CodeIgniter Forums
Hack attempts - Printable Version




Hack attempts - MarkWS7M - 03-30-2020

Hi all,

I have a simple little music composition site up with really nothing valuable on it but with everyone at home all over the world I guess people have a lot of time on their hands.

I am curious about the following activity in our apache log:

5.101.0.209 - - [30/Mar/2020:10:40:11 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 404 196

5.101.0.209 - - [30/Mar/2020:10:55:48 +0000] "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 200 7648

5.101.0.209 - - [30/Mar/2020:10:55:49 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 7635

5.101.0.209 - - [30/Mar/2020:11:03:58 +0000] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 200 7678

These clearly look like hacking attempts but it is hard to tell if anything was successful.

This little site is running on an AWS Lightsail instance using PHP 7.1.

I'm wondering what I can do to or if I should try to prevent this kind of access?

I purify all GETs on the site and try to use the built-in CI SQL substitution when accessing the small database. Currently the site is not a secure site as I have yet to take the time to get the security cert going and all that.

Would making the site secure help?

Thanks in advance.  Hope all are being safe!


RE: Hack attempts - dave friend - 03-30-2020

What you are seeing is someone trying a bunch of well-known exploits in a brute-force way. They are probing the system to see if they can figure out what software your site is using. In addition to making sure your site is as secure as possible, you can set up Fail2ban. Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.

It should be easy to install on your AWS server and there are lots of on-line resources for how to set it up.


RE: Hack attempts - MarkWS7M - 03-30-2020

(03-30-2020, 08:41 AM)dave friend Wrote: What you are seeing is someone trying a bunch of well-known exploits in a brute-force way. They are probing the system to see if they can figure out what software your site is using. In addition to making sure your site is as secure as possible, you can set up Fail2ban. Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.

It should be easy to install on your AWS server and there are lots of on-line resources for how to set it up.

Thanks for that!  I will look into it!


RE: Hack attempts - schertt - 03-31-2020

If you're interested in light reading:

#1 was looking for holes in Apache Solr: https://www.agarri.fr/blog/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html

#2 was looking for php code that makes calls to eval(): https://www.exploit-db.com/papers/13694

#3 was looking for holes left in Xdebug by PHPStorm, a PHP IDE: https://paper.seebug.org/992/

#4 was looking for an RCE exploit in ThinkPHP, a PHP-based web framework: https://securitynews.sonicwall.com/xmlpost/thinkphp-remote-code-execution-rce-bug-is-actively-being-exploited/


RE: Hack attempts - MoeAmine - 04-12-2020

If I may ask, how can I check this kind of log in my website?
(I have been away from web development and I am missing a lot of the basics)


RE: Hack attempts - jreklund - 04-12-2020

(04-12-2020, 02:06 AM)MoeAmine Wrote: If I may ask, how can I check this kind of log in my website?
(I have been away from web development and I am missing a lot of the basics)

Hi, it's called an access log. It's stored in different locations depending on the software, so you need to google "(Software) access log".


RE: Hack attempts - JezebelKerenza - 03-02-2021

Use the basic snippet and reset a free music site?


RE: Hack attempts - eelisland - 03-05-2021

I recently configured fail2ban so it's still very fresh in my mind; this is the configuration I ended up with:

Learn the basics of fail2ban with some tutorials (the ones on the Debian Wiki are well explained); once setup is done you can add this jail to your jail.local:

Code:
[apache-multi]

enabled  = true
port     = http,https
logpath  = %(apache_access_log)s
# Ban for ever
bantime  = -1
findtime = 1h
maxretry = 1

Create the file /fail2ban/filter.d/apache-multi.conf with

Code:
#
# Various blocks
#

[Definition]

failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+owa/auth/logon\.aspx.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+HNAP1.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+remote/fgt_lang.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+cgi-bin/login\.cgi.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\.env.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\.git.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+dns-query.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+shell.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .*(PMA|phpmyadmin|phpMyAdmin|myadmin|mysql|mysqladmin|sqladmin|mypma|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2).*$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+wp-login\.php.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+XDEBUG.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+HelloThink.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+nmaplowercheck.+$
            ^<HOST> \- \S+ \[\] \"\\n\".+$

ignoreregex =

datepattern = ^[^\[]*\[({DATE})
              {^LN-BEG}

And test this filter on your existing logs with fail2ban-regex.

fail2ban-regex /path/to/your/access_log /path/to/your/fail2ban/filter.d/apache-multi.conf

Comment out any line that doesn't suit your needs and restart fail2ban for the jail to become active.
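Added example, not code from the thread: a small Python replay of three of the posted failregex rules over the four log lines from the opening post plus one constructed, legitimate request. It assumes (as modelled in the comments) that fail2ban cuts the matched timestamp out of the line before failregex runs, which is why the rules carry a literal `\[\]`; the constructed `/feedback` line shows that the bare `db` alternation bans ordinary traffic, and the `/solr` probe shows a line the filter does not cover at all.

```python
import re
from collections import defaultdict

# Jail setting from the posted jail.local: one matching line is enough to ban.
MAXRETRY = 1

# Three of the posted failregex rules, with fail2ban's <HOST> tag left in place.
FAILREGEX = [
    r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+XDEBUG.+$',
    r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+HelloThink.+$',
    r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .*(PMA|phpmyadmin|phpMyAdmin|myadmin|mysql|mysqladmin|sqladmin|mypma|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2).*$',
]

# Assumption modelled here: with datepattern = ^[^\[]*\[({DATE}) fail2ban removes
# the matched timestamp before matching, so "[30/Mar/2020:10:40:11 +0000]" becomes "[]".
DATE_RE = re.compile(r'^([^\[]*\[)[^\]]+(\])')

def strip_date(line):
    return DATE_RE.sub(r'\1\2', line, count=1)

COMPILED = [re.compile(rx.replace('<HOST>', r'(?P<host>\S+)')) for rx in FAILREGEX]  # <HOST> stands in for fail2ban's address pattern

def matching_rules(line):
    """Return (host, [indices of rules that fire]) for one raw access-log line."""
    stripped = strip_date(line)
    host, hits = None, []
    for i, rx in enumerate(COMPILED):
        m = rx.match(stripped)
        if m:
            host, hits = m.group('host'), hits + [i]
    return host, hits

def banned_hosts(lines, maxretry=MAXRETRY):
    """Hosts with at least maxretry matching lines (findtime window ignored here)."""
    counts = defaultdict(int)
    for line in lines:
        host, hits = matching_rules(line)
        if hits:
            counts[host] += 1
    return sorted(h for h, n in counts.items() if n >= maxretry)

# The four lines from the opening post (the wrapped one rejoined) plus one
# constructed, legitimate request: "feedback" contains "db", so the PMA rule fires.
SAMPLE_LOG = [
    r'5.101.0.209 - - [30/Mar/2020:10:40:11 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 404 196',
    r'5.101.0.209 - - [30/Mar/2020:10:55:48 +0000] "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 200 7648',
    r'5.101.0.209 - - [30/Mar/2020:10:55:49 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 7635',
    r'5.101.0.209 - - [30/Mar/2020:11:03:58 +0000] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 200 7678',
    r'192.0.2.10 - - [30/Mar/2020:12:00:00 +0000] "GET /feedback HTTP/1.1" 200 512',
]
```

Running `banned_hosts(SAMPLE_LOG)` bans both addresses with the posted maxretry of 1, while the `/solr` line matches no rule; with `bantime = -1` a single false positive like `/feedback` is a permanent ban, so test the filter with `fail2ban-regex` against a real log before enabling it.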