Hi Yassine,

> Hello All,
>
> Today,
> Something caught my attention while looking for errors in log files.
>
> [code]
> root@messagerie-principale[10.10.10.19] ~ # tail -f
> /var/log/apache2/roundcube.error /var/log/fail2ban.log
> /var/log/apache2/mail.radioalgerie.dz.error /var/log/dovecot.log
> /var/log/mail.warn /var/log/auth.log /var/log/daemon.log /var/log/syslog
> /var/log/mysql/error.log /var/log/apache2/error.log | egrep -i
> '(fail|reject|error|banned|quarantine|virus|malware|detected|critic|fatal)'
> ==> /var/log/apache2/roundcube.error <==
> [Mon Feb 13 07:44:16.915147 2023] [core:error] [pid 57379] [client
> 162.241.181.215:44188] AH00126: Invalid URI in request GET
> /../../web.config HTTP/1.1
> [Mon Feb 13 07:45:51.144701 2023] [core:error] [pid 57489] [client
> 162.241.181.215:37200] AH00126: Invalid URI in request GET
> /../../web.config HTTP/1.1
> [Mon Feb 13 08:00:31.454599 2023] [:error] [pid 58898] [client
> 162.241.181.215:43894] script '/var/www/roundcubemail/xprober.php' not
> found or unable to stat
> [Mon Feb 13 08:41:00.277895 2023] [core:error] [pid 64359] [client
> 162.241.181.215:40784] AH00126: Invalid URI in request GET
> /../../web.config HTTP/1.1
> [Mon Feb 13 08:56:03.854510 2023] [:error] [pid 1513] [client
> 162.241.181.215:45126] script '/var/www/roundcubemail/login.php' not found
> or unable to stat
> ==> /var/log/fail2ban.log <==
> ==> /var/log/apache2/mail.radioalgerie.dz.error <==
> [Mon Feb 13 07:59:40.234190 2023] [:error] [pid 58662] [client
> 162.241.181.215:33764] script '/var/www/roundcubemail/xprober.php' not
> found or unable to stat
> [Mon Feb 13 08:39:12.997684 2023] [core:error] [pid 63800] [client
> 162.241.181.215:47014] AH00126: Invalid URI in request GET
> /../../web.config HTTP/1.1
> [Mon Feb 13 08:55:12.770692 2023] [:error] [pid 1508] [client
> 162.241.181.215:36254] script '/var/www/roundcubemail
> /login.php' not found or unable to stat
> Feb 13 09:26:35 messagerie freshclam[854]: ERROR: Can't download main.cvd
> from database.clamav.net
> Feb 13 09:26:35 messagerie freshclam[854]: Update failed. Your network may
> be down or none of the mirrors listed in /etc/clamav/freshclam.conf is
> working. Check http://www.clamav.net/doc/mirrors-faq.html for possible
> reasons.
> Feb 13 09:29:44 messagerie smartd[857]: Device: /dev/sda, failed to read
> Temperature
> Feb 13 09:29:44 messagerie smartd[857]: Device: /dev/sdb, failed to read
> Temperature
> [/code]
>
> In particular,
>
> [code]
> [Mon Feb 13 08:00:31.454599 2023] [:error] [pid 58898] [client
> 162.241.181.215:43894] script '/var/www/roundcubemail/xprober.php' not
> found or unable to stat
> [/code]
>
> I looked again at the logs,
> and found that this particular IP was scanning my webmail for
> vulnerabilities.
>
> [code]
> root@messagerie-principale[10.10.10.19] /var/log # grep 162.241.181.215
> /var/log/apache2/roundcube.access | head
> 162.241.181.215 - - [13/Feb/2023:06:33:37 +0100] "GET /.ftpconfig
> HTTP/1.1" 301 570 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2)
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36"
> 162.241.181.215 - - [13/Feb/2023:06:34:26 +0100] "GET /.ftpconfig
> HTTP/1.1" 301 594 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36"
> 162.241.181.215 - - [13/Feb/2023:06:34:51 +0100] "GET
> /google-services.json HTTP/1.1" 404 5101 "-" "Mozilla/5.0 (Windows NT 5.1)
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36"
> 162.241.181.215 - - [13/Feb/2023:06:34:52 +0100] "GET
> /app/google-services.json HTTP/1.1" 404 5105 "-" "Mozilla/5.0 (Windows NT
> 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2224.3
> Safari/537.36"
> 162.241.181.215 - - [13/Feb/2023:06:34:52 +0100] "GET
> /android/app/google-services.json HTTP/1.1" 404 5113 "-" "Mozilla/5.0
> (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/35.0.3319.102 Safari/537.36"
> 162.241.181.215 - - [13/Feb/2023:06:35:26 +0100] "GET /php.ini HTTP/1.1"
> 301 564 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36"
> 162.241.181.215 - - [13/Feb/2023:06:36:13 +0100] "GET /php.ini HTTP/1.1"
> 301 588 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
> like Gecko) Chrome/34.0.1847.137 Safari/4E423F"
> 162.241.181.215 - - [13/Feb/2023:06:36:20 +0100] "GET /configuration.yml
> HTTP/1.1" 404 5098 "-" "Mozilla/5.0 (Windows NT 4.0; WOW64)
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36"
> 162.241.181.215 - - [13/Feb/2023:06:36:21 +0100] "GET
> /config/configuration.yml HTTP/1.1" 404 5105 "-" "Mozilla/5.0 (Windows NT
> 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102
> Safari/537.36"
> 162.241.181.215 - - [13/Feb/2023:06:36:22 +0100] "GET
> /redmine/config/configuration.yml HTTP/1.1" 404 5113 "-" "Mozilla/5.0
> (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/35.0.2309.372 Safari/537.36"
> root@messagerie-principale[10.10.10.19] /var/log #
> [/code]
>
> This is a targeted attack,
> because it started at the end of last week,
> at 19:11,
> the guy knows that it was around that time that I leave,
> and he knows that end of week in Algeria is Thursday,
> not Friday.
>
>
> [code]
> root@messagerie-principale[10.10.10.19] /var/log # zgrep -l
> 162.241.181.215  /var/log/apache2/roundcube.access*
> /var/log/apache2/roundcube.access
> /var/log/apache2/roundcube.access.1
> /var/log/apache2/roundcube.access.2.gz
> /var/log/apache2/roundcube.access.3.gz
> /var/log/apache2/roundcube.access.4.gz
> root@messagerie-principale[10.10.10.19] /var/log #
> [/code]
>
> [code]
> root@messagerie-principale[10.10.10.19] /var/log # zgrep 162.241.181.215
> /var/log/apache2/roundcube.access.4.gz | head
> 162.241.181.215 - - [09/Feb/2023:19:11:27 +0100] "GET / HTTP/1.1" 301 550
> "-" "Go-http-client/1.1"
> 162.241.181.215 - - [09/Feb/2023:19:11:30 +0100] "GET / HTTP/1.1" 200 7837
> "-" "Go-http-client/1.1"
> 162.241.181.215 - - [09/Feb/2023:19:11:31 +0100] "GET / HTTP/1.1" 301 574
> "-" "Go-http-client/1.1"
> 162.241.181.215 - - [09/Feb/2023:21:19:27 +0100] "GET
> /downloads/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd
> HTTP/1.1" 301 716 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
> 162.241.181.215 - - [09/Feb/2023:21:19:28 +0100] "GET
> /loginsave.php?u=http://interact.sh HTTP/1.1" 301 618 "-" "Mozilla/5.0
> (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/36.0.1985.67 Safari/537.36"
> 162.241.181.215 - - [09/Feb/2023:21:19:28 +0100] "GET
> /te%253Cimg%2520src=x%2520onerror=alert%2842%29%253Est HTTP/1.1" 301 648
> "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/35.0.3319.102 Safari/537.36"
> 162.241.181.215 - - [09/Feb/2023:21:19:28 +0100] "GET
> /wp-content/plugins/embed-swagger/swagger-iframe.php?url=xss://%22-alert(document.domain)-%22
> HTTP/1.1" 301 734 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64)
> AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36"
> 162.241.181.215 - - [09/Feb/2023:21:19:28 +0100] "POST /mailingupgrade.php
> HTTP/1.1" 301 586 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36"
> 162.241.181.215 - - [09/Feb/2023:21:19:28 +0100] "GET
> /IND780/excalweb.dll?webpage=../../AutoCE.ini HTTP/1.1" 301 638 "-"
> "Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like
> Gecko) Chrome/41.0.2225.0 Safari/537.36"
> 162.241.181.215 - - [09/Feb/2023:21:19:28 +0100] "GET
> /sidekiq/queues/%22onmouseover=%22alert%28nuclei%29%22 HTTP/1.1" 301 648
> "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/40.0.2214.93 Safari/537.36"
> root@messagerie-principale[10.10.10.19] /var/log #
> [/code]
>
> I immediately tried to stop the IP from continuing its scan with a
> shorewall logdrop command.
>
> [code]
> $ shorewall logdrop 162.241.181.215
> [/code]
>
> But the IP continued to log in:
>
> [code]
> root@messagerie-principale[10.10.10.19] /var/log # tcpdump -i eth1 -q -l
> -n  "(tcp[13]==2 or icmp or udp) and src net not (192.168.0.0/16 or
> 172.16.0.0/16 or 10.0.0.0/8)" | tcpdump.ip.info IP_column=3
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
> 10:28:24.841391 105.96.27.45.62125    - 10.10.10.19.443:       DZ  Tipaza
>          PLS-POOLS IP fixe 105.96.0.0/17
> 10:28:24.841578 105.96.27.45.62126    - 10.10.10.19.443:       DZ  Tipaza
>          PLS-POOLS IP fixe 105.96.0.0/17
> 10:28:24.873900 105.96.27.45.62127    - 10.10.10.19.443:       DZ  Tipaza
>          PLS-POOLS IP fixe 105.96.0.0/17
> 10:28:26.877425 149.12.118.153.26349  - 10.10.10.19.25:        US  New
> York         PSINet, Inc.
> 10:28:27.915445 197.200.176.81.52833  - 10.10.10.19.443:       DZ  Bejaia
>          PLS-POOLS 197.200.128.0/19 ANIS BENAKNOUN
> 10:28:29.184396 38.107.124.7.34707    - 10.10.10.19.25:        US  New
> York         PSINet, Inc.
> 10:28:29.813726 105.96.45.148.51692   - 10.10.10.19.443:       DZ  Alger
>          PLS-POOLS IP fixe 105.96.0.0/17
> 10:28:29.875461 105.96.73.64.10380    - 10.10.10.19.443:       DZ  Alger
>          PLS-POOLS IP fixe 105.96.0.0/17
> 10:28:29.919179 105.96.73.64.3463     - 10.10.10.19.443:       DZ  Alger
>          PLS-POOLS IP fixe 105.96.0.0/17
> 10:28:30.700453 105.96.60.35.55994    - 10.10.10.19.443:       DZ  Skikda
>          PLS-POOLS IP fixe 105.96.0.0/17
> 10:28:33.149986 162.241.181.215.58446 - 10.10.10.19.443:       US  Utah
>          Unified Layer
> 10:28:34.083508 105.96.61.134.20218   - 10.10.10.19.443:       DZ  Alger
>          PLS-POOLS IP fixe 105.96.0.0/17
> 10:28:34.142935 162.241.181.215.58446 - 10.10.10.19.443:       US  Utah
>          Unified Layer
> 10:28:36.142824 162.241.181.215.58446 - 10.10.10.19.443:       US  Utah
>          Unified Layer
> 10:28:38.277058 197.201.1.122.59377   - 10.10.10.19.443:       DZ  Alger
>          IP-FIXE pool pour plage fixe
> 10:28:38.387334 105.96.57.103.18009   - 10.10.10.19.443:       DZ  Alger
>          PLS-POOLS IP fixe 105.96.0.0/17
> 10:28:40.152838 162.241.181.215.58446 - 10.10.10.19.443:       US  Utah
>          Unified Layer
> 10:28:43.164360 162.241.181.215.32986 - 10.10.10.19.443:       US  Utah
>          Unified Layer
> 10:28:43.477101 105.96.82.133.52542   - 10.10.10.19.443:       DZ  Alger
>          PLS-POOLS IP fixe 105.96.0.0/17
> ^C23 packets captured
> 23 packets received by filter
> 0 packets dropped by kernel
>
> root@messagerie-principale[10.10.10.19] /var/log #
> [/code]
>
> 162.241.181.215,
> an IP located in Utah, USA,
> was still connecting.
>
> /var/log/messages,
> which used to be populated with shorewall ban messages,
> is empty:
>
> [code]
> root@messagerie-principale[10.10.10.19] /var/log # cat messages
> Feb 13 06:25:06 messagerie rsyslogd: [origin software="rsyslogd"
> swVersion="8.4.2" x-pid="938" x-info="http://www.rsyslog.com";] rsyslogd
> was HUPed
> Feb 13 06:25:19 messagerie rsyslogd0: action 'action 17' resumed (module
> 'builtin:ompipe') [try http://www.rsyslog.com/e/0 ]
> Feb 13 06:25:19 messagerie rsyslogd-2359: action 'action 17' resumed
> (module 'builtin:ompipe') [try http://www.rsyslog.com/e/2359 ]
> Feb 13 06:36:00 messagerie rsyslogd-2007: action 'action 17' suspended,
> next retry is Mon Feb 13 06:36:30 2023 [try http://www.rsyslog.com/e/2007
> ]
> Feb 13 10:24:04 messagerie kernel: [561655.405498] device eth1 entered
> promiscuous mode
> Feb 13 10:24:09 messagerie kernel: [561660.814079] device eth1 left
> promiscuous mode
> Feb 13 10:24:13 messagerie kernel: [561664.771916] device eth1 entered
> promiscuous mode
> Feb 13 10:24:25 messagerie kernel: [561676.160617] device eth1 left
> promiscuous mode
> Feb 13 10:25:06 messagerie kernel: [561717.262545] device eth1 entered
> promiscuous mode
> Feb 13 10:25:13 messagerie kernel: [561724.786655] device eth1 left
> promiscuous mode
> Feb 13 10:25:49 messagerie kernel: [561760.974065] device eth1 entered
> promiscuous mode
> Feb 13 10:25:54 messagerie kernel: [561765.590239] device eth1 left
> promiscuous mode
> Feb 13 10:26:48 messagerie kernel: [561819.290131] device eth1 entered
> promiscuous mode
> Feb 13 10:26:51 messagerie kernel: [561822.934034] device eth1 left
> promiscuous mode
> Feb 13 10:27:35 messagerie kernel: [561866.239144] device eth1 entered
> promiscuous mode
> Feb 13 10:27:35 messagerie kernel: [561866.748364] device eth1 left
> promiscuous mode
> Feb 13 10:28:24 messagerie kernel: [561915.696483] device eth1 entered
> promiscuous mode
> Feb 13 10:28:44 messagerie kernel: [561935.822362] device eth1 left
> promiscuous mode
> Feb 13 10:29:42 messagerie kernel: [561993.846244] device eth1 entered
> promiscuous mode
> Feb 13 10:29:58 messagerie kernel: [562009.847237] device eth1 left
> promiscuous mode
> root@messagerie-principale[10.10.10.19] /var/log #
> [/code]
>
> So I checked again that the IP was really blocked by shorewall by doing a
> shorewall show dynamic
>
> [code]
> root@messagerie-principale[10.10.10.19] /var/log # shorewall show dynamic
> | tail
>      0     0 logdrop    all  --  *      *       46.38.145.0/24
> 0.0.0.0/0
>      0     0 logdrop    all  --  *      *       212.227.15.0/24
> 0.0.0.0/0
>      0     0 reject     all  --  *      *       104.168.34.178
> 0.0.0.0/0
>      0     0 reject     all  --  *      *       104.168.34.177
> 0.0.0.0/0
>      0     0 reject     all  --  *      *       105.102.33.176
> 0.0.0.0/0
>     11   660 reject     all  --  *      *       105.102.42.31
> 0.0.0.0/0
>     20  1200 reject     all  --  *      *       105.96.195.57
> 0.0.0.0/0
>      0     0 reject     all  --  *      *       41.108.14.140
> 0.0.0.0/0
>    185 11100 logdrop    all  --  *      *       162.241.181.215
> 0.0.0.0/0
>
> root@messagerie-principale[10.10.10.19] /var/log #
> [/code]
>
> "shorewall show dynamic" lists the IP that I banned.
> Its target is logdrop,
> but it could still connect to my machine,
> and nothing is logged in /var/log/messages.
>
> Any ideas how I could troubleshoot this further?

Isn't it possible that all the requests you see are coming in over the
already established TCP connection? I guess only new connections will then
be blocked.

I remember that I once used this tool
https://directory.fsf.org/wiki/Cutter to terminate established connections
in such a situation.

Regards,
Simon
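A quick way to separate the two cases Simon raises, as an added example and not code from anyone in this thread: the capture filter `tcp[13]==2` only ever shows packets with just the SYN flag set, so what appears in it is new connection attempts, never traffic on an already established connection; a peer that re-sends a SYN from the same source port at 1 s, 2 s, 4 s intervals is retransmitting because nothing answered, which is what a working drop looks like. The sample lines are constructed from the capture in the thread (geolocation columns removed); the `conntrack` commands in the comments assume conntrack-tools is installed.

```shell
# Added triage helper (not from the thread). Counts, per source port of a
# given peer, how many SYN-only packets arrived in a capture taken with the
# filter tcp[13]==2. The same source port sending its SYN repeatedly means
# the client got neither SYN-ACK nor RST: the packet is being dropped, so the
# ban is effective for NEW connections. Anything still getting through must
# then be an already established flow, which the ban does not touch.

# Constructed sample, trimmed from the capture in the thread (geo columns dropped).
SAMPLE='10:28:24.841391 105.96.27.45.62125    - 10.10.10.19.443:
10:28:33.149986 162.241.181.215.58446 - 10.10.10.19.443:
10:28:34.142935 162.241.181.215.58446 - 10.10.10.19.443:
10:28:36.142824 162.241.181.215.58446 - 10.10.10.19.443:
10:28:40.152838 162.241.181.215.58446 - 10.10.10.19.443:
10:28:43.164360 162.241.181.215.32986 - 10.10.10.19.443:'

# syn_attempts PEER_IP CAPTURE -> lines of "src_port syn_count", sorted by port
syn_attempts() {
    printf '%s\n' "$2" | awk -v peer="$1" '
        {
            # field 2 is src.ip.addr.port; the last dotted component is the port
            n = split($2, a, ".")
            if (n != 5) next
            src = a[1] "." a[2] "." a[3] "." a[4]
            if (src == peer) count[a[5]]++
        }
        END { for (p in count) print p, count[p] }' | sort -n
}

# blocked_verdict PEER_IP CAPTURE -> "dropped" if some source port had to
# retransmit its SYN, else "answered" (every SYN got a reply; nothing blocks it)
blocked_verdict() {
    if syn_attempts "$1" "$2" | awk '$2 > 1 { hit = 1 } END { exit !hit }'; then
        echo dropped
    else
        echo answered
    fi
}

# Flows established before the ban keep passing: by default Shorewall consults
# the dynamic blacklist for new connections only (BLACKLISTNEWONLY in older
# 4.x, the BLACKLIST= setting from 4.6 on; check the shorewall.conf man page
# for your version). To end them, delete their conntrack entries so the next
# packet is evaluated afresh (needs conntrack-tools):
#   conntrack -L -s 162.241.181.215    # list tracked flows from the peer
#   conntrack -D -s 162.241.181.215    # delete them
blocked_verdict 162.241.181.215 "$SAMPLE"
```

On the capture in the thread this prints `dropped` for 162.241.181.215 (port 58446 sent four SYNs in seven seconds), so the logdrop rule is already stopping new connections and the remaining traffic is the established-connection case Simon describes.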



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users