0xPolygonID / issuer-node

Privado ID Self-Hosted Issuer Node
Apache License 2.0

Massive postgres port scan on ip range #480

Closed mjorgegulab closed 12 months ago

mjorgegulab commented 1 year ago

Hello, in a fresh Debian with only docker + make installed, I saw that something is trying to contact a range of IPs on the postgres port. Is that normal?

I've looked at the issuer-node code and I haven't seen anything related to this event, so could it be something from the docker postgres image? Thanks in advance 🙃

Here you have the result of the logs:

##########################################################################
#               Netscan detected from host   91.107.***.***               #
##########################################################################

time                protocol src_ip src_port          dest_ip dest_port
---------------------------------------------------------------------------
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 51698 =>    138.52.236.0 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 48850 =>    138.52.236.1 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 56264 =>    138.52.236.2 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 48096 =>    138.52.236.3 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 48354 =>    138.52.236.4 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 56922 =>    138.52.236.5 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 60100 =>    138.52.236.6 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 57118 =>    138.52.236.7 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 32860 =>    138.52.236.8 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 41218 =>    138.52.236.9 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 50204 =>   138.52.236.10 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 38648 =>   138.52.236.11 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 55414 =>   138.52.236.12 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 39206 =>   138.52.236.13 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 36556 =>   138.52.236.14 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 60688 =>   138.52.236.15 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 54518 =>   138.52.236.16 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 54550 =>   138.52.236.17 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 60470 =>   138.52.236.18 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 44828 =>   138.52.236.19 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 34234 =>   138.52.236.20 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 37668 =>   138.52.236.21 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 48236 =>   138.52.236.22 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 58470 =>   138.52.236.23 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 60738 =>   138.52.236.24 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 52202 =>   138.52.236.25 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 55808 =>   138.52.236.26 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 33402 =>   138.52.236.27 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 50984 =>   138.52.236.28 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 55708 =>   138.52.236.29 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 55336 =>   138.52.236.30 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 58142 =>   138.52.236.31 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 56126 =>   138.52.236.32 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 33024 =>   138.52.236.33 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 49326 =>   138.52.236.34 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 60618 =>   138.52.236.35 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 56038 =>   138.52.236.36 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 60152 =>   138.52.236.37 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 60008 =>   138.52.236.38 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 34358 =>   138.52.236.39 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 57768 =>   138.52.236.40 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 38358 =>   138.52.236.41 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 36956 =>   138.52.236.42 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 57634 =>   138.52.236.43 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 51464 =>   138.52.236.44 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 37912 =>   138.52.236.45 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 47284 =>   138.52.236.46 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 52602 =>   138.52.236.47 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 55636 =>   138.52.236.48 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 50182 =>   138.52.236.49 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 37298 =>   138.52.236.50 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 44936 =>   138.52.236.51 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 56568 =>   138.52.236.52 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 34996 =>   138.52.236.53 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 53240 =>   138.52.236.54 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 52596 =>   138.52.236.55 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 37094 =>   138.52.236.56 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 50618 =>   138.52.236.57 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 34626 =>   138.52.236.58 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 54720 =>   138.52.236.59 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 34796 =>   138.52.236.60 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 34118 =>   138.52.236.61 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 51734 =>   138.52.236.62 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 55340 =>   138.52.236.63 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 52988 =>   138.52.236.64 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 39734 =>   138.52.236.65 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 36094 =>   138.52.236.88 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 54944 =>   138.52.236.89 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 50706 =>   138.52.236.90 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 43700 =>   138.52.236.91 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 58822 =>   138.52.236.92 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 34480 =>   138.52.236.93 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 45438 =>   138.52.236.94 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 46270 =>   138.52.236.95 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 35180 =>   138.52.236.96 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 42104 =>   138.52.236.97 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 49452 =>   138.52.236.98 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 51920 =>   138.52.236.99 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 42540 =>  138.52.236.100 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 42242 =>  138.52.236.101 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 33628 =>  138.52.236.102 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 59098 =>  138.52.236.103 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 59272 =>  138.52.236.104 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 32776 =>  138.52.236.105 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 53394 =>  138.52.236.106 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 41434 =>  138.52.236.107 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 59666 =>  138.52.236.108 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 37278 =>  138.52.236.109 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 36922 =>  138.52.236.110 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 40914 =>  138.52.236.111 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 46250 =>  138.52.236.112 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 48562 =>  138.52.236.113 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 38012 =>  138.52.236.114 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 51768 =>  138.52.236.115 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 38268 =>  138.52.236.116 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 36732 =>  138.52.236.117 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 48992 =>  138.52.236.118 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 60112 =>  138.52.236.119 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 60870 =>  138.52.236.120 5432 
Fri Aug 11 12:35:00 2023 TCP   91.107.***.*** 49160 =>  138.52.236.149 5432 
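
The report quoted above is already a detection: one source, one destination port (5432), a sweep of consecutive addresses in a /24, all within a second. The following is an added example, not code from the issue or from the issuer-node project, that parses lines in that report layout and flags exactly that pattern (one source reaching many distinct destinations on one port inside a short window) while leaving ordinary outbound traffic alone. The sample lines are constructed; 198.51.100.7 (a TEST-NET-2 address) stands in for the masked source, and the threshold and window values are assumptions to tune per host.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the layout of the provider's netscan report quoted in
# the issue; 198.51.100.7 (TEST-NET-2) stands in for the masked source.
# The last two lines are ordinary outbound traffic that must not be flagged.
SAMPLE_LOG = """\
time                protocol src_ip src_port          dest_ip dest_port
---------------------------------------------------------------------------
Fri Aug 11 12:35:00 2023 TCP   198.51.100.7 51698 =>    138.52.236.0 5432
Fri Aug 11 12:35:00 2023 TCP   198.51.100.7 48850 =>    138.52.236.1 5432
Fri Aug 11 12:35:00 2023 TCP   198.51.100.7 56264 =>    138.52.236.2 5432
Fri Aug 11 12:35:00 2023 TCP   198.51.100.7 48096 =>    138.52.236.3 5432
Fri Aug 11 12:35:00 2023 TCP   198.51.100.7 48354 =>    138.52.236.4 5432
Fri Aug 11 12:35:00 2023 TCP   198.51.100.7 56922 =>    138.52.236.5 5432
Fri Aug 11 12:35:01 2023 TCP   198.51.100.7 60100 =>    138.52.236.6 5432
Fri Aug 11 12:35:01 2023 TCP   198.51.100.7 57118 =>    138.52.236.7 5432
Fri Aug 11 12:20:14 2023 TCP   198.51.100.7 40102 =>     203.0.113.5  443
Fri Aug 11 12:50:31 2023 TCP   198.51.100.7 40388 =>     203.0.113.5  443
"""

LINE_RE = re.compile(
    r"^(?P<time>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<src_ip>\S+)\s+(?P<src_port>\d+)\s+=>\s+"
    r"(?P<dest_ip>\S+)\s+(?P<dest_port>\d+)\s*$"
)


def parse_netscan(lines):
    """Parse report lines into dicts; header, rule and blank lines are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], "%a %b %d %H:%M:%S %Y")
        rec["src_port"] = int(rec["src_port"])
        rec["dest_port"] = int(rec["dest_port"])
        records.append(rec)
    return records


def detect_horizontal_scans(records, min_targets=20, window_s=60):
    """Flag (src_ip, dest_port) pairs that reach >= min_targets distinct
    destinations within any window_s-second window: one host sweeping a
    range for a single service, as opposed to a port scan of one host or a
    busy client talking to a few peers. Thresholds are assumed defaults."""
    by_key = defaultdict(list)
    for rec in records:
        by_key[(rec["src_ip"], rec["dest_port"])].append(rec)

    findings = {}
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["time"])
        window = Counter()          # dest_ip -> hits inside the sliding window
        lo, best_n, best_span = 0, 0, None
        for rec in recs:
            window[rec["dest_ip"]] += 1
            # Slide the left edge forward until the window is window_s wide.
            while (rec["time"] - recs[lo]["time"]).total_seconds() > window_s:
                old = recs[lo]["dest_ip"]
                window[old] -= 1
                if window[old] == 0:
                    del window[old]
                lo += 1
            if len(window) > best_n:
                best_n, best_span = len(window), (recs[lo]["time"], rec["time"])
        if best_n >= min_targets:
            findings[key] = {
                "distinct_targets": best_n,
                "connections": len(recs),
                "first": best_span[0],
                "last": best_span[1],
            }
    return findings


if __name__ == "__main__":
    recs = parse_netscan(SAMPLE_LOG.splitlines())
    for (src, port), f in detect_horizontal_scans(recs, min_targets=5).items():
        print(f"{src} swept {f['distinct_targets']} hosts on port {port} "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

Run against a real report, the interesting output is the (source, port) pair that trips the threshold: with source and port in hand, the next step on the host is to find which process or container owns the outbound connections, which this parser does not do.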

Groovytent commented 1 year ago

As we have checked, this problem is not related to the issuer node.

chrisDeFouRire commented 1 year ago

Postgres, when deployed with Docker on Linux and exposed (with 5432:5432 and not 127.0.0.1:5432:5432), will end up exposed on the internet if you're not behind a residential router. Bad actors are scanning the postgres port because they can abuse postgres if it's using the default postgres/postgres password. This lets them into the container, as an admin, free to do whatever they please. Then they run crypto miners on your hardware.

That's what happened to me. Either don't expose on 0.0.0.0 (the default) or change the postgres password.
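
The distinction in the comment above, `5432:5432` versus `127.0.0.1:5432:5432`, comes down to the bind address Docker uses when publishing a port: with no address given it binds 0.0.0.0, so the database is reachable on every interface of the host. The following is an added example, not code from the issuer-node project, that audits compose-style `ports:` entries and `docker ps` output for that default and rewrites offending entries to a loopback bind. The service names and port lists are constructed for illustration and are not taken from the project's compose file.

```python
"""Audit Docker port publishing for services reachable on all interfaces.

Added example, not part of the issuer-node project. Sample inputs below are
constructed; real values come from a compose file and `docker ps` output.
"""

ALL_INTERFACES = {"", "0.0.0.0", "::"}


def parse_port_mapping(mapping: str):
    """Parse a compose short-syntax `ports:` entry into
    (host_ip, host_port, container_port, proto).

    Docker binds to 0.0.0.0 when no host address is given, so "5432:5432"
    and a bare "5432" both publish on every interface.
    """
    spec, _, proto = mapping.partition("/")
    proto = proto or "tcp"
    host_ip = "0.0.0.0"
    if spec.startswith("["):                     # bracketed IPv6 bind address
        end = spec.index("]")
        host_ip = spec[1:end]
        spec = spec[end + 1:].lstrip(":")
    parts = spec.split(":")
    if len(parts) == 3:
        host_ip, host_port, container_port = parts
    elif len(parts) == 2:
        host_port, container_port = parts
    elif len(parts) == 1:
        host_port, container_port = "", parts[0]
    else:
        raise ValueError(f"unrecognised port mapping: {mapping!r}")
    return host_ip, host_port or None, container_port, proto


def binds_all_interfaces(host_ip: str) -> bool:
    return host_ip in ALL_INTERFACES


def harden(mapping: str) -> str:
    """Rewrite a world-facing mapping to a loopback bind; leave others alone."""
    host_ip, host_port, container_port, proto = parse_port_mapping(mapping)
    if not binds_all_interfaces(host_ip):
        return mapping
    suffix = "" if proto == "tcp" else f"/{proto}"
    return f"127.0.0.1:{host_port or container_port}:{container_port}{suffix}"


def audit_compose_ports(service_ports: dict) -> list:
    """{service: [mapping, ...]} -> one finding per world-facing mapping."""
    findings = []
    for service, mappings in service_ports.items():
        for m in mappings:
            host_ip, _, container_port, proto = parse_port_mapping(m)
            if binds_all_interfaces(host_ip):
                findings.append({"service": service, "mapping": m,
                                 "container_port": container_port,
                                 "proto": proto, "suggested": harden(m)})
    return findings


def audit_docker_ps(ps_output: str) -> list:
    """Parse `docker ps --format '{{.Names}}\t{{.Ports}}'` output and return
    sorted (container, host_port, proto) tuples for ports published on all
    interfaces. Entries such as "8200/tcp" (exposed, not published) are skipped."""
    found = set()
    for line in ps_output.splitlines():
        if "\t" not in line:
            continue
        name, ports = line.split("\t", 1)
        for entry in (p.strip() for p in ports.split(",") if p.strip()):
            left, arrow, right = entry.partition("->")
            if not arrow:
                continue
            host_ip, _, host_port = left.rpartition(":")
            proto = right.partition("/")[2] or "tcp"
            if binds_all_interfaces(host_ip.strip("[]")):
                found.add((name, host_port, proto))
    return sorted(found)


# Constructed compose `ports:` entries: the weak default beside a safe one.
WEAK_PORTS = {
    "postgres": ["5432:5432"],          # world-facing on a cloud VM
    "redis": ["6379"],                  # bare port also binds 0.0.0.0
    "vault": ["127.0.0.1:8200:8200"],   # loopback only
}
HARDENED_PORTS = {svc: [harden(m) for m in ms] for svc, ms in WEAK_PORTS.items()}

# Constructed `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
SAMPLE_DOCKER_PS = (
    "postgres\t0.0.0.0:5432->5432/tcp, [::]:5432->5432/tcp\n"
    "redis\t127.0.0.1:6379->6379/tcp\n"
    "vault\t8200/tcp\n"
)

if __name__ == "__main__":
    for f in audit_compose_ports(WEAK_PORTS):
        print(f"{f['service']}: {f['mapping']} binds all interfaces; "
              f"use {f['suggested']}")
    print("published on all interfaces at runtime:",
          audit_docker_ps(SAMPLE_DOCKER_PS))
```

Two caveats when applying this. Docker inserts its own iptables rules for published ports, so a host firewall such as ufw does not by itself block a 0.0.0.0 publish; the bind address (or the DOCKER-USER chain) is what matters. And if the only clients of Postgres are other containers on the same compose network, the port need not be published at all, since they reach it by service name; the loopback bind is for a local psql or tunnel.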

x1m3 commented 12 months ago

Thanks @mjorgegulab @chrisDeFouRire. PostgreSQL, Redis and Vault images are provided only as a tool to evaluate the project. Security, backups, maintenance, patches, etc. should be managed by the user.

We take note of your comments.