Hi,

thanks for all the feedback. I really think this was just a random hit by someone scanning the internet and I can live with that.

The only thing I'd like to mention is that the request

- came from a public IP
- the server does not and has never hosted any instance of Guacamole

The latter made me think about sending an email to the list, because why would someone go exactly for a path containing `guacamole`? Well, it just might be that the attacker read [this document](https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf) from Blackhat 2019, where it is listed as an example on page 80. (btw. very interesting document...)

Anyway, nothing happened, the server is secured, let's move on to the important things in life.

Regards

Peter

On 12.09.2019 18:07, Nick Couchman wrote:
On Thu, Sep 12, 2019 at 11:40 AM Der PCFreak <[email protected]> wrote:

    Hi,

    by accident I found the following in my very reduced Apache SSL
    Error logs:

    ```
    [Thu Sep 05 02:35:53 2019] [error] [client xxx.xxx.xxx.xxx] Invalid URI in request GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/hosts?/dana/html5acc/guacamole/ HTTP/1.1
    ```

    The thing is, I do not host Guacamole on the public internet, nor on
    this machine.

    I just wanted to inform the list that it might be the case that
    someone found a vulnerability in Guacamole and is trying to find
    publicly vulnerable servers.


First, if you think you've found a vulnerability in Guacamole, please make sure to report it responsibly:

https://www.apache.org/security/

This involves reporting it *privately* to the project, not publicly on the lists.

That said, in your case, if your Guacamole instance is not hosted publicly, then I would be concerned that whatever network it is hosted on has something bad on it - the kind of attack you're seeing there looks less like an attack specific to Guacamole and more like a generic case of someone finding a valid URL and then trying to exploit a poorly-configured system to get access to system-level files.  The good news, for you, is that it appears that your Apache server is seeing it as an invalid request.  The bad news is that something is trying to do it in the first place.  Whatever client is represented by the redacted "[client xxx.xxx.xxx.xxx]" should probably be investigated for malware and/or threat actors present on the system.

-Nick
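Nick's reading of the log line (a generic directory-traversal probe aimed at a system file, rejected by Apache as an invalid URI) is the kind of thing worth catching automatically rather than by accident. The following is an added example, not code from the thread or from the Guacamole project: a small Python scanner that parses Apache 2.2-style error-log lines like the one Peter posted, percent-decodes the requested URI (so encoded `%2e%2e` variants are caught too), counts `..` segments, determines whether the path climbs above the document root, and tallies offending clients. The sample log lines, client addresses (documentation ranges) and the list of sensitive file names are constructed for the example; only `/etc/hosts` comes from the thread.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Apache 2.2-style error log lines, as in the thread. The first line mirrors the
# posted entry with a constructed client address; the rest are constructed noise.
SAMPLE_LOG = """\
[Thu Sep 05 02:35:53 2019] [error] [client 203.0.113.7] Invalid URI in request GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/hosts?/dana/html5acc/guacamole/ HTTP/1.1
[Thu Sep 05 02:36:10 2019] [error] [client 203.0.113.7] File does not exist: /var/www/html/favicon.ico
[Thu Sep 05 02:37:01 2019] [error] [client 198.51.100.9] Invalid URI in request GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
[Thu Sep 05 02:38:44 2019] [notice] caught SIGTERM, shutting down
"""

# Assumed log layout: "[timestamp] [level] [client ip] message" (2.2 style, as posted).
LOG_LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
REQUEST_RE = re.compile(r"in request (?P<method>[A-Z]+) (?P<uri>\S+)")

# Constructed watch list of files commonly probed by traversal attempts;
# /etc/hosts is the one that appears in the thread.
SENSITIVE_PATHS = ("/etc/hosts", "/etc/passwd", "/etc/shadow")


def parse_error_log_line(line):
    """Split one error-log line into its fields; return None if it does not match."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    req = REQUEST_RE.search(rec["msg"])
    rec["method"] = req.group("method") if req else None
    rec["uri"] = req.group("uri") if req else None
    return rec


def fully_decode(uri, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e and double-encoded %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def traversal_info(path):
    """Return (number of '..' segments, True if the path climbs above the document root)."""
    segments = [s for s in re.split(r"[\\/]+", path) if s]
    dotdots = segments.count("..")
    depth, escapes = 0, False
    for seg in segments:
        if seg == "..":
            depth -= 1
            if depth < 0:
                escapes = True
        elif seg != ".":
            depth += 1
    return dotdots, escapes


def scan_log(text):
    """Return a list of findings for requests that look like traversal probes."""
    findings = []
    for line in text.splitlines():
        rec = parse_error_log_line(line)
        if not rec or not rec["uri"]:
            continue
        path = fully_decode(urlsplit(rec["uri"]).path)
        dotdots, escapes = traversal_info(path)
        reasons = []
        if escapes:
            reasons.append("path climbs above document root")
        elif dotdots:
            reasons.append(f"{dotdots} '..' segments")
        if any(posixpath.normpath(path).endswith(p) or path.endswith(p) for p in SENSITIVE_PATHS):
            reasons.append("targets a sensitive system file")
        if reasons:
            findings.append({"ts": rec["ts"], "client": rec["client"],
                             "uri": rec["uri"], "reasons": reasons})
    return findings


def clients_by_count(text):
    """Tally how many suspicious requests each client address produced."""
    return Counter(f["client"] for f in scan_log(text))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['uri']} -> {', '.join(f['reasons'])}")
    print(dict(clients_by_count(SAMPLE_LOG)))
```

The scanner works on the rejected requests Apache already logs; it does not tell you whether the probe succeeded, only that a client is sending traversal-shaped URIs, which is the signal to look at that client (or, as Nick suggests for an internal address, the host behind it).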
