Most malicious IP lists focus on the client side threat, where servers (hosted or exploited) host client side exploits or evil scripting.
These don’t really help the server admins very much. Project Honeypot does an amazing job at keeping detailed information on scanners / harvesters and brute forcers, the likes of which are the daily enemy of said admins. They offer a service called HTTP Block List or ‘HTTP:BL’.
Another way this list differs from the rest is it isn’t a list you can download. Its a DNS service. Simply put, you submit a query, it gives an (A) record that looks something like ‘127.3.5.1’. Disregard the 127, but the rest of the details pertain to different details about the IP you requested. You can read the documentation here: http://www.projecthoneypot.org/httpbl_api.php for an explanation on exactly how it works, or you can read the code of the Metasploit module I wrote for it.
I wrote it in Metasploit for 2 reasons. 1) RangeWalker is awesome code, and allows you to query a list of IPs, a range, or a single IP with ease. 2) All of the other implementations of the API that they have listed are for CMSs (to actively block IPs that come back ‘bad’).
This will mostly come in useful for incident responders who are trying to get a bead on a bunch of hosts, or for web admins who want to pull the code out for an active blocking system of their own.
Here it is in action:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
msf auxiliary(httpbl_lookup) > info
Name: Http:BL lookup
Version: xxxx
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Rob Fuller
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
APIKEY xxxxxxxxxxxx yes Your HTTP:BL api key
RHOSTS 88.229.108.0/24 yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads
Description:
This module can be used to enumerate information about a IP
addresses from Project HoneyPot's HTTP Block List.
References:
link (<a href="http://www.projecthoneypot.org/httpbl_api.php">http://www.projecthoneypot.org/httpbl_api.php</a>)
msf auxiliary(httpbl_lookup) > run
[*]
[*] 88.229.108.0 resloves to 127.51.8.1 which means: Suspicious
[*] => it was last seen 51 day ago and has a threat score of 8 or 'less than 100 spam messages'
[*] => more info here: <a href="http://www.projecthoneypot.org/ip_88.229.108.0">http://www.projecthoneypot.org/ip_88.229.108.0</a>
[*]
[*] 88.229.108.1 resloves to 127.29.8.1 which means: Suspicious
[*] => it was last seen 29 day ago and has a threat score of 8 or 'less than 100 spam messages'
[*] => more info here: <a href="http://www.projecthoneypot.org/ip_88.229.108.1">http://www.projecthoneypot.org/ip_88.229.108.1</a>
[*]
[*] 88.229.108.2 resloves to 127.29.8.1 which means: Suspicious
[*] => it was last seen 29 day ago and has a threat score of 8 or 'less than 100 spam messages'
[*] => more info here: <a href="http://www.projecthoneypot.org/ip_88.229.108.2">http://www.projecthoneypot.org/ip_88.229.108.2</a>
[*]
[*] 88.229.108.254 resloves to 127.51.8.1 which means: Suspicious
[*] => it was last seen 51 day ago and has a threat score of 8 or 'less than 100 spam messages'
[*] => more info here: <a href="http://www.projecthoneypot.org/ip_88.229.108.254">http://www.projecthoneypot.org/ip_88.229.108.254</a>
[*]
[*] 88.229.108.255 resloves to 127.29.8.1 which means: Suspicious
[*] => it was last seen 29 day ago and has a threat score of 8 or 'less than 100 spam messages'
[*] => more info here: <a href="http://www.projecthoneypot.org/ip_88.229.108.255">http://www.projecthoneypot.org/ip_88.229.108.255</a>
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(httpbl_lookup) >
|
You can obtain the module here: https://github.com/mubix/stuff/blob/master/metasploit/httpbl_lookup.rb
Enjoy!