Security flaw on /CommPilot/Login/?

Apparently there must be a flaw, because I am getting connections:

# grep "/CommPilot/Login/" /var/log/apache2/access.* | sed 's/:/ /g' | awk '{print $2}' | uniq 
89.248.165.73
178.239.21.201
94.189.47.234

For example:

178.239.21.201 - - [02/Nov/2021 13 57 42 +0100] "GET /CommPilot/Login/ HTTP/1.1" 302 5182 "-" "Cisco/SPA303-7.4.8a"
94.189.47.234 - - [02/Nov/2021 16 17 32 +0100] "GET /CommPilot/Login/ HTTP/1.1" 302 5023 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv 92.0) Gecko/20100101 Firefox/92.0"

Location of the IPs:

IP Address      Country      Region        City       ISP               Organization   Latitude  Longitude
94.189.47.234   Denmark      Midtjylland   Tranbjerg  TDC A/S           Not Available  56.0901   10.1194
89.248.165.73   Netherlands  Zuid-Holland  The Hague  Incrediserve Ltd  Not Available  52.0767   4.2986
178.239.21.201  Romania      Bucuresti     Bucharest  Backup24          Not Available  44.4323   26.1063


ISP DigitalOcean LLC is a security nightmare

Here is yet another IP from the ISP DigitalOcean LLC:

167.71.13.196 - - [15/Oct/2021:01:11:23 +0200] "GET / HTTP/1.1" 400 5128 "-" "-"
167.71.13.196 - - [15/Oct/2021:01:11:24 +0200] "GET / HTTP/1.1" 302 5554 "-" "l9tcpid/v1.1.0"
167.71.13.196 - - [15/Oct/2021:01:11:24 +0200] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 400 5636 "-" "Lkx-Apache2449TraversalPlugin/0.0.1 (+https://leakix.net/, +https://twitter.com/HaboubiAnis)"
167.71.13.196 - - [15/Oct/2021:01:11:24 +0200] "GET /.DS_Store HTTP/1.1" 403 991 "-" "Go-http-client/1.1"
167.71.13.196 - - [15/Oct/2021:01:11:24 +0200] "GET /.git/config HTTP/1.1" 403 991 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:24 +0200] "GET /telescope/requests HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:25 +0200] "GET /.json HTTP/1.1" 403 991 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:25 +0200] "GET / HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:25 +0200] "GET /frontend_dev.php/$ HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:25 +0200] "GET /api/search?folderIds=0 HTTP/1.1" 404 889 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:25 +0200] "GET /config.json HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:25 +0200] "GET /idx_config/ HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:26 +0200] "GET /info.php HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:26 +0200] "GET /login.action HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:26 +0200] "GET /debug/default/view?panel=config HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:26 +0200] "GET /v2/_catalog HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:26 +0200] "GET /server-status HTTP/1.1" 403 991 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:27 +0200] "GET /.env HTTP/1.1" 403 991 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:27 +0200] "GET /s/lkx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 302 938 "-" "l9explore/1.3.0"

It is trying to exploit a whole list of vulnerabilities…

Misery.

Security flaw in Apache "/cgi-bin/.%2e" (CVE-2021-41773)

I was able to observe two different attacks:

167.71.13.196 - - [15/Oct/2021:01:11:24 +0200] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 400 5636 "-" "Lkx-Apache2449TraversalPlugin/0.0.1 (+https://leakix.net/, +https://twitter.com/HaboubiAnis)"
45.93.201.33 - - [15/Oct/2021:08:16:57 +0200] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 485 "-" "-"
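To pick these requests out of a large access log automatically, here is an added example (my own code, not from the original post or from Apache): a small parser for the "combined" log format that percent-decodes the request path (so that ".%2e" becomes ".."), flags any request that climbs above the document root, tags the scanner user agents seen on this page (l9explore, l9tcpid, Lkx-...), and reports whether Apache actually blocked the request (status 400/403) or served or redirected it (status below 400). The sample log lines are constructed from the ones quoted above; the user-agent list and the "NOT-BLOCKED" tag name are my own choices.

```python
"""Detection helper for Apache access logs: path traversal and known scanners."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample, assembled from the log lines quoted on this page.
SAMPLE_LOG = """\
178.239.21.201 - - [02/Nov/2021:13:57:42 +0100] "GET /CommPilot/Login/ HTTP/1.1" 302 5182 "-" "Cisco/SPA303-7.4.8a"
167.71.13.196 - - [15/Oct/2021:01:11:24 +0200] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 400 5636 "-" "Lkx-Apache2449TraversalPlugin/0.0.1 (+https://leakix.net/, +https://twitter.com/HaboubiAnis)"
167.71.13.196 - - [15/Oct/2021:01:11:27 +0200] "GET /.env HTTP/1.1" 403 991 "-" "l9explore/1.3.0"
45.93.201.33 - - [15/Oct/2021:08:16:57 +0200] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 485 "-" "-"
"""

# Apache "combined" LogFormat: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# User agents of the scanners visible in the log excerpts above (assumed list, extend as needed).
SCANNER_AGENT_RE = re.compile(r"l9explore|l9tcpid|Lkx-", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def decode_path(path):
    """Percent-decode until stable (bounded) so '.%2e' and double-encoded
    variants all normalise to '..'. The query string is ignored."""
    p = path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    return p


def is_traversal(path):
    """True if the decoded path contains a '..' segment that climbs above the
    document root; '/a/../b' stays inside the root and is not flagged."""
    depth = 0
    for seg in decode_path(path).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def classify(rec):
    """Tags for one parsed record: traversal attempt, known scanner, and
    whether the server let the request through (status below 400)."""
    tags = []
    if is_traversal(rec["path"]):
        tags.append("path-traversal")
    if SCANNER_AGENT_RE.search(rec["agent"]):
        tags.append("known-scanner")
    if tags and rec["status"] < 400:
        tags.append("NOT-BLOCKED")
    return tags


def analyse(log_text):
    """Return (findings per IP, request count per IP)."""
    findings = {}
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["ip"]] += 1
        tags = classify(rec)
        if tags:
            findings.setdefault(rec["ip"], []).append((rec["path"], rec["status"], tags))
    return findings, counts


if __name__ == "__main__":
    found, per_ip = analyse(SAMPLE_LOG)
    for ip, events in sorted(found.items()):
        print(f"{ip} ({per_ip[ip]} requests)")
        for path, status, tags in events:
            print(f"  {status} {path}  {','.join(tags)}")
```

The 400 and 403 statuses on the traversal lines mean the request was refused; a traversal attempt tagged NOT-BLOCKED would be the one worth investigating first. Note that the Cisco phone hitting /CommPilot/Login/ gets no tag: a 302 to a login page is not, by itself, evidence of a breach.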

So I blocked the IPs:

# iptables -A INPUT -s 167.71.13.196 -j DROP
# iptables -A INPUT -s 45.93.201.33 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

For information, the IPs in question:

IP Address     Country             Region         City       ISP               Organization   Latitude  Longitude
167.71.13.196  Netherlands         Noord-Holland  Amsterdam  DigitalOcean LLC  Not Available  52.3740   4.8897
45.93.201.33   Russian Federation  Moskva         Moscow     LIR LLC           Not Available  55.7522   37.6156

To be continued.

Which countries do the IPs in my /etc/iptables/rules.v4 file come from?

I updated my previous article: https://www.cyber-neurones.org/2021/06/quels-sont-les-pays-des-ip-de-mon-fichier-etc-iptables-rules-v4/ .

Here is the command and its output:

# grep "DROP" /etc/iptables/rules.v4 | awk '{print $4}' | cut -d/ -f1 | xargs -n 1 geoiplookup | sort | uniq -c | sort -n | sed -r 's/ GeoIP Country Edition://g'
      1 AL, Albania
      1 AT, Austria
      1 CZ, Czech Republic
      1 GR, Greece
      1 IE, Ireland
      1 MD, Moldova, Republic of
      1 PE, Peru
      1 PH, Philippines
      1 SE, Sweden
      1 TT, Trinidad and Tobago
      1 UG, Uganda
      2 ID, Indonesia
      2 IR, Iran, Islamic Republic of
      2 IT, Italy
      2 JP, Japan
      2 MX, Mexico
      2 MY, Malaysia
      2 SG, Singapore
      2 TR, Turkey
      2 TW, Taiwan
      3 VN, Vietnam
      4 BR, Brazil
      4 EG, Egypt
      4 SC, Seychelles
      5 DE, Germany
      5 FR, France
      5 GB, United Kingdom
      6 CA, Canada
      6 KR, Korea, Republic of
      7 NL, Netherlands
      7 RU, Russian Federation
     11 IN, India
     19 IP Address not found
     43 CN, China
    107 US, United States

The US still leads with 107 IPs… in the end the Russians, with 7 IPs, are small fry.

Misery.