Archives de catégorie : Sécurité

Liste des IP qui font des attaques de type HNAP1 : faille des routeurs Linksys

Publié le par
2

Voici la liste :

# zgrep "HNAP1" /var/log/apache2/access.*.log.*.gz | sed 's/:/ /g' | awk '{print $2}' | sort -n | uniq -c
      2 45.15.18.3
      1 49.143.32.6
      2 84.17.42.11
      1 101.0.54.165
      1 113.220.18.13
      2 151.106.8.41
      1 182.119.98.177
      1 103.91.80.2 --> Inde

Action, blocage de ses IP :

iptables -A INPUT -s 45.15.18.3  -j DROP 
iptables -A INPUT -s 49.143.32.6  -j DROP 
iptables -A INPUT -s 84.17.42.11  -j DROP
iptables -A INPUT -s 101.0.54.165  -j DROP
iptables -A INPUT -s 113.220.18.13  -j DROP 
iptables -A INPUT -s 151.106.8.41  -j DROP 
iptables -A INPUT -s 182.119.98.177  -j DROP
iptables -A INPUT -s 103.91.80.2  -j DROP
iptables-save > /etc/iptables/rules.v4

A noter que 84.17.42.11 c’est en France ….

Misère.

Attaque de l’IP 45.146.164.125 : HelloThinkCMF (Russie) => Blocage de l’IP sur tous les serveurs

Publié le par
1

Encore une attaque de la Russie, il me faudrait bloquer toutes les IP des Russes ….

Type d’attaque :

GET /?XDEBUG_SESSION_START=phpstorm
GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1
GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1
GET /wp-content/plugins/wp-file-manager/readme.txt
POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
GET /_ignition/execute-solution HTTP/1.1"
GET /solr/admin/info/system?wt=json HTTP/1.1
GET /console/ HTTP/1.1
POST /api/jsonws/invoke HTTP/1.1
GET /index.php?r=user%2Fauth%2Flogin HTTP/1.1

Quand je fais une recherche c’est pas la seule IP :

# zgrep "HelloThinkCMF" /var/log/apache2/access.humhub.log.*.gz | sed 's/:/ /g' | awk '{print $2}' | sort -n | uniq -c
     20 45.146.164.125
      2 45.146.164.131
      2 45.155.205.109
      4 45.155.205.181
      4 45.155.205.196
      1 123.58.4.233

Bilan :

iptables -A INPUT -s 45.146.164.125  -j DROP
iptables -A INPUT -s 45.146.164.131  -j DROP
iptables -A INPUT -s 45.155.205.109  -j DROP
iptables -A INPUT -s 45.155.205.181  -j DROP 
iptables -A INPUT -s 45.155.205.196  -j DROP
iptables -A INPUT -s 123.58.4.233  -j DROP 
iptables-save > /etc/iptables/rules.v4

Misère.

Liste des IP filtrées (DROP) sur mes serveurs

Publié le par
2

Voici la liste (fichier /etc/iptables/rules.v4 ):

