stoplist.tinyvz

# Basic stuff.
-- MARK --
^[:blank:]*$

# Cron.
CRON.*: session closed for user root
CRON.*: session opened for user root
CRON.*: session closed for user logbot
CRON.*: session opened for user logbot
CRON.*: (root) CMD (.* run-parts --report /etc/cron.hourly
CRON.*: (root) CMD (.* run-parts --report /etc/cron.daily
CRON.*: (root) CMD (.* run-parts --report /etc/cron.weekly
CRON.*: (root) CMD (.* run-parts --report /etc/cron.monthly
CRON.*: (logbot) CMD (/home/logbot/bin/ai.sh)

# eventbot cron job
09:00:0[0-2] .* CRON\[.* session opened for user eventbot
09:00:0[0-2] .* CRON\[.* (eventbot) CMD (\$HOME/ironhorse
09:[01][0-9]:[0-9][0-9] .* postfix/pickup\[.* from=<eventbot>
09:[01][0-9]:[0-9][0-9] .* postfix/qmgr\[.* from=<eventbot@eventarelli.com>
09:[01][0-9]:[0-9][0-9] .* CRON\[.* session closed for user eventbot

# Not sure why this comes out lower case sometimes.
cron.*: (root) RELOAD (crontabs/root)

#
# Commented out 12/21/2014, see how noisy they are.
#
# Don't notify when crontab changes.
# If cron runs something unexpected,
# we'll get emailed the CMD entry.
crontab.*: (root) LIST (.*)
#crontab.*: (root) BEGIN EDIT (root)
#crontab.*: (root) REPLACE (root)
#crontab.*: (root) END EDIT (root)
#crontab.*: (root) RELOAD (root)

# Swallow ansible messages.
ansible-[^:]*:

# ssh and su
sshd.*: Received disconnect from 24.*
sshd.*: Accepted publickey for root from 24.*
su.*: pam_unix(su:session): session opened for user .* by root(uid=0)
su.*: pam_unix(su:session): session closed for user .*
su.*: Successful su for .* by root
su.*: + /dev/pts/0 root:.*

# Postfix
# Really strict for now, hardly sending any mail.
postfix/anvil.*: statistics:
postfix/smtp.*: .* to=<mkbucc@gmail.com>.* status=sent (250 Great success)
postfix/qmgr.*: .*: removed
postfix/qmgr.*: .*: from=<root@eventarelli.com>.*
postfix/pickup.*: .* from=<root>
postfix/cleanup.*: .*: message-id=.*
:00:0[0-5].* postfix/pickup.* from=<logbot>
:00:0[0-5].* postfix/qmgr.* from=<logbot@eventarelli.com>,

# /var/log/udev
# There are no rules defined under /etc/udev/rules.d
# so I'm not sure why this was logged.
monitor will print the received events for:

# sshd logs this when pty > 999, per RedHat bug (from 2004!):
# https://bugzilla.redhat.com/show_bug.cgi?id=125589
syslogin_perform_logout: logout() returned an error

# dpkg
# This one is a tough one.
# The log entries are so short,
# you need to use broad regular expressions
# and then risk swallowing errors you want.
# Maybe skip package notifications entirely
# by adding dpkg.log to stopfiles
# and be happy with daemon restart messages.
# Leave in for now.
 status unpacked
update-alternatives: run with .*
status half-configured
status half-installed
startup packages configure
configure .* 436-1
trigproc
status triggers-pending
startup archives unpack
update-alternatives: link

# syslog-ng
syslog-ng.*: Configuration reload request received, reloading configuration;

# tmUnblock.cgi is a binary CGI executable in some Cisco/Linksys router
# that has multiple security holes that permit various attacks on the router.
GET /tmUnblock\.cgi HTTP/1\.1" 400

# Someone made an empty request to nginx.
# Both Chrome and Firefox open more than two
# simultaneous connections to a web site.
# If one of the connections is not needed to pull data,
# then you get 400 in access_log
# and "closed prematurely" in error_log.
#
# From http://it.randomthemes.com/2012/08/24/153/:
#
#       modern browsers open 2+ simultanious connections,
#       but some of them frequently not used for data
#       transfer, so nginx close them by timeout with
#       400 code at access.log
#
 "-" 400 0 "-" "-"
 "-" 400 "-" "-"
 " " 400 "-" "-" -
 "\\x00" 400 "-" "-" -
 "" 400 "-" "-" - -
client closed prematurely connection while reading client request line
client closed prematurely connection, so upstream connection is closed too .*\.php HTTP

