MongoDB / Debian server was successfully attacked - how can a public IP reach the mongodb server?

6

I have a mongodb server which, according to the log files, got a connection from a remote IP address, even though this is obviously not allowed (or, to be more precise: mongod is not bound to any public interface) because of the mongodb configuration file shown below.

The IP address tried to connect without ssl and access was denied - but, obviously, logs are missing. So, I assume, they cleaned up parts of mongodb.log, though not all of it, so for example there is an entry left where the remote IP address is shown (could it be one of those they used?).

So, the question is: how can a public IP address reach the mongodb server? They seem to have ssh access because of various facts below, but even then they would need to use the local interface to connect to mongodb, right?

What I have found out so far:

  • /var/log/auth.log has been removed inside the mongodb docker container (or did not exist yet, because I did not ssh directly into the docker containers), but it still exists on the docker daemon host machine, although it starts on April 24 at 06:25:29, so I assume they removed it.
  • they left a READ_ME folder (empty) & a PLEASE_READ_ME folder inside the mongodb root directory, with a file "./PLEASE_READ_ME/collection-0-*****.wt" (masked) that begins with the following message (quoted below, after the architecture list)
  • they did not create additional db users (or at least, no other users exist atm)
  • this is the service listing on the host machine (netstat)

    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1281/sshd
    tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1296/exim4
    tcp 0 0 0.0.0.0:54885 0.0.0.0:* LISTEN 707/rpc.statd
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 697/rpcbind
    tcp6 0 0 :::22 :::* LISTEN 1281/sshd
    tcp6 0 0 ::1:25 :::* LISTEN 1296/exim4
    tcp6 0 0 :::35619 :::* LISTEN 707/rpc.statd
    tcp6 0 0 :::27017 :::* LISTEN 1172/docker-proxy
    tcp6 0 0 :::111 :::* LISTEN 697/rpcbind
    udp 0 0 127.0.0.1:883 0.0.0.0:* 707/rpc.statd
    udp 0 0 0.0.0.0:39217 0.0.0.0:* 707/rpc.statd
    udp 0 0 0.0.0.0:872 0.0.0.0:* 697/rpcbind
    udp 0 0 0.0.0.0:111 0.0.0.0:* 697/rpcbind
    udp6 0 0 :::49550 :::* 707/rpc.statd
    udp6 0 0 :::872 :::* 697/rpcbind
    udp6 0 0 :::111 :::* 697/rpcbind

Architecture:

  • Docker daemon running on a virtual machine with debian 8.7
  • Every docker container also runs debian 8.7
  • One docker container for mongodb, one for the application (connected via the docker network)

Message at the start of the PLEASE_READ_ME collection file:

    Don't panic. Your DB is in safety and backed up (check logs). To restore send 0.1 BTC and email with your server ip or domain name. Each 48 hours we erase all the data...

Log (database name, principal name and ip masked):

2017-04-23T12:03:03.511Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:44575 #16 (5 connections now open)
2017-04-23T12:03:03.540Z I ACCESS   [conn16] Successfully authenticated as principal *** on testdatabase
2017-04-23T12:03:15.461Z I NETWORK  [conn16] end connection ***.***.***.***:44575 (4 connections now open)
2017-04-24T05:07:57.711Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:27790 #17 (5 connections now open)
2017-04-24T05:07:57.724Z I NETWORK  [conn17] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-24T05:45:35.997Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54235 #18 (5 connections now open)
2017-04-24T05:45:36.027Z I ACCESS   [conn18] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:36.053Z I NETWORK  [conn18] end connection ***.***.***.***:54235 (4 connections now open)
2017-04-24T05:45:36.063Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54236 #19 (5 connections now open)
2017-04-24T05:45:36.086Z I ACCESS   [conn19] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:39.843Z I NETWORK  [conn19] end connection ***.***.***.***:54236 (4 connections now open)
2017-04-24T05:45:39.853Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54237 #20 (5 connections now open)
2017-04-24T05:45:39.874Z I ACCESS   [conn20] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:40.071Z I NETWORK  [conn20] end connection ***.***.***.***:54237 (4 connections now open)
2017-04-24T05:45:40.080Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54238 #21 (5 connections now open)
2017-04-24T05:45:40.101Z I ACCESS   [conn21] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:40.108Z I NETWORK  [conn21] end connection ***.***.***.***:54238 (4 connections now open)
2017-04-24T05:45:40.117Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54239 #22 (5 connections now open)
2017-04-24T05:45:40.138Z I ACCESS   [conn22] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:44.784Z I NETWORK  [conn22] end connection ***.***.***.***:54239 (4 connections now open)
2017-04-24T05:45:44.797Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54245 #23 (5 connections now open)
2017-04-24T05:45:44.820Z I ACCESS   [conn23] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:44.824Z I NETWORK  [conn23] end connection ***.***.***.***:54245 (4 connections now open)
2017-04-24T05:45:44.833Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54246 #24 (5 connections now open)
2017-04-24T05:45:44.854Z I ACCESS   [conn24] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:44.858Z I NETWORK  [conn24] end connection ***.***.***.***:54246 (4 connections now open)
2017-04-24T05:45:44.868Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54247 #25 (5 connections now open)
2017-04-24T05:45:44.888Z I ACCESS   [conn25] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:56.683Z I NETWORK  [conn25] end connection ***.***.***.***:54247 (4 connections now open)
2017-04-24T06:00:01.936Z I NETWORK  [conn3] end connection ***.***.***.***:39610 (3 connections now open)
2017-04-24T06:00:01.937Z I NETWORK  [conn2] end connection ***.***.***.***:39609 (3 connections now open)
2017-04-24T06:00:01.937Z I NETWORK  [conn4] end connection ***.***.***.***:39636 (3 connections now open)
2017-04-24T06:00:01.937Z I NETWORK  [conn1] end connection ***.***.***.***:39548 (3 connections now open)
2017-04-24T06:00:05.915Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:49695 #26 (1 connection now open)
2017-04-24T06:00:05.951Z I ACCESS   [conn26] Successfully authenticated as principal *** on testdatabase
2017-04-24T06:00:09.089Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:49758 #27 (2 connections now open)
2017-04-24T06:00:09.103Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:49760 #28 (3 connections now open)
2017-04-24T06:00:09.125Z I ACCESS   [conn28] Successfully authenticated as principal *** on testdatabase
2017-04-24T06:00:20.916Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:49790 #29 (4 connections now open)
2017-04-24T06:05:32.404Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54712 #30 (5 connections now open)
2017-04-24T06:05:32.414Z I ACCESS   [conn30] Unauthorized: not authorized on admin to execute command { getLog: "startupWarnings" }

Configuration file (database name masked):

storage:
    dbPath: "/***"
    directoryPerDB: true
    journal:
        enabled: true
systemLog:
    destination: file
    path:   "/***/mongodb.log"
    logAppend: true
    timeStampFormat: iso8601-utc
processManagement:
    fork: true
net:
    bindIp: [127.0.0.1,172.0.0.5]
    port: 27017
    wireObjectCheck : false
    unixDomainSocket: 
        enabled : true
    http:
        enabled: false
    ssl:
        mode: requireSSL
        PEMKeyFile: /certs/server-***.***.***.***.pem
        CAFile: /certs/ca.pem
        #CRLFile: <string>
        allowConnectionsWithoutCertificates: false
        allowInvalidCertificates: false
        allowInvalidHostnames: true
        #disabledProtocols: false
        #FIPSMode: <boolean>
security:
    authorization: enabled

Docker daemon host's /var/log/auth.log (ip's masked)

Apr 24 06:25:29 *** sshd[5332]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:25:32 *** sshd[4660]: Received disconnect from ***.***.***.***: 11: disconnected by user
Apr 24 06:25:32 *** sshd[4660]: pam_unix(sshd:session): session closed for user root
Apr 24 06:25:41 *** CRON[5111]: pam_unix(cron:session): session closed for user root
Apr 24 06:25:44 *** sshd[5342]: Invalid user admin from ***.***.***.***
Apr 24 06:25:44 *** sshd[5342]: input_userauth_request: invalid user admin [preauth]
Apr 24 06:25:44 *** sshd[5342]: Disconnecting: Too many authentication failures for invalid user admin from ***.***.***.*** port 41822 ssh2 [preauth]
Apr 24 06:26:19 *** sshd[5393]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:28:26 *** sshd[5423]: Invalid user pat from ***.***.***.***
Apr 24 06:28:26 *** sshd[5423]: input_userauth_request: invalid user pat [preauth]
Apr 24 06:28:26 *** sshd[5423]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:28:28 *** sshd[5421]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:30:46 *** sshd[5450]: Accepted publickey for root from ***.***.***.*** port 47739 ssh2: RSA 74:72:c0:b4:6e:6d:11:3a:2e:c5:4e:be:34:60:e1:99
Apr 24 06:30:46 *** sshd[5450]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 24 06:30:49 *** sshd[5499]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:33:16 *** sshd[5842]: Invalid user postgres from ***.***.***.***
Apr 24 06:33:16 *** sshd[5842]: input_userauth_request: invalid user postgres [preauth]
Apr 24 06:33:16 *** sshd[5842]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:36:16 *** sshd[5844]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:38:02 *** sshd[5846]: Invalid user nginx from ***.***.***.***
Apr 24 06:38:02 *** sshd[5846]: input_userauth_request: invalid user nginx [preauth]
Apr 24 06:38:02 *** sshd[5846]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:38:28 *** sshd[3979]: Timeout, client not responding.
Apr 24 06:38:28 *** sshd[3979]: pam_unix(sshd:session): session closed for user root
Apr 24 06:38:32 *** sshd[5450]: Timeout, client not responding.
Apr 24 06:38:32 *** sshd[5450]: pam_unix(sshd:session): session closed for user root
Apr 24 06:39:14 *** sshd[4027]: Timeout, client not responding.
Apr 24 06:39:14 *** sshd[4027]: pam_unix(sshd:session): session closed for user root
Apr 24 06:41:42 *** sshd[5848]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:42:07 *** sshd[5850]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:42:08 *** sshd[5852]: Invalid user  from ***.***.***.***
Apr 24 06:42:08 *** sshd[5852]: input_userauth_request: invalid user  [preauth]
Apr 24 06:42:08 *** sshd[5852]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:42:55 *** sshd[5854]: Invalid user spark from ***.***.***.***
Apr 24 06:42:55 *** sshd[5854]: input_userauth_request: invalid user spark [preauth]
Apr 24 06:42:55 *** sshd[5854]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:47:06 *** sshd[5859]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:47:48 *** sshd[5861]: Invalid user odoo from ***.***.***.***
Apr 24 06:47:48 *** sshd[5861]: input_userauth_request: invalid user odoo [preauth]
Apr 24 06:47:48 *** sshd[5857]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:47:48 *** sshd[5861]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:52:32 *** sshd[5872]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:52:34 *** sshd[5870]: Invalid user steam from ***.***.***.***
Apr 24 06:52:34 *** sshd[5870]: input_userauth_request: invalid user steam [preauth]
Apr 24 06:52:34 *** sshd[5870]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:54:00 *** sshd[5874]: Disconnecting: Too many authentication failures for root from ***.***.***.*** port 46803 ssh2 [preauth]
Apr 24 06:57:22 *** sshd[5877]: Invalid user teste from ***.***.***.***
Apr 24 06:57:22 *** sshd[5877]: input_userauth_request: invalid user teste [preauth]
Apr 24 06:57:22 *** sshd[5877]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:57:58 *** sshd[5879]: Connection closed by ***.***.***.*** [preauth]
Apr 24 07:02:13 *** sshd[5881]: Invalid user hadoop from ***.***.***.***
Apr 24 07:02:13 *** sshd[5881]: input_userauth_request: invalid user hadoop [preauth]
Apr 24 07:02:13 *** sshd[5881]: Connection closed by ***.***.***.*** [preauth]
Apr 24 07:03:16 *** sshd[5885]: Invalid user admin from ***.***.***.***
Apr 24 07:03:16 *** sshd[5885]: input_userauth_request: invalid user admin [preauth]
Apr 24 07:03:16 *** sshd[5883]: Disconnecting: Too many authentication failures for root from ***.***.***.*** port 4792 ssh2 [preauth]
Apr 24 07:03:17 *** sshd[5885]: Disconnecting: Too many authentication failures for invalid user admin from ***.***.***.*** port 4802 ssh2 [preauth]
    
posted by Techradar 25.04.2017 - 11:51
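The two pieces of evidence in the question that matter most are the netstat line showing docker-proxy listening on :::27017 and the mongod log lines that tie a remote address to an authentication result. Docker's published ports (docker-proxy) bind on every host interface and forward into the container's bridge address, so a bindIp restriction inside the container does not limit who can reach the port from outside the host. The script below is an added example written for this page, not code from the question or from MongoDB or Docker; it parses constructed sample lines in the netstat -tulpn and mongod log formats shown above (documentation addresses and a made-up principal name replace the masked values) and reports wildcard listeners and per-address connection outcomes.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two formats shown in the question (netstat
# -tulpn on the host and mongod 3.x log lines). The addresses are RFC 5737
# documentation addresses, not the asker's masked ones.
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:22        0.0.0.0:*   LISTEN  1281/sshd
tcp        0      0 127.0.0.1:25      0.0.0.0:*   LISTEN  1296/exim4
tcp6       0      0 :::27017          :::*        LISTEN  1172/docker-proxy
tcp6       0      0 ::1:25            :::*        LISTEN  1296/exim4
udp        0      0 0.0.0.0:111       0.0.0.0:*           697/rpcbind
"""

MONGOD_LOG_SAMPLE = """\
2017-04-24T05:07:57.711Z I NETWORK  [initandlisten] connection accepted from 203.0.113.7:27790 #17 (5 connections now open)
2017-04-24T05:07:57.724Z I NETWORK  [conn17] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-24T05:45:35.997Z I NETWORK  [initandlisten] connection accepted from 198.51.100.4:54235 #18 (5 connections now open)
2017-04-24T05:45:36.027Z I ACCESS   [conn18] Successfully authenticated as principal app on testdatabase
2017-04-24T05:45:36.053Z I NETWORK  [conn18] end connection 198.51.100.4:54235 (4 connections now open)
2017-04-24T06:05:32.404Z I NETWORK  [initandlisten] connection accepted from 203.0.113.7:54712 #30 (5 connections now open)
2017-04-24T06:05:32.414Z I ACCESS   [conn30] Unauthorized: not authorized on admin to execute command { getLog: "startupWarnings" }
"""

WILDCARD_ADDRS = {"0.0.0.0", "::"}


def exposed_listeners(netstat_text):
    """Return (proto, port, program) for every TCP socket bound to all
    interfaces. Such a socket is reachable from any network routed to the
    host; when the program is docker-proxy, the container behind it gets
    the connection regardless of the bindIp configured inside it."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # UDP lines have no state column, so they have fewer fields.
        if len(parts) < 7 or parts[5] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        if addr in WILDCARD_ADDRS:
            program = parts[6].split("/", 1)[1]
            found.append((parts[0], int(port), program))
    return found


ACCEPT_RE = re.compile(r"connection accepted from (\S+):\d+ #(\d+)")
CONN_RE = re.compile(r"\[conn(\d+)\] (.*)")


def connection_outcomes(log_text):
    """Map each remote address to the outcomes of its connections, in order.
    The #N in 'connection accepted' becomes [connN] in later lines, which
    is how a remote address is tied to an authentication result."""
    conn_to_ip = {}
    outcomes = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn_to_ip[m.group(2)] = m.group(1)
            continue
        m = CONN_RE.search(line)
        if not m or m.group(1) not in conn_to_ip:
            continue
        msg = m.group(2)
        if "only allow SSL connections" in msg:
            outcome = "rejected_no_ssl"
        elif msg.startswith("Successfully authenticated"):
            outcome = "authenticated"
        elif msg.startswith("Unauthorized"):
            outcome = "unauthorized"
        elif msg.startswith("end connection"):
            continue
        else:
            outcome = "other"
        outcomes[conn_to_ip[m.group(1)]].append(outcome)
    return dict(outcomes)


if __name__ == "__main__":
    for proto, port, program in exposed_listeners(NETSTAT_SAMPLE):
        print(f"exposed on all interfaces: {proto} port {port} ({program})")
    for ip, results in connection_outcomes(MONGOD_LOG_SAMPLE).items():
        print(f"{ip}: {', '.join(results)}")
```

On the sample above the netstat check reports sshd on 22 and docker-proxy on 27017 as reachable from all interfaces, and the log check shows one address being refused for lacking SSL and later connecting far enough to issue an unauthorized admin command, which is the kind of sequence worth correlating with the host's auth.log and firewall state.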

2 answers

2

As information is missing, next time please include the kernel version, the docker version and whether the client application connects as the root user.

Possible exploits they used:

  • the database client application was compromised, so check it for vulnerabilities as well

  • since docker containers share the kernel with the host and other containers, check the kernel version for possible vulnerabilities

  • ssh exploited. Since I do not see any information: is there fail2ban, or key-based ssh authentication, or only passwords, or a VPN (recommended: change the ssh port, use public key authentication and fail2ban, or only allow connecting to ssh via a private VPN)

The thing you need to understand is that there is perhaps not a single vulnerability turned into an exploit; it may be a chain of vulnerabilities.

    
answered 12.09.2017 - 16:26
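The answer above suggests fail2ban, and the question's auth.log already contains the raw material fail2ban would work on: repeated "Invalid user" and "Too many authentication failures" lines per source address, alongside an "Accepted publickey for root" line that an investigator would want to match against known keys and addresses. The following is an added example, not code from the answer, from the asker or from fail2ban; it applies the same counting idea to constructed auth.log lines in the format shown in the question (documentation addresses and a placeholder fingerprint replace the masked values) and lists every successful login so it can be reviewed.

```python
import re
from collections import Counter

# Constructed auth.log lines in the format shown in the question. The
# addresses are RFC 5737 documentation addresses and the key fingerprint is
# a placeholder, not the asker's. One line has an empty username, as in the
# question's "Invalid user  from" entry.
AUTH_LOG_SAMPLE = """\
Apr 24 06:25:44 host sshd[5342]: Invalid user admin from 203.0.113.9
Apr 24 06:25:44 host sshd[5342]: input_userauth_request: invalid user admin [preauth]
Apr 24 06:25:44 host sshd[5342]: Disconnecting: Too many authentication failures for invalid user admin from 203.0.113.9 port 41822 ssh2 [preauth]
Apr 24 06:28:26 host sshd[5423]: Invalid user pat from 203.0.113.9
Apr 24 06:28:26 host sshd[5423]: Connection closed by 203.0.113.9 [preauth]
Apr 24 06:30:46 host sshd[5450]: Accepted publickey for root from 198.51.100.20 port 47739 ssh2: RSA 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
Apr 24 06:33:16 host sshd[5842]: Invalid user postgres from 203.0.113.9
Apr 24 06:42:08 host sshd[5852]: Invalid user  from 192.0.2.33
Apr 24 06:54:00 host sshd[5874]: Disconnecting: Too many authentication failures for root from 203.0.113.9 port 46803 ssh2 [preauth]
Apr 24 06:57:22 host sshd[5877]: Invalid user teste from 192.0.2.33
"""

# "Invalid user" is capitalised only in the sshd line that carries the source
# address; the lowercase input_userauth_request echo is deliberately ignored
# so a single attempt is not counted twice. \S* allows an empty username.
INVALID_USER_RE = re.compile(r"Invalid user (\S*) from (\S+)")
TOO_MANY_RE = re.compile(
    r"Too many authentication failures for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")


def triage_auth_log(text, threshold=3):
    """Count failed attempts per source address (one per matching line, the
    way a fail2ban failregex does), flag addresses at or above `threshold`
    and collect every successful login as (user, method, source)."""
    failures = Counter()
    logins = []
    for line in text.splitlines():
        m = INVALID_USER_RE.search(line) or TOO_MANY_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            logins.append((m.group(2), m.group(1), m.group(3)))
    flagged = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {"failures": dict(failures), "flagged": flagged, "logins": logins}


if __name__ == "__main__":
    result = triage_auth_log(AUTH_LOG_SAMPLE)
    for ip in result["flagged"]:
        print(f"{ip}: {result['failures'][ip]} failed attempts")
    for user, method, ip in result["logins"]:
        print(f"successful login: {user} via {method} from {ip}")
```

The threshold and time window are what a fail2ban jail adds on top of this; here the count is over the whole sample. The successful-login list is the part to check first in an incident like the one described: a publickey login as root from an address you do not recognise means a key that is not yours is in root's authorized_keys.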
-2

Check how many interfaces are active on the MDB host. It is possible that you are protecting one network and another one is vulnerable. A simple ifconfig could give you an idea.

    
answered 08.08.2017 - 09:21
