New, unidentified probes #8
Comments
@Rolandwalraven Can you share the IP blacklist we use? Can you request to add these IPs?
No worries, I am maintaining an internal blacklist too, but still undecided whether I should use single IPs, class C netblocks or AS numbers. For OVH, a single IP is probably the best, but for Worldstream, I don't trust the whole ASN.
The IP blacklist we use is
And more probes, all from
With #23 being merged, should we consider expanding the list with any of those probes that are likely to be module routes and are not already covered? It'll make for noise on the list that isn't necessarily actually a vulnerable module--but that's probably preferable to things slipping through the cracks. We can fill the info in if/when we do hear from people using them. I'll prep a PR with them at some point, if so.
I scanned all our customers' Magento shops for the routes listed by @gwillem. All the matches that I found are pointing to a vulnerability in the sense that they lead to the Magento admin panel without knowing the URL of the admin panel. This vulnerability should be fixed by the SUPEE-6788 patch, but because this feature is disabled by default (and a lot of owners leave it this way because modules stop working after they enable it), this can be used to track down the admin URL for many installations. I don't know if we have to add those modules to the list, because it is just a first step to get into the admin panel. After finding the admin URL they still have to guess or bruteforce the user credentials. If you think we should add those modules, I can make a PR with modules that we know of having this problem (there are a lot more than just the URLs mentioned here). If not, I think you can exclude the following URLs from this list because they don't have another vulnerability as far as I can tell (or at least in the versions we have):
I agree with @AlterWeb to not add modules to the vulnerability list that are merely exposing the admin frontname.
Probably a load more vulnerable extensions, should figure out what they are. All requested by 185.254.120.74 (LT), 185.153.197.28 (RU), 185.176.27.162 (BG) and 84.54.36.12 (NL, Worldstream).
They hit 404 on this particular site, so cannot tell what they were looking for.
User agent:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
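As an added example (not code from this repository or from any of the commenters), a small Python triage script that applies the single-IP-versus-netblock blocklisting debated above and then reports any source not already blocked that repeatedly hit 404s with the user agent quoted in this issue. The log lines, the /24 netblock and the request paths are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Probe user agent quoted in this issue.
PROBE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"

# Hypothetical blocklist mixing a single host and a /24 netblock (the choice
# debated above); ipaddress matching lets both forms live in one list.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("185.254.120.74/32", "84.54.36.0/24")]

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real traffic; the paths are placeholders.
SAMPLE_LOG = """\
185.254.120.74 - - [01/Jan/2019:10:00:00 +0000] "GET /route-a/ HTTP/1.1" 404 209 "-" "{ua}"
185.153.197.28 - - [01/Jan/2019:10:00:01 +0000] "GET /route-a/ HTTP/1.1" 404 209 "-" "{ua}"
185.153.197.28 - - [01/Jan/2019:10:00:02 +0000] "GET /route-b/ HTTP/1.1" 404 209 "-" "{ua}"
185.153.197.28 - - [01/Jan/2019:10:00:03 +0000] "GET /route-c/ HTTP/1.1" 404 209 "-" "{ua}"
84.54.36.12 - - [01/Jan/2019:10:00:04 +0000] "GET /route-a/ HTTP/1.1" 404 209 "-" "{ua}"
185.176.27.162 - - [01/Jan/2019:10:00:05 +0000] "GET /route-a/ HTTP/1.1" 404 209 "-" "{ua}"
203.0.113.5 - - [01/Jan/2019:10:00:06 +0000] "GET /index.php/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".format(ua=PROBE_UA).splitlines()


def is_blocklisted(ip):
    """True if ip falls inside any blocklist entry (single host or netblock)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)


def find_probe_sources(lines, min_404=3):
    """Map each non-blocklisted IP with at least min_404 404s under the probe UA
    to the paths it requested, so new probe sources can be reviewed."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not in combined log format
        if m["status"] != "404" or m["ua"] != PROBE_UA:
            continue
        if is_blocklisted(m["ip"]):
            continue  # already covered by the blocklist
        hits[m["ip"]].append(m["path"])
    return {ip: paths for ip, paths in hits.items() if len(paths) >= min_404}


if __name__ == "__main__":
    for ip, paths in find_probe_sources(SAMPLE_LOG).items():
        print(ip, paths)
```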