# Detecting HTTP enumeration attacks

With this command you can list the IPs that have run an enumeration attack against us.
It can be very useful to add those IPs to the firewall blacklist.
Remember that enumeration is a phase prior to an attack: if vulnerabilities are found during the enumeration phase,
they will be used in the analysis and exploitation phases.
**Current day:** `cat /var/log/apache2/access.log |awk '/" 40/&&!/favicon/&&!/robots/{print $1}' |sort|uniq -cd|sort -r | head`

```txt
root@jejo.es ~# cat /var/log/apache2/access.log |awk '/" 40/&&!/favicon/&&!/robots/{print $1}' |sort|uniq -cd|sort -r | head
      4 124.123.188.179
      3 183.82.36.176
      3 167.71.4.97
      2 206.189.23.43
```

No attacks are detected because the httpenum defense is active; it blocks the IPs that try to enumerate us over HTTP.

**Previous day:** `cat /var/log/apache2/access.log.1 |awk '/" 40/&&!/favicon/&&!/robots/{print $1}' |sort|uniq -cd|sort -r | head`

```txt
root@jejo.es ~# cat /var/log/apache2/access.log.1 |awk '/" 40/&&!/favicon/&&!/robots/{print $1}' |sort|uniq -cd|sort -r | head
    830 187.122.248.165
    486 118.24.38.122
      4 49.207.238.102
      4 106.51.2.127
      3 66.249.66.52
```

Two enumerations are clearly visible: one with 800 hits and another with 400.

**Last 10 days:** `zcat /var/log/apache2/access.log.?.gz |awk '/" 40/&&!/favicon/&&!/robots/{print $1}' |sort|uniq -cd|sort -r | head`

```txt
root@jejo.es ~# zcat /var/log/apache2/access.log.?.gz |awk '/" 40/&&!/favicon/&&!/robots/{print $1}' |sort|uniq -cd|sort -r | head
    841 106.12.52.142
    836 129.211.22.24
    823 189.129.210.248
    787 175.139.154.207
     14 66.249.66.52
     14 202.134.175.161
     12 66.249.79.204
     10 106.51.2.127
      9 49.207.178.104
```

As you can see, we have been __blatantly__ enumerated 4 times.

**Using the full history:** `zcat /var/log/apache2/access.log.*.gz |awk '/" 40/&&!/jcloud/&&!/favicon/&&!/robots/{print $1}'|sort|uniq -cd|sort -r|head`

```txt
root@jejo.es ~# zcat /var/log/apache2/access.log.*.gz |awk '/" 40/&&!/favicon/&&!/robots/{print $1}'|sort|uniq -cd|sort -r|head
    841 106.12.52.142
    836 129.211.22.24
    829 212.64.25.196
    823 189.129.210.248
    787 175.139.154.207
     74 166.70.207.2
     17 49.206.252.127
     14 66.249.66.52
     14 202.134.175.161
     14 106.51.2.127
```

Now, if we investigate one of the IPs (just out of curiosity):

```txt
root@jejo.es ~# zcat /var/log/apache2/access.log.*.gz |awk '/106.12.52.142/{print $1 $7}'|sort|uniq -cd|sort -r
      9 106.12.52.142/test.php
      8 106.12.52.142/1.php
      6 106.12.52.142/qq.php
      5 106.12.52.142/x.php
      5 106.12.52.142/shell.php
      5 106.12.52.142/cmd.php
      4 106.12.52.142/ss.php
      4 106.12.52.142/log.php
      4 106.12.52.142/confg.php
      4 106.12.52.142/api.php
      3 106.12.52.142/zzz.php
      3 106.12.52.142/z.php
      3 106.12.52.142/q.php
      3 106.12.52.142/jsc.php
      3 106.12.52.142/hell.php
      3 106.12.52.142/aaa.php
      3 106.12.52.142/2.php
      3 106.12.52.142/123.php
      3 106.12.52.142/
      2 106.12.52.142/zxy.php
      2 106.12.52.142/zxc1.php
      2 106.12.52.142/zxc.php
      2 106.12.52.142/xx.php
      2 106.12.52.142/xiaoxi.php
      2 106.12.52.142/xiao.php
      2 106.12.52.142/www.php
      2 106.12.52.142/ww.php
      2 106.12.52.142/v.php
```

From this we can work out which dictionary it used.
To check whether the IP is a habitual attacker (disclaimer):

```txt
jejo@em50l:~$ curl -s https://www.badips.com/get/info/106.12.52.142/Report |grep listed
{ "ReporterCount":{"sum":2,"apache":1,"wordpress":1}, "Categories":["apache","wordpress"], "Score":{"apache":0,"wordpress":0}, "LastReport":{"apache":1566860200,"wordpress":1566690496}, "IP 106.12.52.142 is listed on badips.com!" }
```

In this case, **1566 million notifications**, Apache and WordPress.

```txt
jejo@em50l:~$ curl ipinfo.io/106.12.52.142
{
  "ip": "106.12.52.142",
  "city": "",
  "region": "Beijing",
  "country": "CN",
  "loc": "39.9289,116.3880",
  "org": "AS38365 Beijing Baidu Netcom Science and Technology Co., Ltd.",
  "readme": "https://ipinfo.io/missingauth"
}
```
If the server is not Debian/Ubuntu, the command may change slightly.
For example, on CentOS it would be something like: `cat /var/log/httpd/access_log-* |awk '/" 40/&&!/jcloud/&&!/favicon/&&!/robots/{print $1}'|sort|uniq -cd|sort -r|head`

```txt
[root@centos1 ~]# cat /var/log/httpd/access_log-* |awk '/" 40/&&!/jcloud/&&!/favicon/&&!/robots/{print $1}'|sort|uniq -cd|sort -r|head
    827 112.78.161.101
      6 94.102.50.96
      6 77.154.194.148
      6 41.216.186.201
      4 35.190.141.79
     42 95.88.161.201
      4 209.141.53.82
      4 193.188.22.56
     41 62.173.140.193
      4 134.209.216.67
```

To see the enumeration carried out by one IP, for example:

```txt
[root@centos1 ~]# cat /var/log/httpd/access_log-* |awk '/112.78.161.101/{print $1,$7}'|sort|uniq -cd|sort -r
      9 112.78.161.101 /test.php
      8 112.78.161.101 /1.php
      6 112.78.161.101 /qq.php
      5 112.78.161.101 /x.php
      5 112.78.161.101 /cmd.php
      4 112.78.161.101 /ss.php
      4 112.78.161.101 /shell.php
      4 112.78.161.101 /log.php
      4 112.78.161.101 /confg.php
      4 112.78.161.101 /api.php
      3 112.78.161.101 /zzz.php
      3 112.78.161.101 /z.php
      3 112.78.161.101 /q.php
      3 112.78.161.101 /jsc.php
      3 112.78.161.101 /hell.php
      3 112.78.161.101 /aaa.php
      3 112.78.161.101 /2.php
      3 112.78.161.101 /123.php
      3 112.78.161.101 /
      2 112.78.161.101 /zxy.php
      2 112.78.161.101 /zxc.php
      2 112.78.161.101 /zxc1.php
      2 112.78.161.101 /xx.php
      2 112.78.161.101 /xiaoxi.php
      2 112.78.161.101 /xiao.php
      2 112.78.161.101 /www.php
      2 112.78.161.101 /ww.php
      2 112.78.161.101 /v.php
      2 112.78.161.101 /uuu.php
      2 112.78.161.101 /uu.php
      2 112.78.161.101 /up.php
      2 112.78.161.101 /test404.php
      2 112.78.161.101 /test123.php
      2 112.78.161.101 /sss.php
      2 112.78.161.101 /ssaa.php
      2 112.78.161.101 /s.php
      2 112.78.161.101 /secure.php
      2 112.78.161.101 /qwq.php
      2 112.78.161.101 /qqq.php
      2 112.78.161.101 /qiqi.php
      2 112.78.161.101 /python.php
      2 112.78.161.101 /ppp.php
      2 112.78.161.101 /php.php
      2 112.78.161.101 /paylog.php
      2 112.78.161.101 /payload.php
      2 112.78.161.101 /ooo.php
      2 112.78.161.101 /my.php
      2 112.78.161.101 /muhstik.php
      2 112.78.161.101 /MCLi.php
      2 112.78.161.101 /lucky.php
      2 112.78.161.101 /lr.php
      2 112.78.161.101 /lanyecn.php
      2 112.78.161.101 /izom.php
      2 112.78.161.101 /infos.php
      2 112.78.161.101 /info.php
      2 112.78.161.101 /index.php
      2 112.78.161.101 /help.php
      2 112.78.161.101 /hello.php
      2 112.78.161.101 /hack.php
      2 112.78.161.101 /dns.php
      2 112.78.161.101 /ddd.php
      2 112.78.161.101 /data.php
      2 112.78.161.101 /c.php
      2 112.78.161.101 /conf.php
      2 112.78.161.101 /conflg.php
      2 112.78.161.101 /config.php
      2 112.78.161.101 /code.php
      2 112.78.161.101 /cnm.php
      2 112.78.161.101 /can.php
      2 112.78.161.101 /app.php
      2 112.78.161.101 /a.php
      2 112.78.161.101 /ak.php
      2 112.78.161.101 /aa.php
      2 112.78.161.101 /7.php
      2 112.78.161.101 /3.php
      2 112.78.161.101 /1ndex.php
      2 112.78.161.101 /12.php
```
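The same detection as the Debian and CentOS one-liners above, written as reusable shell functions over a constructed sample log. This is an added example, not part of the original post: the threshold, the `favicon`/`robots` exclusions and the sample addresses (documentation ranges) are assumptions. It goes slightly beyond the post's pipeline by testing the status field instead of the `" 40` substring, sorting numerically, and listing the distinct paths a single client probed.

```shell
# Added example (not from the original post): the post's awk pipeline as
# shell functions. Differences from the one-liner: the status field ($9) is
# tested instead of the substring '" 40', the sort is numeric, a threshold
# makes the output blocklist-ready, and the paths one client probed can be
# listed. Threshold, exclusions and sample addresses are assumptions.

# Constructed sample in Apache combined-log format (not real traffic).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [26/Aug/2019:10:00:01 +0200] "GET /test.php HTTP/1.1" 404 209 "-" "curl/7.64"
203.0.113.7 - - [26/Aug/2019:10:00:01 +0200] "GET /1.php HTTP/1.1" 404 209 "-" "curl/7.64"
203.0.113.7 - - [26/Aug/2019:10:00:02 +0200] "GET /x.php HTTP/1.1" 404 209 "-" "curl/7.64"
203.0.113.7 - - [26/Aug/2019:10:00:02 +0200] "GET /config.php HTTP/1.1" 403 199 "-" "curl/7.64"
203.0.113.7 - - [26/Aug/2019:10:00:03 +0200] "GET /1.php HTTP/1.1" 404 209 "-" "curl/7.64"
198.51.100.9 - - [26/Aug/2019:10:05:00 +0200] "GET / HTTP/1.1" 200 6121 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Aug/2019:10:05:00 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.22 - - [26/Aug/2019:10:06:00 +0200] "GET /robots.txt HTTP/1.1" 404 209 "-" "bot/1.0"
198.51.100.22 - - [26/Aug/2019:10:06:01 +0200] "GET /old-page HTTP/1.1" 404 209 "-" "bot/1.0"
EOF
}

# enum_suspects [MIN] < access.log
# Prints "COUNT IP" for clients with at least MIN 40x responses (default 5),
# skipping favicon and robots.txt lookups, which browsers and crawlers cause.
enum_suspects() {
    awk -v min="${1:-5}" '
        $9 ~ /^40[0-9]$/ && $7 !~ /favicon|robots/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# blocklist [MIN] < access.log: one IP per line, ready for ipset/iptables.
blocklist() { enum_suspects "$1" | awk '{ print $2 }'; }

# probed_paths IP < access.log
# Distinct paths one client requested, most requested first: the wordlist the
# scanner used. Many distinct missing paths is what separates enumeration
# from a browser retrying a single broken link.
probed_paths() {
    awk -v ip="$1" '$1 == ip { print $7 }' | sort | uniq -c | sort -rn
}

# path_count IP < access.log: how many distinct paths that client requested.
path_count() { probed_paths "$1" | wc -l | tr -d ' '; }
```

On a real server replace `sample_log` with `cat /var/log/apache2/access.log` or `zcat /var/log/apache2/access.log.*.gz` as in the commands above.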
___

### How to mitigate them

Attacks in their enumeration phase can end up bringing our server down. Many are dictionary attacks and others are brute-force attacks. To mitigate them we can install `mod_evasive` and `mod_security`.

**Debian/Ubuntu**

```txt
sudo apt-get install libapache2-mod-evasive
sudo a2enmod evasive
sudo /etc/init.d/apache2 force-reload
```

```txt
root@deb1:/# sudo apt-get install libapache2-mod-evasive
Reading package lists... Done
Building dependency tree
Reading state information... Done
libapache2-mod-evasive is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@deb1:/# ls /etc/apache2/mods-available/|grep evasive
evasive.conf
evasive.load
root@deb1:/# sudo a2enmod evasive
Module evasive already enabled
root@deb1:/# apache2ctl -M |grep evasive
 evasive20_module (shared)
```

**CentOS, Fedora, RHEL:** `sudo yum install mod_evasive && /etc/init.d/httpd restart`
```txt
[root@centos1]# yum install mod_evasive
Complementos cargados:fastestmirror, presto, priorities
Configurando el proceso de instalación
Loading mirror speeds from cached hostfile
epel/metalink                                            |  31 kB     00:00
 * base: mirrors.prometeus.net
 * epel: mirror.de.leaseweb.net
 * extras: mirrors.prometeus.net
 * updates: mirrors.prometeus.net
base                                                     | 3.7 kB     00:00
extras                                                   | 3.4 kB     00:00
iRedMail                                                 | 2.9 kB     00:00
updates                                                  | 3.4 kB     00:00
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Package mod_evasive.x86_64 0:1.10.1-10.el6 will be instalado
--> Resolución de dependencias finalizada

Dependencias resueltas

========================================================================================================================
 Paquete                 Arquitectura         Versión                     Repositorio                            Tamaño
Instalando:
 mod_evasive             x86_64               1.10.1-10.el6               epel                                     24 k

Resumen de la transacción
Instalar       1 Paquete(s)

Tamaño total de la descarga: 24 k
Tamaño instalado: 52 k
Está de acuerdo [s/N]:s
Descargando paquetes:
Setting up and reading Presto delta metadata
epel/prestodelta                                         | 2.4 kB     00:00
Processing delta metadata
Package(s) data still to download: 24 k
mod_evasive-1.10.1-10.el6.x86_64.rpm                     |  24 kB     00:00
Ejecutando el rpm_check_debug
Ejecutando prueba de transacción
La prueba de transacción ha sido exitosa
Ejecutando transacción
  Instalando : mod_evasive-1.10.1-10.el6.x86_64                                                                    1/1
  Verifying  : mod_evasive-1.10.1-10.el6.x86_64                                                                    1/1

Instalado:
  mod_evasive.x86_64 0:1.10.1-10.el6

¡Listo!
[root@centos1]# /etc/init.d/httpd restart
Parando httpd:                                             [  OK  ]
Iniciando httpd:                                           [  OK  ]
```
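Installing the module is only half the job; the packaged defaults need tuning before they stop an enumeration. This is an added example, not from the original post or the mod_evasive project: a shell function that writes an `evasive.conf` for Debian/Ubuntu (on CentOS pass the path of the file the EPEL package installs under `/etc/httpd/conf.d/`). The directive names are mod_evasive's own; the numeric values and the whitelisted monitoring host 192.0.2.10 are assumptions.

```shell
# Added example, not from the original post or the mod_evasive project.
# Installing the module with packaged defaults does little against
# enumeration: a dictionary scanner requests each path once, so the per-page
# limit (DOSPageCount) never trips. The per-site limit (DOSSiteCount), every
# request from one client regardless of page, is what catches it. The numeric
# values and the whitelisted monitoring host are assumptions.

# write_evasive_conf [FILE]   default: the Debian/Ubuntu mods-available path
write_evasive_conf() {
    conf="${1:-/etc/apache2/mods-available/evasive.conf}"
    cat > "$conf" <<'EOF'
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    # Hits on the same page from one client within DOSPageInterval seconds.
    DOSPageCount        10
    DOSPageInterval     1
    # Hits on any page from one client within DOSSiteInterval seconds: a
    # scanner walking a list of /*.php names exceeds this within a second.
    DOSSiteCount        50
    DOSSiteInterval     1
    # Seconds a blocked client stays blocked; each further request resets it.
    DOSBlockingPeriod   60
    # Never block localhost checks or our own monitoring host (assumed 192.0.2.10).
    DOSWhitelist        127.0.0.1
    DOSWhitelist        192.0.2.10
    # Directory must exist and be writable by the Apache user.
    DOSLogDir           /var/log/mod_evasive
</IfModule>
EOF
}

# Apply on Debian/Ubuntu: create the log dir, syntax-check, reload (as root).
apply_evasive_conf() {
    write_evasive_conf &&
    install -d -o www-data -g www-data /var/log/mod_evasive &&
    apache2ctl -t &&
    /etc/init.d/apache2 force-reload
}
```

Check that the values do not block legitimate visitors: a page that loads dozens of assets can push a real browser past DOSSiteCount in one second, so compare the limit against your own site's requests per page load before enabling it.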
### More info at:
Enum_Detector
Filtrar_ataques_log_http
ThinkPHP vulnerability (remote code execution)
Detecting HTTP enumeration attacks
### References:
https://ipinfo.io/
https://www.badips.com/
https://www.cyberciti.biz/faq/unix-linux-shell-removing-duplicate-lines/
https://www.tecmint.com/use-linux-awk-command-to-filter-text-string-in-files/
https://www.tecmint.com/awk-filter-text-or-string-using-patterns/
https://dzone.com/articles/35-examples-of-regex-patterns-using-sed-and-awk-in