Encore une attaque de la Russie, il me faudrait bloquer toutes les IP des Russes ….
Type d’attaque :
GET /?XDEBUG_SESSION_START=phpstorm
GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1
GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1
GET /wp-content/plugins/wp-file-manager/readme.txt
POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
GET /_ignition/execute-solution HTTP/1.1"
GET /solr/admin/info/system?wt=json HTTP/1.1
GET /console/ HTTP/1.1
POST /api/jsonws/invoke HTTP/1.1
GET /index.php?r=user%2Fauth%2Flogin HTTP/1.1
Quand je fais une recherche c’est pas la seule IP :
# zgrep "HelloThinkCMF" /var/log/apache2/access.humhub.log.*.gz | sed 's/:/ /g' | awk '{print $2}' | sort -n | uniq -c
20 45.146.164.125
2 45.146.164.131
2 45.155.205.109
4 45.155.205.181
4 45.155.205.196
1 123.58.4.233
Bilan :
iptables -A INPUT -s 45.146.164.125 -j DROP iptables -A INPUT -s 45.146.164.131 -j DROP iptables -A INPUT -s 45.155.205.109 -j DROP iptables -A INPUT -s 45.155.205.181 -j DROP iptables -A INPUT -s 45.155.205.196 -j DROP iptables -A INPUT -s 123.58.4.233 -j DROP iptables-save > /etc/iptables/rules.v4
Misère.
# grep « HelloThinkPHP21 » /var/log/apache2/access.*.log
195.54.160.149 – – [13/Dec/2021:00:49:15 +0100] « GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1 » 302 406 « – » « Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 »
195.54.160.149 – – [13/Dec/2021:00:49:16 +0100] « GET /user/auth/login HTTP/1.1 » 200 8198 « http://80.15.48.50:80/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 » « Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 »
195.54.160.149 – – [13/Dec/2021:08:59:58 +0100] « GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1 » 302 5557 « – » « Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 »
195.54.160.149 – – [13/Dec/2021:08:59:59 +0100] « GET /user/auth/login HTTP/1.1 » 200 13392 « https://80.15.48.50:443/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 » « Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 »
# iptables -A INPUT -s 195.54.160.149 -j DROP
# /usr/sbin/iptables-save > /etc/iptables/rules.v4