// todo: - Weight system using calculations
// - split reports into abuse and scanners
// - user settable confidence calculation and threshold
//Abuse confidence increase with:
// - > 10 %
// - > 10 /
// - HTTP 1.1
// - go / python / curl in agent
//
// fs supplies the file watcher; exec runs shell command strings, so nothing
// taken from the access log may be interpolated into a command passed to it.
const fs = require('fs'); const { exec } = require('child_process');
// The promise returned by this dynamic import is discarded, so the line does
// not bind a `fetch` identifier; the `fetch(...)` call further down resolves to
// whatever `fetch` is in global scope at runtime.
import("node-fetch")
// Access log that is watched for changes.
// NOTE(review): the `tail` command further down hard-codes this same path
// instead of using this constant; keep the two in sync.
const fileToWatch = '/etc/nginx/logs/access.log';
/**
 * Count the path-separator characters in a string.
 *
 * Despite the name, both backslashes and forward slashes are counted. The
 * total is written to the console before it is returned.
 *
 * @param {string} str - Text to scan (a log line in this file).
 * @returns {number} Number of `\` and `/` characters found.
 */
function checkForBackslash(str) {
  let separators = 0;
  for (const ch of str) {
    if (ch === '\\' || ch === '/') {
      separators += 1;
    }
  }
  console.log(separators);
  return separators;
}
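/**
 * Return the text between the first occurrence of `startSubstr` and the next
 * occurrence of `endSubstr` that follows it.
 *
 * The previous version added `startSubstr.length` to the result of `indexOf`
 * before testing it, so a missing start marker (-1) still passed the
 * `>= 0` check and an unrelated slice of the input was returned. The end
 * marker was also searched from the beginning of the string, so one that
 * appeared before the start marker produced a reversed slice. Both cases now
 * report "not found". This matters because the extracted values are used as
 * the IP address and User-Agent of an abuse report.
 *
 * @param {string} inputString - Text to search.
 * @param {string} startSubstr - Marker that precedes the wanted text.
 * @param {string} endSubstr - Marker that follows the wanted text.
 * @returns {string|undefined} The text between the markers, or `undefined`
 *   (after logging a message) when either marker is missing.
 */
function extractData(inputString, startSubstr, endSubstr) {
  const markerIndex = inputString.indexOf(startSubstr);
  const startIndex = markerIndex === -1 ? -1 : markerIndex + startSubstr.length;
  // Only look for the end marker after the start marker.
  const endIndex = startIndex === -1 ? -1 : inputString.indexOf(endSubstr, startIndex);

  if (startIndex >= 0 && endIndex >= 0) {
    return inputString.substring(startIndex, endIndex);
  }

  console.log("Substrings not found in input string");
  return undefined;
}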
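// Watch the nginx access log. On every change event the newest line is read,
// classified, optionally reported to AbuseIPDB, and forwarded to a webhook.
//
// Security notes:
// - Everything read from the access log (request path, User-Agent, ...) is
//   attacker-influenced text. The AbuseIPDB report used to be sent by
//   interpolating the extracted IP and User-Agent into a shell command string,
//   which let log content be interpreted by the shell. The report is now sent
//   with fetch() and a URLSearchParams body, so the values are form-encoded
//   and never reach a shell.
// - Sending the request in-process also keeps the API key out of a child
//   process's argument list, which other local users may be able to read.
// - "ABUSEOIPDB_KEY" and 'WEBHOOK_TOKEN' look like placeholders.
//   NOTE(review): supply the real values from the environment or a secrets
//   store rather than committing them to source.
// - fs.watch can fire more than once per write and `tail -n 1` only sees the
//   newest line, so bursts of traffic may skip lines or handle one twice.
fs.watch(fileToWatch, (event, filename) => {
  console.log("unk");
  // Constant command string: nothing from the log is passed to the shell here.
  exec("tail -n 1 /etc/nginx/logs/access.log", (error, stdout, stderr) => {
    if (error) {
      console.log(`error: ${error.message}`);
      return;
    }
    if (stderr) {
      console.log(`stderr: ${stderr}`);
      return;
    }
    console.log(`stdout: ${stdout}`);

    // Webhook payload; only the title and colour differ between the two cases.
    // The raw log line is forwarded as the field value, so the receiving
    // channel displays attacker-influenced text.
    const buildPayload = (title, color) => ({
      username: "DataWatch.",
      avatar_url: "",
      content: "",
      embeds: [
        {
          title,
          color,
          thumbnail: { url: "" },
          fields: [{ name: "", value: stdout, inline: true }],
        },
      ],
    });

    // Computed up front so the count is logged for every line, as before.
    const separatorCount = checkForBackslash(stdout);

    // NOTE(review): these are substring matches on the whole line, so "444",
    // "404" or "400" anywhere in it (byte counts, timestamps, addresses) also
    // match, not only the status field. That can report legitimate clients;
    // parse the status field explicitly once the log format is fixed.
    const looksAutomated =
      stdout.includes("444") ||
      stdout.includes("404") ||
      stdout.includes("400") ||
      separatorCount > 12;

    if (looksAutomated) {
      const submitIP = extractData(stdout, "IP: ", "|A|");
      const submitUA = extractData(stdout, "UA: ", "|F|");

      // Do not file a report without a client address.
      // NOTE(review): consider validating the address format and excluding
      // private or own addresses before reporting.
      if (typeof submitIP === "string" && submitIP.trim() !== "") {
        const reportBody = new URLSearchParams({
          ip: submitIP.trim(),
          categories: "14",
          // The User-Agent is attacker-controlled; it is form-encoded here.
          comment: ` web scraper with user agent: ${submitUA ?? "unknown"}`,
          // Sent empty, as before. NOTE(review): confirm how the API treats
          // an empty timestamp, or send the request time instead.
          timestamp: "",
        });

        fetch("https://api.abuseipdb.com/api/v2/report", {
          method: "POST",
          headers: {
            Key: "ABUSEOIPDB_KEY",
            Accept: "application/json",
          },
          body: reportBody,
        })
          .then((res) => res.text())
          .then((text) => {
            console.log(`stdout: ${text}`);
          })
          .catch((err) => {
            console.log(`error: ${err.message}`);
          });
      } else {
        console.log("Skipping abuse report: no client IP found in log line");
      }
    }

    const params = looksAutomated
      ? buildPayload("Likely Bot traffic detected:", 16711680)
      : buildPayload("New Request:", 16384229);

    fetch('WEBHOOK_TOKEN', {
      method: "POST",
      headers: {
        'Content-type': 'application/json'
      },
      body: JSON.stringify(params)
    }).catch((err) => {
      // A failed webhook delivery must not surface as an unhandled rejection.
      console.log(`error: ${err.message}`);
    });
  });
});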