Quels sont les pays des IP de mon fichier /etc/iptables/rules.v4 ?

251 x served & 7 x viewed

C’est la mise à jours de l’article : https://www.cyber-neurones.org/2021/10/quels-sont-les-pays-des-ip-de-mon-fichier-etc-iptables-rules-v4-3/

J’ai plus d’IP filtrée :

# cat /etc/iptables/rules.v4 | grep "j DROP" | grep "INPUT" | wc -l
442
# cat /etc/iptables/rules.v4 | grep "j DROP" | grep "INPUT" | awk '{print $4}' | sed 's/\// /g' | awk '{print $1}' | xargs -n 1 geoiplookup { } | sort | uniq -c | sort -n | sed -r 's/ GeoIP Country Edition://g'
      1 AL, Albania
      1 AR, Argentina
      1 AT, Austria
      1 BZ, Belize
      1 CZ, Czech Republic
      1 ES, Spain
      1 GR, Greece
      1 HK, Hong Kong
      1 HU, Hungary
      1 IE, Ireland
      1 MD, Moldova, Republic of
      1 PE, Peru
      1 PH, Philippines
      1 PS, Palestinian Territory
      1 RO, Romania
      1 TT, Trinidad and Tobago
      1 UG, Uganda
      2 DK, Denmark
      2 IR, Iran, Islamic Republic of
      2 MY, Malaysia
      2 RS, Serbia
      3 ID, Indonesia
      3 IT, Italy
      3 JP, Japan
      3 MX, Mexico
      3 SG, Singapore
      3 TW, Taiwan
      3 VN, Vietnam
      4 BA, Bosnia and Herzegovina
      4 BR, Brazil
      4 TR, Turkey
      5 EG, Egypt
      5 SE, Sweden
      6 GB, United Kingdom
      8 FR, France
      8 SC, Seychelles
      9 KR, Korea, Republic of
     10 CA, Canada
     11 NL, Netherlands
     12 DE, Germany
     13 IN, India
     17 RU, Russian Federation
     29 IP Address not found
     74 CN, China
    177 US, United States

Liste des IP qui exploitent la faille : editBlackAndWhiteList : Chine & Corée du Nord

263 x served & 15 x viewed

Voici la liste des IP ;

39.79.94.197 - admin [03/Jun/2022:12:13:29 +0200] "POST /editBlackAndWhiteList HTTP/1.1" 302 239 "-" "Mozila/5.0"
119.119.99.238 - admin [03/Jun/2022:14:36:51 +0200] "POST /editBlackAndWhiteList HTTP/1.1" 302 241 "-" "Mozila/5.0"
120.237.210.179 - admin [03/Jun/2022:14:56:25 +0200] "POST /editBlackAndWhiteList HTTP/1.1" 302 239 "-" "Mozila/5.0"
113.116.170.23 - admin [02/Jun/2022:06:50:53 +0200] "POST /editBlackAndWhiteList HTTP/1.1" 302 239 "-" "Mozila/5.0"
58.145.68.217 - admin [02/Jun/2022:09:37:28 +0200] "POST /editBlackAndWhiteList HTTP/1.1" 302 241 "-" "Mozila/5.0"
220.79.44.139 - admin [02/Jun/2022:12:53:38 +0200] "POST /editBlackAndWhiteList HTTP/1.1" 302 241 "-" "Mozila/5.0"

J’ai donc bloqué toutes ses IP :

# iptables -A INPUT -s 39.79.94.197 -j DROP
# iptables -A INPUT -s 119.119.99.238 -j DROP
# iptables -A INPUT -s 120.237.210.179 -j DROP
# iptables -A INPUT -s 113.116.170.23 -j DROP
# iptables -A INPUT -s 58.145.68.217 -j DROP
# iptables -A INPUT -s 220.79.44.139 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

Quelques localisation ;

IP Address Country Region City
39.79.94.197 China Shandong Dongying
ISP Organization Latitude Longitude
China Unicom Shandong Province Network Not Available
IP Address Country Region City
119.119.99.238 China Liaoning Shenyang
ISP Organization Latitude Longitude
China Unicom Liaoning Province Network Not Available 41.7922 123.4328
IP Address Country Region City
120.237.210.179 China Guangdong Huizhou
ISP Organization Latitude Longitude
China Mobile Communications Corporation Not Available 23.0833 114.4000
IP Address Country Region City
113.116.170.23 China Guangdong Shenzhen
ISP Organization Latitude Longitude
ChinaNet Guangdong Province Network Not Available 22.5455 114.0683
IP Address Country Region City
58.145.68.217 Korea (Republic of) Gyeonggi-do Mansan
ISP Organization Latitude Longitude
SK Broadband Co Ltd Not Available 37.6795 127.1108
IP Address Country Region City
220.79.44.139 Korea (Republic of) Gyeonggi-do Seongnam
ISP Organization Latitude Longitude
KT Corporation Not Available 37.4201 127.1267

Scan de dossier par l’IP : 82.180.149.210

228 x served & 0 x viewed

IP Address Country Region City
82.180.149.210 Netherlands Noord-Holland Amsterdam
ISP Organization Latitude Longitude
Packethub S.A. Not Available 52.3785 4.9000

