Posted: 01 Oct 2014, 16:00
I received an email from my provider saying that brute force attacks were carried out from my IP.
I asked them for the logs of the report they received and they sent me the following (I am only masking the IPs with xxxxxx):
---------- Forwarded message ----------
From: "xxxxxx@xxxxxxxxx.xxx" <xxxxxx@xxxxxxxxx.xxx>
To: Abuse OTE <abuse@ote.gr>
Cc: "xxxxxx@xxxxxxxxx.xxx" <xxxxxx@xxxxxxxxx.xxx>
Date: Sun, 28 Sep 2014 15:11:22 +0300
Subject: modsec check (Joomla Hack) - xxx.xxx.xxx.xxx (OTE-SA - GR)
Hello,
This is an automatically generated email,
=== Sun, 28 Sep 2014 14:11:22 +0200
2 attacks from xxx.xxx.xxx.xxx has been detected against xxxxxxxx.xxxxx (94.23.44.69)
More abuses for OTE-SA at : http://www.xxxxxxxx.xxxxx/modsec/index.php?netname=OTE-SA
abuse mail : abuse@ote.gr
===
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to 'xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx'
% Abuse contact for 'xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx' is 'abuse@ote.gr'
inetnum: xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx
netname: OTE-SA
descr: Multiprotocol Service Provider to other ISP's and End Users
country: GR
admin-c: OIA10-RIPE
tech-c: OIA10-RIPE
status: ASSIGNED PA
remarks: +---------------------------------+
remarks: General enquiries: noc@otenet.gr
remarks: Abuse & Spam: abuse@otenet.gr
remarks: DNS & RIPE: hostmaster@otenet.gr
remarks: +---------------------------------+
mnt-by: OTE-ADMIN-MNT
source: RIPE # Filtered
role: OTE IP ADM
address: Ote SA (Hellenic Telecommunications Organisation)
address: Kifissias 99
address: GR-15124 Athens
address: Greece
fax-no: +30 210 6116215
admin-c: AV323-RIPE
tech-c: PP5896-RIPE
tech-c: GZ1021-RIPE
nic-hdl: OIA10-RIPE
abuse-mailbox: abuse@ote.gr
mnt-by: OTE-ADMIN-MNT
source: RIPE # Filtered
% Information related to 'xxx.xxx.xxx.xxx/16AS6799'
route: xxx.xxx.xxx.xxx/16
descr: OTEnet
origin: AS6799
remarks: OTEnet S.A. Multiprotocol Backbone & ISP
mnt-by: OTE-ADMIN-MNT
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.75 (DB-2)
Some logs for xxx.xxx.xxx.xxx
========================================
Matched Transaction for Search String (xxx.xxx.xxx.xxx)
========================================
========================================
Matched Transaction for Search String (28/Sep/2014)
========================================
--514a9116-A--
[28/Sep/2014:14:09:21 +0200] VCf6cV4XLEUAACBEGLMAAAAF 94.23.44.69 38080 94.23.44.69 8080
--514a9116-B--
PUT /nyet.gif HTTP/1.1
Host: xxxxxx.xxxxxxxxx.xxxxxxxx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-LI; rv:1.9.0.16) Gecko/2009120208 Firefox/3.0.16 (.NET CLR 3.5.30729)
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Content-Length: 2657
X-Forwarded-For: xxx.xxx.xxx.xxx
X-Varnish: 485688040
--514a9116-F--
HTTP/1.1 405 Method Not Allowed
Allow: OPTIONS,GET,HEAD,POST
Vary: Accept-Encoding
Content-Length: 229
Content-Type: text/html; charset=iso-8859-1
--514a9116-H--
Stopwatch: 1411906161969080 7309 (- - -)
Stopwatch2: 1411906161969080 7309; combined=48, p1=0, p2=0, p3=0, p4=0, p5=48, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Server: Apache/2.2.22
--514a9116-Z--
========================================
Matched Transaction for Search String (xxx.xxx.xxx.xxx)
========================================
========================================
Matched Transaction for Search String (28/Sep/2014)
========================================
--bb1cea2a-A--
[28/Sep/2014:14:09:25 +0200] VCf6dF4XLEUAACBEGLwAAAAF 94.23.44.69 38080 94.23.44.69 8080
--bb1cea2a-B--
POST /index.php?option=com_jdownloads&Itemid=0&view=upload HTTP/1.1
Host: xxxxxx.xxxxxxxxx.xxxxxxxx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-LI; rv:1.9.0.16) Gecko/2009120208 Firefox/3.0.16 (.NET CLR 3.5.30729)
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Content-Length: 4175
Content-Type: multipart/form-data; boundary=----------------------------18c2841ab822
X-Forwarded-For: xxx.xxx.xxx.xxx
X-Varnish: 485688062
--bb1cea2a-I--
name=defacerid&mail=haxorid%40gmail%2ecom&catlist=1&filetitle=document&description=id&0537bf34386f2f179b57f09ed020e2c0=1&send=1&senden=Send+file&description=defacerid&option=com%5fjdownloads&view=upload
--bb1cea2a-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Length: 211
Content-Type: text/html; charset=iso-8859-1
--bb1cea2a-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.php
on this server.</p>
</body></html>
--bb1cea2a-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:(\\!\\=|\\&\\&|\\|\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\s+between\\s+0\\s+and)|(?:is\\s+null)|(like\\s+null)|(?:(?:^|\\W)in[+\\s]*\\([\\s\\d\"]+[^()]*\\))|(?:xor|<>|rlike(?:\\s+binary)?)|(?:regexp\\s+binary))" at ARGS:mail. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: xor found within ARGS:mail: haxorid@gmail.com"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1411906164981643 111678 (- - -)
Stopwatch2: 1411906164981643 111678; combined=1059, p1=140, p2=725, p3=0, p4=0, p5=167, sr=33, sw=27, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Server: Apache/2.2.22
--bb1cea2a-J--
4,6,"doczxcvbnm.zip","<Unknown ContentType>"
13,2657,"nyet.gif","<Unknown ContentType>"
Total,2663
--bb1cea2a-Z--
========================================
Matched Transaction for Search String (xxx.xxx.xxx.xxx)
========================================
========================================
Matched Transaction for Search String (28/Sep/2014)
========================================
--df5bd448-A--
[28/Sep/2014:14:09:28 +0200] VCf6d14XLEUAAA@B3RoAAAAA 94.23.44.69 38497 94.23.44.69 8080
--df5bd448-B--
POST /forum/index.php?option=com_jdownloads&Itemid=0&view=upload HTTP/1.1
Host: xxxxxx.xxxxxxxxx.xxxxxxxx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-LI; rv:1.9.0.16) Gecko/2009120208 Firefox/3.0.16 (.NET CLR 3.5.30729)
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Content-Length: 4175
Content-Type: multipart/form-data; boundary=----------------------------5c12236259d8
X-Forwarded-For: xxx.xxx.xxx.xxx
X-Varnish: 485688074
--df5bd448-I--
name=defacerid&mail=haxorid%40gmail%2ecom&catlist=1&filetitle=document&description=id&0537bf34386f2f179b57f09ed020e2c0=1&send=1&senden=Send+file&description=defacerid&option=com%5fjdownloads&view=upload
--df5bd448-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Length: 217
Content-Type: text/html; charset=iso-8859-1
--df5bd448-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /forum/index.php
on this server.</p>
</body></html>
--df5bd448-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:(\\!\\=|\\&\\&|\\|\\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\\s+between\\s+0\\s+and)|(?:is\\s+null)|(like\\s+null)|(?:(?:^|\\W)in[+\\s]*\\([\\s\\d\"]+[^()]*\\))|(?:xor|<>|rlike(?:\\s+binary)?)|(?:regexp\\s+binary))" at ARGS:mail. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [data "Matched Data: xor found within ARGS:mail: haxorid@gmail.com"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Action: Intercepted (phase 2)
Stopwatch: 1411906167979276 78289 (- - -)
Stopwatch2: 1411906167979276 78289; combined=1171, p1=262, p2=799, p3=0, p4=0, p5=74, sr=133, sw=36, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
Server: Apache/2.2.22
--df5bd448-J--
4,6,"doczxcvbnm.zip","<Unknown ContentType>"
13,2657,"nyet.gif","<Unknown ContentType>"
Total,2663
--df5bd448-Z--
On the same day, at about 10:50, I got the new IP. Could it be that the time mentioned is not the time of the attack?
Does anyone understand anything from the log?
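The quoted text is a ModSecurity 2.x serial audit log: each transaction is delimited by `--<id>-<part>--` markers, where part A carries the timestamp and addresses, B the request, F the response status, H the rule messages and Z the end. Two things in it matter for the question asked in the post: the timestamps are written in the web server's zone (+0200), so they have to be converted before comparing them with an IP assignment time given in Greek local time (+0300, summer time, on 28 Sep 2014), and because Varnish sits in front of Apache, part A shows the proxy's own address as the client while the real client address is in the X-Forwarded-For header. The script below is an added example, not part of the original post and not a tool of the ISP or of ModSecurity. It parses a constructed sample in the same shape as the log above (with the masked client address replaced by the documentation address 203.0.113.7 and the long rule pattern shortened), recovers the forwarded client address, extracts rule ids and the block decision, converts the event times to Athens local time, and lists which transactions fall after an assumed IP assignment time of 10:50 local, the figure the poster gives.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the ModSecurity serial audit log quoted
# in the post. 203.0.113.7 is a placeholder for the masked client address;
# the SQLi rule pattern is abbreviated to "..." for brevity.
SAMPLE_LOG = """--514a9116-A--
[28/Sep/2014:14:09:21 +0200] VCf6cV4XLEUAACBEGLMAAAAF 94.23.44.69 38080 94.23.44.69 8080
--514a9116-B--
PUT /nyet.gif HTTP/1.1
Host: xxxxxx.xxxxxxxxx.xxxxxxxx
X-Forwarded-For: 203.0.113.7
X-Varnish: 485688040
--514a9116-F--
HTTP/1.1 405 Method Not Allowed
--514a9116-Z--
--bb1cea2a-A--
[28/Sep/2014:14:09:25 +0200] VCf6dF4XLEUAACBEGLwAAAAF 94.23.44.69 38080 94.23.44.69 8080
--bb1cea2a-B--
POST /index.php?option=com_jdownloads&Itemid=0&view=upload HTTP/1.1
Host: xxxxxx.xxxxxxxxx.xxxxxxxx
X-Forwarded-For: 203.0.113.7
--bb1cea2a-F--
HTTP/1.1 403 Forbidden
--bb1cea2a-H--
Message: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:mail. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "70"] [id "981319"] [rev "2"] [msg "SQL Injection Attack: SQL Operator Detected"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--bb1cea2a-Z--
"""

# Greece was on EEST (UTC+3) on 28 Sep 2014; fixed offset avoids needing tzdata.
ATHENS = timezone(timedelta(hours=3), "EEST")
# Assumed IP assignment time: "about 10:50" local time, as stated in the post.
LEASE_START = datetime(2014, 9, 28, 10, 50, tzinfo=ATHENS)

PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
A_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<cip>\S+) (?P<cport>\d+) (?P<sip>\S+) (?P<sport>\d+)"
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def split_transactions(text):
    """Group the audit log into {tx_id: {part_letter: body}} in file order."""
    txs = {}
    marks = list(PART_RE.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        txs.setdefault(m.group(1), {})[m.group(2)] = text[m.end():end].strip("\n")
    return txs


def parse_transaction(tx_id, parts):
    """Extract time, real client, request line, status and rule hits from one transaction."""
    a = A_RE.match(parts["A"])
    ts = datetime.strptime(a["ts"], TS_FMT)          # timezone-aware (+0200 here)
    req_lines = parts.get("B", "").splitlines()
    request_line = req_lines[0] if req_lines else ""
    headers = {}
    for line in req_lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    # Behind a reverse proxy part A records the proxy as the client (same address
    # as the server here); the originating address is the first X-Forwarded-For entry.
    client = a["cip"]
    if client == a["sip"] and "x-forwarded-for" in headers:
        client = headers["x-forwarded-for"].split(",")[0].strip()
    f_lines = parts.get("F", "").splitlines()
    status = int(f_lines[0].split()[1]) if f_lines else None
    h = parts.get("H", "")
    return {
        "id": tx_id,
        "time": ts,
        "client": client,
        "request": request_line,
        "status": status,
        "rule_ids": re.findall(r'\[id "(\d+)"\]', h),
        "messages": re.findall(r'\[msg "([^"]+)"\]', h),
        "intercepted": "Action: Intercepted" in h,
    }


def parse_audit_log(text):
    return [parse_transaction(tx_id, parts) for tx_id, parts in split_transactions(text).items()]


def to_local(ts, tz=ATHENS):
    """Render a log timestamp in the subscriber's local zone for comparison with lease times."""
    return ts.astimezone(tz)


def attributable(events, lease_start, lease_end=None):
    """Ids of events whose absolute time falls inside the subscriber's IP lease window."""
    return [e["id"] for e in events
            if e["time"] >= lease_start and (lease_end is None or e["time"] < lease_end)]


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_LOG)
    for e in events:
        print(e["id"], to_local(e["time"]).strftime("%H:%M:%S %z"), e["client"],
              e["request"], e["status"], e["rule_ids"], "blocked" if e["intercepted"] else "")
    print("within lease:", attributable(events, LEASE_START))
```

Because the comparison is done on timezone-aware datetimes, the +0200 server time and the +0300 Athens time are compared as the same instant, so an entry stamped 14:09 +0200 is 15:09 local and lies after a 10:50 local assignment. The same parser also makes the defensive reading of the log clear: the first request was a PUT refused by Apache itself (405), the two POSTs to the com_jdownloads upload view were blocked by CRS rule 981319 in phase 2 (403), so nothing reached the application.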