Score:3

Malicious requests from private network (Kubernetes)


Recently I've been getting many malicious requests to my nginx-ingress pod, but I don't understand how it's possible that they're from a private network. Some examples:

10.114.0.3 - - [11/Oct/2021:09:07:09 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 400 158 "-" "-" 94 0.015 [] [] - - - - bea3d4941bd57413fa52e4ff01437067
10.114.0.3 - - [11/Oct/2021:09:07:09 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03]\xCDw\x0B\xD4\x92$z\x17\xC4z\xC1s\xFF\x1E\x5C\xE1\xC0\xCE\xEB$<Z\xAB\xC5\xC9L\xB5\xF09-u yd\xD1y\x0Fw\x9A\x94\xB1$\xDC\xC6\xD7\xCB\xE2\xFB\x83\xEEQC*\xBA\xC4E\x0F\xF6\xA6\xFC_a\xB9\x15\x00&\xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0" 400 158 "-" "-" 0 0.016 [] [] - - - - 0200c3049215e065bc42749fee66654a
10.114.0.3 - - [11/Oct/2021:09:07:09 +0000] "CONNECT leakix.net:443 HTTP/1.1" 400 158 "-" "-" 0 0.017 [] [] - - - - 43ae42d20fa1fa89fcddddd81801b9a2
10.114.0.3 - - [11/Oct/2021:15:32:02 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 158 "-" "-" 51 0.042 [] [] - - - - 862e8fe41db26a92f8db8dd194184044

I would think one of our droplets is hacked, but we don't have any droplet with IP 10.114.0.3, even though we have similar IPs:

  • 10.114.0.2
  • 10.114.0.5
  • 10.114.0.7

Any ideas?

kupson
Do you see real external IP addresses on the legitimate requests from the Internet?
Score:3

What you see is an attack using an exploit in Apache 2.4.49 (only this version is affected). You can read more about it here: CVE-2021-41773.
TL;DR: Path traversal allows an attacker to remotely execute code if files are not protected by a "require all denied" configuration.

If you are using any Apache servers, upgrade them to at least version 2.4.50.
Execute this on your Apache server:

curl --data "echo;id" 'http://127.0.0.1:80/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'

If that returns anything other than a 403 error, your server may be vulnerable.

Assuming you are using DigitalOcean, check your account activity and your team activity for the actions droplet.create and droplet.destroy with a suspicious IP.

Check your kube scheduler and controller logs for any suspicious activity.
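Before digging through DigitalOcean or kube-scheduler activity, it helps to triage the ingress log itself. The following scanner is an added example (not code from the answer above or from nginx-ingress): it parses the default nginx-ingress access-log layout seen in the question, URL-decodes the request path so that the `.%2e`/`%2e%2e` encoding used by the CVE-2021-41773 probes turns back into plain `..`, and flags traversal segments, the CONNECT tunnel attempt, and the non-HTTP payload (the `\x16\x03\x01...` line is a TLS ClientHello sent to the plaintext port). The four malicious lines are the ones from the question; the final `/healthz` line is constructed so the scan has a benign request to leave alone.

```python
import re
from urllib.parse import unquote

# Access-log layout as shown in the question (nginx-ingress default):
# <client ip> - - [<time>] "<request>" <status> <bytes> ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
)

HTTP_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS",
                "PATCH", "CONNECT", "TRACE"}

# Four lines copied from the question, plus one constructed benign
# health-check line (the last one) so there is something to leave alone.
SAMPLE_LINES = [
    r'10.114.0.3 - - [11/Oct/2021:09:07:09 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 400 158 "-" "-" 94 0.015 [] [] - - - - bea3d4941bd57413fa52e4ff01437067',
    r'10.114.0.3 - - [11/Oct/2021:09:07:09 +0000] "\x16\x03\x01\x00\xEE\x01\x00\x00\xEA\x03\x03]\xCDw\x0B\xD4\x92$z\x17\xC4z\xC1s\xFF\x1E\x5C\xE1\xC0\xCE\xEB$<Z\xAB\xC5\xC9L\xB5\xF09-u yd\xD1y\x0Fw\x9A\x94\xB1$\xDC\xC6\xD7\xCB\xE2\xFB\x83\xEEQC*\xBA\xC4E\x0F\xF6\xA6\xFC_a\xB9\x15\x00&\xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x13\xC0\x09\xC0\x14\xC0" 400 158 "-" "-" 0 0.016 [] [] - - - - 0200c3049215e065bc42749fee66654a',
    r'10.114.0.3 - - [11/Oct/2021:09:07:09 +0000] "CONNECT leakix.net:443 HTTP/1.1" 400 158 "-" "-" 0 0.017 [] [] - - - - 43ae42d20fa1fa89fcddddd81801b9a2',
    r'10.114.0.3 - - [11/Oct/2021:15:32:02 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 158 "-" "-" 51 0.042 [] [] - - - - 862e8fe41db26a92f8db8dd194184044',
    # constructed: a normal kubelet probe, should produce no findings
    r'10.114.0.3 - - [11/Oct/2021:09:10:00 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.21" 0 0.001 [] [] - - - - 00000000000000000000000000000000',
]


def parse_line(line):
    """Split one access-log line into ip/time/request/status plus method and target."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["request"].split(" ")
    entry["method"] = parts[0] if parts else ""
    entry["target"] = parts[1] if len(parts) > 1 else ""
    return entry


def decode_path(target, rounds=3):
    """URL-decode until stable (bounded) so %2e and double-encoded %252e both become '.'."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify(entry):
    """Return a list of human-readable reasons this request looks hostile (empty if clean)."""
    reasons = []
    if entry["method"] not in HTTP_METHODS:
        reasons.append("non-HTTP bytes on the HTTP port (e.g. a raw TLS handshake)")
    decoded = decode_path(entry["target"])
    # Check path segments rather than substrings so '/foo..bar/' is not a false positive.
    if ".." in decoded.split("/"):
        reasons.append(f"path traversal after decoding: {decoded}")
    if entry["method"] == "CONNECT":
        reasons.append(f"proxy tunnel request (CONNECT) to {entry['target']}")
    return reasons


def scan(lines):
    """Parse every line and keep only the ones with at least one finding."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "time": entry["time"],
                             "status": entry["status"], "reasons": reasons})
    return findings


def flagged_per_ip(findings):
    """Count findings by the address the ingress recorded as the client."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


def all_from_one_source(findings):
    """True when every flagged request carries the same source address."""
    return len({f["ip"] for f in findings}) == 1


if __name__ == "__main__":
    results = scan(SAMPLE_LINES)
    for f in results:
        print(f["ip"], f["time"], f["status"], "; ".join(f["reasons"]))
    print("per-ip:", flagged_per_ip(results))
    print("single source:", all_from_one_source(results))
```

When every flagged line resolves to one private address, as in the question, the address the ingress recorded is more likely an intermediary (a node or load balancer) than the actual client, which is what kupson's comment is probing: compare the recorded address on known-good external requests before treating 10.114.0.3 as a compromised host.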

Correct! I see those actions from IP 127.0.0.1 with user "k8saas infrastructure". It's also been about a week that we've been getting alerts of the type "15 Minute Load Average is running high".
So from the IP and username I'd say it's some log of system maintenance, but I'd expect to find some documentation about the user "k8saas infrastructure"; instead I can't find any reference.