# Wierd letter combinations like:
#GET /anan/ana/an\.php HTTP/1\.1" 404

# Someone testing if our server allows redirects.
# Nginx sometimes returns 200 and other times a 404,
# but we can distinguish by the number of bytes returned.
 2366 .* "GET http[^"]\+" 200
 740 .* "GET http[^"]\+" 404

# Raw SSL.
# TODO: fix nginx config.
# see http://stackoverflow.com/questions/21340235/reproducing-iis-reverse-proxy-config-with-nginx
\x00" 400 "-" "-"

# Exploit attempts.
# We don't allow HTTP tunneling.
CONNECT .* HTTP/1\.1" \(501\|400\)

# Checking if customers can log in?
GET /customer/account/login HTTP/1\.1" 40[04]

# Simply checking if we run php?
GET //index\.php HTTP/1\.1" 400


GET /.*/setup\.php HTTP/1\.1" 40[04]
GET /.*\.php HTTP/1.1" 404
GET /.*install/ HTTP/1\.1" 400
GET // HTTP/1.1" 400
GET //Net_work.xml HTTP/1\.1" 40[04]
GET /CFIDE/administrator/ HTTP/1\.1" 404
GET /HNAP1/ HTTP/1\.1" 40[04]
GET /actionnews/index/ HTTP/1\.1" 40[04]

# 499 is a status that is custom to Nginx.
# It signals that the client closed the connection
# before Nginx (the proxy, in my case) can respond.
# Definitely want to catch those for real pages,
# as it means the site is too slow.
# But for exploit attemps, we will ignore.
# (In this specific case, the client closed the connection
# immediately, based on the log entries.)
GET /admin/\(.*\.php\)\? HTTP/1\.[01]" \(400\|404\|499\)
GET /blog HTTP/1\.1" 40[04]

# To avoid nph-test-cgi 1997 vulneratbility,
# upgrade to Apache version 1.1.3 (!!)
# test-cgi is in a 1996 security advisory.
# http://www.iss.net/security_center/reference/vuln/http-cgi-nph.htm
GET //\?cgi-bin/nph-test-cgi HTTP/1\.1" 40[04]
GET //\?cgi-bin/test.cgi HTTP/1\.[01]" 40[04]

# php cgi remote code execution
GET //\?cgi-bin/php.* HTTP/1\.[01]" 40[04]
GET //?index.php
GET //\?local-bin/php.* HTTP/1\.[01]" 40[04]
POST //\?cgi-bin/php.* HTTP/1\.[01]" 40[04]

# morx.jsp: Zimbra file inclusion/Shell upload exploit
GET //\?downloads/morx.jsp HTTP/1\.1" 40[04]

GET /css/css HTTP/1.0" 40[04]
GET /drupal HTTP/1\.1" 40[04]
GET /joomla HTTP/1\.1" 40[04]
GET /manager/html HTTP/1\.[01]" 40[04]
GET /muieblackcat HTTP/1\.1" 40[04]

# Plesk (web control panel)
GET //\?phppath/.* HTTP/1\.[01]" 40[04]

# phpMyAdmin Code Injection
GET /[Pp]/[Mm]/[Aa].*/ HTTP/1\.1" 40[04]
GET /[Pp][Mm][Aa].*/ HTTP/1\.1" 40[04]
GET /[Pp][Hh][Pp]-\?[Mm][Yy]-\?[Aa][Dd][Mm][Ii][Nn].*/.* HTTP/1\.[01]" 40[04]
GET /MyAdmin/scripts/setup\.php HTTP/1\.1" \(400\|404\|499\)
GET /websql/ HTTP/1\.1" 40[04]
GET /sql/ HTTP/1\.1" 40[04]
GET /dbadmin/ HTTP/1\.1" 40[04]
GET /myadmin/ HTTP/1\.1" 40[04]
GET /mysql-admin/ HTTP/1\.1" 40[04]
GET /mysql/ HTTP/1\.1" 40[04]
GET /mysqladmin/ HTTP/1\.1" 40[04]
GET /mysqlmanager/ HTTP/1\.1" 40[04]
GET /sqlmanager/ HTTP/1\.1" 40[04]
GET /sqlweb/ HTTP/1\.1" 40[04]
GET /webadmin/ HTTP/1\.1" 40[04]
GET /webdb/ HTTP/1\.1" 40[04]
GET <title>phpMyAdmin HTTP/1\.1" 40[04]
"ZmEu"

