New, unidentified probes #8

Open
gwillem opened this issue Dec 24, 2018 · 7 comments

Comments

@gwillem
Collaborator

gwillem commented Dec 24, 2018

Probably a load more vulnerable extensions, should figure out what they are. All requested by 185.254.120.74 (LT), 185.153.197.28 (RU), 185.176.27.162 (BG) and 84.54.36.12 (NL, Worldstream).

They hit 404 on this particular site, so I cannot tell what they were looking for.

User agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

/advancednewsletter/index/test
/advancedreviews/Product/post/
/ajaxreviews/index/getReviews/
/autocompleteplus/Products/checkinstall
/blog/2013/04/09/spring-2013-market-price-check-ipod-touch-4th-generation/
/brand/
/bulk/kit-iphone-6-small-parts
/careers.html
/clearance/clearance-tools/gtool/icorner/gtool-icorner-corner-tool-head-set-for-ipod-touch-5-gh1225-strong-font-color-ed1d24-new-font-strong
/clnews
/consultants/
/donate/donation
/econt/ajax/street
//.env
/freight/index/row
//helper/constants.js
/index.php/abandonedorder/index/key/
/index.php/adjcartalert/adminhtml_cartalert/index/key/
/index.php/admin_awautorelated/adminhtml_blocksgrid/
/index.php/admin_reviewcomment/adminhtml_reviewcomment/
/index.php/adminseoslider/adminhtml_seoslider/index/key/
/index.php/admin_shipment/adminhtml_shipmentbackend/index/
/index.php/advancednewsletter/adminhtml_automanagement/index/key/
/index.php/advancedreports/adminhtml_advancedreports/
/index.php/advancedreports_admin/standardsales/
/index.php/advancedreviews_admin/adminhtml_abuse/index/
/index.php/AdvancedStock_Misc/MassStockEditor/key/
/index.php/AdvancedStock/Products/Grid/
/index.php/affiliate/adminhtml_affiliatewithdrawnpending/
/index.php/auction/adminhtml_auction/index/
/index.php/awall_admin/additional/index/
/index.php/awcore/viewlog/index/
/index.php/bc_en/rss/order/new/
/index.php/blog/index/list/tag/
/index.php/brand/adminhtml_brand/index/
/index.php/ecc/admin/index/
/index.php/everypay/everypay/callback?orderNoField=asdas&nonce=*&order_reference=huyvam&hmac=2064bf1399b38edf62f71b671b3bf961b71c9a3a&api_username=
/index.php/ExtensionConflict/Admin/List/index/
/index.php/fancycheckout/Instantcheckout/showinstantcheckoutfirst?isAjax=1
/index.php/faq/adminhtml_faq/index/
/index.php/faq/adminhtml_faq_list/index/
/index.php/faq/index/result/?cat_id=2&keyword=1
/index.php/faqs/adminhtml_categories/index/key/
/index.php/forum/adminhtml_forumbackend/index/
/index.php/freetextsearch/search/result?keyword=1
/index.php/galleryvideo/index?gallery=1*
/index.php/giftlist/adminhtml_manageList/index/
/index.php/inquiry/adminhtml_inquiry/index/
/index.php/InventorySold/index/key/
/index.php/M2ePro/adminhtml_common_listing/index/
/index.php/M2ePro/adminhtml_ebay_listing/
/index.php/marketplace/adminhtml_seller/index/
/index.php/megamenu/adminhtml_menugroup/index/
/index.php/offinews/adminhtml_category/index/
/index.php/Organizer/Task/List/
/index.php/productattachments/adminhtml_productattachments/index/key/
/index.php/productquestions/adminhtml_answers/index/
/index.php/questionanswer/adminhtml_questionanswer/index/
/index.php/quickshop/adminhtml_quickshop/index/
/index.php/Scanner/index/index/
/index.php/Scanner_index/index/key/
/index.php/storelocator/adminhtml_storelocator/index/
/index.php/ticketsystem/adminhtml_ticketsystem/index/
/index.php/UrlRedirector/Admin/Grid/
/index.php/webforms/index/iframe/
/intl/authors
/js/advancednewsletter/advancednewsletter.js
/js/advancedreviews/ajax-reviews.js
/js/em_layerednavigation/slider.js
/js/magestore/auction.php
/komfortkasse/main?action=init&o=1&accesscode=1&store_id=1&test=2&accesscode_hash=c4ca4238a0b923820dcc509a6f75849b&testBase64Enc=Q2FuIHlvdSBoZWFyIG1lPw==
/mobileassistant/index/testModule
/order/trackorder
/outofstocknotification
/process/licenselookup.php
/productquestions/adminhtml_answers/index/
/psp-playstation-portable-battery-cover
/questionanswer/adminhtml_questionanswer/index/
/recommender/index/orderitem/
/securepay/sfdirectpost/start
/skin/frontend/base/default/advancedreviews/css/advancedreviews.css
/skin/frontend/base/default/Loginradius/Sociallogin/js/LoginRadiusSDK.js
/skin/frontend/default/default/sns/quickview/css/quickview.css
/skin/frontend/default/default/sns/quickview/js/quickview.js
/skin/frontend/enterprise/default/css/aw_zblocks.css
/storelocator/index/
/storelocator/index/loadstore/
/testimonials/index
/index.php/magenotification/adminhtml_feedback/index/
/index.php/affiliateplusadmin/adminhtml_banner/index/key/
gwillem changed the title from "marketplace probe?" to "New, unidentified probes" on Dec 24, 2018
@jeroenvermeulen
Collaborator

jeroenvermeulen commented Dec 24, 2018

@Rolandwalraven Can you share the IP blacklist we use? Can you request to add these IPs?
(sorry, a bit off-topic)

@gwillem
Collaborator Author

gwillem commented Dec 24, 2018

No worries, I am maintaining an internal blacklist too, but still undecided whether I should use single IPs, class C netblocks or AS numbers. For OVH, a single IP is probably the best, but for Worldstream, I don't trust the whole ASN.

@jeroenvermeulen
Collaborator

The IP blacklist we use is dnsbl.dronebl.org, more info: https://dronebl.org/
I found no easy way to add those IPs to that blacklist.

@gwillem
Collaborator Author

gwillem commented Jan 7, 2019

And more probes, all from 137.74.21.194, which started probing in May 2018 and continued to Dec 2018.

/advancedreports/chart/tunnel
/ajaxproducts/index/index
/campaigner/abandoned/restore
/comm/message/crqu
/comm/returns/configureproduct
/customerconnect/rfqs/configureproduct
/emaildirect/abandoned/restore
/freegift/cart/gurlgift
/index.php/advancedreports/chart/tunnel
/index.php/ajaxproducts/index/index
/index.php/campaigner/abandoned/restore
/index.php/comm/message/crqu
/index.php/comm/returns/configureproduct
/index.php/customerconnect/rfqs/configureproduct
/index.php/emaildirect/abandoned/restore
/index.php/freegift/cart/gurlgift
/index.php/madecache/varnish/esi
/index.php/qquoteadv/download/downloadCustomOption
/index.php/simplebundle/Cart/add
/index.php/supplierconnect/orders/update
/index.php/supplierconnect/rfq/update
/index.php/vendors/credit/withdraw/review
/madecache/varnish/esi
/qquoteadv/download/downloadCustomOption
/simplebundle/Cart/add
/supplierconnect/orders/update
/supplierconnect/rfq/update
/vendors/credit/withdraw/review
/webgility1234/webgility-magento.php
/webgility123/webgility-magento.php
/webgility_12/webgility-magento.php
/webgility_13/webgility-magento.php
/webgility_1/webgility-magento.php
/webgility1/webgility-magento.php
/webgility_2/webgility-magento.php
/webgility2/webgility-magento.php
/webgility_3/webgility-magento.php
/webgility3/webgility-magento.php
/webgility_bk/webgility-magento.php
/webgility_dev/webgility-magento.php
/webgilitydev/webgility-magento.php
/webgility/webgility-magento.php

@rhoerr
Collaborator

rhoerr commented Mar 7, 2019

With #23 being merged, should we consider expanding the list with any of those probes that are likely to be module routes and are not already covered?

It'll make for noise on the list that isn't necessarily an actual vulnerable module, but that's probably preferable to things slipping through the cracks. We can fill the info in if/when we do hear from people using them.

I'll prep a PR with them at some point, if so.

@AlterWeb
Collaborator

I scanned all our customers' Magento shops for the routes listed by @gwillem. All the matches that I found are pointing to a vulnerability in the sense that they lead to the Magento admin panel without knowing the URL of the admin panel. This vulnerability should be fixed by the SUPEE-6788 patch, but because this feature is disabled by default (and a lot of owners leave it this way because modules stop working after they enable it) this can be used to track down the admin URL for many installations.

I don't know if we have to add those modules to the list because it is just a first step to get into the admin panel. After finding the admin URL they still have to guess or bruteforce the user credentials. If you think we should add those modules I can make a PR with modules that we know of having this problem (there are a lot more than just the URLs mentioned here). If not, I think you can exclude the following URLs from this list because they don't have another vulnerability as far as I can tell (or at least in the versions we have):

/index.php/admin_awautorelated/adminhtml_blocksgrid/
/index.php/Organizer/Task/List/
/index.php/ExtensionConflict/Admin/List/index/
/index.php/awall_admin/additional/index/
/index.php/AdvancedStock_Misc/MassStockEditor/key/
/index.php/AdvancedStock/Products/Grid/
/index.php/Scanner/index/index/

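As an added example (not code from this thread or from the project it belongs to), a small Python scanner that checks access-log lines against the probe routes reported in this issue, treating the seven routes AlterWeb singles out above as admin-frontname disclosure rather than as module probes. It assumes the combined log format; the route sets are a subset chosen for illustration, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Combined-log-format parser (default Apache/nginx access log).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Probe routes reported in this issue, normalized (no /index.php prefix, no doubled slash).
PROBE_ROUTES = {"/.env", "/madecache/varnish/esi", "/freegift/cart/gurlgift",
                "/qquoteadv/download/downloadCustomOption", "/simplebundle/Cart/add",
                "/webgility/webgility-magento.php", "/mobileassistant/index/testModule"}
# The seven routes AlterWeb reports as only disclosing the admin frontname.
ADMIN_ONLY_ROUTES = {"/admin_awautorelated/adminhtml_blocksgrid/", "/Organizer/Task/List/",
                     "/ExtensionConflict/Admin/List/index/", "/awall_admin/additional/index/",
                     "/AdvancedStock_Misc/MassStockEditor/key/", "/AdvancedStock/Products/Grid/",
                     "/Scanner/index/index/"}

def normalize_path(target):
    """Drop the query string, collapse doubled slashes (//.env) and strip /index.php,
    so both forms seen in the second list compare equal to the route lists."""
    path = re.sub(r"/{2,}", "/", target.split("?", 1)[0])
    return path[len("/index.php"):] if path.startswith("/index.php/") else path

def classify(path):
    """Category for a normalized path, or None when it matches nothing known."""
    if path in ADMIN_ONLY_ROUTES:
        return "admin-frontname-disclosure"
    return "module-probe" if path in PROBE_ROUTES else None

def scan(log_text):
    """Return {client_ip: Counter(category -> hits)} for requests hitting known routes."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        category = classify(normalize_path(m["target"])) if m else None
        if category is not None:
            hits[m["ip"]][category] += 1
    return dict(hits)

# Constructed sample lines (TEST-NET addresses), not taken from any real log.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Dec/2018:10:01:02 +0000] "GET /index.php/madecache/varnish/esi HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Dec/2018:10:01:03 +0000] "GET //.env HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Jan/2019:03:16:00 +0000] "GET /index.php/Organizer/Task/List/?key=abc HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Jan/2019:03:16:01 +0000] "GET /customer/account/login/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, dict(counts))
```

Keeping the two categories apart lets a blocklist decision (as discussed earlier in the thread) weigh a module-probe hit differently from a route that merely reveals the admin path.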
@gwillem
Collaborator Author

gwillem commented Mar 21, 2019

I agree with @AlterWeb to not add modules to the vulnerability list that are merely exposing the admin frontname.
