{"id":362842,"date":"2023-11-03T11:41:01","date_gmt":"2023-11-03T10:41:01","guid":{"rendered":"https:\/\/blog.wedos.cz\/?p=362842"},"modified":"2023-11-03T11:41:05","modified_gmt":"2023-11-03T10:41:05","slug":"kdyz-utoci-162-tisic-unikatnich-ip-na-143-tisic-webu","status":"publish","type":"post","link":"https:\/\/blog.wedos.com\/cs\/kdyz-utoci-162-tisic-unikatnich-ip-na-143-tisic-webu","title":{"rendered":"Kdy\u017e \u00fato\u010d\u00ed 162 tis\u00edc unik\u00e1tn\u00edch IP na 143 tis\u00edc web\u016f"},"content":{"rendered":"\n

V pond\u011bl\u00ed 23. \u0159\u00edjna jsme za\u017eili nejrozs\u00e1hlej\u0161\u00ed \u00fatok na instalace WordPress. Naplno se probudil „Indon\u00e9sk\u00fd botnet“ a za\u010dal masivn\u011b \u00fato\u010dit na soubory xmlrpc.php<\/code>. A\u010dkoliv se \u00fatok sna\u017eil vypadat nen\u00e1padn\u011b, ve v\u00fdsledku byl opravdu masivn\u00ed.<\/p>\n\n\n\n\n\n\n\n

Indon\u00e9sk\u00fd botnet<\/h2>\n\n\n\n

Ka\u017ed\u00fd den d\u011bl\u00e1me n\u011bkolik agregac\u00ed dat s c\u00edlem zjistit nov\u00e9 potenci\u00e1ln\u00ed hrozby. Jednou z nich je hled\u00e1n\u00ed \u00fatok\u016f SQLi. Nov\u00e9 botnety se v\u011bt\u0161inou sna\u017e\u00ed chovat nen\u00e1padn\u011b ne\u017e narostou. Ti, co je ovl\u00e1daj\u00ed, je tak vyu\u017e\u00edvaj\u00ed k nen\u00e1padn\u00e9mu hled\u00e1n\u00ed zranitelnost\u00ed pro dal\u0161\u00ed r\u016fst. B\u011bhem \u0159\u00edjna jsme vid\u011bli pom\u011brn\u011b slu\u0161n\u00fd n\u00e1r\u016fst aktivit z Asie, kde v \u010dele byl poskytovatel „PT Telekomunikasi Indonesia“. Odsud tedy intern\u00ed ozna\u010den\u00ed „Indon\u00e9sk\u00fd botnet“. <\/p>\n\n\n\n

Kdy\u017e takto vid\u00edme lok\u00e1ln\u00ed n\u00e1r\u016fst r\u016fzn\u00fdch \u0161kodliv\u00fdch aktivit, v\u011bt\u0161inou to souvis\u00ed s roz\u0161\u00ed\u0159en\u00edm n\u011bjak\u00e9ho malware na mobiln\u00edch telefonech. \u010casto je to v oblastech, kde jsou z politick\u00fdch, n\u00e1bo\u017eensk\u00fdch anebo \u010dist\u011b obchodn\u00edch d\u016fvod\u016f omezen\u00e9 obl\u00edben\u00e9 mobiln\u00ed aplikace a lid\u00e9 si je pak stahuj\u00ed ze server\u016f t\u0159et\u00edch stran, kde mohou obsahovat \u0161kodliv\u00fd k\u00f3d. <\/p>\n\n\n\n

Pak prov\u00e1d\u00ed \u00fatoky p\u0159es s\u00edt\u011b mobiln\u00edch oper\u00e1tor\u016f a pevn\u00fdch p\u0159ipojen\u00ed, kter\u00e9 nab\u00edz\u00ed Wi-Fi. Kdy\u017e jsme zagregovali data za 24 hodin, „PT Telekomunikasi Indonesia“ byl v\u017edy vid\u011bt na vrcholu.<\/p>\n\n\n\n

