mitchellkrogza / nginx-ultimate-bad-bot-blocker

Nginx Block Bad Bots, Spam Referrer Blocker, Vulnerability Scanners, User-Agents, Malware, Adware, Ransomware, Malicious Sites, with anti-DDOS, Wordpress Theme Detector Blocking and Fail2Ban Jail for Repeat Offenders

Hex Payload type attacks (?!) from specific IPs #544

Open maxdd opened 6 months ago

maxdd commented 6 months ago

Paste the full Domain name / Referrer String here


62.133.46.11 - - [01/Jan/2024:12:08:56 +0000] "\x16\x03\x03\x00\x94\x01\x00\x00\x90\x03\x03e\x92\xABu\xA4\x95\xA8J\xE6\x8A\x80\xCE\xC3\xCF\xC6\x95\xCC\xC8\xC1\xABf\xE6\x93\xE8\xA0\x83-Dx\xE4\x9ES\x00\x00*\xC0,\xC0+\xC00\xC0/\x00\x9F\x00\x9E\xC0$\xC0#\xC0(\xC0'\xC0" 400 154 "-" "-"

172.233.57.47 - - [01/Jan/2024:08:50:47 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03\xB7\x95\xEB\xEE\xF5Gk\xD2E\xB2\x84\x05\xF2\x07\xE18\xCA\xBB\xB1\x8A,\xF7\x04\xBA\x1DI\xFE\x08(7#\xAD \xB3\x81/hN\x95\x1A.q\x7FI\xDBZRUU\xB5\x05\xDF!\x91\x1B\xF2\xB3e\xBE\x8Cl\x08\xB04R\x00&\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x09\xC0\x13\xC0" 400 154 "-" "-"

Is this for Addition / Removal?

Post Log Excerpt to show User-Agent behavior (10-20 lines is enough)


62.133.46.11 - - [01/Jan/2024:12:08:54 +0000] "GET / HTTP/1.1" 404 552 "http://xxx:80/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4896.127 Safari/537.36"
62.133.46.11 - - [01/Jan/2024:12:08:54 +0000] "GET / HTTP/1.1" 404 552 "http://xxx:80/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4896.127 Safari/537.36"
62.133.46.11 - - [01/Jan/2024:12:08:56 +0000] "\x16\x03\x03\x00\x94\x01\x00\x00\x90\x03\x03e\x92\xABu\xA4\x95\xA8J\xE6\x8A\x80\xCE\xC3\xCF\xC6\x95\xCC\xC8\xC1\xABf\xE6\x93\xE8\xA0\x83-Dx\xE4\x9ES\x00\x00*\xC0,\xC0+\xC00\xC0/\x00\x9F\x00\x9E\xC0$\xC0#\xC0(\xC0'\xC0" 400 154 "-" "-"
62.133.46.11 - - [01/Jan/2024:12:08:56 +0000] "\x16\x03\x03\x00\x94\x01\x00\x00\x90\x03\x03e\x92\xABv\xD5\x8B\x0C\xC8\x1DL;X\xE9\xB0\xCE\xDEf\x91" 400 154 "-" "-"
62.133.46.11 - - [01/Jan/2024:12:08:57 +0000] "\x16\x03\x03\x00\x94\x01\x00\x00\x90\x03\x03e\x92\xABw\xB7\xB7\xBA*_" 400 154 "-" "-"
62.133.46.11 - - [01/Jan/2024:12:08:57 +0000] "\x16\x03\x03\x00\x94\x01\x00\x00\x90\x03\x03e\x92\xABw\x9A\xEE\xA8@%c]\xE4xm" 400 154 "-" "-"

172.233.57.47 - - [01/Jan/2024:08:50:47 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03\xB7\x95\xEB\xEE\xF5Gk\xD2E\xB2\x84\x05\xF2\x07\xE18\xCA\xBB\xB1\x8A,\xF7\x04\xBA\x1DI\xFE\x08(7#\xAD \xB3\x81/hN\x95\x1A.q\x7FI\xDBZRUU\xB5\x05\xDF!\x91\x1B\xF2\xB3e\xBE\x8Cl\x08\xB04R\x00&\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x09\xC0\x13\xC0" 400 154 "-" "-"
172.233.57.47 - - [01/Jan/2024:08:50:51 +0000] "GET / HTTP/1.1" 404 122 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko/2008092814 (Debian-3.0.1-1)"

Additional information

Today I've received these two requests and I'm wondering what exactly that hex payload is. A rapid search of those two IPs shows some spamming/attacking activities.

mitchellkrogza commented 3 months ago

I had a rule somewhere to grab these, I'll have a look if I can find it and if it is still doing the job

maxdd commented 2 months ago

ty for the feedback! Let me add more

159.223.225.251 - - [15/Apr/2024:01:51:54 +0000] "\x16\x03\x01\x00u\x01\x00\x00q\x03\x03\x13\x9F\xDE\xCB\x9E\x8D\x9B\x02\xCD=I$\x18\x07\x06G\x821\xFFkz\x8EO\xFE?!\xF9$\xF8\x9F\x22R\x00\x00\x1A\xC0/\xC0+\xC0\x11\xC0\x07\xC0\x13\xC0\x09\xC0\x14\xC0" 400 154 "-" "-"
45.33.80.243 - - [15/Apr/2024:02:23:24 +0000] "\x16\x03\x01\x00\x85\x01\x00\x00\x81\x03\x03\xF6\xFE\xBD\x1C\xD1\xA9\xB5\x86;|\x13,\x89\xFE\xCC\x14 \x99\x04Mi\xDE\xA31\xEF\x11PT\xD9G\x1F\x1B\x00\x00 \xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0" 400 154 "-" "-"
152.32.181.108 - - [15/Apr/2024:02:34:15 +0000] "\x16\x03\x01\x01\x17\x01\x00\x01\x13\x03\x031cj,\x85@e\xD4\x9E\xDCBA\x0B\x22e\xF0\xD6\xE7q\xFFI\x9E\xFF\xE5\xB2\xB5\xAEA\xFFTfg \x5C\xFFd\xCD\xD8\xA3\xB8\xF4\xB6x\xA1\xCF\xE2\xDD\xD7I\xB5s\x01.\xB5\xE4!'\xCF%j\xAF\xC3I<M\x004\xCC\xA8\xCC\xA9\xC0/\xC00\xC0+\xC0,\xC0\x09\x00\x9E\xCC\xA8\xCC\xAA\x003\x00=\x00\x16\xC0" 400 154 "-" "-"

152.32.181.108 - - [15/Apr/2024:02:34:36 +0000] "\x00\x00\x00\xC7\x00\x00\x00\xC3{\x22code\x22:105,\x22extFields\x22:{\x22Signature\x22:\x22/u5P/wZUbhjanu4LM/UzEdo2u2I=\x22,\x22topic\x22:\x22TBW102\x22,\x22AccessKey\x22:\x22rocketmq2\x22},\x22flag\x22:0,\x22language\x22:\x22JAVA\x22,\x22opaque\x22:1,\x22serializeTypeCurrentRPC\x22:\x22JSON\x22,\x22version\x22:401}" 400 154 "-" "-"
152.32.181.108 - - [15/Apr/2024:02:34:36 +0000] "\x03\x00\x00\x0B\x06\xE0\x00\x00\x00\x00\x00" 400 154 "-" "-"
152.32.181.108 - - [15/Apr/2024:02:34:37 +0000] "\x03\x00\x003.\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administrator" 400 154 "-" "-"
45.79.168.172 - - [15/Apr/2024:15:16:12 +0000] "\x00\x00\x00'\xFFSMBr\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0E\x00\x02NT LM 0.12\x00" 400 154 "-" "-"


Hopefully it is not Pegasus :D The first 3 are TLS handshakes (xz backdoor :D ?), the others are RDP vulnerability scans and a Samba login attempt. I'm still looking into this so I might be wrong.
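As an added example (not code from this thread or from the blocker project), a Python script that reverses nginx's `\xNN` log escaping and classifies the decoded request bytes by protocol header, so a log reviewer can confirm that these 400s are TLS ClientHellos, an RDP X.224 connection request, an SMB1 negotiate and a RocketMQ remoting command arriving on the plaintext HTTP port rather than HTTP requests. The log lines are constructed (RFC 5737 addresses, shortened payloads) and the function names are my own.

```python
import re
from collections import Counter

# Constructed access-log lines in nginx 'combined' format, modelled on the excerpts in this
# issue; client addresses are RFC 5737 documentation ranges and the payloads are shortened.
SAMPLE_LOG = r'''
192.0.2.10 - - [01/Jan/2024:12:08:54 +0000] "GET / HTTP/1.1" 404 552 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:12:08:56 +0000] "\x16\x03\x03\x00\x94\x01\x00\x00\x90\x03\x03e\x92\xABu" 400 154 "-" "-"
192.0.2.11 - - [15/Apr/2024:02:34:15 +0000] "\x16\x03\x01\x01\x17\x01\x00\x01\x13\x03\x031cj," 400 154 "-" "-"
192.0.2.11 - - [15/Apr/2024:02:34:36 +0000] "\x00\x00\x00\xC7\x00\x00\x00\xC3{\x22code\x22:105,\x22serializeTypeCurrentRPC\x22:\x22JSON\x22}" 400 154 "-" "-"
192.0.2.11 - - [15/Apr/2024:02:34:37 +0000] "\x03\x00\x003.\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administrator" 400 154 "-" "-"
192.0.2.12 - - [15/Apr/2024:15:16:12 +0000] "\x00\x00\x00'\xFFSMBr\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0E\x00\x02NT LM 0.12\x00" 400 154 "-" "-"
'''

# $remote_addr - $remote_user [$time_local] "$request" $status ... (nginx 'combined' format)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
TLS_VERSIONS = {0x00: "SSL 3.0", 0x01: "TLS 1.0", 0x02: "TLS 1.1", 0x03: "TLS 1.2"}

def unescape_nginx(field: str) -> bytes:
    """Reverse nginx's log escaping: non-printable bytes, '"' and '\\' are written as \\xNN."""
    return re.sub(rb'\\x([0-9A-Fa-f]{2})',
                  lambda m: bytes([int(m.group(1), 16)]), field.encode('latin-1'))

def classify(payload: bytes) -> str:
    """Name the protocol whose first bytes nginx received instead of an HTTP request line."""
    if re.match(rb'^[A-Z]+ \S+ HTTP/\d\.\d$', payload):
        return "HTTP"
    # TLS record: type 0x16 (handshake), version 0x03xx, then handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return f"TLS ClientHello ({TLS_VERSIONS.get(payload[2], 'unknown')} record) on a plaintext port"
    # SMB1: 4-byte NetBIOS session header, then 0xFF 'SMB' and the command byte (0x72 = Negotiate)
    if len(payload) >= 9 and payload[4:8] == b"\xffSMB":
        return "SMB1 Negotiate" if payload[8] == 0x72 else "SMB1 command 0x%02x" % payload[8]
    # RDP: TPKT header (0x03 0x00 + length) carrying an X.224 Connection Request (code 0xE0)
    if len(payload) >= 6 and payload[:2] == b"\x03\x00" and payload[5] == 0xE0:
        return "RDP X.224 Connection Request" + (" (mstshash cookie)" if b"mstshash=" in payload else "")
    # RocketMQ remoting: total length, header length, then a JSON header carrying this field name
    if payload[8:9] == b"{" and b"serializeTypeCurrentRPC" in payload:
        return "Apache RocketMQ remoting command"
    return "unrecognised binary payload"

def triage(log_text: str) -> list[tuple[str, int, str]]:
    """Return (client_ip, status, protocol label) for every line that parses as an access-log entry."""
    matches = (LOG_RE.match(line) for line in log_text.strip().splitlines())
    return [(m[1], int(m[4]), classify(unescape_nginx(m[3]))) for m in matches if m]

def non_http_by_ip(log_text: str) -> Counter:
    """Count non-HTTP requests per client: the signal a fail2ban filter on these 400s keys on."""
    return Counter(ip for ip, _status, label in triage(log_text) if label != "HTTP")
```

Because these requests carry no User-Agent or Referer, the blocker's UA and referrer rules have nothing to match; a per-IP count of non-HTTP 400s, as `non_http_by_ip` computes, is the figure a fail2ban jail for repeat offenders would act on.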