Just a heads up to those running web servers,
May want to check logs for last day or two as there have been a number of attacks in the past few days (may be all days and they just got to me...)
Look for attempts with:
/index.php?s=/module/action/param1/${@die(sha1(xyzt))}
/index.php/module/action/param1/${@die(sha1(xyzt))}
/index.php?s=/Index/x5Cthinkx5Capp/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt
Which I'm still working to totally understand, but it is apparently an attempt to provide GET code to enable compromising your site.
As usual RIPE is the prime candidate, with attacks coming from
54.38.81.0/24 54.196.169.0/24
Just something to keep an eye on.
* David C. Rankin drankinatty@suddenlinkmail.com [07-21-20 15:46]:
> Just a heads up to those running web servers,
> May want to check logs for last day or two as there have been a number of attacks in the past few days (may be all days and they just got to me...)
> Look for attempts with:
> /index.php?s=/module/action/param1/${@die(sha1(xyzt))}
> /index.php/module/action/param1/${@die(sha1(xyzt))}
> /index.php?s=/Index/x5Cthinkx5Capp/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt
> Which I'm still working to totally understand, but it is apparently an attempt to provide GET code to enable compromising your site.
> As usual RIPE is the prime candidate, with attacks coming from
> 54.38.81.0/24 54.196.169.0/24
I have only one hit from those IPs in the last 65 days, 54.38.81.231, which I have blacklisted.
I have 21 from the first two strings and none from the last: 104.244.72.99 104.244.73.193 123.207.226.105 129.226.160.197 134.175.105.150 149.202.238.204 178.32.123.182 182.254.134.77 185.220.103.4 185.232.52.64 193.218.118.80 193.8.82.126 217.12.204.151 36.248.211.71 45.10.172.11 51.15.235.211 51.75.144.58 51.77.135.89 54.38.81.231 82.221.131.71
all blacklisted.
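The two things both messages above describe, grepping the access log for the quoted request strings and tallying which client addresses sent them, can be done with a short script. The following is an added example, not code from anyone in this thread; the log lines it scans are constructed (documentation-range addresses), the signature names are my own, and it assumes Apache/nginx "combined" log format. It URL-decodes the request path first so percent-encoded variants of the same probe are not missed, and it separately flags probe requests that got a 200 rather than a 404, since those reached application code and the response is worth checking.

```python
"""Scan a web server access log for the ThinkPHP-style probe strings quoted in
the thread and tally which client addresses sent them (added example)."""
import re
from collections import Counter
from urllib.parse import unquote

# Signatures derived from the three request strings quoted in the thread.
# Matching is done on the URL-decoded path so percent-encoded forms
# (e.g. %24%7B for ${) are caught as well. Names are this example's own.
PROBE_PATTERNS = {
    "thinkphp-die-sha1": re.compile(r"\$\{@die\(sha1\(", re.IGNORECASE),
    "thinkphp-invokefunction": re.compile(
        r"invokefunction&function=call_user_func_array", re.IGNORECASE),
}

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log lines (not taken from the thread); client addresses
# are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Jul/2020:13:01:02 +0000] "GET /index.php?s=/module/action/param1/${@die(sha1(xyzt))} HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Jul/2020:13:01:03 +0000] "GET /index.php/module/action/param1/$%7B@die(sha1(xyzt))%7D HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jul/2020:13:05:44 +0000] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt HTTP/1.1" 200 40 "-" "python-requests/2.22"
192.0.2.5 - - [21/Jul/2020:13:07:00 +0000] "GET /index.php?s=/blog/show/id/12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""


def classify(path):
    """Return the name of the first probe signature matching the decoded path, or None."""
    decoded = unquote(path)
    for name, pattern in PROBE_PATTERNS.items():
        if pattern.search(decoded):
            return name
    return None


def scan_log(text):
    """Return one hit dict per log line whose request path matches a probe signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # blank line or not in combined format
        sig = classify(m.group("path"))
        if sig is None:
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "signature": sig,
            "status": int(m.group("status")),
            "path": m.group("path"),
        })
    return hits


def hits_per_ip(hits):
    """Count probe requests per client address (candidates for a blocklist)."""
    return Counter(h["ip"] for h in hits)


def needs_review(hits):
    """Probe requests answered with 200: the request reached application code
    rather than a static 404, so that response deserves a closer look."""
    return [h for h in hits if h["status"] == 200]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, n in hits_per_ip(found).most_common():
        print(f"{ip:<16} {n} probe request(s)")
    for h in needs_review(found):
        print("review:", h["ip"], h["signature"], h["path"])
```

To run it against a real log, replace `SAMPLE_LOG` with the file contents (`scan_log(open("/var/log/apache2/access.log").read())`); the per-IP counter is what feeds a blocklist, and the 200-status list is what to examine by hand.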
On 2020-07-21 20:45, David C. Rankin wrote:
> Look for attempts with:
> /index.php?s=/module/action/param1/${@die(sha1(xyzt))}
> /index.php?s=/Index/x5Cthinkx5Capp/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt
(Oops, just noticed I accidentally replied to David Rankin directly; I meant to reply to the list.)
Presumably both of these are being used on the assumption that some well known / frequently-used code, often in sites' index.php files (maybe for something that lots of people use like blogging or BB software) will directly use the contents of var "s", or parse something out of it and use that, without checking what it is before use?
> /index.php/module/action/param1/${@die(sha1(xyzt))}
What would a malformed URL like that do?
* Jeremy Nicoll - ml openSUSE jn.ml.ops.785@wingsandbeaks.org.uk [07-23-20 04:26]:
> On 2020-07-21 20:45, David C. Rankin wrote:
> > Look for attempts with:
> > /index.php?s=/module/action/param1/${@die(sha1(xyzt))}
> > /index.php?s=/Index/x5Cthinkx5Capp/invokefunction&function=call_user_func_array&vars[0]=sha1&vars[1][]=xyzt
> (Oops, just noticed I accidentally replied to David Rankin directly; I meant to reply to the list.)
> Presumably both of these are being used on the assumption that some well known / frequently-used code, often in sites' index.php files (maybe for something that lots of people use like blogging or BB software) will directly use the contents of var "s", or parse something out of it and use that, without checking what it is before use?
> > /index.php/module/action/param1/${@die(sha1(xyzt))}
> What would a malformed URL like that do?
It is probably checking for existence of a particular string of code which it can exploit and when not finding, doesn't bother anymore.