WordPress a xmlrpc.php <\/h2>\n\n\n\n

Soubor xmlrpc.php<\/code> ve WordPress obsahuje skript pro implementaci XML-RPC protokolu, kter\u00fd umo\u017e\u0148uje syst\u00e9m\u016fm komunikovat mezi sebou. XML-RPC je protokol umo\u017e\u0148uj\u00edc\u00ed jednoduch\u00e9 vzd\u00e1len\u00e9 procedur\u00e1ln\u00ed vol\u00e1n\u00ed. V kontextu WordPressu xmlrpc.php<\/code> umo\u017e\u0148oval extern\u00edm aplikac\u00edm (jako jsou mobiln\u00ed aplikace nebo jin\u00e9 webov\u00e9 slu\u017eby) komunikovat s WordPressem, nap\u0159\u00edklad pro publikov\u00e1n\u00ed p\u0159\u00edsp\u011bvk\u016f, spr\u00e1vu koment\u00e1\u0159\u016f a podobn\u011b.<\/p>\n\n\n\n

Nicm\u00e9n\u011b, xmlrpc.php<\/code> se b\u011b\u017en\u011b st\u00e1v\u00e1 c\u00edlem \u00fatok\u016f z n\u011bkolika d\u016fvod\u016f:<\/p>\n\n\n\n

Brute Force \u00fatoky<\/strong>: \u00dato\u010dn\u00edci mohou pou\u017e\u00edvat xmlrpc.php<\/code> pro prov\u00e1d\u011bn\u00ed brute force \u00fatok\u016f na u\u017eivatelsk\u00e1 jm\u00e9na a hesla, co\u017e je metoda, kdy \u00fato\u010dn\u00edk opakovan\u011b zkou\u0161\u00ed r\u016fzn\u00e9 kombinace u\u017eivatelsk\u00fdch jmen a hesel, dokud se nep\u0159ihl\u00e1s\u00ed.<\/p>\n\n\n\n

DDoS \u00fatoky<\/strong>: Soubor tak\u00e9 m\u016f\u017ee b\u00fdt zneu\u017eit k proveden\u00ed distribuovan\u00fdch denial-of-service (DDoS) \u00fatok\u016f, kde \u00fato\u010dn\u00edk vol\u00e1 xmlrpc.php<\/code> s velk\u00fdm mno\u017estv\u00edm po\u017eadavk\u016f, co\u017e p\u0159et\u011b\u017euje server. <\/p>\n\n\n\n

Amplifikace \u00fatok\u016f<\/strong>: xmlrpc.php<\/code> lze zneu\u017e\u00edt k amplifikaci \u00fatok\u016f, kde \u00fato\u010dn\u00edk po\u0161le mal\u00fd po\u017eadavek, kter\u00fd vede k v\u011bt\u0161\u00ed odpov\u011bdi od serveru, zvy\u0161uj\u00edc\u00ed s\u00edlu \u00fatoku.<\/p>\n\n\n\n

Pokud m\u00e1te va\u0161i dom\u00e9nu chr\u00e1n\u011bnou WEDOS Global Protection<\/a>, tak je soubor xmlrpc.php<\/code> chr\u00e1n\u011bn \u0159adou komplexn\u00edch pravidel, kter\u00e9 neomezuj\u00ed WordPress a z\u00e1rove\u0148 zahazuj\u00ed pokusy o \u00fatoky. <\/p>\n\n\n\n

Pond\u011bl\u00ed 23. \u0159\u00edjna 2023<\/h2>\n\n\n\n

Po p\u016flnoci n\u00e1\u0161 automatizovan\u00fd extern\u00ed monitoring agreguj\u00edc\u00ed data podle server\u016f ze v\u0161ech web\u016f WEDOS OnLine<\/a> detekoval men\u0161\u00ed zpomalen\u00ed web\u016f na n\u011bkter\u00fdch serverech. Vy\u0161\u0161\u00ed z\u00e1t\u011b\u017e potvrdil i intern\u00ed monitoring z\u00e1t\u011b\u017ee server\u016f. <\/p>\n\n\n\n

No\u010dn\u00ed hl\u00eddka provedla p\u00e1r z\u00e1sah\u016f, kter\u00e9 situaci stabilizovaly. K \u017e\u00e1dn\u00e9 krizov\u00e9 situaci nedoch\u00e1zelo, proto\u017ee servery udr\u017eujeme polopr\u00e1zdn\u00e9, aby byl dostatek prostoru pro vyrovn\u00e1n\u00ed se s n\u00e1razovou z\u00e1t\u011b\u017e\u00ed. Nav\u00edc byl no\u010dn\u00ed provoz.<\/p>\n\n\n\n

\"\"
Na grafu vid\u00edte pr\u016fm\u011brnou dobu vr\u00e1cen\u00ed xmlrpc.php pro \u00fato\u010d\u00edc\u00ed IP adresy. Po p\u016flno\u010dn\u00edm \u00fatoku zas\u00e1hla podpora a situaci stabilizovala.<\/figcaption><\/figure>\n\n\n\n

