
To block on the firewall: 112.124.0.0/14, or at least 112.126.80.71


This time it is a big one: in a network belonging to the Chinese company ALISOFT there is a device with the IP address 112.126.80.71 that likes to scan servers for the presence of phpMyAdmin. We block the whole range on the firewall.

IP range to block: 112.124.0.0/14

A machine in this network, at IP address 112.126.80.71, scans the server for phpMyAdmin rather cleverly. What does this cleverness consist of?

It uses the HEAD method instead of GET, so the server responds with headers only, without sending the full body. That means the scan can be tens of times (!) faster than it would be with GET.

Proof:

112.126.80.71 - - [14/Mar/2017:17:28:11 +0100] "HEAD http://94.75.70.6:80/mysql/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:11 +0100] "HEAD http://94.75.70.6:80/mysql/dbadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:12 +0100] "HEAD http://94.75.70.6:80/mysql/sqlmanager/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:12 +0100] "HEAD http://94.75.70.6:80/mysql/mysqlmanager/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:12 +0100] "HEAD http://94.75.70.6:80/phpmyadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:13 +0100] "HEAD http://94.75.70.6:80/phpMyadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:13 +0100] "HEAD http://94.75.70.6:80/phpMyAdmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:14 +0100] "HEAD http://94.75.70.6:80/phpmyAdmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:14 +0100] "HEAD http://94.75.70.6:80/phpmyadmin2/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:14 +0100] "HEAD http://94.75.70.6:80/phpmyadmin3/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:15 +0100] "HEAD http://94.75.70.6:80/phpmyadmin4/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:15 +0100] "HEAD http://94.75.70.6:80/2phpmyadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:15 +0100] "HEAD http://94.75.70.6:80/phpmy/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:16 +0100] "HEAD http://94.75.70.6:80/phppma/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:16 +0100] "HEAD http://94.75.70.6:80/myadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:16 +0100] "HEAD http://94.75.70.6:80/shopdb/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:17 +0100] "HEAD http://94.75.70.6:80/MyAdmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:17 +0100] "HEAD http://94.75.70.6:80/program/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:17 +0100] "HEAD http://94.75.70.6:80/PMA/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:18 +0100] "HEAD http://94.75.70.6:80/dbadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:18 +0100] "HEAD http://94.75.70.6:80/pma/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:19 +0100] "HEAD http://94.75.70.6:80/db/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:19 +0100] "HEAD http://94.75.70.6:80/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:19 +0100] "HEAD http://94.75.70.6:80/mysql/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:20 +0100] "HEAD http://94.75.70.6:80/database/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:20 +0100] "HEAD http://94.75.70.6:80/db/phpmyadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:20 +0100] "HEAD http://94.75.70.6:80/db/phpMyAdmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:21 +0100] "HEAD http://94.75.70.6:80/sqlmanager/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:21 +0100] "HEAD http://94.75.70.6:80/mysqlmanager/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:21 +0100] "HEAD http://94.75.70.6:80/php-myadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:22 +0100] "HEAD http://94.75.70.6:80/phpmy-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:22 +0100] "HEAD http://94.75.70.6:80/mysqladmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:22 +0100] "HEAD http://94.75.70.6:80/mysql-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:23 +0100] "HEAD http://94.75.70.6:80/admin/phpmyadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:23 +0100] "HEAD http://94.75.70.6:80/admin/phpMyAdmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:24 +0100] "HEAD http://94.75.70.6:80/admin/sysadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:24 +0100] "HEAD http://94.75.70.6:80/admin/sqladmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:24 +0100] "HEAD http://94.75.70.6:80/admin/db/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:25 +0100] "HEAD http://94.75.70.6:80/admin/web/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:25 +0100] "HEAD http://94.75.70.6:80/admin/pMA/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:25 +0100] "HEAD http://94.75.70.6:80/mysql/pma/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:26 +0100] "HEAD http://94.75.70.6:80/mysql/db/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:26 +0100] "HEAD http://94.75.70.6:80/mysql/web/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:26 +0100] "HEAD http://94.75.70.6:80/mysql/pMA/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:27 +0100] "HEAD http://94.75.70.6:80/sql/phpmanager/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:27 +0100] "HEAD http://94.75.70.6:80/sql/php-myadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:28 +0100] "HEAD http://94.75.70.6:80/sql/phpmy-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:28 +0100] "HEAD http://94.75.70.6:80/sql/sql/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:28 +0100] "HEAD http://94.75.70.6:80/sql/myadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:29 +0100] "HEAD http://94.75.70.6:80/sql/webadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:29 +0100] "HEAD http://94.75.70.6:80/sql/sqlweb/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:29 +0100] "HEAD http://94.75.70.6:80/sql/websql/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:30 +0100] "HEAD http://94.75.70.6:80/sql/webdb/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:30 +0100] "HEAD http://94.75.70.6:80/sql/sqladmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:30 +0100] "HEAD http://94.75.70.6:80/sql/sql-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:31 +0100] "HEAD http://94.75.70.6:80/sql/phpmyadmin2/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:31 +0100] "HEAD http://94.75.70.6:80/sql/phpMyAdmin2/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:32 +0100] "HEAD http://94.75.70.6:80/sql/phpMyAdmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:32 +0100] "HEAD http://94.75.70.6:80/db/myadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:32 +0100] "HEAD http://94.75.70.6:80/db/webadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:33 +0100] "HEAD http://94.75.70.6:80/db/dbweb/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:33 +0100] "HEAD http://94.75.70.6:80/db/websql/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:33 +0100] "HEAD http://94.75.70.6:80/db/webdb/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:34 +0100] "HEAD http://94.75.70.6:80/db/dbadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:34 +0100] "HEAD http://94.75.70.6:80/db/db-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:34 +0100] "HEAD http://94.75.70.6:80/db/phpmyadmin3/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:35 +0100] "HEAD http://94.75.70.6:80/db/phpMyAdmin3/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:35 +0100] "HEAD http://94.75.70.6:80/db/phpMyAdmin-3/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:35 +0100] "HEAD http://94.75.70.6:80/administrator/phpmyadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:36 +0100] "HEAD http://94.75.70.6:80/administrator/phpMyAdmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:36 +0100] "HEAD http://94.75.70.6:80/administrator/db/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:37 +0100] "HEAD http://94.75.70.6:80/administrator/web/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:37 +0100] "HEAD http://94.75.70.6:80/administrator/pma/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:37 +0100] "HEAD http://94.75.70.6:80/administrator/PMA/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:38 +0100] "HEAD http://94.75.70.6:80/administrator/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:38 +0100] "HEAD http://94.75.70.6:80/phpMyAdmin2/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:38 +0100] "HEAD http://94.75.70.6:80/phpMyAdmin3/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:39 +0100] "HEAD http://94.75.70.6:80/phpMyAdmin4/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:39 +0100] "HEAD http://94.75.70.6:80/phpMyAdmin-3/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:39 +0100] "HEAD http://94.75.70.6:80/php-my-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:40 +0100] "HEAD http://94.75.70.6:80/PMA2012/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:40 +0100] "HEAD http://94.75.70.6:80/pma2012/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:40 +0100] "HEAD http://94.75.70.6:80/PMA2011/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:41 +0100] "HEAD http://94.75.70.6:80/pma2011/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:41 +0100] "HEAD http://94.75.70.6:80/phpmanager/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"

The list above is interesting because it shows the paths under which administrators hide phpMyAdmin (pma2012, phpmanager, administrator/db/, …). It follows that when installing phpMyAdmin it is worth appending a string of a few (4-6) alphanumeric characters to the directory name, to avoid many automated attacks.

Threat level: low/medium

Who owns the address 112.126.80.71?

It is easy to check with the whois command that the address belongs to the larger pool 112.124.0.0/14, which is managed by a company in China:
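The two observations above (a burst of requests for admin-panel paths from one source, and the HEAD method keeping each probe cheap) are what a detection rule should key on. The following Python script is an added example and is not part of the original post: it parses Apache combined-format lines like those quoted above, flags any source IP that issues at least min_hits requests for admin-looking paths within window_seconds (both thresholds are assumed values, not from the post), and then confirms that the flagged address falls inside the whois-reported allocation 112.124.0.0/14 and reports the first and last address a firewall rule on that range would cover. The sample log is constructed for this example: its scanner lines are copied from the log above, while the 192.0.2.10 lines are invented benign traffic from the documentation address range. The example generalizes the post slightly by counting GET probes as well as HEAD ones and reporting the method mix.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample input: eight lines copied from the access log quoted in the post,
# plus two invented benign requests from 192.0.2.10 that the detector must ignore.
SAMPLE_LOG = """\
112.126.80.71 - - [14/Mar/2017:17:28:11 +0100] "HEAD http://94.75.70.6:80/mysql/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:11 +0100] "HEAD http://94.75.70.6:80/mysql/dbadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:12 +0100] "HEAD http://94.75.70.6:80/mysql/sqlmanager/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:12 +0100] "HEAD http://94.75.70.6:80/phpmyadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:13 +0100] "HEAD http://94.75.70.6:80/phpMyAdmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:16 +0100] "HEAD http://94.75.70.6:80/myadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:17 +0100] "HEAD http://94.75.70.6:80/PMA/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
112.126.80.71 - - [14/Mar/2017:17:28:40 +0100] "HEAD http://94.75.70.6:80/PMA2012/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Jorgee" "-"
192.0.2.10 - - [14/Mar/2017:17:28:15 +0100] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)" "-"
192.0.2.10 - - [14/Mar/2017:17:28:16 +0100] "HEAD /phpmyadmin/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11; Linux x86_64)" "-"
"""

# Combined log format; trailing extra fields (the final "-" above) are ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Path fragments typical of database admin panels, taken from the scanner's own wordlist above.
ADMIN_PATH_RE = re.compile(
    r"phpmyadmin|phpmy|myadmin|pma|dbadmin|sqlmanager|mysqlmanager|mysqladmin|phpmanager|sqladmin",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The scanner sends absolute-URI targets (proxy style); urlparse handles both forms.
    path = urlparse(m.group("target")).path
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": path,
        "status": int(m.group("status")),
        "ua": m.group("ua") or "",
    }


def parse_log(text):
    """Parse every well-formed line of a log text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_scanners(lines, window_seconds=60, min_hits=5):
    """Flag IPs with >= min_hits admin-path probes inside any window_seconds-long window.

    Thresholds are assumed values for this example; tune them to the server's traffic.
    """
    probes = defaultdict(list)  # ip -> [(timestamp, method), ...]
    for rec in (parse_line(l) for l in lines):
        if rec and ADMIN_PATH_RE.search(rec["path"]):
            probes[rec["ip"]].append((rec["ts"], rec["method"]))
    flagged = {}
    for ip, events in probes.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            flagged[ip] = {
                "max_hits_in_window": best,
                "methods": Counter(method for _, method in events),
            }
    return flagged


def block_target(ip, whois_range):
    """Check that the flagged IP sits in the whois allocation and report what a block on it covers."""
    net = ipaddress.ip_network(whois_range, strict=True)
    return {
        "cidr": str(net),
        "first": str(net[0]),
        "last": str(net[-1]),
        "addresses": net.num_addresses,
        "contains_scanner": ipaddress.ip_address(ip) in net,
    }


if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
        print(block_target(ip, "112.124.0.0/14"))
```

Run against the sample, the script flags only 112.126.80.71 (seven HEAD probes within 29 seconds) and confirms that 112.124.0.0/14 spans exactly 112.124.0.0 to 112.127.255.255, the same bounds whois reports for the ALISOFT inetnum, so the flagged host is covered by the range-wide rule the post recommends.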

% Information related to '112.124.0.0 - 112.127.255.255'

inetnum:        112.124.0.0 - 112.127.255.255
netname:        ALISOFT
descr:          Aliyun Computing Co., LTD
descr:          5F, Builing D, the West Lake International Plaza of S&T
descr:          No.391 Wen'er Road, Hangzhou, Zhejiang, China, 310099
country:        CN

What happens after blocking?

All devices with IP addresses in the range 112.124.0.0 to 112.127.255.255 will stop seeing our machine.

This means they will not reach our website, because packets arriving from those IP addresses will be dropped automatically.

Why is it worth blocking the whole pool?

The script used by ALISOFT cleverly uses HEAD instead of GET. That means whoever is using it may know other tricks with which they will try to get into our server.


Recommended action: block the whole IP address range belonging to ALISOFT on the firewall