Voici la liste des dossiers testés :

# grep "82.180.149.210" /var/log/apache2/access.humhub.log | grep " 302 " | awk '{print $7}'
/
/
/git/
/git
/src/
/src
/config
/source/
/source
/sources/
/git/.git/config
/git/config
/src/.git/config
/src/config
/sources
/admin/
/source/.git/config
/admin
/source/config
/sources/.git/config
/sources/config
/admin/.git/config
/admin/config
/api
/rest/.git/config
/rest/config
/backend/.git/config
/rest/
/backend/config
/svc/.git/config
/svc/config
/service/.git/config
/service/config
/services/.git/config
/services/config
/app/.git/config
/app/config
/data/.git/config
/data/config
/rest
/bak/.git/config
/backend/
/bak/config
/backend
/svc/
/svc
/backup/.git/config
/backup/config
/test/.git/config
/test/config
/temp/.git/config
/temp/config
/tmp/.git/config
/tmp/config
/lib/.git/config
/lib/config
/libs/.git/config
/service/
/service
/services/
/services
/app/
/libs/config
/app
/cfg/.git/config
/data/
/data
/bak/
/bak
/backup/
/backup
/test/
/test
/cfg/config
/conf/.git/config
/conf/config
/config/.git/config
/config/config
/inc/.git/config
/inc/config
/include/.git/config
/include/config
/includes/.git/config
/includes/config
/temp/
/temp
/tmp/
/tmp
/lib/
/lib
/libs/
/libs
/cfg/
/cfg
/conf/
/conf
/config/
/config
/inc/
/inc
/include/
/include
/includes/
/includes
/upload/
/upload
/uploads/
/uploads/
/download/
/download
/downloads/
/downloads
/files/
/files
/log/
/log
/logs/
/logs
/cron/
/cron
/wallet/
/wallet
/wallets/
/wallets

J’ai donc bloqué l’IP.

# iptables -A INPUT -s 82.180.149.210 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

Attaque de l’IP : 193.106.191.48 (Russian Federation)

178 x served & 50 x viewed

Voici toutes les tentatives :

193.106.191.48 - - [25/May/2022:00:17:47 +0200] "GET /solr/admin/info/system?wt=json HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:00:17:52 +0200] "GET /user/auth/login HTTP/1.1" 200 8276 "http://80.15.48.50:80/solr/admin/info/system?wt=json" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:01:04:50 +0200] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:01:04:52 +0200] "GET /user/auth/login HTTP/1.1" 200 8278 "http://80.15.48.50:80/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:01:47:43 +0200] "GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:01:47:43 +0200] "GET /user/auth/login HTTP/1.1" 200 8275 "http://80.15.48.50:80/?a=fetch&content=die(@md5(HelloThinkCMF))" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:02:38:44 +0200] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:02:38:57 +0200] "GET /user/auth/login HTTP/1.1" 200 8273 "http://80.15.48.50:80/?XDEBUG_SESSION_START=phpstorm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:02:50:08 +0200] "GET /console/ HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:02:50:08 +0200] "GET /user/auth/login HTTP/1.1" 200 8277 "http://80.15.48.50:80/console/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:03:29:20 +0200] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 302 218 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:03:29:20 +0200] "GET /user/auth/login HTTP/1.1" 200 8280 "http://80.15.48.50:80/Autodiscover/Autodiscover.xml" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:04:07:48 +0200] "GET /_ignition/execute-solution HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:04:38:22 +0200] "GET / HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:04:38:24 +0200] "GET /user/auth/login HTTP/1.1" 200 8279 "http://80.15.48.50:80" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:05:17:51 +0200] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 485 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:05:52:38 +0200] "GET / HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:05:52:47 +0200] "GET /user/auth/login HTTP/1.1" 200 8278 "http://80.15.48.50:80/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:06:24:47 +0200] "GET /actuator/gateway/routes HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:06:24:48 +0200] "GET /user/auth/login HTTP/1.1" 200 8277 "http://80.15.48.50:80/actuator/gateway/routes" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:07:41:34 +0200] "GET / HTTP/1.1" 302 5559 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:07:41:46 +0200] "GET /user/auth/login HTTP/1.1" 200 13475 "https://80.15.48.50:443" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:07:55:26 +0200] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 5371 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:07:55:28 +0200] "GET /user/auth/login HTTP/1.1" 200 13473 "https://80.15.48.50:443/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:08:40:07 +0200] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 5559 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:08:40:10 +0200] "GET /user/auth/login HTTP/1.1" 200 13471 "https://80.15.48.50:443/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:09:54:31 +0200] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 302 5559 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:09:54:32 +0200] "GET /user/auth/login HTTP/1.1" 200 13470 "https://80.15.48.50:443/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

Et comme par hasard :

IP Address Country Region City
193.106.191.48 Russian Federation Moskva Moscow
ISP Organization Latitude Longitude
Kanzas LLC Not Available 55.7522 37.6156

Mon conseil :

# iptables -A INPUT -s 193.106.191.48 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4