Preface

In order to help everyone understand and master knowledge , Fantasy companies and hackers , The following stories are fictional , any similarity , Purely coincidental .

Honeypot perception

One day I was fishing in the office , Suddenly, I found a scanning perception message on the honeypot platform （192.168.10.78 The host scans other hosts in the same network segment ）, I was shocked , Normal people will not know the address of the honeypot , I won't scan the port of the honeypot .

Log analysis

After talking to the master, I felt more and more wrong , immediately 192.168.10.78 The host is offline isolated , Then get up and go with the master to see the log record of this machine .

The log records found are roughly as follows ：

nginx See the master's article for the log format of ：https://blog.csdn.net/LJFPHP/article/details/78484889

You can roughly read the following information ：
client ip：192.168.10.5
Request mode ：GET
Request path ：/xxx/xxxxxxxx?
Return code ：200
Return packet bytes ：23143
X_Forwarded-For IP Address ：1.2.3.4
The guess of this address is that the hacker is real ip

waf Interception record analysis

See the customer ip yes 192.168.10.5, Guess this is a reverse agent , The hacker hit the machine of reverse proxy , Mapped by reverse proxy to 192.168.10.78 On the machine .

Then go to waf It looks up 192.168.10.5 The record of being attacked , The following example is a waf Interface ( Fictitious ), There are about 2000 records , Various attack methods have been tried ……

The attacker ip And indeed 1.2.3.4

Reverse proxy article ：https://blog.csdn.net/zhanjie2009/article/details/122763758

Attack chain analysis

Hackers found an external service website of the company , Test it , tried 2k After that, I called in according to a loophole recurrence article , Reached the intranet 192.168.10.78 On the machine , Then raise the right 、 Intranet traverse 、 Domain control

Unfortunately, I accidentally swept the honeypot during the traverse of the intranet , Cause to be found