\u00datoky d\u00e1l prob\u00edhaly, na serverech to nebylo zn\u00e1t a\u017e do r\u00e1na, kdy za\u010dal b\u011b\u017en\u00fd denn\u00ed provoz a za\u010dala chodit hl\u00e1\u0161en\u00ed z WEDOS OnLine, \u017ee n\u011bkter\u00e9 servery jsou pomalej\u0161\u00ed ne\u017e je b\u011b\u017en\u00e9. Za\u010dali jsme se t\u00edm intenzivn\u011bji zab\u00fdvat a analyzovat provoz.<\/p>\n\n\n\n

Brzy se n\u00e1m poda\u0159ilo zjistit, \u017ee se jedn\u00e1 o \u00fatok na xmlrpc.php<\/code>. IP adresy „Indon\u00e9sk\u00e9ho botnetu“ n\u00e1m byly zn\u00e1m\u00e9. Ud\u011blali jsme tak hromadnou agregaci dat, a p\u0159esto\u017ee se \u00fato\u010dn\u00edci opravdu hezky sna\u017eili maskovat, tak pou\u017e\u00edvali pouze 6 spole\u010dn\u00fdch useragent<\/code>. <\/p>\n\n\n\n

Useragent<\/code> je kr\u00e1tk\u00fd textov\u00fd \u0159et\u011bzec, kter\u00fd webov\u00fd prohl\u00ed\u017ee\u010d nebo jin\u00fd klient pos\u00edl\u00e1 webserveru p\u0159i ka\u017ed\u00e9m po\u017eadavku, a identifikuje tak sv\u016fj internetov\u00fd prohl\u00ed\u017ee\u010d, opera\u010dn\u00ed syst\u00e9m, verze a dal\u0161\u00ed informace. Slou\u017e\u00ed k tomu, aby server poznal, s jak\u00fdm typem za\u0159\u00edzen\u00ed nebo aplikace komunikuje. <\/p>\n\n\n\n

Sta\u010dilo tedy odfiltrovat z agregac\u00ed ostatn\u00ed useragent<\/code> a nechat pouze tyto:<\/p>\n\n\n\n

Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.116 Safari\/537.36 Edge\/15.15063\nMozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/89.0.4389.114 Safari\/537.36\nMozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/89.0.4389.128 Safari\/537.36 Edg\/89.0.774.77\nMozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/87.0.4280.141 Safari\/537.36 Edg\/87.0.664.75\nMozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/88.0.4324.190 Safari\/537.36\nMozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/89.0.4389.72 Safari\/537.36<\/code><\/pre>\n\n\n\n
Tehdy jsme poprv\u00e9 uvid\u011bli rozsah \u00fatoku. I p\u0159es obrovsk\u00e9 mno\u017estv\u00ed request\u016f \u0161lo z jedn\u00e9 IP adresy jen jednotky a\u017e ni\u017e\u0161\u00ed des\u00edtky reuquest\u016f za hodinu. A to st\u00edhaly pos\u00edlat p\u0159es 700 tis\u00edc po\u017eadavk\u016f za hodinu na n\u011bjak\u00fdch 143 tis\u00edc (sub)dom\u00e9n.  Pokud bychom ze v\u0161ech na\u0161ich  server\u016f v re\u00e1ln\u00e9m \u010dase nestahovali access logy na jedno centr\u00e1ln\u00ed m\u00edsto a nevyhodnocovali, nem\u011bli bychom \u0161anci n\u011bco takov\u00e9ho dohledat. <\/p>\n\n\n\n
Takto rozlo\u017een\u00fd \u00fatok jako spr\u00e1vce jednoho webu nem\u00e1te \u0161anci poznat a popravd\u011b se proti n\u011bmu ani br\u00e1nit, proto\u017ee poka\u017ed\u00e9 p\u0159ijde request z jin\u00e9 IP.<\/p>\n\n\n\n
Vzhledem k tomu, \u017ee weby z\u00e1kazn\u00edk\u016f nepadaly ani nebyly nijak v\u00fdznamn\u011b zpomalen\u00e9, nebylo nutn\u00e9 nijak ukvapen\u011b jednat. Rozd\u011blili jsme si proto pr\u00e1ci.<\/p>\n\n\n\n