Evidence of an Attack

Today I went about performing my regular server maintenance update and noticed an IP address 202.107.188.12 hitting my Apache web server. Out of pure curiosity I thought I lookup this IP address. After a quick whois command, I found out it came from Xinjiang Province, China, specifically from the http://www.chinanet-online.com ISP.

After more investigation, I noticed that this particular visitor was attempting a ThinkPHP remote code execution attack. I don’t run the ThinkPHP framework. Below is the log recording its attempt.

202.107.188.12 - - [25/Apr/2020:12:58:01 -0400] "GET /TP/public/index.php HTTP/1.1" 302 499 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
202.107.188.12 - - [25/Apr/2020:12:58:05 -0400] "GET /TP/public/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 302 695 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
202.107.188.12 - - [25/Apr/2020:12:58:08 -0400] "POST /TP/public/index.php?s=captcha HTTP/1.1" 302 519 "-" "Go-http-client/1.1"
202.107.188.12 - - [25/Apr/2020:12:58:11 -0400] "GET / HTTP/1.1" 302 499 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"

I have always wondered how many bad actors are out there and whether these bad people will end up attacking my stuff. Well now I know, experienced first hand.

It is a scary place out there.

2 thoughts on “Evidence of an Attack”

    1. I think this is just a fact of life when you have a web server that is exposed to the Internet and you want public users to view your content. There is not much we can do about it other than to erect safety measures in our implementation to guard against malicious activities. I was just surprised how I caught one in the act. My past assumptions were that these attacks are infrequent. As it turns out, these attacks are the norm, so beware. One of my former work colleague suggested running a tool call Fail2ban. You can check them out if you are curious.

Leave a Reply

Your email address will not be published. Required fields are marked *