
October 10 2016: Manchester BarCamp and tracking intrusions on uWSGI

Posted on 2016-11-07 21:12:53 +0000 by John

As no-one had prepared anything specially for the meeting, and David S was occupied trying to get Adobe Flash to work on John W’s computer, we chatted among ourselves, with Brian and Ash sharing their experiences of Manchester BarCamp. The arrangements had been better this year, with half a dozen lecture rooms available. Brian had given his IoT talk, which he had tried out on us the previous month, and they had enjoyed sessions on Hacker Packet Radio and Git.

David S then managed to share with us an episode at work when a colleague had alerted him to a message via Sentry.

`InvalidSchema: No connection adapters were found for 'file:///etc/passwd'`

Because they use Apache as a reverse proxy in front of uWSGI, David had to trawl through the uWSGI server’s logs, finding a wide range of attempts to crack the server leading up to the one which had prompted the warning at 10.40 am on 3 October.

A look in AbuseIPDB showed that the IP address from which these attempts were being made was in Ukraine, though the actual attacker could have been in another country, and it appeared they were using the Acunetix web scanner.

As one of their customers had been involved in an anti-bribery initiative in Ukraine, one line of enquiry was that this might be an attempt at a revenge attack. However, analysis of the logs showed that servers related to other customers, in one particular data centre’s netblock, had previously been gently probed by the same netblock in Ukraine, suggesting that the attack wasn’t targeted at the specific customer but was just a coincidence.

David had ended up editing iptables directly, as Fail2ban will not work with the uWSGI logs. [There is a more detailed account of this incident on the Idelmoor Technical Blog.]
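As an added illustration of the log trawl and the Fail2ban gap described above (this is not David’s code nor anything from the Idelmoor post), the following Python script parses lines laid out like uWSGI’s default request log, counts probe-like requests per source IP, and emits the iptables rules one would review before applying. The sample log lines, the probe patterns and the threshold are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the layout of uWSGI's default request log (not the
# incident's real logs); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
[pid: 4021|app: 0|req: 17/231] 203.0.113.5 () {40 vars in 712 bytes} [Mon Oct  3 10:38:12 2016] GET /?page=../../../../etc/passwd => generated 142 bytes in 3 msecs (HTTP/1.1 404) 2 headers in 80 bytes (1 switches on core 0)
[pid: 4021|app: 0|req: 18/232] 198.51.100.7 () {38 vars in 640 bytes} [Mon Oct  3 10:39:01 2016] GET /about => generated 5120 bytes in 9 msecs (HTTP/1.1 200) 2 headers in 80 bytes (1 switches on core 0)
[pid: 4021|app: 0|req: 19/233] 203.0.113.5 () {40 vars in 720 bytes} [Mon Oct  3 10:39:44 2016] GET /fetch?url=http://203.0.113.5/x => generated 0 bytes in 1 msecs (HTTP/1.1 500) 2 headers in 80 bytes (1 switches on core 0)
[pid: 4021|app: 0|req: 20/234] 203.0.113.5 () {40 vars in 735 bytes} [Mon Oct  3 10:40:02 2016] GET /fetch?url=file:///etc/passwd => generated 0 bytes in 2 msecs (HTTP/1.1 500) 2 headers in 80 bytes (1 switches on core 0)
"""

# One request line: "[pid: ...] <ip> (<user>) {<n> vars ...} [<time>] <METHOD> <path> => ... (HTTP/x.y <status>) ..."
LINE_RE = re.compile(
    r"\] (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \([^)]*\) \{[^}]*\} \[(?P<ts>[^\]]+)\] "
    r"(?P<method>[A-Z]+) (?P<path>\S+) => .*?\(HTTP/[\d.]+ (?P<status>\d{3})\)"
)
# Paths a scanner sends but a normal visitor does not; "file:" is the scheme that
# produced the InvalidSchema error once it reached requests.
PROBE_RE = re.compile(r"file:|\.\./|/etc/passwd", re.IGNORECASE)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for a non-request line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["ip"], m["ts"], m["method"], m["path"], int(m["status"])

def probe_counts(log_text):
    """Count probe-like requests per client IP over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and PROBE_RE.search(rec[3]):
            counts[rec[0]] += 1
    return dict(counts)

def offenders(log_text, threshold=2):
    """IPs with at least `threshold` probe-like requests, busiest first."""
    counts = probe_counts(log_text)
    return sorted((ip for ip, n in counts.items() if n >= threshold), key=lambda ip: -counts[ip])

def drop_rules(ips):
    """iptables commands that would drop the offending sources (returned as text, not run)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    print(probe_counts(SAMPLE_LOG))
    print("\n".join(drop_rules(offenders(SAMPLE_LOG))))
```

The threshold keeps a single stray request from earning a block; on a real server the rule list should be reviewed before it is applied.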

This led into a discussion of how the organisation’s servers are managed, and David said they used Salt, partly because they can do everything using SSL. Salt uses ZeroMQ for messaging and YAML for scripting.

After this brief introduction, David was press-ganged into doing a more detailed presentation next month.