# Looking if we run oscommerce.
GET /tag_products\.php.* HTTP/1\.[01]" 404

# Looking for Magento
GET /js/mage/cookies\.js HTTP/1\.[01]" 40[04]

GET /rom-0 HTTP/1\.[01]" 40[04]
GET /user/soapCaller\.bs HTTP/1\.1" 40[04]
GET /w00tw00t[^"]\+ HTTP/1.1" 404

# Wordpress
GET //\?wp-admin.* HTTP/1\.1" 40[04]
GET //\?wp-content/.* HTTP/1\.1" 404
GET //\?wp-login.* HTTP/1\.1" 40[04]
GET /wordpress HTTP/1\.1" 40[04]
GET /wp HTTP/1\.1" 40[04]
GET /xmlrpc.php?rsd=1 HTTP/1\.1" 40[04]


HEAD /rom-0 HTTP/1.1" 404
POST //%63%67.*" 400
POST /login\.action HTTP/1\.1" 404
recv() failed (104: Connection reset by peer) while sending to client,.*/cgi-bin/

# Not sure, probing?  No user agent.
GET / HTTP/1.1" 400 "-" "-"
GET  HTTP/1\.1" 400 "-" "-"

# The normal website pages.
GET / HTTP/1\.[01]" \(304\|200\)
GET /colorbrewer\.v1\.min\.js HTTP/1\.1" \(304\|200\)
GET /d3\.v3\.min\.js HTTP/1\.1" \(304\|200\)
GET /feedback/ HTTP/1\.1" \(304\|200\)
GET /forms\.css HTTP/1\.[01]" \(304\|200\)
GET /ma-counties\.json HTTP/1\.1" \(304\|200\)
GET /map\.js HTTP/1\.1" \(304\|200\)
GET /media_outlets/ HTTP/1\.1" \(304\|200\)
GET /reset\.css HTTP/1\.[01]" \(304\|200\)
GET /rhythm\.css HTTP/1\.[01]" \(304\|200\)
GET /style\.css HTTP/1\.[01]" \(304\|200\)
GET /submit/ HTTP/1.1" \(304\|200\)
GET /surf\.jpg HTTP/1\.[01]" \(304\|200\)
GET /topojson\.v1\.min\.js HTTP/1\.1" \(304\|200\)

# Normal website pages
# that went stale
# or otherwise are missing.
GET /[Ss]ite[Mm]ap\.xml HTTP/1\.[01]" 404
GET /[rR]obots\.txt HTTP/1\.[01]" 404
GET /api/chkdt HTTP/1\.[01]" 400
GET /back\.css HTTP/1\.[01]" 404
GET /blog/ HTTP/1\.[01]" 404
GET /css/style\.css HTTP/1\.[01]" 404
GET /favicon\.ico HTTP/1\.[01]" 404

# Netcraft and it's ilk.
HEAD / HTTP/1\.1" 200 .* Netcraft Web Server Survey
HEAD / HTTP/1\.0" 200 .* NetcraftSurveyAgent
HEAD / HTTP/1\.1" 200 .* DomainTunoCrawler
HEAD / HTTP/1\.1" 200 .* Gimme60bot

# Wierd. Not sure, probably some kind of scan.
HEAD / HTTP/1\.[01]" 200 "-" "-"
OPTIONS / HTTP/1\.1" 501

# Per his github page:
#	This is the fastest Internet port scanner.
#	It can scan the entire Internet in under 6 minutes,
#	 transmitting 10 million packets per second.
https://github.com/robertdavidgraham/masscan

# error_log - normal behavior.
client [0-9.]\+ closed keepalive connection
05:45:0[0-9] .* reopening logs

# read http://serverfault.com/questions/322415/securing-nginx-proxy
client sent HTTP/1.1 request without "Host" header
client sent invalid header line: "
client sent invalid \(method\|request\) while reading client request line
client timed out (110: Connection timed out) while reading client request