
What are some ways to check for data leaks on a server


I have a site that is being protected by Cloudflare and recently, Cloudflare has been blocking requests being made to the admin panel from another country where no one should have access to the admin. The admin URLs contain security keys that can be linked back to numerous workers who do have admin access to the site, so these are not random attempts to connect to the admin, they are targeted requests. They are somehow getting these URLs, but I can't figure out where the leak is coming from. I have logged all requests made to the site using NGINX logging as well as logging any outbound traffic using tcpdump, but none of them have logged any traffic coming from or going to any of the IP addresses that are being blocked that are trying to make these illegitimate requests, though for tcpdump at least, a lot of the traffic is encrypted, so I'm not 100% sure of that.

I've also scanned the site for malware using clamav and sitelock, neither of which have logged any malware.

The admin panel is whitelisted, so only a handful of sites can access the admin, mainly the main office and the owner's house. The office itself has pretty strong security in place, including scanning for viruses and malware daily along with a firewall appliance, so I'm not convinced the leak is coming from any of the computers at the office, I'm pretty sure it's coming from the server, but I can't figure out where it could be coming from.

Is there anything else I can try to figure out where this leak is coming from? No data has been changed on the admin panel, but I still don't like that there is a leak somewhere on the site with no apparent source.

anx
What sort of URL, just confirming you use specific software, or impossible to guess without knowing a legitimate user's browsing history? Also, what makes you think it's the *server* leaking the URLs? Could also be one of your users exfiltrating data after setting his profile pic to `funny.svg` in a web application with poor security design, or using one of a bazillion compromised browser addons while viewing your site, right?
anx
*Content Security Policy* would be one easy mechanism to learn of a few commonly exploited XSS mechanisms, provided your application does not mix dynamic content types.
Eric Brown
@anx The software is Magento 2 with all the latest updates. The admin URL has a custom front name, so it's not anything like mysite.com/admin. Also, all Admin URLs have a security key in it that is unique for each admin session for each user. These exact URLs are the ones being blocked, security key and all. It's also not something like setting a profile pic, as I also have access to the admin and when I login on a fresh browser with no extensions, the same thing still happens.
Eric Brown
@anx I can check out CSP. I don't currently have it enabled on the site, so I can see if that solves anything.
anx
So far sounds like less concerning explanations like "legitimate user makes unintentional request through open browser tabs after joining VPN" are not ruled out either. If it was something about individual computers, it would probably only affect some not all users, so have you made a list: tokens associated with which users are seen from unusual networks, and which users appear unaffected?
Eric Brown
The problem is it does affect all users. Every URL from every admin user gets blocked from other countries. I can create a new admin user, then access that admin user on a fresh browser install, and a couple of minutes later Cloudflare blocks that exact URL from another country.
I once encountered an antivirus solution (don't remember which one though) that mirrored every URL I visited through their cloud services. I noticed that while monitoring access logs on one of my servers, every time I clicked on a link on the site, the same request was immediately repeated by another IP. If these security keys belong to a small number of admins it might be worth checking out what malware solution they use.
OldFart
I would definitely check the workers' systems, too.
OldFart
Browser extensions such as the Wayback Machine or similar automatic website archival could potentially also be something to look out for. No idea where all the servers are located, but... any odd user agents in there?
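The check the two comments above describe, a legitimate admin request that is repeated moments later from a different client IP, plus a look at which user agents touch the admin URLs, can be automated over the access log. The script below is an added example for this thread, not code from the original post, Magento or Cloudflare. It assumes NGINX "combined" log format; the admin front name `backend_x7`, the `/key/<hex>/` URL shape, the IP addresses and the log lines are constructed placeholders, and the 300-second replay window is an assumed threshold. In the original poster's case the blocked requests never reached NGINX, so the same logic would have to run over whatever log does see them (for example an exported edge log with the same fields).

```python
import re
from datetime import datetime

# Constructed sample lines in NGINX "combined" log format; not real traffic.
# "backend_x7" and the key values are placeholders standing in for a custom
# Magento admin front name and per-session secret keys.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2023:14:02:11 +0000] "GET /backend_x7/sales/order/index/key/abc123def456/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/110.0"
203.0.113.10 - - [10/Mar/2023:14:02:12 +0000] "GET /static/version1/frontend/css/styles.css HTTP/1.1" 200 880 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/110.0"
198.51.100.77 - - [10/Mar/2023:14:02:19 +0000] "GET /backend_x7/sales/order/index/key/abc123def456/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (compatible; ExampleCloudScanner/1.0)"
203.0.113.10 - - [10/Mar/2023:14:05:40 +0000] "GET /backend_x7/catalog/product/index/key/0f9e8d7c6b5a/ HTTP/1.1" 200 6200 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/110.0"
203.0.113.10 - - [10/Mar/2023:14:45:01 +0000] "GET /backend_x7/catalog/product/index/key/0f9e8d7c6b5a/ HTTP/1.1" 200 6200 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/110.0"
"""

# NGINX "combined" format: ip - user [time] "method path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed shape of an admin URL carrying a session key (placeholder front name).
ADMIN_RE = re.compile(r"^/backend_x7/.*/key/[0-9a-f]+/")


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": int(m["status"]),
            "ua": m["ua"],
        })
    return entries


def find_replays(entries, window_seconds=300):
    """Report admin URLs that a second client IP requests shortly after the
    first client that used them. The first requester is treated as the
    legitimate origin; a different IP inside the window is a replay."""
    by_path = {}
    for e in entries:
        if ADMIN_RE.match(e["path"]):
            by_path.setdefault(e["path"], []).append(e)
    findings = []
    for path, reqs in by_path.items():
        reqs.sort(key=lambda e: e["ts"])
        origin = reqs[0]
        for later in reqs[1:]:
            delay = (later["ts"] - origin["ts"]).total_seconds()
            if later["ip"] != origin["ip"] and delay <= window_seconds:
                findings.append({
                    "path": path,
                    "origin_ip": origin["ip"],
                    "replay_ip": later["ip"],
                    "delay_seconds": int(delay),
                    "replay_ua": later["ua"],
                    "status": later["status"],
                })
    return findings


def agents_by_ip(entries):
    """Map each client IP that touched an admin URL to the user agents it sent,
    so unexpected scanners or archival bots stand out next to real browsers."""
    out = {}
    for e in entries:
        if ADMIN_RE.match(e["path"]):
            out.setdefault(e["ip"], set()).add(e["ua"])
    return out


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for f in find_replays(log):
        print(f"replay of {f['path']} from {f['replay_ip']} "
              f"{f['delay_seconds']}s after {f['origin_ip']} (UA: {f['replay_ua']})")
    for ip, uas in agents_by_ip(log).items():
        print(ip, sorted(uas))
```

On the constructed sample the script flags one replay: the key-bearing order page fetched by `203.0.113.10` is requested eight seconds later by `198.51.100.77` with a scanner-style user agent, while the product page, fetched twice by the same IP, is not reported. Run against a real log, pair each finding with the user who owns the key to see whether one workstation or all of them show the pattern, which is the split the earlier comment asked about.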