
Unauthorized access attempts to sensitive files (error_log, .env, etc.) across multiple paths #124

Closed
DiegoRatto opened this issue Dec 9, 2024 · 1 comment
Assignees
Labels
level/task (Task issue), type/troubleshooting (Troubleshooting issue)

Comments

@DiegoRatto
Member

DiegoRatto commented Dec 9, 2024

Description

While performing wazuh/wazuh#27180 (comment), multiple unauthorized access attempts (HTTP error code 401) are being logged for sensitive files, such as error logs (error_log) and configuration files (.env). These attempts include access to common paths and other critical locations, such as /wp-content/, /errors/, and /wp-includes/. The logs indicate that these requests are coming from the same IP address (51.222.26.42) and using an outdated browser (Chrome 56).

Dec 09 03:01:45 wazuh-server opensearch-dashboards[11129]: {"type":"response","@timestamp":"2024-12-09T03:01:45Z","tags":[],"pid":11129,"method":"get","statusCode":401,"req":{"url":"/errors/.env","method":"get","headers":{"host":"34.207.220.229","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36","accept":"*/*"},"remoteAddress":"51.222.26.42","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"},"res":{"statusCode":401,"responseTime":1,"contentLength":9},"message":"GET /errors/.env 401 1ms - 9.0B"}

Dec 09 03:03:04 wazuh-server opensearch-dashboards[11129]: {"type":"response","@timestamp":"2024-12-09T03:03:04Z","tags":[],"pid":11129,"method":"get","statusCode":401,"req":{"url":"/wp-content/uploads/error_log","method":"get","headers":{"host":"34.207.220.229","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36","accept":"*/*"},"remoteAddress":"51.222.26.42","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"},"res":{"statusCode":401,"responseTime":0,"contentLength":9},"message":"GET /wp-content/uploads/error_log 401 0ms - 9.0B"}

Dec 09 03:03:04 wazuh-server opensearch-dashboards[11129]: {"type":"response","@timestamp":"2024-12-09T03:03:04Z","tags":[],"pid":11129,"method":"get","statusCode":401,"req":{"url":"/error_log","method":"get","headers":{"host":"34.207.220.229","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36","accept":"*/*"},"remoteAddress":"51.222.26.42","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"},"res":{"statusCode":401,"responseTime":1,"contentLength":9},"message":"GET /error_log 401 1ms - 9.0B"}

Dec 09 03:03:04 wazuh-server opensearch-dashboards[11129]: {"type":"response","@timestamp":"2024-12-09T03:03:04Z","tags":[],"pid":11129,"method":"get","statusCode":401,"req":{"url":"/wp-content/plugins/plugin-name/error_log","method":"get","headers":{"host":"34.207.220.229","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36","accept":"*/*"},"remoteAddress":"51.222.26.42","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"},"res":{"statusCode":401,"responseTime":0,"contentLength":9},"message":"GET /wp-content/plugins/plugin-name/error_log 401 0ms - 9.0B"}

Dec 09 03:03:04 wazuh-server opensearch-dashboards[11129]: {"type":"response","@timestamp":"2024-12-09T03:03:04Z","tags":[],"pid":11129,"method":"get","statusCode":401,"req":{"url":"/logs/wp-content/uploads/error_log","method":"get","headers":{"host":"34.207.220.229","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36","accept":"*/*"},"remoteAddress":"51.222.26.42","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"},"res":{"statusCode":401,"responseTime":1,"contentLength":9},"message":"GET /logs/wp-content/uploads/error_log 401 1ms - 9.0B"}

Dec 09 03:03:04 wazuh-server opensearch-dashboards[11129]: {"type":"response","@timestamp":"2024-12-09T03:03:04Z","tags":[],"pid":11129,"method":"get","statusCode":401,"req":{"url":"/logs/error.log","method":"get","headers":{"host":"34.207.220.229","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36","accept":"*/*"},"remoteAddress":"51.222.26.42","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"},"res":{"statusCode":401,"responseTime":0,"contentLength":9},"message":"GET /logs/error.log 401 0ms - 9.0B"}

Dec 09 03:03:04 wazuh-server opensearch-dashboards[11129]: {"type":"response","@timestamp":"2024-12-09T03:03:04Z","tags":[],"pid":11129,"method":"get","statusCode":401,"req":{"url":"/logs/wp-content/themes/theme-name/error_log","method":"get","headers":{"host":"34.207.220.229","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36","accept":"*/*"},"remoteAddress":"51.222.26.42","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"},"res":{"statusCode":401,"responseTime":1,"contentLength":9},"message":"GET /logs/wp-content/themes/theme-name/error_log 401 1ms - 9.0B"}

Dec 09 03:03:04 wazuh-server opensearch-dashboards[11129]: {"type":"response","@timestamp":"2024-12-09T03:03:04Z","tags":[],"pid":11129,"method":"get","statusCode":401,"req":{"url":"/logs/wp-content/plugins/plugin-name/error_log","method":"get","headers":{"host":"34.207.220.229","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36","accept":"*/*"},"remoteAddress":"51.222.26.42","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"},"res":{"statusCode":401,"responseTime":1,"contentLength":9},"message":"GET /logs/wp-content/plugins/plugin-name/error_log 401 1ms - 9.0B"}

Dec 09 03:03:04 wazuh-server opensearch-dashboards[11129]: {"type":"response","@timestamp":"2024-12-09T03:03:04Z","tags":[],"pid":11129,"method":"get","statusCode":401,"req":{"url":"/administrator/logs/error_log","method":"get","headers":{"host":"34.207.220.229","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36","accept":"*/*"},"remoteAddress":"51.222.26.42","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"},"res":{"statusCode":401,"responseTime":1,"contentLength":9},"message":"GET /administrator/logs/error_log 401 1ms - 9.0B"}

Dec 09 03:03:04 wazuh-server opensearch-dashboards[11129]: {"type":"response","@timestamp":"2024-12-09T03:03:04Z","tags":[],"pid":11129,"method":"get","statusCode":401,"req":{"url":"/administrator/logs/error.php","method":"get","headers":{"host":"34.207.220.229","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36","accept":"*/*"},"remoteAddress":"51.222.26.42","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"},"res":{"statusCode":401,"responseTime":1,"contentLength":9},"message":"GET /administrator/logs/error.php 401 1ms - 9.0B"}

Dec 09 03:03:04 wazuh-server opensearch-dashboards[11129]: {"type":"response","@timestamp":"2024-12-09T03:03:04Z","tags":[],"pid":11129,"method":"get","statusCode":401,"req":{"url":"/var/logs/error.log","method":"get","headers":{"host":"34.207.220.229","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36","accept":"*/*"},"remoteAddress":"51.222.26.42","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"},"res":{"statusCode":401,"responseTime":1,"contentLength":9},"message":"GET /var/logs/error.log 401 1ms - 9.0B"}

Dec 09 03:03:04 wazuh-server opensearch-dashboards[11129]: {"type":"response","@timestamp":"2024-12-09T03:03:04Z","tags":[],"pid":11129,"method":"get","statusCode":401,"req":{"url":"/sites/default/error_log","method":"get","headers":{"host":"34.207.220.229","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36","accept":"*/*"},"remoteAddress":"51.222.26.42","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"},"res":{"statusCode":401,"responseTime":1,"contentLength":9},"message":"GET /sites/default/error_log 401 1ms - 9.0B"}

Sample Requests

  • /wp-content/error_log - Response 401
  • /wp-content/uploads/error_log - Response 401
  • /wp-content/themes/theme-name/error_log - Response 401
  • /errors/.env - Response 401
  • /error/.env - Response 401

Additional Details:

  • HTTP Method: GET
  • Response Code: 401 (Unauthorized)
  • IP Address: 51.222.26.42
  • User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
  • Response Times: Most requests show very fast response times, indicating little processing or that many requests are being sent in quick succession.
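One way to triage traffic like the journal lines quoted above, added here as an example and not code from the Wazuh project: it parses the opensearch-dashboards response records out of the journald prefix, groups them by remoteAddress, and flags a client that probes several sensitive paths (.env, error_log, error.log) or sends a burst of requests inside one time window. The sample lines are constructed to mirror the issue's log format (JSON trimmed to the fields used), and the 10.0.0.5 address, the user-agent strings and the thresholds are assumptions for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# journald prefix ("Dec 09 03:01:45 host unit[pid]: ") followed by the dashboards JSON record
JOURNAL_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<unit>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<json>\{.*\})$'
)

# Paths that a legitimate dashboard client never requests; matched on the URL path only.
SENSITIVE_PATTERNS = [
    ("dotenv", re.compile(r'(^|/)\.env(\.[^/]*)?$')),
    ("error_log", re.compile(r'(^|/)error[_.]log$')),
]

def _journal_line(ts, ip, url, status, ua, length):
    """Build one constructed log line in the same shape as the issue's journal output."""
    record = {
        "type": "response", "@timestamp": ts, "method": "get", "statusCode": status,
        "req": {"url": url, "method": "get",
                "headers": {"host": "34.207.220.229", "user-agent": ua, "accept": "*/*"},
                "remoteAddress": ip},
        "res": {"statusCode": status, "responseTime": 1, "contentLength": length},
        "message": f"GET {url} {status} 1ms - {length}B",
    }
    stamp = datetime.fromisoformat(ts.replace("Z", "+00:00")).strftime("%b %d %H:%M:%S")
    return f"{stamp} wazuh-server opensearch-dashboards[11129]: {json.dumps(record)}"

_SCANNER_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 Chrome/56.0.2924.87"
_BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/130.0"  # assumed benign client

# Constructed sample: the scanner's probes from the issue plus one ordinary login page hit.
SAMPLE_LOG = [
    _journal_line("2024-12-09T03:01:45Z", "51.222.26.42", "/errors/.env", 401, _SCANNER_UA, 9),
    _journal_line("2024-12-09T03:03:04Z", "51.222.26.42", "/wp-content/uploads/error_log", 401, _SCANNER_UA, 9),
    _journal_line("2024-12-09T03:03:04Z", "51.222.26.42", "/error_log", 401, _SCANNER_UA, 9),
    _journal_line("2024-12-09T03:03:04Z", "51.222.26.42", "/logs/error.log", 401, _SCANNER_UA, 9),
    _journal_line("2024-12-09T03:03:04Z", "51.222.26.42", "/administrator/logs/error_log", 401, _SCANNER_UA, 9),
    _journal_line("2024-12-09T03:03:04Z", "51.222.26.42", "/sites/default/error_log", 401, _SCANNER_UA, 9),
    _journal_line("2024-12-09T03:03:10Z", "10.0.0.5", "/app/login", 200, _BROWSER_UA, 4096),
]

def parse_line(line):
    """Return the fields we need from one journal line, or None if it is not a response record."""
    m = JOURNAL_RE.match(line.strip())
    if not m:
        return None
    try:
        body = json.loads(m.group("json"))
    except json.JSONDecodeError:
        return None
    if body.get("type") != "response":
        return None
    req = body.get("req", {})
    ts = body.get("@timestamp", "").replace("Z", "+00:00")
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": req.get("remoteAddress", "unknown"),
        "url": req.get("url", ""),
        "status": body.get("statusCode"),
        "ua": req.get("headers", {}).get("user-agent", ""),
    }

def sensitive_tags(url):
    """Names of the sensitive-path patterns the request path matches (query string ignored)."""
    path = url.split("?", 1)[0]
    return [name for name, rx in SENSITIVE_PATTERNS if rx.search(path)]

def max_burst(timestamps, window_seconds):
    """Largest number of requests falling inside any sliding window of window_seconds."""
    ts = sorted(timestamps)
    best, left = 0, 0
    for right in range(len(ts)):
        while (ts[right] - ts[left]).total_seconds() > window_seconds:
            left += 1
        best = max(best, right - left + 1)
    return best

def summarize(lines, window_seconds=60, burst_threshold=5, sensitive_threshold=3):
    """Per-client summary; 'flagged' marks clients that look like a file-disclosure scan."""
    per_ip = defaultdict(lambda: {"requests": 0, "unauthorized": 0, "sensitive": 0,
                                  "urls": set(), "timestamps": [], "user_agents": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = per_ip[ev["ip"]]
        s["requests"] += 1
        s["unauthorized"] += ev["status"] in (401, 403)
        s["sensitive"] += bool(sensitive_tags(ev["url"]))
        s["urls"].add(ev["url"])
        s["timestamps"].append(ev["ts"])
        s["user_agents"].add(ev["ua"])
    report = {}
    for ip, s in per_ip.items():
        burst = max_burst(s["timestamps"], window_seconds)
        report[ip] = {
            "requests": s["requests"], "unauthorized": s["unauthorized"],
            "sensitive": s["sensitive"], "distinct_urls": len(s["urls"]),
            "user_agents": sorted(s["user_agents"]), "max_burst": burst,
            "flagged": s["sensitive"] >= sensitive_threshold or burst >= burst_threshold,
        }
    return report

if __name__ == "__main__":
    for ip, row in summarize(SAMPLE_LOG).items():
        print(ip, row)
```

Feeding the real journal (for example `journalctl -u opensearch-dashboards --no-pager`) into `summarize` line by line gives the same per-address table; the 401 itself is the expected answer for an unauthenticated request, so the signal worth alerting on is the path pattern and the rate, not the status code.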
c-bordon self-assigned this Dec 9, 2024
c-bordon added the level/task (Task issue) and type/troubleshooting (Troubleshooting issue) labels Dec 9, 2024
@c-bordon
Member

c-bordon commented Dec 9, 2024

These messages are in a way expected: the test machines are exposed to the public network, which means they can receive some attacks. The messages indicate a connection attempt with incorrect credentials, and the message is not an error.

This configuration will not be modified from DevOps. The test machines are ephemeral and do not require any additional configuration to avoid this type of behavior at the moment.

c-bordon closed this as not planned (won't fix, can't repro, duplicate, stale) Dec 9, 2024
wazuhci moved this to Done in Release 4.10.0 Dec 9, 2024

2 participants