ISP DigitalOcean LLC is a security nightmare

Here is yet another IP from the ISP DigitalOcean LLC:

167.71.13.196 - - [15/Oct/2021:01:11:23 +0200] "GET / HTTP/1.1" 400 5128 "-" "-"
167.71.13.196 - - [15/Oct/2021:01:11:24 +0200] "GET / HTTP/1.1" 302 5554 "-" "l9tcpid/v1.1.0"
167.71.13.196 - - [15/Oct/2021:01:11:24 +0200] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 400 5636 "-" "Lkx-Apache2449TraversalPlugin/0.0.1 (+https://leakix.net/, +https://twitter.com/HaboubiAnis)"
167.71.13.196 - - [15/Oct/2021:01:11:24 +0200] "GET /.DS_Store HTTP/1.1" 403 991 "-" "Go-http-client/1.1"
167.71.13.196 - - [15/Oct/2021:01:11:24 +0200] "GET /.git/config HTTP/1.1" 403 991 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:24 +0200] "GET /telescope/requests HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:25 +0200] "GET /.json HTTP/1.1" 403 991 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:25 +0200] "GET / HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:25 +0200] "GET /frontend_dev.php/$ HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:25 +0200] "GET /api/search?folderIds=0 HTTP/1.1" 404 889 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:25 +0200] "GET /config.json HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:25 +0200] "GET /idx_config/ HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:26 +0200] "GET /info.php HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:26 +0200] "GET /login.action HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:26 +0200] "GET /debug/default/view?panel=config HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:26 +0200] "GET /v2/_catalog HTTP/1.1" 302 938 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:26 +0200] "GET /server-status HTTP/1.1" 403 991 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:27 +0200] "GET /.env HTTP/1.1" 403 991 "-" "l9explore/1.3.0"
167.71.13.196 - - [15/Oct/2021:01:11:27 +0200] "GET /s/lkx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 302 938 "-" "l9explore/1.3.0"

It works its way through a whole list of vulnerabilities to exploit…

Misery.

Apache security flaw "/cgi-bin/.%2e" (CVE-2021-41773)

I observed two different attacks:

167.71.13.196 - - [15/Oct/2021:01:11:24 +0200] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 400 5636 "-" "Lkx-Apache2449TraversalPlugin/0.0.1 (+https://leakix.net/, +https://twitter.com/HaboubiAnis)"
45.93.201.33 - - [15/Oct/2021:08:16:57 +0200] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 485 "-" "-"
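As an added illustration (not code from this post), a simplified Python model of why the ".%2e" requests above got past the affected Apache version: the server normalized the still percent-encoded path, so ".%2e" and "%2e%2e" were not recognised as ".." segments, and only decoded afterwards. Apache's real normalization code is more involved; DOCROOT and the two mapping functions are assumptions made for the demonstration, and the same ordering lesson applies to log matching, which must decode before looking for "..".

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html"  # assumed document root for the illustration


def normalize_segments(path):
    """Collapse '.' and '..' URL segments, never climbing above '/'.
    Only a literal '..' is recognised: an encoded '.%2e' or '%2e%2e'
    is kept as an ordinary file name, which is the heart of the bug."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def map_vulnerable(request_path):
    """Flawed order (simplified model of the 2.4.49 behaviour): normalize the
    encoded path, decode afterwards, then let the OS resolve the real '..'."""
    decoded = unquote(normalize_segments(request_path))
    return posixpath.normpath(DOCROOT + decoded)


def map_fixed(request_path):
    """Correct order: decode first, so encoded dots become '..' before
    normalization clamps them at the URL root."""
    normalized = normalize_segments(unquote(request_path))
    return posixpath.normpath(DOCROOT + normalized)


def escapes_docroot(fs_path):
    """True when the mapped filesystem path lies outside DOCROOT."""
    return not (fs_path == DOCROOT or fs_path.startswith(DOCROOT + "/"))


# the two request paths seen in the log excerpt above
PROBES = [
    "/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts",
    "/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
]

if __name__ == "__main__":
    for p in PROBES:
        print(p)
        print("  flawed order:", map_vulnerable(p), "<- outside DOCROOT" if escapes_docroot(map_vulnerable(p)) else "")
        print("  fixed order: ", map_fixed(p))
```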

So I blocked the IPs:

# iptables -A INPUT -s 167.71.13.196 -j DROP
# iptables -A INPUT -s 45.93.201.33 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

For the record, the IPs in question:

IP Address:   167.71.13.196
Country:      Netherlands
Region:       Noord-Holland
City:         Amsterdam
ISP:          DigitalOcean LLC
Organization: Not Available
Latitude:     52.3740
Longitude:    4.8897

IP Address:   45.93.201.33
Country:      Russian Federation
Region:       Moskva
City:         Moscow
ISP:          LIR LLC
Organization: Not Available
Latitude:     55.7522
Longitude:    37.6156

To be continued.

Which countries are the IPs in my /etc/iptables/rules.v4 file from?

I updated my previous article: https://www.cyber-neurones.org/2021/06/quels-sont-les-pays-des-ip-de-mon-fichier-etc-iptables-rules-v4/ .

Here are the command and its result:

# grep "DROP" /etc/iptables/rules.v4 | awk '{print $4}' | cut -d/ -f1 | xargs -n 1 geoiplookup | sort | uniq -c | sort -n | sed -r 's/ GeoIP Country Edition://g'
      1 AL, Albania
      1 AT, Austria
      1 CZ, Czech Republic
      1 GR, Greece
      1 IE, Ireland
      1 MD, Moldova, Republic of
      1 PE, Peru
      1 PH, Philippines
      1 SE, Sweden
      1 TT, Trinidad and Tobago
      1 UG, Uganda
      2 ID, Indonesia
      2 IR, Iran, Islamic Republic of
      2 IT, Italy
      2 JP, Japan
      2 MX, Mexico
      2 MY, Malaysia
      2 SG, Singapore
      2 TR, Turkey
      2 TW, Taiwan
      3 VN, Vietnam
      4 BR, Brazil
      4 EG, Egypt
      4 SC, Seychelles
      5 DE, Germany
      5 FR, France
      5 GB, United Kingdom
      6 CA, Canada
      6 KR, Korea, Republic of
      7 NL, Netherlands
      7 RU, Russian Federation
     11 IN, India
     19 IP Address not found
     43 CN, China
    107 US, United States

The US is still in front with 107 IPs… in the end the Russians, with 7 IPs, are small fry.

Misery.

Security flaw: malware nicknamed "THE MOON" on Linksys.

Here is an example of a trace on my server:

50.31.21.6 - - [14/Oct/2021:02:02:15 +0200] "GET / HTTP/1.0" 302 5156 "-" "-"
50.31.21.6 - - [14/Oct/2021:02:02:48 +0200] "HEAD / HTTP/1.1" 302 4938 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; MDDCJS; rv:11.0) like Gecko"
50.31.21.6 - - [14/Oct/2021:02:02:48 +0200] "GET /nmaplowercheck1634169768 HTTP/1.1" 302 5145 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; MDDCJS; rv:11.0) like Gecko"
50.31.21.6 - - [14/Oct/2021:02:02:48 +0200] "POST /sdk HTTP/1.1" 302 4957 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; MDDCJS; rv:11.0) like Gecko"
50.31.21.6 - - [14/Oct/2021:02:02:48 +0200] "GET / HTTP/1.0" 302 5156 "-" "-"
50.31.21.6 - - [14/Oct/2021:02:02:49 +0200] "GET /HNAP1 HTTP/1.1" 302 5145 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; MDDCJS; rv:11.0) like Gecko"
50.31.21.6 - - [14/Oct/2021:02:02:49 +0200] "GET / HTTP/1.1" 302 5126 "-" "-"
50.31.21.6 - - [14/Oct/2021:02:02:49 +0200] "HEAD /user/auth/login HTTP/1.1" 200 6095 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; MDDCJS; rv:11.0) like Gecko"
50.31.21.6 - - [14/Oct/2021:02:02:49 +0200] "GET /evox/about HTTP/1.1" 302 5145 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; MDDCJS; rv:11.0) like Gecko"
50.31.21.6 - - [14/Oct/2021:02:02:49 +0200] "GET /user/auth/login HTTP/1.1" 200 29756 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; MDDCJS; rv:11.0) like Gecko"

The signature is above all: "GET /HNAP1 HTTP/1.1"

My action:

# iptables -A INPUT -s 50.31.21.6 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

More information on the IP:

IP Address:   50.31.21.6
Country:      United States of America
Region:       Illinois
City:         Chicago
ISP:          SteadFast
Organization: Not Available
Latitude:     41.8761
Longitude:    -87.6521

Note that this is clearly not the first attack of this type:

134.255.233.173 - - [13/Oct/2021:18:55:13 +0200] "POST /HNAP1/ HTTP/1.1" 302 255 "-" "Mozila/5.0"
192.168.1.153 - - [13/Oct/2021:21:25:40 +0200] "GET /HNAP1/ HTTP/1.1" 302 404 "-" "Avast Antivirus"
112.27.124.140 - - [30/Oct/2020:22:40:00 +0100] "POST /HNAP1/ HTTP/1.0" 408 484 "-" "-"
45.6.195.248 - - [31/Oct/2020:00:23:21 +0100] "POST /HNAP1/ HTTP/1.0" 408 484 "-" "-"
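Added example (not the author's script), serving both this HNAP1 section and the CVE-2021-41773 section above: a small Python triage over combined-format access log lines. It percent-decodes the request path so encoded ".." variants are caught, flags "/HNAP1" probes, skips private sources such as the LAN Avast scanner, and renders the same iptables block-and-persist commands used in this post for review. It assumes numeric client addresses (HostnameLookups Off); the sample lines are taken from the excerpts above with user agents shortened, plus one constructed benign request.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# combined log: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')


def is_local(ip):
    """RFC 1918 sources (e.g. the LAN Avast scanner above) are never blocked."""
    return ipaddress.ip_address(ip).is_private  # assumes HostnameLookups Off


def classify(line):
    """Return (ip, tag) for a suspicious request, else None.
    'traversal': decoded path has a '..' segment (catches .%2e and %2e%2e);
    'hnap1': HNAP probe used by THE MOON and similar router scanners."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, path, _status, _agent = m.groups()
    route = unquote(path).split("?", 1)[0]  # decode first, then drop the query
    if ".." in route.split("/"):
        return ip, "traversal"
    if route.rstrip("/") == "/HNAP1":
        return ip, "hnap1"
    return None


def triage(lines):
    """Map each external offending IP to the set of signatures it hit."""
    hits = defaultdict(set)
    for line in lines:
        found = classify(line)
        if found and not is_local(found[0]):
            hits[found[0]].add(found[1])
    return dict(hits)


def iptables_commands(hits):
    """The post's block-and-persist steps, rendered for an admin to review."""
    cmds = [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(hits)]
    cmds.append("/usr/sbin/iptables-save > /etc/iptables/rules.v4")
    return cmds


# sample input: lines from the excerpts above (agents shortened) + one constructed benign request
SAMPLE = """\
167.71.13.196 - - [15/Oct/2021:01:11:24 +0200] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 400 5636 "-" "Lkx-Apache2449TraversalPlugin/0.0.1"
45.93.201.33 - - [15/Oct/2021:08:16:57 +0200] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 485 "-" "-"
50.31.21.6 - - [14/Oct/2021:02:02:49 +0200] "GET /HNAP1 HTTP/1.1" 302 5145 "-" "Mozilla/5.0"
134.255.233.173 - - [13/Oct/2021:18:55:13 +0200] "POST /HNAP1/ HTTP/1.1" 302 255 "-" "Mozila/5.0"
192.168.1.153 - - [13/Oct/2021:21:25:40 +0200] "GET /HNAP1/ HTTP/1.1" 302 404 "-" "Avast Antivirus"
203.0.113.9 - - [15/Oct/2021:09:00:00 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.68.0"
"""
```

Running print("\n".join(iptables_commands(triage(SAMPLE.splitlines())))) lists four DROP rules followed by the iptables-save step; in practice feed it the real access log and review the list before applying it.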

Misery.