* David C. Rankin <drankinatty@suddenlinkmail.com> [07-21-20 15:46]:
> Just a heads up to those running web servers,
> May want to check logs for last day or two as there have been a number of attacks in the past few days (may be all days and they just got to me...)
> Look for attempts with:
> /index.php?s=/module/action/param1/${@die(sha1(xyzt))}
> /index.php/module/action/param1/${@die(sha1(xyzt))}
> /index.php?s=/Index/x5Cthinkx5Capp/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt
> Which I'm still working to totally understand, but it is apparently an attempt to provide GET code to enable compromising your site.
> As usual RIPE is the prime candidate, with attacks coming from
> 54.38.81.0/24 54.196.169.0/24

I have only one hit from those ips in the last 65 days, 54.38.81.231, which I have blacklisted.

I have 21 from the first two strings and none from the last:
104.244.72.99 104.244.73.193 123.207.226.105 129.226.160.197 134.175.105.150 149.202.238.204 178.32.123.182 182.254.134.77 185.220.103.4 185.232.52.64 193.218.118.80 193.8.82.126 217.12.204.151 36.248.211.71 45.10.172.11 51.15.235.211 51.75.144.58 51.77.135.89 54.38.81.231 82.221.131.71
all blacklisted.

--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
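
The log check both messages describe, as an added example that is not part of the thread: a scanner that counts, per client IP, requests matching the three probe strings quoted above. It assumes combined-format access logs, and that the server may log a backslash as `\x5C` or the probe may arrive percent-encoded; the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined-format access log entry: client IP first, request line in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*"')

# Signatures derived from the three request strings quoted in the thread.
SIGNATURES = {
    "die-sha1-template": re.compile(r"\$\{@die\(", re.I),
    "invokefunction-call_user_func_array": re.compile(
        r"invokefunction.*function=call_user_func_array", re.I),
}

def normalise(target):
    # Undo hex escapes of the form backslash-x-HH (assumed log escaping),
    # then percent-encoding, twice so double-encoded probes still match.
    target = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), target)
    return unquote(unquote(target))

def scan(lines):
    """Return {signature name: Counter of client IPs} for matching requests."""
    hits = {name: Counter() for name in SIGNATURES}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        target = normalise(m.group("target"))
        for name, sig in SIGNATURES.items():
            if sig.search(target):
                hits[name][m.group("ip")] += 1
    return hits

# Constructed sample lines (documentation address ranges, not addresses from the thread).
SAMPLE = [
    '192.0.2.10 - - [21/Jul/2020:15:01:02 -0500] "GET /index.php?s=/module/action/param1/${@die(sha1(xyzt))} HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.10 - - [21/Jul/2020:15:01:03 -0500] "GET /index.php/module/action/param1/%24%7B%40die(sha1(xyzt))%7D HTTP/1.1" 404 196 "-" "-"',
    '198.51.100.7 - - [21/Jul/2020:15:02:10 -0500] "GET /index.php?s=/Index/\\x5Cthink\\x5Capp/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.5 - - [21/Jul/2020:15:03:00 -0500] "GET /index.php?s=/blog/view/42 HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for name, counter in scan(SAMPLE).items():
        for ip, n in counter.most_common():
            print(f"{name}\t{ip}\t{n}")
```

To run it against a real log, pass an open file object to `scan()` in place of `SAMPLE`.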