List of IPs exploiting the editBlackAndWhiteList flaw: China & North Korea

Here is the list of IPs:

39.79.94.197 - admin [03/Jun/2022:12:13:29 +0200] "POST /editBlackAndWhiteList HTTP/1.1" 302 239 "-" "Mozila/5.0"
119.119.99.238 - admin [03/Jun/2022:14:36:51 +0200] "POST /editBlackAndWhiteList HTTP/1.1" 302 241 "-" "Mozila/5.0"
120.237.210.179 - admin [03/Jun/2022:14:56:25 +0200] "POST /editBlackAndWhiteList HTTP/1.1" 302 239 "-" "Mozila/5.0"
113.116.170.23 - admin [02/Jun/2022:06:50:53 +0200] "POST /editBlackAndWhiteList HTTP/1.1" 302 239 "-" "Mozila/5.0"
58.145.68.217 - admin [02/Jun/2022:09:37:28 +0200] "POST /editBlackAndWhiteList HTTP/1.1" 302 241 "-" "Mozila/5.0"
220.79.44.139 - admin [02/Jun/2022:12:53:38 +0200] "POST /editBlackAndWhiteList HTTP/1.1" 302 241 "-" "Mozila/5.0"

So I blocked all of these IPs:

# iptables -A INPUT -s 39.79.94.197 -j DROP
# iptables -A INPUT -s 119.119.99.238 -j DROP
# iptables -A INPUT -s 120.237.210.179 -j DROP
# iptables -A INPUT -s 113.116.170.23 -j DROP
# iptables -A INPUT -s 58.145.68.217 -j DROP
# iptables -A INPUT -s 220.79.44.139 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4
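The extraction the post does by hand, as an added example (this is not the blog author's script): it pulls every client IP that POSTed to /editBlackAndWhiteList out of an Apache combined-format access log, counts hits per IP, and prints an idempotent iptables rule for each. The log lines in SAMPLE_LOG are constructed to match the format shown above; the function names are mine.

```shell
#!/bin/sh
# Added example, not the blog author's script. Pulls the client IPs that POSTed
# to /editBlackAndWhiteList out of an Apache combined-format access log and
# prints (does not run) an idempotent iptables DROP rule for each of them.
# The log lines in SAMPLE_LOG are constructed to match the format of the post.

SAMPLE_LOG='39.79.94.197 - admin [03/Jun/2022:12:13:29 +0200] "POST /editBlackAndWhiteList HTTP/1.1" 302 239 "-" "Mozila/5.0"
119.119.99.238 - admin [03/Jun/2022:14:36:51 +0200] "POST /editBlackAndWhiteList HTTP/1.1" 302 241 "-" "Mozila/5.0"
39.79.94.197 - admin [03/Jun/2022:12:14:02 +0200] "POST /editBlackAndWhiteList HTTP/1.1" 302 239 "-" "Mozila/5.0"
203.0.113.7 - admin [03/Jun/2022:12:20:00 +0200] "GET /editBlackAndWhiteList HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Jun/2022:12:21:00 +0200] "GET /user/auth/login HTTP/1.1" 200 8276 "-" "Mozilla/5.0"'

# Write the constructed sample to a temporary file and print its path.
sample_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "$f"
}

# Distinct client IPs that POSTed to the endpoint, as "<count> <ip>", busiest
# first. Combined-format fields: $1 client IP, $6 "\"<method>", $7 path, $9 status.
# A plain GET of the page (203.0.113.7 above) is not counted: the hits in the
# post are all POSTs.
offending_ips() {
    awk '$6 == "\"POST" && $7 == "/editBlackAndWhiteList" { print $1 }' "$1" \
        | sort | uniq -c | sort -rn
}

# One DROP rule per IP. `iptables -C` tests whether the rule is already present,
# so re-running the script never duplicates rules. `-I` inserts at the head of
# INPUT: `-A` appends after every rule already in the chain, so an earlier
# ACCEPT (for example one that opens port 80) would match before the DROP.
block_rules() {
    offending_ips "$1" | awk '{
        printf "iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -I INPUT -s %s -j DROP\n", $2, $2
    }'
}

# Stand-alone usage: review the printed rules, then pipe them into sh and
# persist them with iptables-save as the post does.
block_rules "$(sample_file)"
```

Run it against the real log by passing /var/log/apache2/access.humhub.log instead of the sample file; the output is meant to be read before it is executed.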

Some geolocation data:

IP Address       Country              Region       City      ISP                                      Organization   Latitude  Longitude
39.79.94.197     China                Shandong     Dongying  China Unicom Shandong Province Network   Not Available
119.119.99.238   China                Liaoning     Shenyang  China Unicom Liaoning Province Network   Not Available  41.7922   123.4328
120.237.210.179  China                Guangdong    Huizhou   China Mobile Communications Corporation  Not Available  23.0833   114.4000
113.116.170.23   China                Guangdong    Shenzhen  ChinaNet Guangdong Province Network      Not Available  22.5455   114.0683
58.145.68.217    Korea (Republic of)  Gyeonggi-do  Mansan    SK Broadband Co Ltd                      Not Available  37.6795   127.1108
220.79.44.139    Korea (Republic of)  Gyeonggi-do  Seongnam  KT Corporation                           Not Available  37.4201   127.1267

Directory scan by IP 82.180.149.210

IP Address       Country      Region         City       ISP             Organization   Latitude  Longitude
82.180.149.210   Netherlands  Noord-Holland  Amsterdam  Packethub S.A.  Not Available  52.3785   4.9000

Here is the list of directories it probed:

# grep "82.180.149.210" /var/log/apache2/access.humhub.log | grep " 302 " | awk '{print $7}'
/
/
/git/
/git
/src/
/src
/config
/source/
/source
/sources/
/git/.git/config
/git/config
/src/.git/config
/src/config
/sources
/admin/
/source/.git/config
/admin
/source/config
/sources/.git/config
/sources/config
/admin/.git/config
/admin/config
/api
/rest/.git/config
/rest/config
/backend/.git/config
/rest/
/backend/config
/svc/.git/config
/svc/config
/service/.git/config
/service/config
/services/.git/config
/services/config
/app/.git/config
/app/config
/data/.git/config
/data/config
/rest
/bak/.git/config
/backend/
/bak/config
/backend
/svc/
/svc
/backup/.git/config
/backup/config
/test/.git/config
/test/config
/temp/.git/config
/temp/config
/tmp/.git/config
/tmp/config
/lib/.git/config
/lib/config
/libs/.git/config
/service/
/service
/services/
/services
/app/
/libs/config
/app
/cfg/.git/config
/data/
/data
/bak/
/bak
/backup/
/backup
/test/
/test
/cfg/config
/conf/.git/config
/conf/config
/config/.git/config
/config/config
/inc/.git/config
/inc/config
/include/.git/config
/include/config
/includes/.git/config
/includes/config
/temp/
/temp
/tmp/
/tmp
/lib/
/lib
/libs/
/libs
/cfg/
/cfg
/conf/
/conf
/config/
/config
/inc/
/inc
/include/
/include
/includes/
/includes
/upload/
/upload
/uploads/
/uploads/
/download/
/download
/downloads/
/downloads
/files/
/files
/log/
/log
/logs/
/logs
/cron/
/cron
/wallet/
/wallet
/wallets/
/wallets

So I blocked the IP.

# iptables -A INPUT -s 82.180.149.210 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

Attack from IP 193.106.191.48 (Russian Federation)

Here are all the attempts:

193.106.191.48 - - [25/May/2022:00:17:47 +0200] "GET /solr/admin/info/system?wt=json HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:00:17:52 +0200] "GET /user/auth/login HTTP/1.1" 200 8276 "http://80.15.48.50:80/solr/admin/info/system?wt=json" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:01:04:50 +0200] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:01:04:52 +0200] "GET /user/auth/login HTTP/1.1" 200 8278 "http://80.15.48.50:80/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:01:47:43 +0200] "GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:01:47:43 +0200] "GET /user/auth/login HTTP/1.1" 200 8275 "http://80.15.48.50:80/?a=fetch&content=die(@md5(HelloThinkCMF))" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:02:38:44 +0200] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:02:38:57 +0200] "GET /user/auth/login HTTP/1.1" 200 8273 "http://80.15.48.50:80/?XDEBUG_SESSION_START=phpstorm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:02:50:08 +0200] "GET /console/ HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:02:50:08 +0200] "GET /user/auth/login HTTP/1.1" 200 8277 "http://80.15.48.50:80/console/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:03:29:20 +0200] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 302 218 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:03:29:20 +0200] "GET /user/auth/login HTTP/1.1" 200 8280 "http://80.15.48.50:80/Autodiscover/Autodiscover.xml" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:04:07:48 +0200] "GET /_ignition/execute-solution HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:04:38:22 +0200] "GET / HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:04:38:24 +0200] "GET /user/auth/login HTTP/1.1" 200 8279 "http://80.15.48.50:80" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:05:17:51 +0200] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 485 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:05:52:38 +0200] "GET / HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:05:52:47 +0200] "GET /user/auth/login HTTP/1.1" 200 8278 "http://80.15.48.50:80/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:06:24:47 +0200] "GET /actuator/gateway/routes HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:06:24:48 +0200] "GET /user/auth/login HTTP/1.1" 200 8277 "http://80.15.48.50:80/actuator/gateway/routes" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:07:41:34 +0200] "GET / HTTP/1.1" 302 5559 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:07:41:46 +0200] "GET /user/auth/login HTTP/1.1" 200 13475 "https://80.15.48.50:443" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:07:55:26 +0200] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 5371 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:07:55:28 +0200] "GET /user/auth/login HTTP/1.1" 200 13473 "https://80.15.48.50:443/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:08:40:07 +0200] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 5559 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:08:40:10 +0200] "GET /user/auth/login HTTP/1.1" 200 13471 "https://80.15.48.50:443/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:09:54:31 +0200] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 302 5559 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:09:54:32 +0200] "GET /user/auth/login HTTP/1.1" 200 13470 "https://80.15.48.50:443/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

And, as if by chance:

IP Address       Country             Region  City    ISP         Organization   Latitude  Longitude
193.106.191.48   Russian Federation  Moskva  Moscow  Kanzas LLC  Not Available  55.7522   37.6156

My advice:

# iptables -A INPUT -s 193.106.191.48 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

Attack from IP 45.9.20.101 (Amsterdam)

Here are all the attempts:

45.9.20.101 - - [11/May/2022:09:56:44 +0200] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 302 218 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:09:56:45 +0200] "GET /user/auth/login HTTP/1.1" 200 8190 "http://80.15.48.50:80/Autodiscover/Autodiscover.xml" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:11:09:47 +0200] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 302 400 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:11:09:48 +0200] "GET /user/auth/login HTTP/1.1" 200 8269 "http://80.15.48.50:80/?XDEBUG_SESSION_START=phpstorm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:12:05:05 +0200] "GET /console/ HTTP/1.1" 302 400 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:12:05:05 +0200] "GET /user/auth/login HTTP/1.1" 200 8269 "http://80.15.48.50:80/console/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:12:25:06 +0200] "GET / HTTP/1.1" 302 5554 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:12:25:08 +0200] "GET /user/auth/login HTTP/1.1" 200 13468 "https://80.15.48.50:443/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:13:29:32 +0200] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 302 400 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:13:29:32 +0200] "GET /user/auth/login HTTP/1.1" 200 8272 "http://80.15.48.50:80/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:14:01:19 +0200] "GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1" 302 400 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:14:01:21 +0200] "GET /user/auth/login HTTP/1.1" 200 8269 "http://80.15.48.50:80/?a=fetch&content=die(@md5(HelloThinkCMF))" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:14:38:52 +0200] "GET /actuator/gateway/routes HTTP/1.1" 302 400 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:14:38:52 +0200] "GET /user/auth/login HTTP/1.1" 200 8269 "http://80.15.48.50:80/actuator/gateway/routes" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:15:02:21 +0200] "GET /actuator/gateway/routes HTTP/1.1" 302 5554 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:15:02:24 +0200] "GET /user/auth/login HTTP/1.1" 200 13465 "https://80.15.48.50:443/actuator/gateway/routes" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:16:01:06 +0200] "GET /solr/admin/info/system?wt=json HTTP/1.1" 302 400 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:16:01:06 +0200] "GET /user/auth/login HTTP/1.1" 200 8269 "http://80.15.48.50:80/solr/admin/info/system?wt=json" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

Evidently not the first time:

# grep "45.9.20.101" /var/log/apache2/access.humhub.log* | wc -l
65

One piece of advice:

# iptables -A INPUT -s 45.9.20.101 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4