198.100.145.105 - - [12/Jul/2020:03:55:34 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 580 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
198.100.145.105 - - [12/Jul/2020:03:55:34 +0000] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%
...

WEB server attack.

Hacking Attempt (Website Honeypot)

Hacking Attempt (Website Honeypot)

198.100.145.89 - - [03/Sep/2020:14:29:15 +0200] "GET /wp-login.php HTTP/1.1" 200 9040 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - [03/Sep/2020:14:29:16 +0200] "POST /wp-login.php HTTP/1.1" 200 9291 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - [03/Sep/2020:14:29:17 +0200] "POST /xmlrpc.php HTTP/1.1" 200 427 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

198.100.145.89 - - [03/Sep/2020:03:58:19 +0100] "POST /wp-login.php HTTP/1.1" 200 1874 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - [03/Sep/2020:03:58:20 +0100] "POST /wp-login.php HTTP/1.1" 200 1858 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - [03/Sep/2020:03:58:22 +0100] "POST /wp-login.php HTTP/1.1" 200 1856 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
...

198.100.145.89 - - [02/Sep/2020:22:10:04 +0200] "GET /wp-login.php HTTP/1.1" 200 9040 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - [02/Sep/2020:22:10:06 +0200] "POST /wp-login.php HTTP/1.1" 200 9291 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - [02/Sep/2020:22:10:07 +0200] "POST /xmlrpc.php HTTP/1.1" 200 427 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

198.100.145.89 - - \[30/Aug/2020:08:47:46 +0200\] "POST /wp-login.php HTTP/1.0" 200 6528 "-" "Mozilla/5.0 \(X11\; Ubuntu\; Linux x86_64\; rv:62.0\) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - \[30/Aug/2020:08:47:49 +0200\] "POST /wp-login.php HTTP/1.0" 200 6347 "-" "Mozilla/5.0 \(X11\; Ubuntu\; Linux x86_64\; rv:62.0\) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - \[30/Aug/2020:08:47:51 +0200\] "POST /wp-login.php HTTP/1.0" 200 6351 "-" "Mozilla/5.0 \(X11\; Ubuntu\; Linux x86_64\; rv:62.0\) Gecko/20100101 Firefox/62.0"

Attempt to hack Wordpress Login, XMLRPC or other login

198.100.145.89 - - [16/Aug/2020:14:37:13 +0100] "POST /wp-login.php HTTP/1.1" 200 2132 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - [16/Aug/2020:14:37:14 +0100] "POST /wp-login.php HTTP/1.1" 200 2127 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - [16/Aug/2020:14:37:16 +0100] "POST /wp-login.php HTTP/1.1" 200 2094 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
...

198.100.145.89 - - [16/Aug/2020:04:58:15 +0100] "POST /wp-login.php HTTP/1.1" 200 1996 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - [16/Aug/2020:04:58:16 +0100] "POST /wp-login.php HTTP/1.1" 200 1929 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - [16/Aug/2020:04:58:16 +0100] "POST /xmlrpc.php HTTP/1.1" 403 219 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
...

198.100.145.89 - - [10/Aug/2020:08:17:22 +0200] "blog.ruhnke.cloud" "POST /wp-login.php HTTP/1.1" 200 4994 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "-"
...

198.100.145.89 - - [09/Aug/2020:01:30:33 +0200] "GET /wp-login.php HTTP/1.1" 200 6310 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - [09/Aug/2020:01:30:34 +0200] "POST /wp-login.php HTTP/1.1" 200 6627 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - [09/Aug/2020:01:30:36 +0200] "POST /xmlrpc.php HTTP/1.1" 200 427 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

C1,DEF GET /wp-login.php

198.100.145.89 - - [07/Aug/2020:19:59:43 +0100] "POST /wp-login.php HTTP/1.1" 200 2121 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - [07/Aug/2020:19:59:44 +0100] "POST /wp-login.php HTTP/1.1" 200 2091 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - [07/Aug/2020:19:59:46 +0100] "POST /wp-login.php HTTP/1.1" 200 2092 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
...

198.100.145.89 - - [06/Aug/2020:20:28:03 +0100] "POST /wp-login.php HTTP/1.1" 200 2178 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - [06/Aug/2020:20:28:05 +0100] "POST /wp-login.php HTTP/1.1" 200 2154 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.100.145.89 - - [06/Aug/2020:20:28:06 +0100] "POST /xmlrpc.php HTTP/1.1" 403 219 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
...

2020-07-07T13:34:43.167926mail.csmailer.org sshd[9164]: Failed password for root from 193.112.156.65 port 50856 ssh2
2020-07-07T13:37:58.597157mail.csmailer.org sshd[9334]: Invalid user swb from 193.112.156.65 port 58924
2020-07-07T13:37:58.601714mail.csmailer.org sshd[9334]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.112.156.65
2020-07-07T13:37:58.597157mail.csmailer.org sshd[9334]: Invalid user swb from 193.112.156.65 port 58924
2020-07-07T13:38:00.254498mail.csmailer.org sshd[9334]: Failed password for invalid user swb from 193.112.156.65 port 58924 ssh2
...

