Questa mattina ho controllato i nostri log di nginx.
46.x.x.90 - - [17/Jul/2017:05:51:31 +0000] "HEAD http://x.x.71.1:80/PMA2011/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:31 +0000] "HEAD http://x.x.71.1:80/PMA2012/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:31 +0000] "HEAD http://x.x.71.1:80/PMA2013/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:32 +0000] "HEAD http://x.x.71.1:80/PMA2014/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:32 +0000] "HEAD http://x.x.71.1:80/PMA2015/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:32 +0000] "HEAD http://x.x.71.1:80/PMA2016/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:32 +0000] "HEAD http://x.x.71.1:80/PMA2017/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:32 +0000] "HEAD http://x.x.71.1:80/PMA2018/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:32 +0000] "HEAD http://x.x.71.1:80/pma2011/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:32 +0000] "HEAD http://x.x.71.1:80/pma2012/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:33 +0000] "HEAD http://x.x.71.1:80/pma2013/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:33 +0000] "HEAD http://x.x.71.1:80/pma2014/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:33 +0000] "HEAD http://x.x.71.1:80/pma2015/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:33 +0000] "HEAD http://x.x.71.1:80/pma2016/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:33 +0000] "HEAD http://x.x.71.1:80/pma2017/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:33 +0000] "HEAD http://x.x.71.1:80/pma2018/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:33 +0000] "HEAD http://x.x.71.1:80/phpmyadmin2011/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:33 +0000] "HEAD http://x.x.71.1:80/phpmyadmin2012/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:34 +0000] "HEAD http://x.x.71.1:80/phpmyadmin2013/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:34 +0000] "HEAD http://x.x.71.1:80/phpmyadmin2014/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:34 +0000] "HEAD http://x.x.71.1:80/phpmyadmin2015/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:34 +0000] "HEAD http://x.x.71.1:80/phpmyadmin2016/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:34 +0000] "HEAD http://x.x.71.1:80/phpmyadmin2017/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:34 +0000] "HEAD http://x.x.71.1:80/phpmyadmin2018/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
46.x.x.90 - - [17/Jul/2017:05:51:34 +0000] "HEAD http://x.x.71.1:80/phpmanager/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
139.x.x.135 - - [17/Jul/2017:06:33:53 +0000] "GET / HTTP/1.1"302 219 "-" "Mozilla/5.0 (Windows NT 10.0; W0W64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36" "-"
91.x.x.3 - - [17/Jul/2017:06:49:13 +0000] "GET / HTTP/1.0" 301 185 "-" "-" "-"
38.x.x.164 - - [17/Jul/2017:06:54:55 +0000] "GET / HTTP/1.1" 301 185 "-" "Mozilla/5.0 zgrab/0.x" "-"
91.x.x.3 - - [17/Jul/2017:07:48:04 +0000] "GET / HTTP/1.0" 301 185 "-" "-" "-"
139.x.x.204 - - [17/Jul/2017:08:19:50 +0000] "GET / HTTP/1.1" 302 219 "-" "Mozilla/5.0 (Windows NT 10.0; W0W64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" "-"
139.x.x.204 - - [17/Jul/2017:08:19:50 +0000] "GET /login HTTP/1.1" 301 185 "-" "Go-http-client/1.1" "-"
139.x.x.204 - - [17/Jul/2017:08:19:51 +0000] "GET /login HTTP/1.1" 200 2222 "http://x.x.71.1/login" "Go-http-client/1.1" "-"
Sospettavo un attacco dal momento che non abbiamo nessuno di questi percorsi.
Tuttavia, l'ultimo dice /login
. Ora sono paranoico e mi chiedo cosa potrei fare.
- Ci sono movimenti post-attacco che stai attraversando?
- Come potrei vedere se il perpetratore ha eseguito correttamente l'accesso?
- Chi è Jorgee?