-A INPUT -s 112.126.90.41/32 -j DROP
-A INPUT -s 116.147.2.110/32 -j DROP
-A INPUT -s 122.14.209.13/32 -j DROP
-A INPUT -s 158.69.13.199/32 -j DROP
-A INPUT -s 193.112.88.67/32 -j DROP
-A INPUT -s 210.21.218.26/32 -j DROP
-A INPUT -s 223.75.249.2/32 -j DROP
-A INPUT -s 27.50.160.35/32 -j DROP
-A INPUT -s 49.233.63.234/32 -j DROP
-A INPUT -s 91.242.37.16/32 -j DROP
-A INPUT -s 103.87.167.253/32 -j DROP
-A INPUT -s 113.160.229.252/32 -j DROP
-A INPUT -s 123.201.235.83/32 -j DROP
-A INPUT -s 156.221.147.68/32 -j DROP
-A INPUT -s 171.236.213.49/32 -j DROP
-A INPUT -s 176.240.226.165/32 -j DROP
-A INPUT -s 202.90.133.210/32 -j DROP
-A INPUT -s 216.104.201.88/32 -j DROP
-A INPUT -s 175.172.174.191/32 -j DROP
-A INPUT -s 123.132.65.176/32 -j DROP
-A INPUT -s 103.145.13.43/32 -j DROP
-A INPUT -s 175.21.153.128/32 -j DROP
-A INPUT -s 178.63.34.189/32 -j DROP
-A INPUT -s 74.120.14.36/32 -j DROP
-A INPUT -s 34.240.212.8/32 -j DROP
-A INPUT -s 167.248.133.52/32 -j DROP
-A INPUT -s 162.142.125.52/32 -j DROP
-A INPUT -s 197.53.220.102/32 -j DROP
-A INPUT -s 134.209.87.169/32 -j DROP
-A INPUT -s 66.151.211.226/32 -j DROP
-A INPUT -s 61.40.0.0/16 -j DROP
-A INPUT -s 66.210.251.136/32 -j DROP
-A INPUT -s 202.215.160.75/32 -j DROP
-A INPUT -s 81.68.159.121/32 -j DROP
-A INPUT -s 178.129.246.3/32 -j DROP
-A INPUT -s 46.209.56.107/32 -j DROP
-A INPUT -s 156.197.215.223/32 -j DROP
-A INPUT -s 156.216.50.199/32 -j DROP
-A INPUT -s 192.241.224.104/32 -j DROP
-A INPUT -s 192.241.206.242/32 -j DROP
-A INPUT -s 216.245.193.22/32 -j DROP
-A INPUT -s 36.27.208.157/32 -j DROP
-A INPUT -s 81.68.106.157/32 -j DROP
-A INPUT -s 143.110.212.186/32 -j DROP
-A INPUT -s 54.39.22.135/32 -j DROP
-A INPUT -s 62.171.179.56/32 -j DROP
-A INPUT -s 93.113.111.100/32 -j DROP
-A INPUT -s 103.241.205.1/32 -j DROP
-A INPUT -s 128.199.122.54/32 -j DROP
-A INPUT -s 139.162.7.223/32 -j DROP
-A INPUT -s 139.59.58.116/32 -j DROP
-A INPUT -s 159.89.109.162/32 -j DROP
-A INPUT -s 201.143.63.92/32 -j DROP
-A INPUT -s 202.169.26.237/32 -j DROP
-A INPUT -s 206.189.93.93/32 -j DROP
-A INPUT -s 211.43.12.188/32 -j DROP
-A INPUT -s 123.172.67.122/32 -j DROP
-A INPUT -s 3.8.12.221/32 -j DROP
-A INPUT -s 34.237.4.205/32 -j DROP
-A INPUT -s 34.230.156.67/32 -j DROP
-A INPUT -s 3.142.196.207/32 -j DROP
-A INPUT -s 185.246.209.147/32 -j DROP
-A INPUT -s 18.231.94.162/32 -j DROP
-A INPUT -s 173.212.219.223/32 -j DROP
-A INPUT -s 139.224.198.47/32 -j DROP
-A INPUT -s 13.232.100.135/32 -j DROP
-A INPUT -s 125.64.94.221/32 -j DROP
-A INPUT -s 121.5.250.245/32 -j DROP
-A INPUT -s 114.70.235.43/32 -j DROP
-A INPUT -s 101.255.122.146/32 -j DROP
-A INPUT -s 5.188.210.227/32 -j DROP
-A INPUT -s 37.49.229.222/32 -j DROP
-A INPUT -s 34.237.4.205/32 -j DROP
-A INPUT -s 193.46.255.92/32 -j DROP
-A INPUT -s 165.227.84.219/32 -j DROP
-A INPUT -s 165.22.232.189/32 -j DROP
-A INPUT -s 5.8.10.202/32 -j DROP
-A INPUT -s 5.188.210.227/32 -j DROP
-A INPUT -s 222.77.181.28/32 -j DROP
-A INPUT -s 125.64.94.221/32 -j DROP
-A INPUT -s 108.168.131.251/32 -j DROP
-A INPUT -s 79.143.86.189/32 -j DROP
COMMIT

Grosse attaque de l’IP 123.172.67.122 (Chine) : Il faut filtrer cette IP !

Publié le par
1

L’IP tente toutes les extensions PHP possible … j’ai compté 591 noms différents, parmis les grands classiques :

  • autoloader.php
  • confg.php
  • core.php
  • error.php
  • license.php
  • meijianxue.php
  • phpinfo.php
  • secure.php
  • settings.php
  • user.php
  • whoami.php
  • wp-admins.php
  • wp-config.php
  • xmlrpc.php

La meilleure réponse c’est de la mettre en liste noire :

iptables -A INPUT -s 123.172.67.122  -j DROP 
iptables-save > /etc/iptables/rules.v4

Pour l’instant j’ai 57 IP dans ma liste :

# cat /etc/iptables/rules.v4 | grep DROP | awk '{print $4}' | sort | uniq | wc -l
57

La majorité des IP c’est Chine, Russie …. Misère.