Jul  7 15:12:59 lnxweb61 sshd[1429]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.112.143.80

Jul  7 14:28:39 melroy-server sshd[32522]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=144.34.248.219 
Jul  7 14:28:41 melroy-server sshd[32522]: Failed password for invalid user import from 144.34.248.219 port 35734 ssh2
...

217.160.61.185 - - [07/Jul/2020:17:24:37 +0100] "POST //wp-login.php HTTP/1.1" 302 11 "https://www.silverfox.co.uk//wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
217.160.61.185 - - [07/Jul/2020:17:24:43 +0100] "POST //wp-login.php HTTP/1.1" 302 11 "https://www.silverfox.co.uk//wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
217.160.61.185 - - [07/Jul/2020:17:24:46 +0100] "POST //wp-login.php HTTP/1.1" 302 11 "https://www.silverfox.co.uk//wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
...

0,20-02/03 [bc02/m186] PostRequest-Spammer scoring: berlin

Jul  7 16:59:58 gw1 sshd[29197]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.50.135.171
Jul  7 17:00:00 gw1 sshd[29197]: Failed password for invalid user ofbiz from 147.50.135.171 port 49444 ssh2
...

Jul  7 12:58:45 ajax sshd[12660]: Failed password for root from 118.25.36.79 port 34452 ssh2

14.192.213.244 - - [07/Jul/2020:15:32:49 +0100] "POST /xmlrpc.php HTTP/1.1" 403 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
14.192.213.244 - - [07/Jul/2020:15:32:50 +0100] "POST /wp-login.php HTTP/1.1" 200 5808 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
14.192.213.244 - - [07/Jul/2020:15:51:35 +0100] "POST /xmlrpc.php HTTP/1.1" 403 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
...

178.88.254.76 - - [07/Jul/2020:12:59:06 +0100] "POST /wp-login.php HTTP/1.1" 200 2034 "http://wpeagleonepage.com/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10"
178.88.254.76 - - [07/Jul/2020:12:59:09 +0100] "POST /wp-login.php HTTP/1.1" 200 1991 "http://wpeagleonepage.com/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10"
178.88.254.76 - - [07/Jul/2020:12:59:54 +0100] "POST /wp-login.php HTTP/1.1" 200 1991 "http://wpeagleonepage.com/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10"
...

Fail2Ban Ban Triggered

Jul  7 12:06:47 Tower sshd[43075]: Connection from 178.62.186.49 port 38752 on 192.168.10.220 port 22 rdomain ""
Jul  7 12:06:50 Tower sshd[43075]: Invalid user zhanggefei from 178.62.186.49 port 38752
Jul  7 12:06:50 Tower sshd[43075]: error: Could not get shadow information for NOUSER
Jul  7 12:06:50 Tower sshd[43075]: Failed password for invalid user zhanggefei from 178.62.186.49 port 38752 ssh2
Jul  7 12:06:50 Tower sshd[43075]: Received disconnect from 178.62.186.49 port 38752:11: Bye Bye [preauth]
Jul  7 12:06:50 Tower sshd[43075]: Disconnected from invalid user zhanggefei 178.62.186.49 port 38752 [preauth]

20/7/7@07:59:34: FAIL: Alarm-Network address from=95.56.246.2
20/7/7@07:59:34: FAIL: Alarm-Network address from=95.56.246.2
...

Jul  7 15:29:24 lnxded64 sshd[27449]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.12.36.3

192.99.5.94 - - [07/Jul/2020:17:04:30 +0100] "POST /wp-login.php HTTP/1.1" 200 5874 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36"
192.99.5.94 - - [07/Jul/2020:17:06:44 +0100] "POST /wp-login.php HTTP/1.1" 200 5874 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36"
192.99.5.94 - - [07/Jul/2020:17:08:49 +0100] "POST /wp-login.php HTTP/1.1" 200 5874 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36"
...

2020-07-07 16:37:38 auth_plain authenticator failed for (User) [212.70.149.3]: 535 Incorrect authentication data (set_id=everly@csmailer.org)
2020-07-07 16:38:01 auth_plain authenticator failed for (User) [212.70.149.3]: 535 Incorrect authentication data (set_id=evert@csmailer.org)
2020-07-07 16:38:23 auth_plain authenticator failed for (User) [212.70.149.3]: 535 Incorrect authentication data (set_id=evette@csmailer.org)
2020-07-07 16:38:46 auth_plain authenticator failed for (User) [212.70.149.3]: 535 Incorrect authentication data (set_id=evey@csmailer.org)
2020-07-07 16:39:08 auth_plain authenticator failed for (User) [212.70.149.3]: 535 Incorrect authentication data (set_id=evie@csmailer.org)
...