-28 03:52:43 94.232.43.15
2021-09-28 03:55:35 94.232.42.23
2021-09-28 04:00:06 94.232.42.96
2021-09-28 04:02:05 94.232.43.10
2021-09-28 04:08:40 94.232.42.105
2021-09-28 04:09:18 94.232.43.33
2021-09-28 04:16:49 94.232.43.32
2021-09-28 04:18:17 94.232.41.27
2021-09-28 04:19:50 94.232.43.34
2021-09-28 04:34:51 94.232.43.31
2021-09-28 13:06:45 94.232.44.12
2021-09-28 22:16:59 87.251.64.140
2021-09-29 02:43:47 94.232.42.95
2021-09-29 03:26:49 94.232.43.14
2021-09-29 03:39:08 94.232.44.11
2021-09-29 14:53:13 94.232.44.10
2021-10-07 02:04:34 45.93.201.100
2021-10-17 23:29:25 89.248.168.226
2021-10-18 17:45:51 45.227.254.118
2021-10-18 18:06:50 80.94.93.10
2021-10-19 01:26:24 45.9.20.83
2021-10-21 16:51:58 94.232.42.104
2021-10-21 22:35:45 87.251.64.160
2021-10-27 10:25:38 94.232.43.68
2021-11-05 08:05:00 193.32.164.16
2021-11-18 03:40:52 194.165.16.10
2021-11-19 12:16:59 193.32.164.28
2021-11-21 08:18:17 77.83.36.30
2021-11-21 08:23:14 77.83.36.31
2021-11-21 08:34:36 77.83.36.42
2021-12-03 04:44:15 193.56.146.208
2021-12-04 06:37:27 194.165.16.78
2021-12-05 03:03:23 194.165.16.72
2021-12-05 03:07:44 194.165.16.73
2021-12-05 03:22:44 194.165.16.37
2021-12-05 04:07:29 45.227.254.55
2021-12-05 04:42:11 194.165.16.77
2021-12-05 04:56:32 45.227.254.56
2021-12-05 05:23:40 45.227.254.48
2021-12-05 05:59:29 194.165.16.71
2021-12-05 06:00:01 194.165.16.75
2021-12-05 06:27:49 194.165.16.76
2021-12-05 06:30:30 45.227.254.54
2021-12-09 11:51:39 193.56.146.191
2021-12-09 18:57:26 45.227.254.26
2021-12-09 23:09:26 45.227.254.10
2021-12-10 00:50:55 45.227.254.51
2021-12-11 05:13:51 45.227.254.53
2021-12-11 14:08:13 194.165.16.11
2021-12-11 17:02:41 31.43.185.6

!, 2021-06-13 17:08 »

What a joke, Windows firewall doesn't block the IPs after the rule gets around ~50 IPs in the list I think. lol.... I had to create a second rule after the first one filled up or something. I'm not 100% sure but there was an IP around 55 and it still kept hitting the server trying to login even though it was in the IP block list of the firewall. I don't have a computer so I can't really look into this in detail.
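Two checks that fit the problem in the post above, as an added example that is not part of the thread (nor of the serverfault script it uses): Test-AddressBlocked reads the address filter back from the firewall to show whether a given IP is really covered by an enabled inbound block rule, and Split-BlockList keeps each rule's address list at or below a chosen size by spreading entries over BlockAttackers-1, -2, and so on, which is what the poster did by hand. The default of 50 per rule is the thread's observation, not a documented Windows Firewall limit; the rule prefix, the log path and the Import-BlockedLog helper (which reads the date/time/IP lines posted in the thread) are assumptions.

```powershell
# Added example, not from the thread: verify a block and split a long list over several rules.
# Rule prefix, log path and the 50-per-rule default are assumptions (50 is the thread's observation).

function Import-BlockedLog {
    param([string]$Path)
    # Lines look like '2021-05-16 06:58:30 185.202.1.78' (the format posted in the thread)
    Get-Content -Path $Path | ForEach-Object {
        if ($_ -match '^\S+\s+\S+\s+(?<ip>\S+)\s*$') { $Matches.ip }
    }
}

function Test-AddressBlocked {
    param([Parameter(Mandatory)][string]$Ip, [string]$RulePrefix = 'BlockAttackers')
    # Only rules that can actually drop traffic count: enabled, inbound, action Block
    $rules = Get-NetFirewallRule -DisplayName "$RulePrefix*" -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $addrs = @(($r | Get-NetFirewallAddressFilter).RemoteAddress)
        # The filter may hold the bare IP or a host/mask form, depending on how it was written
        if ($addrs -contains $Ip -or $addrs -contains "$Ip/255.255.255.255" -or $addrs -contains "$Ip/32") {
            # Profile matters: a rule scoped to Domain does nothing on a NIC sitting in the Public profile
            return [pscustomobject]@{ Ip = $Ip; Blocked = $true; Rule = $r.DisplayName; Profile = $r.Profile }
        }
    }
    [pscustomobject]@{ Ip = $Ip; Blocked = $false; Rule = $null; Profile = $null }
}

function Split-BlockList {
    param([string[]]$Ips, [string]$RulePrefix = 'BlockAttackers', [int]$MaxPerRule = 50)
    # Dedupe and keep only plain IPv4 literals ('-' from local logons, blank lines, etc. are dropped)
    $clean  = @($Ips | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } | Sort-Object -Unique)
    $chunks = [math]::Ceiling($clean.Count / $MaxPerRule)
    for ($i = 0; $i -lt $chunks; $i++) {
        $name  = '{0}-{1}' -f $RulePrefix, ($i + 1)
        $last  = [math]::Min(($i + 1) * $MaxPerRule, $clean.Count) - 1
        $slice = @($clean[($i * $MaxPerRule)..$last])
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            # Replace the list wholesale; the slice is never empty here, so the rule cannot
            # fall back to RemoteAddress 'Any' (which on a Block rule would block everything inbound)
            Set-NetFirewallRule -DisplayName $name -RemoteAddress $slice
        } else {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block -Profile Any -RemoteAddress $slice | Out-Null
        }
        '{0}: {1} addresses' -f $name, $slice.Count
    }
}

# Usage (paths assumed): rebuild the rules from the log, then verify one entry from the thread's list
#   Split-BlockList -Ips (Import-BlockedLog 'C:\Scripts\blocked.txt')
#   Test-AddressBlocked -Ip '185.202.1.78'
```

If Test-AddressBlocked reports Blocked = $true and 4625 events from that address still arrive, the usual things to compare are the rule's Profile against the profile the network adapter is actually in, and whether a more specific Allow rule for RDP is matching first.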

techtalk.cc, 2021-06-11 16:32 »

:sick: :sick: :sick:

Code:

2021-05-16 06:58:30 185.202.1.78
2021-05-16 06:58:30 185.202.1.213
2021-05-16 06:58:30 194.61.55.130
2021-05-16 06:58:30 185.202.2.18
2021-05-16 06:58:30 185.202.2.111
2021-05-16 06:58:30 91.220.163.140
2021-05-16 06:58:30 194.61.55.57
2021-05-16 06:58:30 194.61.55.94
2021-05-16 06:58:30 185.202.1.81
2021-05-16 06:58:30 185.202.1.73
2021-05-16 06:58:30 185.202.2.190
2021-05-16 06:58:30 185.202.2.36
2021-05-16 06:58:30 185.153.199.105
2021-05-16 06:58:30 104.243.38.48
2021-05-16 06:58:30 87.251.67.175
2021-05-16 06:58:30 87.251.75.21
2021-05-16 06:58:30 80.66.88.20
2021-05-16 06:58:30 80.66.76.10
2021-05-16 11:14:38 194.61.54.217
2021-05-16 11:30:46 185.202.2.139
2021-05-16 12:32:46 194.61.54.80
2021-05-16 14:31:27 194.61.55.43
2021-05-16 18:22:54 185.202.1.175
2021-05-16 20:51:04 185.202.2.32
2021-05-16 22:51:25 185.202.2.71
2021-05-17 04:27:40 185.202.1.79
2021-05-17 04:42:47 185.202.1.80
2021-05-17 06:06:20 91.220.163.160
2021-05-17 07:48:00 185.202.2.17
2021-05-17 08:31:23 185.202.2.29
2021-05-17 11:40:17 194.61.54.115
2021-05-17 14:34:03 45.141.87.59
2021-05-17 15:29:53 185.202.1.82
2021-05-19 12:48:19 91.241.19.136
2021-05-19 17:58:58 91.241.19.103
2021-05-20 00:36:45 185.202.2.23
2021-05-20 01:25:06 45.155.205.60
2021-05-24 04:59:41 45.227.255.228
2021-05-24 14:43:56 45.146.166.131
2021-05-26 13:07:09 91.241.19.191
2021-05-26 13:47:09 193.32.164.18
2021-05-27 08:47:25 193.32.164.51
2021-05-28 11:23:20 45.93.201.129
2021-05-28 11:26:38 45.146.164.25
2021-06-02 09:05:23 194.26.29.31
2021-06-02 22:41:58 212.73.146.202
2021-06-04 06:11:39 193.32.164.50
2021-06-06 17:44:20 87.251.67.156
2021-06-07 13:29:36 89.248.165.106
2021-06-08 09:03:06 45.146.164.150
2021-06-08 15:10:47 94.232.46.213
2021-06-09 15:27:09 91.241.19.60
2021-06-10 09:39:04 45.93.201.99
2021-06-10 16:03:23 27.50.81.123
2021-06-10 23:02:38 103.65.183.172

techtalk.cc, 2021-05-29 16:42 »

:sick: :sick: :sick:
2021-05-16 06:58:30 185.202.1.78
2021-05-16 06:58:30 185.202.1.213
2021-05-16 06:58:30 194.61.55.130
2021-05-16 06:58:30 185.202.2.18
2021-05-16 06:58:30 185.202.2.111
2021-05-16 06:58:30 91.220.163.140
2021-05-16 06:58:30 194.61.55.57
2021-05-16 06:58:30 194.61.55.94
2021-05-16 06:58:30 185.202.1.81
2021-05-16 06:58:30 185.202.1.73
2021-05-16 06:58:30 185.202.2.190
2021-05-16 06:58:30 185.202.2.36
2021-05-16 06:58:30 185.153.199.105
2021-05-16 06:58:30 104.243.38.48
2021-05-16 06:58:30 87.251.67.175
2021-05-16 06:58:30 87.251.75.21
2021-05-16 06:58:30 80.66.88.20
2021-05-16 06:58:30 80.66.76.10
2021-05-16 11:14:38 194.61.54.217
2021-05-16 11:30:46 185.202.2.139
2021-05-16 12:32:46 194.61.54.80
2021-05-16 14:31:27 194.61.55.43
2021-05-16 18:22:54 185.202.1.175
2021-05-16 20:51:04 185.202.2.32
2021-05-16 22:51:25 185.202.2.71
2021-05-17 04:27:40 185.202.1.79
2021-05-17 04:42:47 185.202.1.80
2021-05-17 06:06:20 91.220.163.160
2021-05-17 07:48:00 185.202.2.17
2021-05-17 08:31:23 185.202.2.29
2021-05-17 11:40:17 194.61.54.115
2021-05-17 14:34:03 45.141.87.59
2021-05-17 15:29:53 185.202.1.82
2021-05-19 12:48:19 91.241.19.136
2021-05-19 17:58:58 91.241.19.103
2021-05-20 00:36:45 185.202.2.23
2021-05-20 01:25:06 45.155.205.60
2021-05-24 04:59:41 45.227.255.228
2021-05-24 14:43:56 45.146.166.131
2021-05-26 13:07:09 91.241.19.191
2021-05-26 13:47:09 193.32.164.18
2021-05-27 08:47:25 193.32.164.51
2021-05-28 11:23:20 45.93.201.129
2021-05-28 11:26:38 45.146.164.25
:sick: :sick: :sick:

techtalk.cc, 2021-05-20 23:54 »

:sick: :sick: :sick:
2021-05-16 06:58:30 185.202.1.78
2021-05-16 06:58:30 185.202.1.213
2021-05-16 06:58:30 194.61.55.130
2021-05-16 06:58:30 185.202.2.18
2021-05-16 06:58:30 185.202.2.111
2021-05-16 06:58:30 91.220.163.140
2021-05-16 06:58:30 194.61.55.57
2021-05-16 06:58:30 194.61.55.94
2021-05-16 06:58:30 185.202.1.81
2021-05-16 06:58:30 185.202.1.73
2021-05-16 06:58:30 185.202.2.190
2021-05-16 06:58:30 185.202.2.36
2021-05-16 06:58:30 185.153.199.105
2021-05-16 06:58:30 104.243.38.48
2021-05-16 06:58:30 87.251.67.175
2021-05-16 06:58:30 87.251.75.21
2021-05-16 06:58:30 80.66.88.20
2021-05-16 06:58:30 80.66.76.10
2021-05-16 11:14:38 194.61.54.217
2021-05-16 11:30:46 185.202.2.139
2021-05-16 12:32:46 194.61.54.80
2021-05-16 14:31:27 194.61.55.43
2021-05-16 18:22:54 185.202.1.175
2021-05-16 20:51:04 185.202.2.32
2021-05-16 22:51:25 185.202.2.71
2021-05-17 04:27:40 185.202.1.79
2021-05-17 04:42:47 185.202.1.80
2021-05-17 06:06:20 91.220.163.160
2021-05-17 07:48:00 185.202.2.17
2021-05-17 08:31:23 185.202.2.29
2021-05-17 11:40:17 194.61.54.115
2021-05-17 14:34:03 45.141.87.59
2021-05-17 15:29:53 185.202.1.82
2021-05-19 12:48:19 91.241.19.136
2021-05-19 17:58:58 91.241.19.103
2021-05-20 00:36:45 185.202.2.23
2021-05-20 01:25:06 45.155.205.60
:sick: :sick: :sick:

!, 2021-05-18 23:04 »

There was an IP from Russia that did a "test" login, to see if it is active, after that, a lot of login tries started from Europe, probably infected servers that are controlled by this person. I don't remember the IP though, can't be bothered to save this stuff without a computer. So far I added ~33 IPs in the firewall block list, they seem to have stopped. Probably will be seeing another "test" login soon. :sick: :mrgreen: :mrgreen:

!, 2021-05-16 21:05 »

Hahaha this works great! Although, it seems that the event triggers late, so each IP manages to get a few tries in the first few seconds but should be fine.
[Attachment: Screenshot_20210516-210345~2.png]

!, 2021-05-16 02:39 »

This script is so cool! I set it to block on the first failed login try. I'll probably catch a looot of infected IPs now in this list. Too bad the Windows log doesn't go back more than 30 days I think. This removed such a big headache from me. :sick:

!, 2021-05-16 02:20 »

! wrote (2021-05-16 02:00):
! wrote (2021-05-16 01:53):
! wrote (2021-05-16 00:57):
! wrote (2021-05-15 21:18):
https://serverfault.com/questions/23322 ... pts/397637

The file log doesn't seem to work but meh, I'm giving it a try. I ran it manually and it seemed to work! It added the IPs to the firewall block rule! Very cool! Hopefully it will work when the event triggers it too. I cleared all the IPs, but I altered it so that it will add on the first failed RDP login attempt, should be good.

Code:

#Checks for IP addresses that used incorrect password more than 10 times
#within 24 hours and blocks them using a firewall rule 'BlockAttackers'

#Check only last 24 hours
$DT = [DateTime]::Now.AddHours(-24)

#Select IP addresses that have an audit failure (event 4625; IpAddress is the
#second-to-last replacement string, right before IpPort)
$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]} }

#Get IP addresses that have more than 10 wrong logins
$g = $l | Group-Object -Property IpAddress | Where-Object {$_.Count -gt 10} | Select-Object -Property Name

#Get firewall object
$fw = New-Object -ComObject hnetcfg.fwpolicy2

#Get firewall rule named 'BlockAttackers' (must be created manually)
$ar = $fw.rules | Where-Object {$_.name -eq 'BlockAttackers'}

#Split the existing IPs into an array so we can search it for existing IPs
#(the COM API reports a single host as 'a.b.c.d/255.255.255.255')
$arRemote = $ar.RemoteAddresses -split(',')

#Only collect IPs that aren't already in the firewall rule ('-' and empty
#values come from local or non-network logons and have length 1 or 0)
$w = $g | Where-Object {$_.Name.Length -gt 1 -and !($arRemote -contains $_.Name + '/255.255.255.255') }

#Add the new IPs to firewall rule ('*' means the rule has no addresses yet)
$w | ForEach-Object {
  if ($ar.RemoteAddresses -eq '*') {
    $ar.RemoteAddresses = $_.Name
  } else {
    $ar.RemoteAddresses += ',' + $_.Name
  }
}

#Write to logfile. The original '-gt 1' skipped the log whenever exactly one new
#IP was added, and a relative path ends up in the scheduled task's working
#directory rather than next to the script; use -gt 0 and the script's folder
$LogDir = if ($PSScriptRoot) { $PSScriptRoot } else { $PWD.Path }
$LogFile = Join-Path $LogDir 'blocked.txt'
if (@($w).Length -gt 0) {
  $w | ForEach-Object {(Get-Date).ToString() + ' ' + $_.Name >> $LogFile}
}
[Attachments: gMqD3.jpg, vxbEK.jpg, Screenshot_20210516-005423~2.png]
Log: Security.
Source: Microsoft Windows security auditing.

That's how it should be I think. It didn't trigger so I adjusted it this way. Now it should work. Waiting for new login attempts now.
The task triggered now but the .PS1 file didn't run. Trying to execute it this way instead of directly pointing to the file:

[Attachment: Screenshot_20210516-015031~2.png]
Didn't run. Trying to put the command in a .BAT file instead. I think I locked Windows to not allow running .PS1 files. The task itself triggers fine though.
Cool! It works now! :thumbup: :clap: :smile:
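The same event 4625 to firewall block idea, rewritten as an added example that is not the thread's script or its serverfault source: Get-WinEvent with a server-side filter instead of Get-EventLog, the IpAddress field read from the event XML by name rather than by position, the NetSecurity cmdlets instead of the hnetcfg COM object (so there is no '/255.255.255.255' quirk to match against), an absolute log path, and a Register-BlockTask function that creates the event-triggered scheduled task from PowerShell with -ExecutionPolicy Bypass on the command line, which is the problem the .BAT wrapper above works around. The rule name, threshold, lookback, log path, allow list, task name and script path are all assumptions.

```powershell
# Added example (not the script from the thread or its serverfault source): the same
# event 4625 -> firewall block idea written with Get-WinEvent and the NetSecurity
# cmdlets, plus a function that registers the event-triggered task from PowerShell.
# Rule name, thresholds, log path, allow list, task name and script path are assumptions.
[CmdletBinding()]
param(
    [string]$RuleName  = 'BlockAttackers',          # assumed; created on first use if missing
    [int]   $Threshold = 1,                         # failed logons before blocking (the thread uses 1)
    [int]   $Lookback  = 24,                        # hours of Security log to examine
    [string]$LogPath   = 'C:\Scripts\blocked.txt',  # absolute: a task's working dir is not the script's
    [string[]]$AllowList = @('127.0.0.1', '::1')    # never block these; add your own management subnet
)

function Get-FailedLogonSources {
    param([int]$Hours, [int]$MinCount, [string[]]$Skip)
    $since  = (Get-Date).AddHours(-$Hours)
    # FilterHashtable is applied by the event log service, far cheaper than Get-EventLog + Where-Object
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
    $ips = foreach ($e in $events) {
        # Read IpAddress from EventData by name instead of relying on its position in ReplacementStrings
        $xml = [xml]$e.ToXml()
        $ip  = $xml.SelectSingleNode("//*[local-name()='Data' and @Name='IpAddress']").InnerText
        # '-' marks a local or non-network logon; blocking it or a loopback address makes no sense
        if ($ip -and $ip -ne '-' -and $ip -notin $Skip) { $ip }
    }
    @($ips | Group-Object | Where-Object { $_.Count -ge $MinCount } | ForEach-Object { $_.Name })
}

function Add-BlockedAddresses {
    param([string]$Name, [string[]]$NewIps)
    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if (-not $rule) {
        # Inbound block on every profile. Create it with addresses already attached: a Block rule
        # whose remote address is 'Any' would cut off all inbound traffic to the host.
        New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Block -Profile Any -RemoteAddress $NewIps | Out-Null
        return $NewIps
    }
    $current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) | Where-Object { $_ -ne 'Any' }
    $toAdd   = @($NewIps | Where-Object { $_ -notin $current })
    if ($toAdd.Count -gt 0) {
        Set-NetFirewallRule -DisplayName $Name -RemoteAddress (@($current) + $toAdd)
    }
    return $toAdd
}

function Register-BlockTask {
    param([string]$ScriptPath, [string]$TaskName = 'BlockAttackers')   # assumed names
    # The scheduled-task cmdlets have no "on event" trigger switch, so build the
    # MSFT_TaskEventTrigger CIM instance with an Event Viewer style XPath subscription.
    $class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Enabled      = $true
    $trigger.Subscription = '<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[EventID=4625]]</Select></Query></QueryList>'
    # -ExecutionPolicy Bypass is what the .BAT wrapper in the thread works around; -NoProfile
    # shortens startup, which matters because the block only lands after the task has run.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Principal $principal -Force
}

# Normal run (what the task executes): find offenders, extend the rule, log in the
# same 'yyyy-MM-dd HH:mm:ss ip' form as the lists posted in the thread.
$offenders = Get-FailedLogonSources -Hours $Lookback -MinCount $Threshold -Skip $AllowList
if ($offenders.Count -gt 0) {
    foreach ($ip in (Add-BlockedAddresses -Name $RuleName -NewIps $offenders)) {
        '{0} {1}' -f (Get-Date).ToString('yyyy-MM-dd HH:mm:ss'), $ip | Add-Content -Path $LogPath
    }
}
# One-time setup, run from an elevated prompt after saving this file (path is an assumption):
#   . .\Block-RdpAttackers.ps1; Register-BlockTask -ScriptPath 'C:\Scripts\Block-RdpAttackers.ps1'
```

The delay noted earlier in the thread (each address gets a few attempts in before the block lands) is inherent to the design: the task starts only after the 4625 event has been written, and the rule change takes effect only once the script has run, so a lower threshold shortens the window but cannot remove it.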
