Hello All,

Today,
Something caught my attention while looking for errors in log files.

[code]
root@messagerie-principale[10.10.10.19] ~ # tail -f 
/var/log/apache2/roundcube.error /var/log/fail2ban.log 
/var/log/apache2/mail.radioalgerie.dz.error /var/log/dovecot.log 
/var/log/mail.warn /var/log/auth.log /var/log/daemon.log /var/log/syslog 
/var/log/mysql/error.log /var/log/apache2/error.log | egrep -i 
'(fail|reject|error|banned|quarantine|virus|malware|detected|critic|fatal)'
==> /var/log/apache2/roundcube.error <==
[Mon Feb 13 07:44:16.915147 2023] [core:error] [pid 57379] [client 
162.241.181.215:44188] AH00126: Invalid URI in request GET /../../web.config 
HTTP/1.1
[Mon Feb 13 07:45:51.144701 2023] [core:error] [pid 57489] [client 
162.241.181.215:37200] AH00126: Invalid URI in request GET /../../web.config 
HTTP/1.1
[Mon Feb 13 08:00:31.454599 2023] [:error] [pid 58898] [client 
162.241.181.215:43894] script '/var/www/roundcubemail/xprober.php' not found or 
unable to stat
[Mon Feb 13 08:41:00.277895 2023] [core:error] [pid 64359] [client 
162.241.181.215:40784] AH00126: Invalid URI in request GET /../../web.config 
HTTP/1.1
[Mon Feb 13 08:56:03.854510 2023] [:error] [pid 1513] [client 
162.241.181.215:45126] script '/var/www/roundcubemail/login.php' not found or 
unable to stat
==> /var/log/fail2ban.log <==
==> /var/log/apache2/mail.radioalgerie.dz.error <==
[Mon Feb 13 07:59:40.234190 2023] [:error] [pid 58662] [client 
162.241.181.215:33764] script '/var/www/roundcubemail/xprober.php' not found or 
unable to stat
[Mon Feb 13 08:39:12.997684 2023] [core:error] [pid 63800] [client 
162.241.181.215:47014] AH00126: Invalid URI in request GET /../../web.config 
HTTP/1.1
[Mon Feb 13 08:55:12.770692 2023] [:error] [pid 1508] [client 
162.241.181.215:36254] script '/var/www/roundcubemail
/login.php' not found or unable to stat
Feb 13 09:26:35 messagerie freshclam[854]: ERROR: Can't download main.cvd from 
database.clamav.net
Feb 13 09:26:35 messagerie freshclam[854]: Update failed. Your network may be 
down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. 
Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
Feb 13 09:29:44 messagerie smartd[857]: Device: /dev/sda, failed to read 
Temperature
Feb 13 09:29:44 messagerie smartd[857]: Device: /dev/sdb, failed to read 
Temperature
[/code]

In particular,

[code]
[Mon Feb 13 08:00:31.454599 2023] [:error] [pid 58898] [client 
162.241.181.215:43894] script '/var/www/roundcubemail/xprober.php' not found or 
unable to stat
[/code]

I looked again at the logs,
and found that this particular IP was scanning my webmail for vulnerabilities.

[code]
root@messagerie-principale[10.10.10.19] /var/log # grep 162.241.181.215  
/var/log/apache2/roundcube.access | head
162.241.181.215 - - [13/Feb/2023:06:33:37 +0100] "GET /.ftpconfig HTTP/1.1" 301 570 "-" 
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/52.0.2762.73 Safari/537.36"
162.241.181.215 - - [13/Feb/2023:06:34:26 +0100] "GET /.ftpconfig HTTP/1.1" 301 594 "-" 
"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 
Safari/537.36"
162.241.181.215 - - [13/Feb/2023:06:34:51 +0100] "GET /google-services.json HTTP/1.1" 404 5101 
"-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 
Safari/537.36"
162.241.181.215 - - [13/Feb/2023:06:34:52 +0100] "GET /app/google-services.json HTTP/1.1" 404 5105 
"-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2224.3 
Safari/537.36"
162.241.181.215 - - [13/Feb/2023:06:34:52 +0100] "GET /android/app/google-services.json HTTP/1.1" 
404 5113 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/35.0.3319.102 Safari/537.36"
162.241.181.215 - - [13/Feb/2023:06:35:26 +0100] "GET /php.ini HTTP/1.1" 301 564 "-" 
"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 
Safari/537.36"
162.241.181.215 - - [13/Feb/2023:06:36:13 +0100] "GET /php.ini HTTP/1.1" 301 588 "-" 
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 
Safari/4E423F"
162.241.181.215 - - [13/Feb/2023:06:36:20 +0100] "GET /configuration.yml HTTP/1.1" 404 5098 
"-" "Mozilla/5.0 (Windows NT 4.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/37.0.2049.0 Safari/537.36"
162.241.181.215 - - [13/Feb/2023:06:36:21 +0100] "GET /config/configuration.yml HTTP/1.1" 404 5105 
"-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 
Safari/537.36"
162.241.181.215 - - [13/Feb/2023:06:36:22 +0100] "GET /redmine/config/configuration.yml HTTP/1.1" 
404 5113 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/35.0.2309.372 Safari/537.36"
root@messagerie-principale[10.10.10.19] /var/log #
[/code]

This is a targeted attack,
because it started at the end of last week,
at 19:11,
the guy knows that it is around that time that I leave,
and he knows that the end of the week in Algeria is Thursday,
not Friday.


[code]
root@messagerie-principale[10.10.10.19] /var/log # zgrep -l 162.241.181.215  
/var/log/apache2/roundcube.access*
/var/log/apache2/roundcube.access
/var/log/apache2/roundcube.access.1
/var/log/apache2/roundcube.access.2.gz
/var/log/apache2/roundcube.access.3.gz
/var/log/apache2/roundcube.access.4.gz
root@messagerie-principale[10.10.10.19] /var/log #
[/code]

[code]
root@messagerie-principale[10.10.10.19] /var/log # zgrep 162.241.181.215  
/var/log/apache2/roundcube.access.4.gz | head
162.241.181.215 - - [09/Feb/2023:19:11:27 +0100] "GET / HTTP/1.1" 301 550 "-" 
"Go-http-client/1.1"
162.241.181.215 - - [09/Feb/2023:19:11:30 +0100] "GET / HTTP/1.1" 200 7837 "-" 
"Go-http-client/1.1"
162.241.181.215 - - [09/Feb/2023:19:11:31 +0100] "GET / HTTP/1.1" 301 574 "-" 
"Go-http-client/1.1"
162.241.181.215 - - [09/Feb/2023:21:19:27 +0100] "GET 
/downloads/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd HTTP/1.1" 301 716 
"-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 
Safari/537.36"
162.241.181.215 - - [09/Feb/2023:21:19:28 +0100] "GET /loginsave.php?u=http://interact.sh HTTP/1.1" 
301 618 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/36.0.1985.67 Safari/537.36"
162.241.181.215 - - [09/Feb/2023:21:19:28 +0100] "GET 
/te%253Cimg%2520src=x%2520onerror=alert%2842%29%253Est HTTP/1.1" 301 648 "-" "Mozilla/5.0 
(Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36"
162.241.181.215 - - [09/Feb/2023:21:19:28 +0100] "GET 
/wp-content/plugins/embed-swagger/swagger-iframe.php?url=xss://%22-alert(document.domain)-%22 HTTP/1.1" 
301 734 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) 
Chrome/44.0.2403.155 Safari/537.36"
162.241.181.215 - - [09/Feb/2023:21:19:28 +0100] "POST /mailingupgrade.php HTTP/1.1" 301 586 
"-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 
Safari/537.36"
162.241.181.215 - - [09/Feb/2023:21:19:28 +0100] "GET /IND780/excalweb.dll?webpage=../../AutoCE.ini 
HTTP/1.1" 301 638 "-" "Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/41.0.2225.0 Safari/537.36"
162.241.181.215 - - [09/Feb/2023:21:19:28 +0100] "GET 
/sidekiq/queues/%22onmouseover=%22alert%28nuclei%29%22 HTTP/1.1" 301 648 "-" "Mozilla/5.0 
(Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36"
root@messagerie-principale[10.10.10.19] /var/log #
[/code]

I immediately tried to stop the IP from continuing its scan with a shorewall 
logdrop command.

[code]
$ shorewall logdrop 162.241.181.215
[/code]

But the IP continued to log in:

[code]
root@messagerie-principale[10.10.10.19] /var/log # tcpdump -i eth1 -q -l -n  
"(tcp[13]==2 or icmp or udp) and src net not (192.168.0.0/16 or 172.16.0.0/16 or 
10.0.0.0/8)" | tcpdump.ip.info IP_column=3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
10:28:24.841391 105.96.27.45.62125    - 10.10.10.19.443:       DZ  Tipaza       
    PLS-POOLS IP fixe 105.96.0.0/17
10:28:24.841578 105.96.27.45.62126    - 10.10.10.19.443:       DZ  Tipaza       
    PLS-POOLS IP fixe 105.96.0.0/17
10:28:24.873900 105.96.27.45.62127    - 10.10.10.19.443:       DZ  Tipaza       
    PLS-POOLS IP fixe 105.96.0.0/17
10:28:26.877425 149.12.118.153.26349  - 10.10.10.19.25:        US  New York     
    PSINet, Inc.
10:28:27.915445 197.200.176.81.52833  - 10.10.10.19.443:       DZ  Bejaia       
    PLS-POOLS 197.200.128.0/19 ANIS BENAKNOUN
10:28:29.184396 38.107.124.7.34707    - 10.10.10.19.25:        US  New York     
    PSINet, Inc.
10:28:29.813726 105.96.45.148.51692   - 10.10.10.19.443:       DZ  Alger        
    PLS-POOLS IP fixe 105.96.0.0/17
10:28:29.875461 105.96.73.64.10380    - 10.10.10.19.443:       DZ  Alger        
    PLS-POOLS IP fixe 105.96.0.0/17
10:28:29.919179 105.96.73.64.3463     - 10.10.10.19.443:       DZ  Alger        
    PLS-POOLS IP fixe 105.96.0.0/17
10:28:30.700453 105.96.60.35.55994    - 10.10.10.19.443:       DZ  Skikda       
    PLS-POOLS IP fixe 105.96.0.0/17
10:28:33.149986 162.241.181.215.58446 - 10.10.10.19.443:       US  Utah         
    Unified Layer
10:28:34.083508 105.96.61.134.20218   - 10.10.10.19.443:       DZ  Alger        
    PLS-POOLS IP fixe 105.96.0.0/17
10:28:34.142935 162.241.181.215.58446 - 10.10.10.19.443:       US  Utah         
    Unified Layer
10:28:36.142824 162.241.181.215.58446 - 10.10.10.19.443:       US  Utah         
    Unified Layer
10:28:38.277058 197.201.1.122.59377   - 10.10.10.19.443:       DZ  Alger        
    IP-FIXE pool pour plage fixe
10:28:38.387334 105.96.57.103.18009   - 10.10.10.19.443:       DZ  Alger        
    PLS-POOLS IP fixe 105.96.0.0/17
10:28:40.152838 162.241.181.215.58446 - 10.10.10.19.443:       US  Utah         
    Unified Layer
10:28:43.164360 162.241.181.215.32986 - 10.10.10.19.443:       US  Utah         
    Unified Layer
10:28:43.477101 105.96.82.133.52542   - 10.10.10.19.443:       DZ  Alger        
    PLS-POOLS IP fixe 105.96.0.0/17
^C23 packets captured
23 packets received by filter
0 packets dropped by kernel

root@messagerie-principale[10.10.10.19] /var/log #
[/code]

162.241.181.215,
an IP located in Utah, USA,
was still connecting.

/var/log/messages,
which used to be populated with shorewall ban messages,
is empty:

[code]
root@messagerie-principale[10.10.10.19] /var/log # cat messages
Feb 13 06:25:06 messagerie rsyslogd: [origin software="rsyslogd" swVersion="8.4.2" 
x-pid="938" x-info="http://www.rsyslog.com";] rsyslogd was HUPed
Feb 13 06:25:19 messagerie rsyslogd0: action 'action 17' resumed (module 
'builtin:ompipe') [try http://www.rsyslog.com/e/0 ]
Feb 13 06:25:19 messagerie rsyslogd-2359: action 'action 17' resumed (module 
'builtin:ompipe') [try http://www.rsyslog.com/e/2359 ]
Feb 13 06:36:00 messagerie rsyslogd-2007: action 'action 17' suspended, next 
retry is Mon Feb 13 06:36:30 2023 [try http://www.rsyslog.com/e/2007 ]
Feb 13 10:24:04 messagerie kernel: [561655.405498] device eth1 entered 
promiscuous mode
Feb 13 10:24:09 messagerie kernel: [561660.814079] device eth1 left promiscuous 
mode
Feb 13 10:24:13 messagerie kernel: [561664.771916] device eth1 entered 
promiscuous mode
Feb 13 10:24:25 messagerie kernel: [561676.160617] device eth1 left promiscuous 
mode
Feb 13 10:25:06 messagerie kernel: [561717.262545] device eth1 entered 
promiscuous mode
Feb 13 10:25:13 messagerie kernel: [561724.786655] device eth1 left promiscuous 
mode
Feb 13 10:25:49 messagerie kernel: [561760.974065] device eth1 entered 
promiscuous mode
Feb 13 10:25:54 messagerie kernel: [561765.590239] device eth1 left promiscuous 
mode
Feb 13 10:26:48 messagerie kernel: [561819.290131] device eth1 entered 
promiscuous mode
Feb 13 10:26:51 messagerie kernel: [561822.934034] device eth1 left promiscuous 
mode
Feb 13 10:27:35 messagerie kernel: [561866.239144] device eth1 entered 
promiscuous mode
Feb 13 10:27:35 messagerie kernel: [561866.748364] device eth1 left promiscuous 
mode
Feb 13 10:28:24 messagerie kernel: [561915.696483] device eth1 entered 
promiscuous mode
Feb 13 10:28:44 messagerie kernel: [561935.822362] device eth1 left promiscuous 
mode
Feb 13 10:29:42 messagerie kernel: [561993.846244] device eth1 entered 
promiscuous mode
Feb 13 10:29:58 messagerie kernel: [562009.847237] device eth1 left promiscuous 
mode
root@messagerie-principale[10.10.10.19] /var/log #
[/code]

So I checked again that the IP was really blocked by shorewall by doing a 
shorewall show dynamic

[code]
root@messagerie-principale[10.10.10.19] /var/log # shorewall show dynamic | tail
    0     0 logdrop    all  --  *      *       46.38.145.0/24       0.0.0.0/0
    0     0 logdrop    all  --  *      *       212.227.15.0/24      0.0.0.0/0
    0     0 reject     all  --  *      *       104.168.34.178       0.0.0.0/0
    0     0 reject     all  --  *      *       104.168.34.177       0.0.0.0/0
    0     0 reject     all  --  *      *       105.102.33.176       0.0.0.0/0
   11   660 reject     all  --  *      *       105.102.42.31        0.0.0.0/0
   20  1200 reject     all  --  *      *       105.96.195.57        0.0.0.0/0
    0     0 reject     all  --  *      *       41.108.14.140        0.0.0.0/0
  185 11100 logdrop    all  --  *      *       162.241.181.215      0.0.0.0/0

root@messagerie-principale[10.10.10.19] /var/log #
[/code]

"shorewall show dynamic" lists the IP that I banned.
Its target is logdrop,
but it could still connect to my machine,
and nothing is logged in /var/log/messages.

Any ideas how I could troubleshoot this further?

Best,

--
yassine -- sysadm
Viber/GSM : 00213-779 06 06 23
http://about.me/ychaouche
Looking for side gigs.
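One way to settle the troubleshooting question with evidence rather than the tcpdump view alone: tcpdump taps inbound frames on eth1 before netfilter evaluates them, so the banned address's SYNs still showing up in the capture is compatible with the logdrop rule working; the rule's packet counter in `shorewall show dynamic` and the absence of new access-log requests after the ban time are the signals that decide it. The script below is an added example, not code from the post or from Shorewall; it parses constructed samples laid out like the `shorewall show dynamic` and roundcube.access output above, and the ban timestamp is a constructed value in the access log's own format.

```python
import re
from datetime import datetime

# Constructed sample of `shorewall show dynamic` output (iptables -nv layout, as in the post).
DYNAMIC = """\
    0     0 reject     all  --  *      *       41.108.14.140        0.0.0.0/0
  185 11100 logdrop    all  --  *      *       162.241.181.215      0.0.0.0/0
"""

# Constructed Apache combined-log lines in the same layout as roundcube.access.
ACCESS = """\
162.241.181.215 - - [13/Feb/2023:06:36:22 +0100] "GET /config/configuration.yml HTTP/1.1" 404 5105 "-" "Mozilla/5.0"
162.241.181.215 - - [13/Feb/2023:08:56:03 +0100] "GET /login.php HTTP/1.1" 404 5101 "-" "Mozilla/5.0"
105.96.27.45 - - [13/Feb/2023:10:28:24 +0100] "GET / HTTP/1.1" 200 7837 "-" "Mozilla/5.0"
"""
# iptables -nv columns: pkts bytes target prot opt in out source destination
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+\d+[KMG]?\s+(\S+)\s+\S+\s+--\s+\S+\s+\S+\s+(\S+)\s+\S+")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # Apache timestamp, e.g. 13/Feb/2023:10:00:00 +0100

def _count(s):  # iptables -v abbreviates large counters (e.g. 11K); expand them
    mult = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def dynamic_rule(output, ip):
    """Return (target, packets) of the dynamic-chain rule whose source is ip, else None."""
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(3) == ip:
            return m.group(2), _count(m.group(1))
    return None

def requests_after(log, ip, since):
    """Count access-log requests from ip stamped after `since` (same stamp format as the log)."""
    cutoff = datetime.strptime(since, TS_FMT)
    n = 0
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(1) == ip:
            n += datetime.strptime(m.group(2), TS_FMT) > cutoff
    return n

def verdict(dynamic, log, ip, banned_at):
    """Combine both signals into one line a sysadmin can act on."""
    if (rule := dynamic_rule(dynamic, ip)) is None:
        return "no dynamic rule for this ip"
    target, pkts = rule
    if later := requests_after(log, ip, banned_at):
        return f"{target} rule present but {later} request(s) logged after ban"
    return f"{target} rule matched {pkts} packet(s); no requests logged after ban"
```

On the real box, feed it the output of `shorewall show dynamic` and the access log, with the time you issued `shorewall logdrop` as `banned_at`; if the counter climbs while no new requests are logged, the firewall is doing its job and only the log destination needs attention.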


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users