
Recently I've been getting many malicious requests to my nginx-ingress pod, but I don't understand how it's possible that they come from a private network. Some examples:

10.114.0.3 - - [11/Oct/2021:09:07:09 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 400 158 "-" "-" 94 0.015 [] [] - - - - bea3d4941bd57413fa52e4ff01437067
10.114.0.3 - - [11/Oct/2021:09:07:09 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03]\xCDw\x0B\xD4\x92$z\x17\xC4z\xC1s\xFF\x1E\x5C\xE1\xC0\xCE\xEB$<Z\xAB\xC5\xC9L\xB5\xF09-u yd\xD1y\x0Fw\x9A\x94\xB1$\xDC\xC6\xD7\xCB\xE2\xFB\x83\xEEQC*\xBA\xC4E\x0F\xF6\xA6\xFC_a\xB9\x15\x00&\xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0" 400 158 "-" "-" 0 0.016 [] [] - - - - 0200c3049215e065bc42749fee66654a
10.114.0.3 - - [11/Oct/2021:09:07:09 +0000] "CONNECT leakix.net:443 HTTP/1.1" 400 158 "-" "-" 0 0.017 [] [] - - - - 43ae42d20fa1fa89fcddddd81801b9a2
10.114.0.3 - - [11/Oct/2021:15:32:02 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 158 "-" "-" 51 0.042 [] [] - - - - 862e8fe41db26a92f8db8dd194184044

I would think one of our droplets is hacked, but we don't have any droplet with IP 10.114.0.3, even though we have similar IPs:

  • 10.114.0.2
  • 10.114.0.5
  • 10.114.0.7

Any idea?

Darko Romanov
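As an added example (not part of the question or the answer), here is a small defender-side triage script that parses nginx-ingress access log lines in the format shown above and classifies each request: an encoded path traversal (the `.%2e` / `%2e%2e` segments), a CONNECT proxy probe, and a raw TLS ClientHello (`\x16\x03...`) sent to the plaintext port. It also tags whether the source address is RFC 1918. One likely explanation for the private source address, stated here as an assumption rather than something the thread confirms, is that traffic arriving through a Kubernetes Service or cloud load balancer is source-NATed, so the first field holds a node or load-balancer address and the real client IP is only available via X-Forwarded-For or PROXY protocol if the ingress is configured to use it. The sample log lines are constructed to mirror the ones in the question (the TLS line is shortened).

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the nginx-ingress log format in the question
# (not the poster's real log); the TLS line is shortened to its first bytes.
SAMPLE_LOG = r"""10.114.0.3 - - [11/Oct/2021:09:07:09 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 400 158 "-" "-" 94 0.015 [] [] - - - - bea3d4941bd57413fa52e4ff01437067
10.114.0.3 - - [11/Oct/2021:09:07:09 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03" 400 158 "-" "-" 0 0.016 [] [] - - - - 0200c3049215e065bc42749fee66654a
10.114.0.3 - - [11/Oct/2021:09:07:09 +0000] "CONNECT leakix.net:443 HTTP/1.1" 400 158 "-" "-" 0 0.017 [] [] - - - - 43ae42d20fa1fa89fcddddd81801b9a2
10.114.0.3 - - [11/Oct/2021:15:32:02 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 158 "-" "-" 51 0.042 [] [] - - - - 862e8fe41db26a92f8db8dd194184044
203.0.113.9 - - [11/Oct/2021:16:00:00 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.21" 0 0.001 [] [] - - - - 0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a
"""

# client ip, ident, user, [timestamp], "request line", status, bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Explicit RFC 1918 ranges: ipaddress.is_private would also match documentation
# ranges such as 203.0.113.0/24, which is not what we want to flag here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def has_path_traversal(raw_target: str) -> bool:
    """Decode up to twice (single and double URL-encoding) and look for a '..'
    path segment. An encoded dot ('%2e') in the raw path is itself flagged,
    since normal clients have no reason to encode a dot."""
    decoded = raw_target
    for _ in range(2):
        decoded = unquote(decoded)
    path = decoded.split("?", 1)[0]
    return ".." in path.split("/") or "%2e" in raw_target.lower()


def analyze_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        return {"raw": line, "findings": ["unparsed"]}
    ip, req, status = m["ip"], m["req"], int(m["status"])
    findings = []
    # nginx escapes non-printable bytes as \xNN; 0x16 0x03 is a TLS record header,
    # i.e. a TLS ClientHello delivered to the plaintext HTTP port.
    if req.startswith(r"\x16\x03"):
        findings.append("tls_handshake_on_plaintext_port")
        method, target = "-", "-"
    else:
        parts = req.split(" ")
        method = parts[0] if parts else "-"
        target = parts[1] if len(parts) > 1 else "-"
        if method == "CONNECT":           # open-proxy probe
            findings.append("connect_proxy_probe")
        if has_path_traversal(target):
            findings.append("path_traversal")
    return {
        "ip": ip,
        "method": method,
        "target": target,
        "status": status,
        "source_is_rfc1918": is_rfc1918(ip),
        "findings": findings,
    }


def analyze_log(text: str) -> list:
    return [analyze_line(l) for l in text.splitlines() if l.strip()]


def summarize(results: list) -> dict:
    """Suspicious requests per source address. If every hit comes from one
    RFC 1918 address, that address is most likely a node or load balancer,
    not the attacker, and the real client IP must be recovered elsewhere."""
    counts = {}
    for r in results:
        if r["findings"]:
            counts[r["ip"]] = counts.get(r["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze_log(SAMPLE_LOG)
    for r in results:
        if r["findings"]:
            print(r["ip"], r["method"], r["target"], r["status"], r["findings"],
                  "(private source)" if r["source_is_rfc1918"] else "")
    print("per-source:", summarize(results))
```

Run it against `kubectl logs` output from the ingress controller pod instead of `SAMPLE_LOG`; if all hits land on one private address, the next step is enabling real-client-IP logging on the ingress rather than hunting for a compromised host at that address.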

1 Answer


What you see is an attack using an exploit in Apache 2.4.49 (only this version is affected). You can read more about it here: CVE-2021-41773.
TL;DR: Path traversal allows an attacker to remotely execute code if files are not protected by a "require all denied" configuration.

If you are using any Apache servers, upgrade those to at least version 2.4.50.
Execute this on your Apache server:

curl --data "echo;id" 'http://127.0.0.1:80/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'

If that returns anything other than a 403 error, your server may be vulnerable.


Assuming you are using DigitalOcean, check your account activity and your team activity for droplet.create and droplet.destroy actions with a suspicious IP.

Check your kube scheduler and controller logs for any suspicious activity.

p10l
  • Correct! I see those actions from IP 127.0.0.1 with user "k8saas infrastructure". It's also been about a week that we've been getting alerts of type "15 Minute Load Average is running high". – Darko Romanov Oct 12 '21 at 18:51
  • So from the IP and username I'd say it's some log of system maintenance, but I'd expect to find some documentation about the user "k8saas infrastructure"; instead I can't find any reference. – Darko Romanov Oct 13 '21 at 07:54