Re: [Sks-devel] Just coincidence or targeted attack?


From: Tobias Frei
Subject: Re: [Sks-devel] Just coincidence or targeted attack?
Date: Mon, 19 May 2014 19:12:32 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0


Hi,

running "tail -f db.log" gave me weird requests like these:

user-agent:Java/1.7.0_51]): No keys found
2014-05-19 18:35:40 No results for request
(GET,/pks/lookup?op=get&search=0x9ECA6FE8,[
accept:text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
cache-control:no-cache
connection:close
host:127.0.0.1:11372
pragma:no-cache
user-agent:Java/1.7.0_51]): No keys found
2014-05-19 18:35:57 Error handling request (POST,/pks/add,[
accept:*/*
connection:close
content-length:82
content-type:application/x-www-form-urlencoded
host:127.0.0.1:11372]): Failure("Error while decoding ascii-armored
key: text terminated before beginning of ascii block")
2014-05-19 18:36:01 Page not found:
/pks/lookup/undefined1<ScRiPt>prompt('CVE-2014-3207')</ScRiPt>
2014-05-19 18:36:38 No results for request
(GET,/pks/lookup?op=get&options=mr&search=0x21A61B02BF9ACCCF,[
accept:*/*
cache-control:no-cache
connection:close
host:127.0.0.1:11372
pragma:no-cache]): No keys found

...about every five seconds. The connections appear to come from
127.0.0.1 because of the reverse proxying; nginx's access logs are
disabled for this host and I don't think that enabling them will help
here at all. All I could get is a list of abusive IP addresses, which
might change frequently - and these requests don't cause any trouble
for me anyway. The logs are rotated and compressed automatically, so
I'll just ignore these requests.

Best regards,
Tobias Frei



On 18.05.2014 22:34, Jeremy T. Bouse wrote:
> Has anyone else noticed an increase in exploitation attempts
> against your SKS server(s) or am I just looking at pure coincidence
> that I've had all 3 of my SKS nodes have an increasing rise in
> attack vectors coming from the China and Indonesia blocks of
> 222.184.0.0/13 and 203.81.248.0/22 over the past 24 hours? The rest
> of my servers haven't been receiving the same attack vectors so it
> appears targeted at SKS directly.
> 
> I've checked on my servers and they are still secure and my 
> countermeasures and detection methods have been successful thus
> far. Right now the only accessible ports on these machines are SSH
> and SKS that is reverse proxied through nginx so they have limited
> angles to attack. I've had over half the attempts made this month
> made in the past 24 hour period so far.
> 
> 
> 
> _______________________________________________ Sks-devel mailing
> list address@hidden 
> https://lists.nongnu.org/mailman/listinfo/sks-devel
> 
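A triage sketch for the db.log excerpt quoted in the message above, added here as an example and not part of the original post or of SKS: it regroups the multi-line entries under their timestamps and labels the request types shown. The regular expressions assume only the entry layout visible in that excerpt, and the label names are made up for the example.

```python
import re

# A db.log entry opens with "YYYY-MM-DD HH:MM:SS <message>"; header dumps follow on later lines.
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
# Request path as it appears in the excerpt: "(GET,/path,[" or "Page not found:\n/path".
PATH = re.compile(r"(?:\((?:GET|POST),|Page not found:\s*)(/.*?)(?:,\[|$)", re.M)
# Script tag in a path, literal or percent-encoded, any letter case.
SCRIPT_TAG = re.compile(r"(?:<|%3c)\s*/?\s*script\b", re.I)

def split_entries(text):
    """Attach continuation lines to the timestamped line that opened the entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries:  # lines before the first timestamp belong to a cut-off entry: skip
            entries[-1][1] += "\n" + line
    return [(ts, body) for ts, body in entries]

def classify(body):
    """Label one entry; the script-tag check looks at the path only, not the headers."""
    m = PATH.search(body)
    if m and SCRIPT_TAG.search(m.group(1)):
        return "script-tag-in-path"
    if body.startswith("Error handling request (POST,/pks/add"):
        return "rejected-key-upload"
    if body.startswith("No results for request"):
        return "lookup-miss"
    if body.startswith("Page not found"):
        return "unknown-path"
    return "other"

def triage(text):
    return [(ts, classify(body)) for ts, body in split_entries(text)]

# Lines copied from the excerpt in the message above (some header lines omitted).
SAMPLE = """user-agent:Java/1.7.0_51]): No keys found
2014-05-19 18:35:40 No results for request
(GET,/pks/lookup?op=get&search=0x9ECA6FE8,[
user-agent:Java/1.7.0_51]): No keys found
2014-05-19 18:35:57 Error handling request (POST,/pks/add,[
host:127.0.0.1:11372]): Failure("Error while decoding ascii-armored
key: text terminated before beginning of ascii block")
2014-05-19 18:36:01 Page not found:
/pks/lookup/undefined1<ScRiPt>prompt('CVE-2014-3207')</ScRiPt>
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because the proxied requests all log `host:127.0.0.1:11372`, the labels say what was requested and when, not who sent it.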
