Compromised parlament.gov.rs | rik.parlament.gov.rs, probarik.esolutions.rs
#1
Someone is selling access to the parlament.gov.rs server, highest privileges.


There is no patch for stupidity - Kevin Mitnick
#2
The apache user ID is not exactly privileged; typically it doesn't even have shell access but is set to /sbin/nologin or something similar.

That is why this web shell is being sold, which, if I had to guess, was probably installed through some vulnerability in the site itself that allowed a file to be downloaded from an arbitrary location into the site's folder, which is then easily accessed from the browser.

In any case, a very serious vulnerability.
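The check a defender would run on a box like the one described above, as an added example that is not part of the original post or of any code from the affected site: a Python script that walks a web root for PHP files combining an execution primitive with request input or obfuscation (the shape of a dropped web shell), and parses /etc/passwd text to confirm whether the web server account really has a login shell. The two PHP files and the passwd line used in demo() are constructed; the directory names, scoring thresholds and regex lists are assumptions for illustration.

```python
"""Hunt for a dropped web shell in a web root and check the service account.

Added example for this thread, not code from the forum or from the affected
site. The PHP files and passwd text used below are constructed.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Primitives that turn attacker-controlled text into code or a process.
EXEC_FUNCS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
# Typical wrappers used to hide the payload from a plain grep.
OBFUSCATION = re.compile(
    r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# Request data reaching the file at all.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


@dataclass
class Finding:
    path: str
    score: int
    reasons: List[str] = field(default_factory=list)


def score_php_source(src: str) -> Tuple[int, List[str]]:
    """Heuristic score for one PHP source text; 3 or more is worth a look."""
    score, reasons = 0, []
    if EXEC_FUNCS.search(src):
        score += 2
        reasons.append("execution primitive")
    if OBFUSCATION.search(src):
        score += 1
        reasons.append("obfuscation")
    if REQUEST_INPUT.search(src):
        score += 1
        reasons.append("request input")
    # A tiny file that already executes something is the classic dropper shape.
    if len(src) < 400 and score >= 2:
        score += 1
        reasons.append("very short file")
    return score, reasons


def hunt_webroot(root: str, threshold: int = 3) -> List[Finding]:
    """Walk `root` and return PHP files scoring at or above `threshold`."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue
            score, reasons = score_php_source(src)
            if score >= threshold:
                findings.append(Finding(path, score, reasons))
    return sorted(findings, key=lambda f: -f.score)


def account_has_login_shell(passwd_text: str, user: str = "apache") -> Optional[bool]:
    """Parse passwd(5) text: True if `user` has a usable shell, False for
    nologin or /bin/false, None if the account is not present."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            shell = fields[6].strip()
            return not (shell == "" or shell.endswith("nologin") or shell.endswith("/false"))
    return None


def demo() -> List[Finding]:
    """Constructed web root: a benign page plus a shell dropped under uploads/."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>")
    with open(os.path.join(root, "uploads", "img.php"), "w") as fh:
        fh.write("<?php @eval(base64_decode($_POST['x'])); ?>")
    return hunt_webroot(root)


if __name__ == "__main__":
    for f in demo():
        print(f.score, f.path, ", ".join(f.reasons))
    # Constructed passwd line in the usual RHEL shape for the apache account.
    print("apache has login shell:", account_has_login_shell(
        "apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin\n"))
```

The score is deliberately coarse: a file under uploads/ that does nothing but eval decoded POST data lights up every rule, while a normal page that merely echoes a sanitized GET parameter stays well under the threshold. On a real host the same walk would be run against the actual DocumentRoot, and hits should be compared with the site's deployment manifest or package list before anything is deleted.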
#3
That probably also means the others have been compromised in a similar way, or will be: https://www.esolutions.rs/klijenti/. This one, for example, is definitely theirs too: https://bezbedanbalkan.net/thread-811-po...la#pid2173.

   
“If you think you are too small to make a difference, try sleeping with a mosquito.” - Dalai Lama XIV
#4
If we go to https://securitytrails.com/list/apex_dom...ent.gov.rs, we see only a couple of domains at Mainstream doo (from the picture above, *m.ha.rs):

rik.parlament.gov.rs       probarik.esolutions.rs   92.249.52.143
test.rik.parlament.gov.rs  rik.ha.rs                92.249.52.143
www.rik.parlament.gov.rs   rik.ha.rs                92.249.52.143
api.rik.parlament.gov.rs   rikapi.ha.rs             92.249.52.152
#5
There are some interesting traces here as well: https://platform.socradar.com/app/threat...ent.gov.rs

Infected Device - Accounts for "parlament.gov.rs" were observed for sale on the Russian Market, On May 02, 2023


Code:
{
    "country": "RS",
    "date": "2023.04.25",
    "files": "archive.zip",
    "id": "10632084",
    "isp": "Sat-Trakt D.O.O.",
    "links": [
        "10.117.108.20",
        "10.117.2.1",
        "10.117.2.21",
        "10.117.2.211",
        "10.117.2.23",
        "10.117.2.253",
        "10.117.2.26",
        "10.117.2.5",
        "127.0.0.1",
        "188.93.126.42",
        "192.168.0.1",
        "192.168.0.106",
        "192.168.0.11",
        "192.168.0.2",
        "192.168.0.21",
        "192.168.0.3",
        "192.168.0.5",
        "192.168.0.50",
        "192.168.1.1",
        "192.168.1.10",
        "192.168.1.100",
        "192.168.1.2",
        "192.168.10.208",
        "192.168.101.1",
        "192.168.11.3",
        "192.168.111.1",
        "192.168.2.1",
        "192.168.2.21",
        "192.168.2.253",
        "192.168.2.26",
        "192.168.2.40",
        "192.168.2.41",
        "192.168.2.5",
        "192.168.200.1",
        "192.168.44.1",
        "192.168.44.11",
        "192.168.44.2",
        "192.168.44.222",
        "192.168.44.226",
        "192.168.44.227",
        "192.168.44.3",
        "192.168.44.6",
        "192.168.44.91",
        "192.168.45.1",
        "192.168.45.15",
        "1fichier.com",
        "212.200.91.145",
        "2baksa.net",
        "5kforchange.org",
        "87.237.205.155",
        "87.237.205.239",
        "91.102.231.142",
        "a1.rs",
        "account.booking.com",
        "account.live.com",
        "account.nexiuslearning.com",
        "account.protonvpn.com",
        "account.qnap.com",
        "account.samsung.com",
        "accounts.alluc.ee",
        "accounts.google.com",
        "accounts.lidl.com",
        "accounts.spotify.com",
        "activate.hbomax.com",
        "airdroid.sand.com",
        "aliexpress.com",
        "aliexpresshd.alibaba.com",
        "app.plex.tv",
        "apps.spiceworks.com",
        "appsrviti-pri",
        "asmp.a1.rs",
        "astroconquest.com",
        "auth.dpass.us.deloitte.com",
        "auth.wetransfer.com",
        "balkandownload.org",
        "becej.rs",
        "best.aliexpress.com",
        "bithorlo.info",
        "bl.flirthits.com",
        "buyspotify.net",
        "cert.rs",
        "coursehero.com",
        "cp10.cpanelhosting.rs",
        "cpanel.pikbecej.mycpanel.rs",
        "crm.lpa.gov.rs",
        "crm.mi-system.co.rs",
        "crowarez.org",
        "customerconnect.vmware.com",
        "deezer.com",
        "demonoid.info",
        "demonoid.is",
        "demos.telerik.com",
        "discord.com",
        "dl.reg.163.com",
        "domaci.de",
        "dropbox.com",
        "ecd.rs",
        "edit.duplexiptv.com",
        "edit.duplexplay.com",
        "elms.ftn.uns.ac.rs",
        "english-online.rs",
        "englishclass101.com",
        "eon.tv",
        "erofishki.cc",
        "ers.alsu.gov.rs",
        "esalter.rgz.gov.rs",
        "etarskaibiljnaulja.rs",
        "euprava.gov.rs",
        "eventim.rs",
        "exchange.ecd.rs",
        "facebook.com",
        "filmezz.co",
        "filmezz.eu",
        "findmymobile.samsung.com",
        "fitpro.xiaofengkj.cn",
        "forum.benchmark.rs",
        "forum.iptvsmarters.com",
        "forum.titlovi.com",
        "forums.mydigitallife.net",
        "freelancer.com",
        "freetvall.com",
        "gateway.hbogo.rs",
        "github.com",
        "global.bittrex.com",
        "gpspower.net",
        "gpsurl.com",
        "grammarly.com",
        "hbomax.com",
        "helpdesk.pksca.rs",
        "herba-srbija.com",
        "herbalfun.net",
        "hungarianpod101.com",
        "i.btc.com",
        "ibm.com",
        "id7.cloud.huawei.com",
        "ims.bentley.com",
        "informator.eu.meteorapp.com",
        "informator.poverenik.rs",
        "instagram.com",
        "istcapi.stat.gov.rs",
        "jnportal.ujn.gov.rs",
        "katana.facebook.com",
        "kinozal.tv",
        "knjigoteka.org",
        "kupujemprodajem.com",
        "lexonline.paragraf.rs",
        "lilplay.com",
        "listing.telekom.rs",
        "livesports-pass.com",
        "livetv.sx",
        "localhost",
        "login.aliexpress.com",
        "login.live.com",
        "login.microsoftonline.com",
        "login.opendns.com",
        "login.oracle.com",
        "login.skype.com",
        "login.teamviewer.com",
        "login.tidal.com",
        "login.yahoo.com",
        "lutrija.rs",
        "m.facebook.com",
        "mail.mk-group.org",
        "mega.nz",
        "megasrbija.com",
        "mkonekt.mk-group.org",
        "mobile.support.huawei.com",
        "moj.mts.rs",
        "moj.stcable.net",
        "mojsbb.rs",
        "mojtv.net",
        "mojvip2.vipmobile.rs",
        "morahalomkartya.hu",
        "mts.rs",
        "music.spotify.com",
        "my.anydesk.com",
        "my.eunet.rs",
        "my.eunethosting.com",
        "my.vmware.com",
        "myaccount.google.com",
        "myqnapcloud.com",
        "ncore.cc",
        "ncore.pro",
        "netacademia.hu",
        "netflix.com",
        "netiks.rs",
        "nitro.download",
        "nitroflare.com",
        "noip.com",
        "novinarnica.net",
        "novinarnica.plus",
        "nulled.ch",
        "nulledbb.com",
        "online-prodaja.ribbon-cms.com",
        "opensubtitles.org",
        "opinionstage.com",
        "ottplayer.tv",
        "outlook.office.microsoft.com",
        "panel.paragraf.rs",
        "passport.alibaba.com",
        "passport.aliexpress.com",
        "performancemanager.successfactors.eu",
        "plagiarisma.net",
        "play.hbomax.com",
        "pod2.stat.gov.rs",
        "portal.mcloud.rs",
        "pos.ite.gov.rs",
        "potisje-becej.rs",
        "prijemni.ftn.uns.ac.rs",
        "privreda.becej.rs",
        "profile.oracle.com",
        "propissoft.profisistem.rs",
        "prva.rs",
        "radiobalkanmusic.com",
        "radiosumadinac.org",
        "realfishki.net",
        "redmine.mk-group.org",
        "reid.apr.gov.rs",
        "rik.parlament.gov.rs",
        "rookplay.com",
        "rs.jooble.org",
        "rtsplaneta.rs",
        "rutracker.org",
        "sap.com",
        "sapgw.mk-group.org",
        "satelitskiforum.com",
        "sbb.rs",
        "scribd.com",
        "secure.sorbs.net",
        "serbianforum.org",
        "serije.online",
        "servisi.pio.rs",
        "shoppingcart.aliexpress.com",
        "signup.liltmedia.com",
        "signup.live.com",
        "signup.lunemedia.com",
        "signup.opendns.com",
        "skupstina.becej.rs",
        "skyshowtime.com",
        "smboemi.com",
        "sorozatbarat.online",
        "speedtest.net",
        "sportsaccess.se",
        "spotify.com",
        "sr-rs.facebook.com",
        "ssluzba.ftn.uns.ac.rs",
        "sso.blic.rs",
        "stamparijapokloni.com",
        "stripotekaforum.com",
        "sts.mk-group.org",
        "sttv.stcable.net",
        "support.smart.rs",
        "surveys.kornferry.com",
        "test.becej.rs",
        "thetradersden.org",
        "thirdparty.aliexpress.com",
        "timetracking.oblaci.rs",
        "tmkeep.mk-group.org",
        "tncore.com",
        "tobecej1.mycpanel.rs"
        "tobecej1.mycpanel.rs",
        "torrenthr.org",
        "trakt.tv",
        "trust.zone",
        "turbobit.net",
        "twirpx.com",
        "ucinak.skgo.org",
        "uk-it.us",
        "uniportal.huawei.com",
        "uploadable.ch",
        "uptobox.com",
        "us04web.zoom.us",
        "users.iptvsmarters.com",
        "vidbliss.com",
        "videohouse.me",
        "vk.com",
        "vsetutonline.com",
        "warez-bb.org",
        "warezhr.org",
        "webapi1.srbvoz.rs",
        "webmail.becej.rs",
        "webmail.eunet.rs",
        "webmail.stcable.net",
        "webmail.yunet.rs",
        "webplayer.stcable.tv",
        "winwin.rs",
        "wp.2baksa.net",
        "yts.lt",
        "yts.mx",
        "yubraca.net",
        "zeroboard.org",
        "zoom.us",
        "ztracker.org",
       "192.168.0.1",

    ],
    "outlook": "-",
    "price": "10.00",
    "province": "Vojvodina",
    "size": "0.17Mb",
    "stealer": "Racoon ",
    "vendor": "M5####te bronze"
}

{
    "country": "RS",
    "date": "2023.04.28",
    "files": "archive.zip",
    "id": "10598929",
    "isp": "CETIN Ltd. Belgrade",
    "links": [
        "aleksinac.org",
        "rik.parlament.gov.rs",
        "pod2.stat.gov.rs",
        "pod2.stat.gov.rs",
        "aleksinac.org",
        "192.168.0.1",
        "192.168.20.27",
        "lokalnesamouprave.abs.gov.rs",
        "aleksinac.org",
        "telenor.rs"
    ],
    "outlook": "-",
    "price": "10.00",
    "province": "Nisava",
    "size": "0.31Mb",
    "stealer": "Racoon ",
    "vendor": "Mo####yf [Diamond]"
}
#6
Is this some development server of the RIK (Republička Izborna Komisija)?

   
#7
On SOCRadar for esolutions.rs: https://platform.socradar.com/app/threat...lutions.rs

Infected Device - Accounts for "esolutions.rs" were observed for sale on the Russian Market, On Jul 03, 2023

Code:
{
    "country": "RS",
    "date": "2023.07.02",
    "files": "archive.zip",
    "id": "11455914",
    "isp": "Telenor d.o.o Beograd",
    "links": [
        "lms.napa.gov.rs",
        "pn2.propisi.net",
        "prijava.aul.gov.rs",
        "login.microsoftonline.com",
        "mre.esolutions.rs",
        "mre.esolutions.rs",
        "mre.esolutions.rs"
    ],
    "outlook": "-",
    "price": "10.00",
    "province": "Belgrade",
    "size": "0.05Mb",
    "stealer": "Racoon ",
    "vendor": "Mo####yf [Diamond]"
}

mre.esolutions.rs => 79.101.42.217 (lan01-telekom.esolutions.rs, riktest.parlament.gov.rs)
#8
Source: https://platform.socradar.com/app/threat...ent.gov.rs

Infected Device - Accounts for "parlament.gov.rs" were observed for sale on the Russian Market, On Oct 06, 2023

Code:
{
    "country": "RS",
    "date": "2023.10.04",
    "files": "archive.zip",
    "id": "12546808",
    "isp": "TELEKOM SRBIJA a.d.",
    "links": [
        "192.168.5.37",
        "ljubovija.rs",
        "informator.poverenik.rs",
        "canva.com",
        "accounts.spreadshirt.com",
        "teepublic.com",
        "redbubble.com",
        "pinterest.com",
        "mojaadresa.geosrbija.rs",
        "teespring.com",
        "auth0.openai.com",
        "facebook.com",
        "printify.com",
        "192.168.5.37",
        "auth.linktr.ee",
        "rik.parlament.gov.rs",
        "rik.parlament.gov.rs",
        "instagram.com",
        "teepublic.com",
        "zazzle.com",
        "accounts.amaze.co",
        "redbubble.com",
        "redbubble.com",
        "redbubble.com",
        "pinterest.com",
        "teepublic.com",
        "twitter.com"
    ],
    "outlook": "-",
    "price": "10.00",
    "province": "Macva",
    "size": "0.53Mb",
    "stealer": "risepro ",
    "vendor": "Observer [platinum]"
}


Infected Device - Accounts for "parlament.gov.rs" were observed for sale on the Russian Market, On Oct 04, 2023

Code:
{
    "country": "RS",
    "date": "2023.10.04",
    "files": "archive.zip",
    "id": "12519313",
    "isp": "TELEKOM SRBIJA a.d.",
    "links": [
        "192.168.5.37",
        "ljubovija.rs",
        "informator.poverenik.rs",
        "canva.com",
        "accounts.spreadshirt.com",
        "teepublic.com",
        "redbubble.com",
        "pinterest.com",
        "mojaadresa.geosrbija.rs",
        "teespring.com",
        "auth0.openai.com",
        "facebook.com",
        "printify.com",
        "192.168.5.37",
        "auth.linktr.ee",
        "rik.parlament.gov.rs",
        "rik.parlament.gov.rs",
        "instagram.com",
        "teepublic.com",
        "zazzle.com",
        "accounts.amaze.co",
        "redbubble.com",
        "redbubble.com",
        "redbubble.com",
        "pinterest.com",
        "teepublic.com",
        "twitter.com"
    ],
    "outlook": "-",
    "price": "10.00",
    "province": "Macva",
    "size": "0.33Mb",
    "stealer": "Redline ",
    "vendor": "sm####ez [platinum]"
}


Infected Device - Accounts for "rik.parlament.gov.rs" were observed for sale on the Russian Market, On May 28, 2023

Code:
{
    "country": "RS",
    "date": "2023.05.26",
    "files": "archive.zip",
    "id": "11031096",
    "isp": "TELEKOM-SRBIJA",
    "links": [
        "gpspower.net",
        "serbianforum.org",
        "gpsurl.com",
        "informator.poverenik.rs",
        "informator.poverenik.rs",
        "informator.poverenik.rs",
        "novi.kupujemprodajem.com",
        "accounts.google.com",
        "plan.acas.rs",
        "publicapp.acas.rs",
        "accounts.google.com",
        "rik.parlament.gov.rs",
        "rik.parlament.gov.rs",
        "mojsbb.rs"
    ],
    "outlook": "-",
    "price": "10.00",
    "province": "Belgrade",
    "size": "0.16Mb",
    "stealer": "Racoon ",
    "vendor": "Mo####yf [Diamond]"
}


Infected Device - Accounts for "rik.parlament.gov.rs" were observed for sale on the Russian Market, On Jan 19, 2023

Code:
{
    "country": "RS",
    "date": "2023.01.18",
    "files": "archive.zip",
    "id": "7995179",
    "isp": "TELEKOM SRBIJA a.d.",
    "links": [
        "192.168.1.218",
        "pixplus.ucloudcam.com",
        "asmp.a1.rs",
        "hiseese.ucloudcam.com",
        "rik.parlament.gov.rs",
        "jkpmilosmitrovic.rs",
        "asmp.a1.rs",
        "rik.parlament.gov.rs",
        "moj.esdnevnik.rs",
        "login.yahoo.com",
        "kupujemprodajem.com",
        "a41a.myqnapcloud.com",
        "petlja.org",
        "192.168.2.225",
        "192.168.2.41",
        "prijava.eid.gov.rs",
        "a21a.myqnapcloud.com",
        "velikaplana.rs",
        "reid.apr.gov.rs",
        "account.qnap.com",
        "demarkobend.com",
        "loopia.rs",
        "novi.kupujemprodajem.com",
        "signup.gmx.com",
        "spotify.com",
        "ecommerce.otpbanka.rs",
        "m.facebook.com",
        "192.168.2.100",
        "a11a.myqnapcloud.com",
        "accounts.google.com",
        "jkpmilosmitrovic.rs",
        "warez-v3.org",
        "mojsbb.rs",
        "account.box.com",
        "accounts.google.com",
        "mega.nz",
        "en.wikipedia.org",
        "accounts.google.com",
        "login.live.com",
        "teamos-hkrg.com",
        "teamos.xyz",
        "rutracker.org",
        "idmsa.apple.com",
        "forum.gsmhosting.com",
        "terabox.com",
        "account.live.com",
        "warez-bb.org",
        "puzo.org",
        "instagram.com",
        "eon.tv",
        "asmp.vipmobile.rs",
        "warez-v3.org",
        "192.168.2.234",
        "limundo.com",
        "rutracker.org",
        "appleid.apple.com",
        "sasomange.rs",
        "teamos.xyz",
        "help.steampowered.com",
        "teamos.xyz",
        "mega.nz",
        "forum.mobilism.org",
        "profile.oracle.com",
        "192.168.1.126",
        "mega.nz",
        "accounts.google.com",
        "192.168.2.1",
        "192.168.10.7",
        "192.168.1.230",
        "192.168.2.234",
        "192.168.2.158",
        "petlja.org",
        "192.168.1.216",
        "192.168.2.230",
        "192.168.2.114",
        "192.168.2.91",
        "accounts.google.com",
        "xmeye.net",
        "sr-rs.facebook.com",
        "facebook.com",
        "192.168.1.218",
        "pixplus.ucloudcam.com",
        "asmp.a1.rs",
        "hiseese.ucloudcam.com",
        "rik.parlament.gov.rs",
        "jkpmilosmitrovic.rs",
        "asmp.a1.rs",
        "rik.parlament.gov.rs",
        "moj.esdnevnik.rs",
        "login.yahoo.com",
        "kupujemprodajem.com",
        "a41a.myqnapcloud.com",
        "petlja.org",
        "192.168.2.225",
        "prijava.eid.gov.rs",
        "a21a.myqnapcloud.com",
        "velikaplana.rs",
        "reid.apr.gov.rs",
        "account.qnap.com",
        "demarkobend.com",
        "loopia.rs",
        "novi.kupujemprodajem.com"
    ],
    "outlook": "-",
    "price": "10.00",
    "province": "Rasina",
    "size": "0.12Mb",
    "stealer": "Racoon ",
    "vendor": "Mo####yf [Diamond]"
}
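The records quoted in posts #5, #7 and #8 all share the same fields (date, isp, links, stealer, vendor), so one script serves all of them. As an added example that is not code from the thread or from SOCRadar: it parses such records, tolerates the trailing-comma glitch visible in the first pasted record, deduplicates each links list, and reports which watched domains (or their subdomains) each infected device held credentials for, plus how many private LAN addresses appear, which suggests the machine sat on an office network rather than at home. The WATCHLIST and the two SAMPLE records (abridged from the thread, with one trailing comma added on purpose) are assumptions for illustration.

```python
"""Triage stealer-log listings for a set of watched domains.

Added example for this thread, not code from the forum or from SOCRadar.
WATCHLIST and SAMPLE are constructed; SAMPLE abridges two records quoted in
the thread and keeps a trailing comma on purpose to exercise load_records().
"""
import ipaddress
import json
import re
from collections import Counter
from typing import Dict, Iterable, List, Set

WATCHLIST = {"parlament.gov.rs", "esolutions.rs", "stat.gov.rs"}

SAMPLE = r'''
{"country": "RS", "date": "2023.04.28", "id": "10598929",
 "isp": "CETIN Ltd. Belgrade",
 "links": ["aleksinac.org", "rik.parlament.gov.rs", "pod2.stat.gov.rs",
           "pod2.stat.gov.rs", "192.168.0.1", "192.168.20.27",
           "lokalnesamouprave.abs.gov.rs", "telenor.rs",],
 "price": "10.00", "stealer": "Racoon ", "vendor": "Mo####yf [Diamond]"}

{"country": "RS", "date": "2023.07.02", "id": "11455914",
 "isp": "Telenor d.o.o Beograd",
 "links": ["lms.napa.gov.rs", "login.microsoftonline.com",
           "mre.esolutions.rs", "mre.esolutions.rs"],
 "price": "10.00", "stealer": "Racoon ", "vendor": "Mo####yf [Diamond]"}
'''


def load_records(text: str) -> List[dict]:
    """Parse concatenated JSON objects. A trailing comma before ] or } is
    stripped first; the regex is string-unaware, so it assumes no value
    itself ends with a comma followed by a bracket."""
    cleaned = re.sub(r",(\s*[\]}])", r"\1", text)
    decoder = json.JSONDecoder()
    pos, records = 0, []
    while True:
        while pos < len(cleaned) and cleaned[pos].isspace():
            pos += 1
        if pos >= len(cleaned):
            return records
        obj, pos = decoder.raw_decode(cleaned, pos)
        records.append(obj)


def classify_link(link: str) -> str:
    """'local', 'private_ip', 'public_ip' or 'domain'."""
    if link.lower() == "localhost":
        return "local"
    try:
        ip = ipaddress.ip_address(link)
    except ValueError:
        return "domain"
    return "private_ip" if (ip.is_private or ip.is_loopback) else "public_ip"


def matches_watchlist(host: str, watchlist: Set[str]) -> List[str]:
    """Watchlist entries that `host` equals or is a subdomain of. Label-aware,
    so notparlament.gov.rs does not match parlament.gov.rs."""
    host = host.strip().lower().rstrip(".")
    return sorted(w for w in watchlist if host == w or host.endswith("." + w))


def triage_record(rec: dict, watchlist: Set[str]) -> dict:
    links = sorted({l.strip().lower() for l in rec.get("links", []) if l.strip()})
    kinds = Counter(classify_link(l) for l in links)
    watched: Dict[str, List[str]] = {}
    for link in links:
        for w in matches_watchlist(link, watchlist):
            watched.setdefault(w, []).append(link)
    return {
        "id": rec.get("id"), "date": rec.get("date"), "isp": rec.get("isp"),
        "stealer": rec.get("stealer", "").strip(), "vendor": rec.get("vendor"),
        "unique_links": len(links), "private_ips": kinds["private_ip"],
        "watched": watched,
    }


def triage(records: Iterable[dict], watchlist: Set[str] = WATCHLIST) -> List[dict]:
    """Only records touching the watchlist, oldest first."""
    hits = [triage_record(r, watchlist) for r in records]
    return sorted((h for h in hits if h["watched"]), key=lambda h: h["date"] or "")


def stealer_summary(results: Iterable[dict]) -> Counter:
    return Counter(r["stealer"] for r in results)


def demo() -> List[dict]:
    return triage(load_records(SAMPLE))


if __name__ == "__main__":
    results = demo()
    for r in results:
        print(r["date"], r["id"], r["stealer"], r["isp"], "LAN IPs:", r["private_ips"])
        for domain, hosts in r["watched"].items():
            print("   ", domain, "->", ", ".join(hosts))
    print(dict(stealer_summary(results)))
```

Each hit is one infected end-user device, not the server itself: the useful outcome is a list of hostnames (rik.parlament.gov.rs, mre.esolutions.rs, ...) whose saved browser credentials should be treated as burned and reset, and the private_ips count helps decide whether that device was on a government or contractor LAN.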
#9
The host lms.rik.parlament.gov.rs has a RedHat/Apache combination, IP 212.200.91.146, provider Telekom: https://www.shodan.io/host/212.200.91.146

Plus from SOCRadar: https://platform.socradar.com/app/threat...ent.gov.rs

   
#10
Interesting data from https://securitytrails.com/domain/lms.ri.../history/a.

Shortly after the incident was published the IP was changed; the previous one, 212.200.91.140, was Ubuntu/Apache: https://www.shodan.io/host/212.200.91.140

   