---
title: Lousy Wordpress Hacking Attempts detected
subtitle: Spotted in nginx error logs
date: 2021-03-29
---

My Dutch bread baking blog, [redzuurdesem.be](https://redzuurdesem.be), was migrated from Wordpress to Hugo years ago. During the transition, I came up with a bunch of shoddy scripts that did the job adequately: copying over `/wp-content/` to the `/static/` directory in order to preserve relative image locations.

Wordpress-enabled sites are _very_ easy to spot: just look for `wp-` anything in the source, or try out the location `/wp-admin` if you fancy a brute-force attack. Naturally, some pages of my site still match this pattern, because of the archived image folder. A malicious Russian IP, [45.146.165.157](https://www.abuseipdb.com/check/45.146.165.157), which has been reported numerous times before at abuseipdb.com, tried the following today:

```
2021/03/29 09:57:47 [error] 162453#162453: *179870 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179871 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /solr/admin/info/system?wt=json HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179872 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /console/ HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179873 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "POST /Autodiscover/Autodiscover.xml HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179874 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179875 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179876 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179877 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179878 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:48 [error] 162453#162453: *179879 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "POST /api/jsonws/invoke HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:48 [error] 162453#162453: *179880 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /_ignition/execute-solution HTTP/1.1", host: "146.59.146.120:80"
```

I mean, really? `<?php>die(@md5(HelloThinkCMF))</php>`? Are servers that badly managed that any GET parameter is dynamically evaluated on the server?
You might notice a repeating pattern in the above log: when setting up the new server (the previous one [went up in flames](/post/2021/03/always-have-a-disaster-recovery-plan/) a couple of weeks ago), I forgot to add the classic 404 page, which results in an error entry in the nginx log. To be honest, I never check those logs. I happened to be looking for something else and got curious.

Now, what to do? Well, nothing. Smile. It's all static. Still, it's very sad to see these pathetic attempts, and it makes me angry because, years ago, a Wordpress site of mine _was_ effectively hacked because I did not upgrade the instance in due time. If those guys are any good at coding, their skills could have been used for good instead of bullying people.

Time to test out the [Fail2ban jail config](https://www.thegeekstuff.com/2010/07/fail2ban-howto/)... I guess I need to keep an eye out for malicious behavior in the future, 'cause I do have some dynamic stuff running on there. Wait, no, let Fail2ban monitor your nginx error/access logs automatically and [decide what to do with it](https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04)!
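
As an added example (not the author's code, and not Fail2ban's own implementation), here is the jail logic the post points at, applied to the nginx error-log excerpt above: parse each missing-file error line, count distinct 404 paths per client inside a sliding time window, and report the clients that cross the threshold. The sample input is constructed: three lines taken from the excerpt plus one made-up benign 404 from `192.0.2.10`; `maxretry` and `findtime` mirror the Fail2ban jail options of the same name.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx error-log layout as seen in the excerpt above:
# <date> <time> [error] <pid>#<tid>: *<conn> open() "<file>" failed (2: ...), client: <ip>, ..., request: "<METHOD> <path> HTTP/x.y", ...
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?'
    r'open\(\) "(?P<file>[^"]+)" failed \(2: No such file or directory\), '
    r'client: (?P<ip>[\d.]+), .*?request: "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"'
)

# Constructed sample input: three lines lifted from the excerpt above plus one
# benign 404 (a mistyped link) from a made-up client that must NOT be flagged.
SAMPLE_LOG = """\
2021/03/29 09:57:47 [error] 162453#162453: *179870 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179871 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /solr/admin/info/system?wt=json HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 09:57:47 [error] 162453#162453: *179874 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 45.146.165.157, server: _, request: "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1", host: "146.59.146.120:80"
2021/03/29 10:02:13 [error] 162453#162453: *179901 open() "/var/www/html/404.html" failed (2: No such file or directory), client: 192.0.2.10, server: _, request: "GET /post/2021/03/typo-in-link/ HTTP/1.1", host: "146.59.146.120:80"
"""

def parse_404_events(text):
    """Yield (timestamp, client_ip, request_path) for every missing-file error line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            yield ts, m.group("ip"), m.group("path")

def find_offenders(text, maxretry=3, findtime=timedelta(minutes=10)):
    """Fail2ban-style rule: a client that hits >= maxretry distinct missing paths
    within any findtime window is returned, mapped to the sorted paths it probed."""
    events = defaultdict(list)
    for ts, ip, path in parse_404_events(text):
        events[ip].append((ts, path))
    offenders = {}
    for ip, hits in events.items():
        hits.sort()  # chronological, so each window starts at hits[i]
        for i, (start, _) in enumerate(hits):
            window = [p for t, p in hits[i:] if t - start <= findtime]
            if len(set(window)) >= maxretry:
                offenders[ip] = sorted(set(window))
                break
    return offenders

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))
```

A real jail would hand the offending IP to the ban action instead of printing it; the benign client stays below `maxretry` and is never listed.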

Hope you Russians are reading this and saying вызов принят (challenge accepted)!