Today my honeypot has been capturing scans for the Hazelcast REST API. I checked my logs for the past 2 years and these only started today. The last vulnerability published for Hazelcast was CVE-2018-10654 and related to "There is a Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3."[3]
There was some discussion regarding this issue at the end of Sep 2019 that got fixed at the end of Nov 2019 [5] where /hazelcast/rest/cluster HTTP endpoint returns HTTP 500 status. If you are seeing similar discovery scans and when they started, we would like to hear from you.

[1] https://docs.hazelcast.org/docs/management-center/3.9.2/manual/html/Clustered_REST_via_Management_Center.html

Guy 523 Posts ISC Handler Feb 29th 2020
I show requests for that URL on Feb 13 and Feb 15
111.206.52.81 - - [13/Feb/2020:19:39:41 +0000] "GET /hazelcast/rest/cluster HTTP/1.0" 302 229 "-" "-"
27.115.124.74 - - [15/Feb/2020:17:58:20 +0000] "GET /hazelcast/rest/cluster HTTP/1.0" 302 239 "-" "-"
These requests were directed to port 80 on my server.
Anonymous, Feb 29th 2020
Can confirm, starting on Feb 16th with surprisingly random-seeming destination ports: 31472, 9200, 5984, 11211, 2375, 44818, 27017, 8087, 2480 in 9 probes, so not 1 unique destination port. All 9 requests were "GET /hazelcast/rest/cluster".
Ron 17 Posts, Mar 1st 2020
Got here also:
/var/log/apache2/access.log:111.206.250.230 - - - [22/Feb/2020:19:23:55 -0300] "GET /hazelcast/rest/cluster HTTP/1.0" 404 360 "-" "-"
witz2 4 Posts, Mar 2nd 2020
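For readers who want to check their own access logs for these probes and see when they started, here is an added example that is not part of the original diary or its comments. It parses Apache-style log lines, tolerates the grep filename prefix and extra field seen in the lines posted above, and reports the first sighting per source in UTC; the function names, the prefix match on /hazelcast/rest/ and the last two sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote, urlsplit

# First three lines are the ones posted in this thread; the last two are constructed.
SAMPLE = [
    '111.206.52.81 - - [13/Feb/2020:19:39:41 +0000] "GET /hazelcast/rest/cluster HTTP/1.0" 302 229 "-" "-"',
    '27.115.124.74 - - [15/Feb/2020:17:58:20 +0000] "GET /hazelcast/rest/cluster HTTP/1.0" 302 239 "-" "-"',
    '/var/log/apache2/access.log:111.206.250.230 - - - [22/Feb/2020:19:23:55 -0300] '
    '"GET /hazelcast/rest/cluster HTTP/1.0" 404 360 "-" "-"',
    '198.51.100.7 - - [16/Feb/2020:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '111.206.52.81 - - [14/Feb/2020:01:02:03 +0100] "GET /hazelcast/rest/cluster?x=1 HTTP/1.0" 302 229 "-" "-"',
]

# search() rather than match() so a grep "file:" prefix is tolerated; the lazy
# group absorbs however many ident/user fields sit between the IP and the timestamp.
LINE_RE = re.compile(
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?:\S+ )+?\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
PREFIX = "/hazelcast/rest/"  # assumption: any endpoint under the REST root counts

def find_probes(lines):
    """Return sorted (utc_time, source, path, status) for each Hazelcast REST request."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        # Drop the query string and undo percent-encoding before comparing paths.
        path = unquote(urlsplit(m["target"]).path).lower()
        if not path.startswith(PREFIX):
            continue
        # Normalise to UTC so logs from servers in different zones line up.
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        hits.append((when, m["src"], path, int(m["status"])))
    return sorted(hits)

def first_seen(lines):
    """Map each source address to (first UTC sighting, probe count)."""
    seen = {}
    for when, src, _path, _status in find_probes(lines):
        first, count = seen.get(src, (when, 0))
        seen[src] = (min(first, when), count + 1)
    return seen

if __name__ == "__main__":
    for src, (first, count) in sorted(first_seen(SAMPLE).items(), key=lambda kv: kv[1]):
        print(f"{first:%Y-%m-%d %H:%M:%S}Z  {src:<16} probes={count}")
```

To run it against a real log, pass an open file object to `first_seen` in place of `SAMPLE`.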