Rich Wales:
> On 2020-10-20 06:45, Wietse Venema wrote:
>
> > Extract time stamps for NON-ERROR web server responses, and
> > correlate those time stamps with activity in Postfix logs.
>
> Working on this now. There are log entries for several GET requests
> asking for nonsensical things like the following:
>
> /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP

Now we're getting somewhere :-)

According to a well-known search engine:

Query: HelloThinkPHP
Result: ThinkPHP Remote Code Execution (RCE) bug

> /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>

Query: HelloThinkCMF
Result: WordPress exploit.

> /index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

Another remote code execution exploit.

If any of those got a 200 HTTP response then you have been owned.

	Wietse

> A couple of the above are near the dates/times when I was having the
> e-mail problem. But this could just as easily be a coincidence -- and
> as far as I can tell, none of the above would accomplish anything -- the
> supplied parameters are completely different from what the "index.php"
> script in question is expecting. Are these strange GET requests still
> something which I should investigate further?
>
> Some other observations (none apparently pointing to any problem):
>
> My server runs a web site which sells a book on shoemaking which my
> mother wrote long ago. The site uses PHP, plus one JavaScript file.
> There are, however, NO FORMS -- it's all done by clicking buttons, and
> the financial transactions are handled by PayPal. Lots and lots of GETs
> in the log for this site, but no PUTs or POSTs, and the files themselves
> are all read-only, so I can't really see how they could have been
> exploited (though I'm open to enlightenment on this). All of the above
> weird GETs with random options tacked onto the URL were for this site.
> And for what it may be worth, this site consists of raw PHP and JS which
> I wrote from scratch, without using any frameworks or toolkits.
>
> Lots of attempts to GET a script named "wp-login.php" in several
> directories. In fact, there are not (and never have been) ANY
> "wp-login.php" files on this server (not running WordPress). Strangely,
> though, many of the GETs return a 200 HTTP status code -- not something
> I would expect when a requested file doesn't exist. Were it not for the
> 200 HTTP status code, I would have just dismissed these as irrelevant.
> In any case, none of these "wp-login.php" attempts correspond to the
> dates when I was having the e-mail problem.
>
> I had a couple of VERY old PHP scripts supporting "Project Honey Pot".
> I've removed them, though, and will review my security before putting
> them back (or, more properly, installing fresh scripts from the
> project). The logs showed about 20 accesses to my honeypot scripts, but
> none around the dates of interest.
>
> And I have still not seen any further instances of the hacker attack in
> the last several days.
>
> Rich Wales
> ri...@richw.org
>
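The check Wietse describes (find probe-looking requests that were answered 200, then line them up against Postfix activity in the minutes that follow) can be scripted. The Python below is an added example for this thread, not code from either poster; the access-log and Postfix lines are constructed samples, the probe markers are the strings quoted above, and it assumes a 2020 syslog year and UTC in both logs.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample logs (not from the thread); the probe URLs mirror the ones Rich reported.
ACCESS_LOG = """\
203.0.113.7 - - [20/Oct/2020:05:12:03 +0000] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 200 512
203.0.113.7 - - [20/Oct/2020:05:12:09 +0000] "GET /blog/wp-login.php HTTP/1.1" 200 1024
198.51.100.4 - - [20/Oct/2020:06:40:00 +0000] "GET /book.php?page=2 HTTP/1.1" 200 2048
203.0.113.7 - - [20/Oct/2020:07:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 210
"""
POSTFIX_LOG = """\
Oct 20 05:13:10 mail postfix/smtpd[2211]: connect from localhost[127.0.0.1]
Oct 20 05:13:11 mail postfix/qmgr[1100]: 7A1B2C3D4E: from=<www-data@mail>, size=1200, nrcpt=50 (queue active)
Oct 20 09:00:00 mail postfix/smtpd[2300]: connect from unknown[192.0.2.9]
"""
LOG_YEAR = 2020  # assumption: syslog lines carry no year; both logs are treated as UTC
# Strings that a request to this site never legitimately contains (taken from the thread).
PROBE_MARKERS = ("invokefunction", "call_user_func_array", "wp-login.php", "<php>")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_access(text):
    """Parse combined-format access log lines into dicts with timezone-aware timestamps."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines the regex does not recognise rather than crash
        ip, ts, method, path, status = m.groups()
        entries.append({"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                        "method": method, "path": path, "status": int(status)})
    return entries

def suspicious_successes(entries):
    """Probe-looking requests that were answered 200: the ones Wietse says must be investigated."""
    return [e for e in entries
            if e["status"] == 200 and any(m in e["path"].lower() for m in PROBE_MARKERS)]

def parse_postfix_ts(line):
    """Syslog timestamp ('Oct 20 05:13:10') -> aware UTC datetime, year supplied by LOG_YEAR."""
    return datetime.strptime(f"{LOG_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)

def correlate(hits, postfix_text, window=timedelta(minutes=5)):
    """Pair each suspicious hit with every Postfix line logged within `window` after it."""
    pairs = []
    for line in postfix_text.splitlines():
        pts = parse_postfix_ts(line)
        for h in hits:
            if h["ts"] <= pts <= h["ts"] + window:
                pairs.append((h["path"], line))
    return pairs
```

A 404 on a probe is noise; a 200 on a probe followed by unexpected queue activity is what deserves a closer look, and the pairs returned by `correlate` are exactly those.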