Scam from 0644693251: "Card payment in progress".

I received the message:

« Card payment in progress

Amount: 722

If you did not initiate this payment

Please contact the ANTI-FRAUD service urgently at

+33.970.44.75.44

+33.644.67.91.87

(NOT A PREMIUM-RATE NUMBER)

Without a response from you within 45 min

we will authorize the payment. »

Good grief.

Short summary of all my articles on my iptables

Here is the list of articles:

List of IPs trying to exploit the MobileIron RCE flaw CVE-2020-15505
List of IPs trying to exploit the GPON home flaw (script)
Which countries do the IPs in my /etc/iptables/rules.v4 file come from?
List of IPs trying to sniff the .env file (environment variables)
List of IPs performing GET /shell attacks
List of IPs performing HNAP1 attacks: Linksys router flaw
Attack from IP 45.146.164.125: HelloThinkCMF (Russia) => blocking the IP on all servers
List of IPs filtered (DROP) on my servers
Major attack from IP 123.172.67.122 (China): this IP must be filtered!
New scan on Nginx: wp-login.php (WordPress)

Here is the result:

# iptables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  112.126.90.41        anywhere            
DROP       all  --  116.147.2.110        anywhere            
DROP       all  --  122.14.209.13        anywhere            
DROP       all  --  ip199.ip-158-69-13.net  anywhere            
DROP       all  --  193.112.88.67        anywhere            
DROP       all  --  sym.gdsz.cncnet.net  anywhere            
DROP       all  --  223.75.249.2         anywhere            
DROP       all  --  27.50.160.35         anywhere            
DROP       all  --  49.233.63.234        anywhere            
DROP       all  --  91.242.37.16         anywhere            
DROP       all  --  103.87.167.253       anywhere            
DROP       all  --  static.vnpt.vn       anywhere            
DROP       all  --  83-235-201-123.static.youbroadband.in  anywhere            
DROP       all  --  host-156.221.68.147-static.tedata.net  anywhere            
DROP       all  --  dynamic-adsl.viettel.vn  anywhere            
DROP       all  --  176.240.226.165      anywhere            
DROP       all  --  202.90.133.210       anywhere            
DROP       all  --  afol-ipg-1-88.africaonline.co.ug  anywhere            
DROP       all  --  175.172.174.191      anywhere            
DROP       all  --  123.132.65.176       anywhere            
DROP       all  --  103.145.13.43        anywhere            
DROP       all  --  128.153.21.175.adsl-pool.jlccptt.net.cn  anywhere            
DROP       all  --  static.189.34.63.178.clients.your-server.de  anywhere            
DROP       all  --  scanner-06.ch1.censys-scanner.com  anywhere            
DROP       all  --  ec2-34-240-212-8.eu-west-1.compute.amazonaws.com  anywhere            
DROP       all  --  scanner-09.ch1.censys-scanner.com  anywhere            
DROP       all  --  scanner-05.ch1.censys-scanner.com  anywhere            
DROP       all  --  host-197.53.220.102.tedata.net  anywhere            
DROP       all  --  134.209.87.169       anywhere            
DROP       all  --  66.151.211.226       anywhere            
DROP       all  --  61.40.0.0/16         anywhere            
DROP       all  --  atlas.bullzibiz.net  anywhere            
DROP       all  --  cocospace.com        anywhere            
DROP       all  --  81.68.159.121        anywhere            
DROP       all  --  h178-129-246-3.dyn.bashtel.ru  anywhere            
DROP       all  --  46.209.56.107        anywhere            
DROP       all  --  host-156.197.223.215-static.tedata.net  anywhere            
DROP       all  --  host-156.216.199.50-static.tedata.net  anywhere            
DROP       all  --  192.241.224.104      anywhere            
DROP       all  --  192.241.206.242      anywhere            
DROP       all  --  22-193-245-216.static.reverse.lstn.net  anywhere            
DROP       all  --  36.27.208.157        anywhere            
DROP       all  --  81.68.106.157        anywhere            
DROP       all  --  mocci.yy0aepo3j015sju  anywhere            
DROP       all  --  135.ip-54-39-22.net  anywhere            
DROP       all  --  vmi365634.contaboserver.net  anywhere            
DROP       all  --  broadwicklive-com.nh-serv.co.uk  anywhere            
DROP       all  --  103.241.205.1        anywhere            
DROP       all  --  128.199.122.54       anywhere            
DROP       all  --  li849-223.members.linode.com  anywhere            
DROP       all  --  139.59.58.116        anywhere            
DROP       all  --  159.89.109.162       anywhere            
DROP       all  --  201.143.63.92.dsl.dyn.telnor.net  anywhere            
DROP       all  --  sentora2.destinysystems.my  anywhere            
DROP       all  --  206.189.93.93        anywhere            
DROP       all  --  211.43.12.188        anywhere            
DROP       all  --  123.172.67.122       anywhere            
DROP       all  --  ec2-3-8-12-221.eu-west-2.compute.amazonaws.com  anywhere            
DROP       all  --  ec2-34-237-4-205.compute-1.amazonaws.com  anywhere            
DROP       all  --  ec2-34-230-156-67.compute-1.amazonaws.com  anywhere            
DROP       all  --  ec2-3-142-196-207.us-east-2.compute.amazonaws.com  anywhere            
DROP       all  --  unn-185-246-209-147.datapacket.com  anywhere            
DROP       all  --  ec2-18-231-94-162.sa-east-1.compute.amazonaws.com  anywhere            
DROP       all  --  cloud.ssh.ma         anywhere            
DROP       all  --  139.224.198.47       anywhere            
DROP       all  --  ec2-13-232-100-135.ap-south-1.compute.amazonaws.com  anywhere            
DROP       all  --  125.64.94.221        anywhere            
DROP       all  --  121.5.250.245        anywhere            
DROP       all  --  114.70.235.43        anywhere            
DROP       all  --  101.255.122.146      anywhere            
DROP       all  --  5.188.210.227        anywhere            
DROP       all  --  37.49.229.222        anywhere            
DROP       all  --  ec2-34-237-4-205.compute-1.amazonaws.com  anywhere            
DROP       all  --  hostingmailto246.statics.servermail.org  anywhere            
DROP       all  --  165.227.84.219       anywhere            
DROP       all  --  165.22.232.189       anywhere            
DROP       all  --  5.8.10.202           anywhere            
DROP       all  --  5.188.210.227        anywhere            
DROP       all  --  222.77.181.28        anywhere            
DROP       all  --  125.64.94.221        anywhere            
DROP       all  --  fb.83.a86c.ip4.static.sl-reverse.com  anywhere            
DROP       all  --  189.86.143.79.mail.iranianwebman.ir  anywhere            
DROP       all  --  125.64.94.214        anywhere            
DROP       all  --  li1511-13.members.linode.com  anywhere            
DROP       all  --  45.146.164.125       anywhere            
DROP       all  --  45.146.164.131       anywhere            
DROP       all  --  45.155.205.109       anywhere            
DROP       all  --  45.155.205.181       anywhere            
DROP       all  --  45.155.205.196       anywhere            
DROP       all  --  123.58.4.233         anywhere            
DROP       all  --  45.15.18.3           anywhere            
DROP       all  --  49.143.32.6          anywhere            
DROP       all  --  unn-84-17-42-11.cdn77.com  anywhere            
DROP       all  --  101.0.54.165         anywhere            
DROP       all  --  113.220.18.13        anywhere            
DROP       all  --  151.106.8.41         anywhere            
DROP       all  --  hn.kd.ny.adsl        anywhere            
DROP       all  --  103.91.80.2          anywhere            
DROP       all  --  120.52.152.3         anywhere            
DROP       all  --  45.14.149.244        anywhere            
DROP       all  --  209.141.33.232       anywhere            
DROP       all  --  S0106d017c25a1f70.ed.shawcable.net  anywhere            
DROP       all  --  114-33-156-230.HINET-IP.hinet.net  anywhere            
DROP       all  --  59.63.206.200        anywhere            
DROP       all  --  59.97.193.131        anywhere            
DROP       all  --  117.241.51.177       anywhere            
DROP       all  --  119.123.236.177      anywhere            
DROP       all  --  27.5.37.175          anywhere            
DROP       all  --  27.45.11.127         anywhere            
DROP       all  --  61.242.40.137        anywhere            
DROP       all  --  hn.kd.ny.adsl        anywhere            
DROP       all  --  2.57.122.53          anywhere            
DROP       all  --  2.57.122.53          anywhere            
DROP       all  --  ec2-3-19-213-88.us-east-2.compute.amazonaws.com  anywhere            
DROP       all  --  20.199.123.240       anywhere            
DROP       all  --  20.68.241.118        anywhere            
DROP       all  --  23.101.199.109       anywhere            
DROP       all  --  64.212.202.35.bc.googleusercontent.com  anywhere            
DROP       all  --  40.121.11.29         anywhere            
DROP       all  --  40.87.87.96          anywhere            
DROP       all  --  40.89.150.92         anywhere            
DROP       all  --  45.77.214.38.vultr.com  anywhere            
DROP       all  --  51.141.166.84        anywhere            
DROP       all  --  ip28.ip-51-210-137.eu  anywhere            
DROP       all  --  52.149.128.42        anywhere            
DROP       all  --  52.175.210.216       anywhere            
DROP       all  --  52.249.196.150       anywhere            
DROP       all  --  mail.inforza.com.pe  anywhere            
DROP       all  --  152.217.154.104.bc.googleusercontent.com  anywhere            
DROP       all  --  4.135.198.104.bc.googleusercontent.com  anywhere            
DROP       all  --  108.59.10.20         anywhere            
DROP       all  --  115.78.14.240        anywhere            
DROP       all  --  118.101.194.141      anywhere            
DROP       all  --  tor-exit.csail.mit.edu  anywhere            
DROP       all  --  134.119.189.155      anywhere            
DROP       all  --  144.202.53.77.vultr.com  anywhere            
DROP       all  --  148.64.121.254       anywhere            
DROP       all  --  149.28.84.31.vultr.com  anywhere            
DROP       all  --  do-prod-eu-central-scanner-2604-13.do.binaryedge.ninja  anywhere            
DROP       all  --  215-128-93-172.reverse-dns  anywhere            
DROP       all  --  178.128.104.205      anywhere            
DROP       all  --  fixed-189-203-106-65.totalplay.net  anywhere            
DROP       all  --  190.83.155.186       anywhere            
DROP       all  --  li2196-53.members.linode.com  anywhere            
DROP       all  --  guarded.dashskinz.com  anywhere            
DROP       all  --  194.116.73.192       anywhere            
DROP       all  --  199-117-154-162.dia.static.qwest.net  anywhere            
DROP       all  --  210.66.16.184        anywhere            
DROP       all  --  246.7.154.212.dsl.static.turk.net  anywhere            
DROP       all  --  dojo.census.shodan.io  anywhere            
DROP       all  --  sky.census.shodan.io  anywhere            
DROP       all  --  125.64.94.138        anywhere            
DROP       all  --  wine.census.shodan.io  anywhere            
DROP       all  --  blue.census.shodan.io  anywhere            
DROP       all  --  blue2.census.shodan.io  anywhere            
DROP       all  --  23-95-132-55-host.colocrossing.com  anywhere            
DROP       all  --  23-95-191-212-host.colocrossing.com  anywhere            
DROP       all  --  27.40.100.96         anywhere            
DROP       all  --  hn.kd.ny.adsl        anywhere            
DROP       all  --  hn.kd.ny.adsl        anywhere            
DROP       all  --  120-54-229-45.redevirtualnet.com.br  anywhere            
DROP       all  --  59.99.47.115         anywhere            
DROP       all  --  hn.kd.ny.adsl        anywhere            
DROP       all  --  178.175.102.79       anywhere            
DROP       all  --  180.188.249.125      anywhere            
DROP       all  --  198-23-172-233-host.colocrossing.com  anywhere            
DROP       all  --  hn.kd.jz.adsl        anywhere            
DROP       all  --  222.97.172.100       anywhere            
DROP       all  --  45.146.165.123       anywhere   

Good grief.

List of IPs trying to exploit the MobileIron RCE flaw CVE-2020-15505

For more information: https://perchsecurity.com/perch-news/cve-spotlight-mobileiron-rce-cve-2020-15505/

Example log lines:

45.146.165.123 - - [24/Jun/2021:03:49:36 +0200] "POST /mifs/.;/services/LogService HTTP/1.1" 302 5371 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.123 - - [24/Jun/2021:03:49:46 +0200] "GET /user/auth/login HTTP/1.1" 200 13385 "-/mifs/.;/services/LogService" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

So I ran:

# zgrep "/mifs/." /var/log/apache2/access.humhub.log.*gz | sed 's/:/ /g' | awk '{print $2}' | sort -n | uniq | awk '{print "iptables -A INPUT -s " $1 " -j DROP "}'
iptables -A INPUT -s 45.146.165.123 -j DROP

Since there was only one IP, I didn't write a script:

# iptables -A INPUT -s 45.146.165.123 -j DROP
# iptables-save > /etc/iptables/rules.v4

To be continued.

List of IPs trying to exploit the GPON home flaw (script)

For the record: https://securityaffairs.co/wordpress/71987/hacking/gpon-home-routers-hack.html

Analyzing the firmware of the GPON home routers, the experts found two different critical vulnerabilities (CVE-2018-10561 & CVE-2018-10562) that could be chained to allow complete control of the vulnerable device and therefore the network. The first vulnerability exploits the authentication mechanism of the device, it could be exploited by an attacker to bypass all authentication.

So here is the script I made:

# zgrep "GponForm/diag_F" /var/log/apache2/access.humhub.log.*gz | sed 's/:/ /g' | awk '{print $2}' | sort -n | uniq | awk '{print "iptables -A INPUT -s " $1 " -j DROP "}'
iptables -A INPUT -s 23.95.132.55 -j DROP 
iptables -A INPUT -s 23.95.191.212 -j DROP 
iptables -A INPUT -s 27.40.100.96 -j DROP 
iptables -A INPUT -s 42.235.98.126 -j DROP 
iptables -A INPUT -s 42.237.215.13 -j DROP 
iptables -A INPUT -s 45.229.54.120 -j DROP 
iptables -A INPUT -s 59.99.47.115 -j DROP 
iptables -A INPUT -s 115.50.246.211 -j DROP 
iptables -A INPUT -s 178.175.102.79 -j DROP 
iptables -A INPUT -s 180.188.249.125 -j DROP 
iptables -A INPUT -s 198.23.172.233 -j DROP 
iptables -A INPUT -s 221.15.171.118 -j DROP 
iptables -A INPUT -s 222.97.172.100 -j DROP
# zgrep "GponForm/diag_F" /var/log/apache2/access.humhub.log.*gz | sed 's/:/ /g' | awk '{print $2}' | sort -n | uniq | awk '{print "iptables -A INPUT -s " $1 " -j DROP "}' > script_filter_scan_gpon.bash
# echo "iptables-save > /etc/iptables/rules.v4"  >> script_filter_scan_gpon.bash
# chmod +x script_filter_scan_gpon.bash
# ./script_filter_scan_gpon.bash
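The MobileIron and GPON pipelines above do the same job: pick the access-log lines that carry an exploit signature, keep the client IP, deduplicate, and turn each IP into an `iptables -A INPUT ... -j DROP` line. The following is an added example, not the blog's own script, that wraps that job in two shell functions and adds the checks a practitioner would want before feeding the output to iptables: the signature is matched literally (`grep -F`, so the `.` in `/mifs/.;` is not a regex wildcard), the first field is only accepted when it looks like a dotted-quad address, and each generated rule first tests with `iptables -C` whether the rule already exists, so re-running the script does not append duplicate entries like the ones visible twice in the chain listing above. The log lines embedded below are constructed for the demo and mimic the entries quoted on this page; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the blog's script): build deduplicated iptables DROP rules
# from Apache access-log lines that match an exploit signature.

# Constructed sample log in Apache "combined" format. The fourth line has a
# deliberately malformed first field, as can happen when a log format records a
# proxy-supplied header instead of the TCP peer address (%h).
SAMPLE_LOG=$(cat <<'EOF'
45.146.165.123 - - [24/Jun/2021:03:49:36 +0200] "POST /mifs/.;/services/LogService HTTP/1.1" 302 5371 "-" "Mozilla/5.0"
45.146.165.123 - - [24/Jun/2021:03:49:46 +0200] "GET /user/auth/login HTTP/1.1" 200 13385 "-/mifs/.;/services/LogService" "Mozilla/5.0"
23.95.132.55 - - [25/Jun/2021:10:00:01 +0200] "POST /GponForm/diag_Form?images/ HTTP/1.1" 404 0 "-" "curl/7.68.0"
not-an-ip - - [25/Jun/2021:10:00:02 +0200] "POST /GponForm/diag_Form?images/ HTTP/1.1" 404 0 "-" "curl/7.68.0"
23.95.132.55 - - [25/Jun/2021:10:00:03 +0200] "POST /GponForm/diag_Form?images/ HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.7 - - [25/Jun/2021:10:05:00 +0200] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
)

# extract_ips SIGNATURE
#   Reads log lines on stdin and prints, once each, the client IPs of the lines
#   that contain SIGNATURE anywhere (request line or referer). The match is
#   literal, and only a dotted-quad first field is accepted so that nothing but
#   an IPv4 address ever reaches the iptables command line.
extract_ips() {
    grep -F -- "$1" \
      | awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' \
      | sort -u
}

# gen_rules SIGNATURE
#   Prints one idempotent rule per IP: "-C" checks whether the DROP rule is
#   already in the INPUT chain and "-A" appends it only when it is absent.
#   This only prints; applying the rules and running iptables-save stay a
#   separate, deliberate step, exactly as in the blog's procedure.
gen_rules() {
    extract_ips "$1" \
      | awk '{ print "iptables -C INPUT -s " $1 " -j DROP 2>/dev/null || iptables -A INPUT -s " $1 " -j DROP" }'
}

# Stand-alone demo over the constructed sample for both signatures used on this
# page. Against real logs, replace the printf with e.g.
#   zcat -f /var/log/apache2/access.humhub.log* | gen_rules 'GponForm/diag_F'
# (zcat -f passes plain files through and decompresses the .gz ones, and
# because nothing prefixes a filename there is no need for the sed on ':').
for sig in '/mifs/.;' 'GponForm/diag_F'; do
    echo "# rules for signature: $sig"
    printf '%s\n' "$SAMPLE_LOG" | gen_rules "$sig"
done
```

Redirect the demo's output into a file, read it, then run it as root, followed by `iptables-save > /etc/iptables/rules.v4` as in the original procedure. The `-C || -A` pair keeps the chain free of duplicates when the same signature is re-scanned a week later with older logs still present.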