Hack attempts

#1
Hi all,

I have a simple little music composition site up with really nothing valuable on it, but with everyone at home all over the world I guess people have a lot of time on their hands.

I am curious about the following activity in our apache log:

5.101.0.209 - - [30/Mar/2020:10:40:11 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 404 196

5.101.0.209 - - [30/Mar/2020:10:55:48 +0000] "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 200 7648

5.101.0.209 - - [30/Mar/2020:10:55:49 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 7635

5.101.0.209 - - [30/Mar/2020:11:03:58 +0000] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 200 7678

These clearly look like hacking attempts but it is hard to tell if anything was successful.

This little site is running on an AWS Lightsail instance using PHP 7.1.

I'm wondering what I can do, or whether I should even try, to prevent this kind of access?

I purify all GET input on the site and try to use the built-in CI SQL substitution when accessing the small database. Currently the site is not a secure site, as I have yet to take the time to get the security cert going and all that.

Would making the site secure help?

Thanks in advance.  Hope all are being safe!

#2
What you are seeing is someone trying a bunch of well-known exploits in a brute-force way. They are probing the system to see if they can figure out what software your site is using. In addition to making sure your site is as secure as possible, you can set up Fail2ban. Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.

It should be easy to install on your AWS server and there are lots of on-line resources for how to set it up.

#3
(03-30-2020, 08:41 AM)dave friend Wrote: What you are seeing is someone trying a bunch of well-known exploits in a brute-force way. They are probing the system to see if they can figure out what software your site is using. In addition to making sure your site is as secure as possible, you can set up Fail2ban. Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.

It should be easy to install on your AWS server and there are lots of on-line resources for how to set it up.

Thanks for that!  I will look into it!

#4
If you're interested in light reading:

#1 was looking for holes in Apache Solr: https://www.agarri.fr/blog/archives/2013...index.html

#2 was looking for php code that makes calls to eval(): https://www.exploit-db.com/papers/13694

#3 was looking for holes left in Xdebug by PHPStorm, a PHP IDE: https://paper.seebug.org/992/

#4 was looking for an RCE exploit in ThinkPHP, a PHP-based web framework: https://securitynews.sonicwall.com/xmlpo...exploited/

#5
If I may ask, how can I check this kind of log in my website?
(I have been away from web development and I am missing a lot of the basics)

#6
(04-12-2020, 02:06 AM)MoeAmine Wrote: If I may ask, how can I check this kind of log in my website?
(I have been away from web development and I am missing a lot of the basics)

Hi, it's called an access log, and it's stored in a different location depending on the software. So you need to google "(Software) access log".

#7
Use the basic snippet and reset a free music site?

#8
I recently configured fail2ban, so it's still very fresh in my mind. This is the configuration I ended up with:

Learn the basics of fail2ban with some tutorials; the ones on the Debian Wiki are well explained. Once setup is done you can add this jail to your jail.local:

Code:
[apache-multi]

enabled  = true
port     = http,https
logpath  = %(apache_access_log)s
# Ban for ever
bantime  = -1
findtime = 1h
maxretry = 1

Create the file /fail2ban/filter.d/apache-multi.conf with:

Code:
#
# Various block
#

[Definition]

# Every continuation line of failregex must be indented, otherwise fail2ban
# reads it as a new (invalid) option instead of another pattern.
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+owa/auth/logon.aspx.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+HNAP1.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+remote/fgt_lang.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+cgi-bin/login.cgi.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\.env.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\.git.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+dns-query.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+shell.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .*(PMA|phpmyadmin|phpMyAdmin|myadmin|mysql|mysqladmin|sqladmin|mypma|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2).*$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+wp-login.php.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+XDEBUG.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+HelloThink.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+nmaplowercheck.+$
            ^<HOST> \- \S+ \[\] \"\\n\".+$

ignoreregex =

# The timestamp is matched here and removed from the line before failregex
# runs, which is why the patterns above expect an empty "[]".
datepattern = ^[^\[]*\[({DATE})
              {^LN-BEG}

And test this filter on your existing logs with fail2ban-regex:

fail2ban-regex /path/to/your/access_log /path/to/your/fail2ban/filter.d/apache-multi.conf

Comment out any line that doesn't suit your needs and restart fail2ban for the jail to be active.
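As an added example (not from the post above and not fail2ban's own code), here is a small Python emulation of what that jail does with the access-log lines from post #1: strip the timestamp the way datepattern does, run a subset of the failregex patterns, and count hits per host against findtime and maxretry. The `<HOST>` substitution is a simplification of fail2ban's real one, and the log lines are constructed sample input.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache access-log prefix: host, ident, user, [timestamp], then the request.
LOG_LINE = re.compile(r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<date>[^\]]+)\] (?P<rest>.*)$')
DATE_FMT = '%d/%b/%Y:%H:%M:%S %z'

# Subset of the failregex lines from apache-multi.conf. fail2ban removes the
# timestamp matched by datepattern before applying failregex, so each pattern
# expects an empty "[]" where the date used to be.
FAILREGEX = [
    r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+XDEBUG.+$',
    r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+HelloThink.+$',
    r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\.env.+$',
]
# Simplified stand-in for fail2ban's <HOST> tag (assumption; the real one also handles IPv6 and hostnames).
COMPILED = [re.compile(p.replace('<HOST>', r'(?P<host>\S+)')) for p in FAILREGEX]


def strip_date(line):
    """Emulate the datepattern step: return (timestamp, line with the timestamp removed)."""
    m = LOG_LINE.match(line)
    if not m:
        return None, line
    ts = datetime.strptime(m.group('date'), DATE_FMT)
    return ts, f"{m.group('host')} - {m.group('user')} [] {m.group('rest')}"


def matched_host(stripped):
    """Return the offending host if any failregex matches the date-stripped line, else None."""
    for rx in COMPILED:
        m = rx.match(stripped)
        if m:
            return m.group('host')
    return None


def hosts_to_ban(lines, maxretry=1, findtime=timedelta(hours=1)):
    """Hosts that reach maxretry failregex hits inside a findtime window (the jail's settings above)."""
    hits, banned = defaultdict(list), set()
    for line in lines:
        ts, stripped = strip_date(line)
        host = matched_host(stripped) if ts else None
        if host is None:
            continue
        hits[host] = [t for t in hits[host] if ts - t <= findtime] + [ts]
        if len(hits[host]) >= maxretry:
            banned.add(host)
    return banned


# Constructed sample: one ordinary visitor plus three of the probes quoted in post #1.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Mar/2020:10:39:02 +0000] "GET /index.php HTTP/1.1" 200 7610',
    '5.101.0.209 - - [30/Mar/2020:10:40:11 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 404 196',
    '5.101.0.209 - - [30/Mar/2020:10:55:48 +0000] "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 200 7648',
    '5.101.0.209 - - [30/Mar/2020:10:55:49 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 7635',
]
```

Note that the Solr probe is not caught by any pattern in the posted filter, which is the kind of gap fail2ban-regex on your real log will reveal.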