-1

This is a bit confusing, and I think I was hit by Shellshock. By the way, I'm not a sysadmin and only know a little bit about handling Linux. I'm running a website (LAMP) and hosting it on Digital Ocean. The server is CentOS 7, and I installed a few security tools like fail2ban. I frequently check the error logs and request logs, and just yesterday I saw a few disturbing requests. Here they are:

Error Logs

[Tue Aug 25 09:48:39.688528 2015] [core:error] [pid 24312] [client 64.15.155.177:33663] AH00126: Invalid URI in request GET HTTP/1.1 HTTP/1.1

[Tue Aug 25 09:48:40.877570 2015] [cgi:error] [pid 24306] [client 64.15.155.177:35398] script not found or unable to stat: /var/www/cgi-bin/report.cgi

[Tue Aug 25 09:48:41.042423 2015] [cgi:error] [pid 24331] [client 64.15.155.177:35687] script not found or unable to stat: /var/www/cgi-bin/webmap.cgi

[Tue Aug 25 09:48:41.206167 2015] [cgi:error] [pid 24351] [client 64.15.155.177:35888] script not found or unable to stat: /var/www/cgi-bin/whois.cgi

[Tue Aug 25 09:48:42.543500 2015] [cgi:error] [pid 24186] [client 64.15.155.177:36531] script not found or unable to stat: /var/www/cgi-bin/register.cgi

[Tue Aug 25 09:48:42.880804 2015] [cgi:error] [pid 24306] [client 64.15.155.177:38036] script not found or unable to stat: /var/www/cgi-bin/download.cgi

[Tue Aug 25 09:48:43.047761 2015] [cgi:error] [pid 24331] [client 64.15.155.177:38502] script not found or unable to stat: /var/www/cgi-bin/shop.cgi

[Tue Aug 25 09:48:43.503216 2015] [cgi:error] [pid 24353] [client 64.15.155.177:39001] script not found or unable to stat: /var/www/cgi-bin/profile.cgi

[Tue Aug 25 09:48:43.671687 2015] [cgi:error] [pid 24358] [client 64.15.155.177:39387] script not found or unable to stat: /var/www/cgi-bin/about_us.cgi

[Tue Aug 25 09:48:43.835678 2015] [cgi:error] [pid 24359] [client 64.15.155.177:39632] script not found or unable to stat: /var/www/cgi-bin/php.fcgi

[Tue Aug 25 09:48:44.002389 2015] [cgi:error] [pid 24361] [client 64.15.155.177:39862] script not found or unable to stat: /var/www/cgi-bin/calendar.cgi

[Tue Aug 25 09:48:44.774084 2015] [cgi:error] [pid 24362] [client 64.15.155.177:40930] script not found or unable to stat: /var/www/cgi-bin/download.cgi

[Tue Aug 25 09:48:44.942337 2015] [cgi:error] [pid 24363] [client 64.15.155.177:41177] script not found or unable to stat: /var/www/cgi-bin/light_board.cgi

[Tue Aug 25 09:48:45.108830 2015] [cgi:error] [pid 24365] [client 64.15.155.177:41430] script not found or unable to stat: /var/www/cgi-bin/main.cgi

[Tue Aug 25 09:48:45.291641 2015] [cgi:error] [pid 24283] [client 64.15.155.177:41677] script not found or unable to stat: /var/www/cgi-bin/search.cgi

Request Logs

Please view it here on Pastebin, because it's too long: http://pastebin.com/5kWB6X05

My questions are:

  1. Is the hacker trying to plant the virus file named "a2.png" in my /tmp folder? And did the hacker succeed in planting it?

  2. If the hacker succeeded, how would I know if the virus is now running on my server?

  3. What's a better way or recommendation to secure a web server from any attacks?

So far I can't see that the file name exists in my tmp folder.

The website I'm handling is on a virtual host, and I'm using a framework to make it more secure. I'm just not sure if I'm on the right track securing my web server; I only installed fail2ban for the login attempts.

  • 3
    He is just trying many different exploits for software you don't even have on your server. Nothing has been successful. – Michael Hampton Aug 27 '15 at 05:14
  • @MichaelHampton you're the mod so you know best but isn't that probably worth making an answer so OP can close this? – Michael Bailey Aug 27 '15 at 06:36
  • 1
    @MichaelBailey If only moderators wrote answers, this would be a very small site indeed. My role as a moderator [goes beyond simply answering questions](http://serverfault.com/help/site-moderators) (and like everyone else I might not have the ability or the time to construct a full answer). – Michael Hampton Aug 27 '15 at 06:55
  • That's totally fine. Makes sense. I'll construct an answer to the best of my ability shortly. – Michael Bailey Aug 27 '15 at 06:59

1 Answer

1

Regarding your log and your pastebin, it seems to be an automated attempt to test for a remote code execution vulnerability.

1) The file a2.png may not be malware. The hacker only wants to test whether he can access the folder and upload a file to it. If successful, this can signal to the hacker that he can execute code and traverse the system folders.

2) Your log shows that the attempt was not successful. But the problem is that you cannot actually deduce that no other vulnerability exists in your system. To be sure, it requires a complete test against other hacking techniques.

3) It is a very large question, as the techniques and vulnerabilities are countless.

But in this precise case, you can be sure that this attempt was not successful.
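As an added example (not part of the original question or answer), the following sketch flags the pattern seen in the error log above: one client asking for many different nonexistent CGI scripts within a short time. The function names, the threshold of 5 scripts and the 60-second window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.4 error-log layout: [time] [module:level] [pid N] [client ip:port] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w+:\w+\] \[pid \d+\] "
    r"\[client (?P<ip>\S+):\d+\] (?P<msg>.*)$")
MISSING_RE = re.compile(r"script not found or unable to stat: (\S+)")

def parse_missing_script(line):
    """Return (timestamp, client_ip, script_path), or None for any other line."""
    m = LINE_RE.match(line.strip())
    hit = MISSING_RE.search(m["msg"]) if m else None
    if not hit:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return ts, m["ip"], hit.group(1)

def find_cgi_probes(lines, min_scripts=5, window=timedelta(seconds=60)):
    """Map client IP -> distinct missing scripts, for clients that enumerate CGI paths."""
    per_ip = defaultdict(list)
    for ts, ip, path in filter(None, map(parse_missing_script, lines)):
        per_ip[ip].append((ts, path))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_scripts:
                flagged[ip] = sorted({p for _, p in events})
                break
    return flagged

# Lines copied from the question's error log, plus one constructed line (203.0.113.9).
SAMPLE = """\
[Tue Aug 25 09:48:39.688528 2015] [core:error] [pid 24312] [client 64.15.155.177:33663] AH00126: Invalid URI in request GET HTTP/1.1 HTTP/1.1
[Tue Aug 25 09:48:40.877570 2015] [cgi:error] [pid 24306] [client 64.15.155.177:35398] script not found or unable to stat: /var/www/cgi-bin/report.cgi
[Tue Aug 25 09:48:41.042423 2015] [cgi:error] [pid 24331] [client 64.15.155.177:35687] script not found or unable to stat: /var/www/cgi-bin/webmap.cgi
[Tue Aug 25 09:48:41.206167 2015] [cgi:error] [pid 24351] [client 64.15.155.177:35888] script not found or unable to stat: /var/www/cgi-bin/whois.cgi
[Tue Aug 25 09:48:42.543500 2015] [cgi:error] [pid 24186] [client 64.15.155.177:36531] script not found or unable to stat: /var/www/cgi-bin/register.cgi
[Tue Aug 25 09:48:42.880804 2015] [cgi:error] [pid 24306] [client 64.15.155.177:38036] script not found or unable to stat: /var/www/cgi-bin/download.cgi
[Tue Aug 25 09:48:44.774084 2015] [cgi:error] [pid 24362] [client 64.15.155.177:40930] script not found or unable to stat: /var/www/cgi-bin/download.cgi
[Tue Aug 25 09:50:02.000001 2015] [cgi:error] [pid 24400] [client 203.0.113.9:51000] script not found or unable to stat: /var/www/cgi-bin/old-form.cgi
"""
print(find_cgi_probes(SAMPLE.splitlines()))
```

Every flagged entry here is a "script not found" error, meaning the requested file does not exist under cgi-bin and no script was run for that request.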