May 06, 2017

DocumentRoot and Private Keys

In the last few days I’ve noticed a few unusual GET requests for supposedly exposed SSH private keys. All requests are following the same pattern:

185.129.62.62 - - [05/May/2017] "GET /id_rsa HTTP/1.1"
185.129.62.62 - - [05/May/2017] "GET /.ssh/id_rsa HTTP/1.1"
192.42.116.16 - - [05/May/2017] "GET /id_rsa HTTP/1.1"
192.42.116.16 - - [05/May/2017] "GET /.ssh/id_rsa HTTP/1.1"

Most (if not all) requests I’ve seen have originated from Tor exit nodes. Should there be an actual vulnerability related to these scans, then I really wonder what kind of build system would be responsible for exposing private keys in this way. Oh well, I guess there is a package manager for that.

#DevOops