
Suspicious request payload

Today I was checking my server logs when I noticed some requests which make me think that someone is trying to get into my server. I am hosting a PHP Laravel (6) based admin panel and APIs on it. I have also checked my public routes and the permissions of the files. Can someone figure out what else I should do to prevent something disastrous from happening? Thanks in advance.

Here are some other suspicious requests:

  • /hudson
  • /cgi-bin/mainfunction.cgi
  • /?XDEBUG_SESSION_START=phpstorm
  • /solr/admin/info/system?wt=json
  • /?-a=fetch&content=%3Cphp%3Edie%28%40md5%28HelloThinkCMF%29%29%3C%2Fphp%3E
  • /api/jsonws/invoke
  • /azenv.php?a=PSCMN&auth=159175997367&i=2650084793&p=80
  • ?function=call_user_func_array&s=%2FIndex%2F%5Cthink%5Capp%2Finvokefunction&vars%5B0%5D=md5&vars%5B1%5D%5B0%5D=HelloThinkPHP
  • /.well-known/security.txt
  • /sitemap.xml
  • /TP/index.php
  • /TP/public/index.php
  • /ip.ws.126.net:443
  • /nmaplowercheck1591708572
  • /evox/about
  • /MAPI/API
  • /evox/about
  • /owa/auth/logon.aspx?url=https%3A%2F%2F1%2Fecp%2F
  • /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
faizan.sh
  • This question is far too broad for Stackoverflow. Whole books are written on the subject of hardening servers against attacks. – Quentin Jun 10 '20 at 11:28
  • Maybe, it just happened to me for the first time. What I am looking for is a way to prevent myself from being brute-forced by these kinds of scripts trying to find vulnerabilities in the system. – faizan.sh Jun 10 '20 at 15:52
  • So buy one of those books – Quentin Jun 10 '20 at 18:31
  • They are automated bots. My server receives many similar requests: `/?XDEBUG_SESSION_START=phpstorm`, `/owa/auth/logon.aspx?url=https://1/ecp/`, `///3c625c27b4da33d3d5c12e8d02104755/js/login.js`, `/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession`. If you check `/var/log/auth.log` it's much worse. – bl3ssedc0de Dec 18 '22 at 23:28

3 Answers

These are among many bots that are constantly trying to break into servers or gain unauthorized access to your web app. You can read more about them here. This happens to all servers, regardless of which service provider you're using: AWS, DigitalOcean, Linode or any other option.

Most commonly, they'll try generic login URLs and brute-force them with default or common usernames/passwords. They're always there, but you probably did not notice until you started checking the log files.

While we're on this topic, there are also SSH worms that are constantly trying to brute-force their way over SSH into your server. This is why it's important to use good passwords, or better yet, disable password entry into your server and only allow SSH. That will greatly improve security but still will not stop their efforts.

What you can do to protect your server:

  • As mentioned above, disable password login and only allow SSH
  • Enable a firewall and set up the firewall rules accordingly
  • Ensure the packages that you use always have the latest security patches
  • Use tools like Fail2Ban, which will ban an IP if SSH attempts fail more than a set number of times. You can configure Fail2Ban to do more; do explore the docs
Mysterywood
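As an added example (not code from any of the answers), a small Python scanner that applies the Fail2Ban idea to the web-server access log rather than to SSH: it URL-decodes each request path, matches it against the probe paths listed in the question, and groups hits per client IP so that any address reaching a threshold can be handed to a ban list. The log lines are constructed, and the signature list is illustrative, not a complete ruleset.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format (nginx/Apache default):
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures derived from the probe paths in the question, matched as lower-case substrings
# of the URL-decoded path. Crawler paths such as /sitemap.xml and /.well-known/security.txt
# are deliberately left out: legitimate clients request those too.
PROBE_SIGNATURES = [
    ("phpunit eval-stdin RFI probe", "/vendor/phpunit/phpunit/src/util/php/eval-stdin.php"),
    ("ThinkPHP invokefunction probe", "\\think\\app/invokefunction"),  # decoded form of %5Cthink%5Capp%2F
    ("ThinkCMF fetch probe", "-a=fetch&content="),
    ("XDEBUG_SESSION_START trigger", "xdebug_session_start="),
    ("Solr admin probe", "/solr/admin/"),
    ("Exchange OWA/ECP probe", "/owa/auth/logon.aspx"),
    ("Liferay jsonws probe", "/api/jsonws/invoke"),
    ("nmap service check", "/nmaplowercheck"),
]

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2020:10:01:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2020:10:01:03 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2020:10:01:04 +0000] "GET /index.php?function=call_user_func_array&s=%2FIndex%2F%5Cthink%5Capp%2Finvokefunction&vars%5B0%5D=md5&vars%5B1%5D%5B0%5D=HelloThinkPHP HTTP/1.1" 404 162 "-" "python-requests/2.23"
198.51.100.9 - - [10/Jun/2020:10:02:00 +0000] "GET /api/users HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2020:10:02:05 +0000] "GET /sitemap.xml HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def classify(path):
    """Return the names of every probe signature matched by one request path."""
    decoded = unquote(path).lower()
    return [name for name, needle in PROBE_SIGNATURES if needle in decoded]


def scan(log_text, threshold=2):
    """Parse access-log lines, collect probe hits per client IP, and flag IPs at or above threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        for name in classify(m["path"]):
            hits[m["ip"]].append((m["time"], name, m["path"]))
    flagged = {ip: [h[1] for h in entries] for ip, entries in hits.items() if len(entries) >= threshold}
    return {"hits": dict(hits), "flagged": flagged}


if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG)["flagged"].items():
        print(f"{ip}: {len(names)} probe hits -> candidate for ban: {names}")
```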

Welcome to the internet.

The last time I bothered to look it took around 10 minutes after plugging a device into a public IP address which had been unused for over 6 months before the first attack. What you can do about it is:

  • Ensure your OS and any third party libs/applications are kept patched and up to date
  • Ensure that the uid running your PHP code can only write to specific locations outside the document root (preferably nowhere on the filesystem)
  • Ensure that the uid running your PHP code cannot read your weblogs
  • Write secure code
  • Take regular backups
  • Run a host based IDS
symcbean

This might just be an automated bot searching for certain files/URLs on the webserver. Make sure all your environment files are not accessible (using .htaccess) and you have the latest security patches of Laravel.

mugai
  • But I was wondering why a bot would try to download and run a file by trying to inject a shell script. – faizan.sh Jun 10 '20 at 08:45
  • Well, maybe they're not trying to run/download it, but there is something they're trying. I'm not sure what this could be. – mugai Jun 10 '20 at 08:48
  • This is not a bot looking for files; it's a remote file inclusion attempt. – symcbean Jun 10 '20 at 16:15