As cybercriminals are exploiting weaknesses in Centreon monitoring software and our customers may be at risk, we thought it would be a good idea to give some details on how to detect this software Internet exposure using our data. Let’s dive into different options for doing so.
Identifying Centreon patterns using the data field
The data field is a full-text search field. That means you can search using words or phrases within the raw data responses from our application probes. This field is available in most of our categories of information (see standard information categories and enterprise information categories). For this post, we will focus on the datascan category.
Centreon software has distinctive patterns we can use to accurately identify it. We can use 2 different patterns for doing so:
category:datascan data:"<img src=\"img/centreon.png\" alt=\"Centreon Logo\" title=\"Centreon Logo\" />"
category:datascan data:"<a href=\"mailto:firstname.lastname@example.org\">Centreon</a>"
If you run the first query on our beta Web site, you will get a result like this:
With this first pattern, we identify 570 exposed devices. Using the second pattern, we identify 400 devices.
Another way is using the app.http.title field
The app.http.title field is also a full-text search field, but we can use it to match a complete phrase if we want to. It holds the content of the HTML title tag:
category:datascan app.http.title:"Centreon - IT & Network Monitoring"
This time, we identify 601 devices. But from analyzing our data, we know that the “Centreon” string may differ, as it can be customized. So let’s rewrite our search using fewer words, like this:
category:datascan app.http.title:"IT & Network Monitoring"
612 devices are now found.
Using an OR query to combine them all
Now, it would be great to combine these with an OR query. That is, in fact, a new feature of our query language, currently in beta and only available on https://beta.onyphe.io. It is part of the advanced query language functions available to “Lion View” and “Eagle View (unlimited)” subscriptions. An OR query is written by preceding each wanted field with a question mark (the ? character).
The new language searches the datascan category by default, so you can skip the category:datascan part:
?app.http.title:"Centreon - IT & Network Monitoring" ?data:"<a href=\"mailto:email@example.com\">Centreon</a>" ?data:"<img src=\"img/centreon.png\" alt=\"Centreon Logo\" title=\"Centreon Logo\" />"
Which gives us 623 results.
But there are more ways of finding them
These patterns may not be enough: for instance, a device may have been scanned before the patterns were added. So we can search against 2 more fields: url and host.
A standard way of exposing software on a Web site is to give it a base URL containing the name of the software you want to give access to. By using a wildcard query against the url field, you can potentially find more exposed devices:
More than 1,400 devices are exposed.
When we perform DNS resolutions (forward and reverse), we split the result into several separate fields to make it easy to search with them. These fields are not subject to full-text searches: we can only use them in wildcard queries or exact-match queries.
When we take a fully-qualified domain name (FQDN), we split it into the following new fields:
- host: the hostname part
- domain: the domain name
- subdomains: one or more subdomains
- tld: the top-level domain
Another standard practice is to name a computer after its usage. For Centreon software, we can find exposed devices by using a host:centreon filter:
This yields 2,276 devices.
Of course, you can combine all these filters, adding an orwildcard function to also match optionally against URLs:
?host:centreon -orwildcard:url,*centreon* ?app.http.title:"IT & Network Monitoring" ?data:"<a href=\"mailto:firstname.lastname@example.org\">Centreon</a>" ?data:"<img src=\"img/centreon.png\" alt=\"Centreon Logo\" title=\"Centreon Logo\" />"
We have a grand total of 3,653 exposed devices.
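To make the OR combination above and the FQDN splitting described earlier concrete, here is an added offline example (not ONYPHE’s code) that applies the same filters to a few constructed datascan-style records. The substring matching, the split_fqdn rules and the sample records are assumptions of this example, not the platform’s exact full-text or wildcard semantics:

```python
"""Offline re-implementation of the Centreon identification filters from the
post, applied to constructed sample records (added example, not ONYPHE code).
Matching is plain substring matching, an approximation of the platform's
full-text and wildcard searches."""
from dataclasses import dataclass

# Patterns quoted in the post. The mailto address is the placeholder that
# appears on the page, not a real address.
TITLE_PATTERN = "IT & Network Monitoring"
DATA_PATTERNS = {
    "data:centreon-logo": '<img src="img/centreon.png" alt="Centreon Logo" title="Centreon Logo" />',
    "data:centreon-mailto": '<a href="mailto:firstname.lastname@example.org">Centreon</a>',
}


def split_fqdn(fqdn: str) -> dict:
    """Split an FQDN into the host/subdomains/domain/tld fields the post lists.
    Assumption (not ONYPHE's exact rules): the TLD is the last label, the
    domain the last two labels, the host the first label, and subdomains are
    the labels in between."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 3:
        # "example.com" or a bare name: nothing to call a host or subdomain
        return {"host": "", "subdomains": [], "domain": ".".join(labels), "tld": labels[-1]}
    return {
        "host": labels[0],
        "subdomains": labels[1:-2],
        "domain": ".".join(labels[-2:]),
        "tld": labels[-1],
    }


@dataclass
class Record:
    """One constructed datascan-style result: only the fields the queries touch."""
    hostname: str
    url: str
    title: str
    data: str


def match_centreon(rec: Record) -> list:
    """Return the filters from the post that this record satisfies. OR logic:
    any non-empty list means the record counts as exposed Centreon."""
    hits = []
    if split_fqdn(rec.hostname)["host"] == "centreon":
        hits.append("host:centreon")
    if "centreon" in rec.url.lower():            # wildcard *centreon* on url
        hits.append("orwildcard:url,*centreon*")
    if TITLE_PATTERN in rec.title:               # shortened title phrase
        hits.append('app.http.title:"IT & Network Monitoring"')
    for name, pattern in DATA_PATTERNS.items():  # raw-response fragments
        if pattern in rec.data:
            hits.append(name)
    return hits


def find_exposed(records) -> dict:
    """Map each matching hostname to its hits; len() is the OR-query total."""
    exposed = {}
    for rec in records:
        hits = match_centreon(rec)
        if hits:
            exposed[rec.hostname] = hits
    return exposed


def count_per_filter(records) -> dict:
    """How many records each single filter finds (like the per-query counts
    in the post), so you can see how much the OR combination adds."""
    counts = {}
    for rec in records:
        for hit in match_centreon(rec):
            counts[hit] = counts.get(hit, 0) + 1
    return counts


# Constructed sample records (not real scan data).
SAMPLE_RECORDS = [
    Record("centreon.example.net", "/", "Centreon - IT & Network Monitoring",
           DATA_PATTERNS["data:centreon-logo"]),
    Record("mon01.example.org", "/centreon/", "Acme NOC - IT & Network Monitoring",
           DATA_PATTERNS["data:centreon-mailto"]),
    Record("nagios.example.com", "/nagios/", "Nagios Core", "<html>...</html>"),
    Record("srv.example.com", "/", "Welcome", DATA_PATTERNS["data:centreon-logo"]),
    Record("www.example.com", "/docs/centreon-integration", "About us", ""),
]

if __name__ == "__main__":
    for hostname, hits in find_exposed(SAMPLE_RECORDS).items():
        print(hostname, "->", ", ".join(hits))
    print("per-filter:", count_per_filter(SAMPLE_RECORDS))
    print("OR total:", len(find_exposed(SAMPLE_RECORDS)))
```

On the sample set, no single filter finds every Centreon instance (the customized title, the renamed host and the bare logo each slip past one filter or another), which is the point of the OR query in the post: the combined total is larger than any individual count.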
Identification of assets made even easier
Of course, now that these data patterns are identified, we have added them to our identification patterns to make the search easier next time. That is, we have added the Centreon product to the assets we identify using other specific fields: device.class and app.http.component.product.
We believe asset categorization is a must-have for any Internet-exposed-device scanner, and we use the device.class field for that purpose. Knowing you have “VPN Server” or “Monitoring” device classes exposed is something you should really pay attention to.
As we have seen, we have accurate data and many specific fields to make it easy for you to find your Internet-exposed devices. We hope you won’t be the next to fall because of an unpatched system. Subscribe to one of our offers and quickly dive into your exposed devices.