1

My company's site is hosted on AWS. I have 3 months of experience, so I don't know what this is:

Not Found: //admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //beta/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //dev/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

The problem is that the server automatically stopped running. I thought a possible reason could be that the code is going into some loop, so I decided to check the logs. What I found is:

Not Found: //admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //beta/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //dev/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //lib/phpunit/Util/PHP/eval-stdin.php
Not Found: //lib/phpunit/phpunit/Util/PHP/eval-stdin.php
Not Found: //lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //lib/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //new/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //old/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //phpunit/Util/PHP/eval-stdin.php

I don't know what this is or how to deal with it. I already searched on Google and found that it is some kind of malicious attack, but I am not sure. I want to know what this is. The site uses the Django web framework.

Karan Yogi
  • Someone might have tried to attack your website assuming it is built using PHP (it did not work; at least according to the logs you are fine). Mostly, if you followed good practices, your site should be secure (Django makes it hard to build insecure ones). – Abdul Aziz Barkat Jan 31 '21 at 10:23
  • @AbdulAzizBarkat But my site was hung for more than 2 hr. Then I rebooted the whole AWS instance. It happened multiple times on that day. So definitely something is wrong and I need to fix that. All I want is to know why my site was hanging again and again, and I cannot find anything else in the logs (which may be the reason for the hang). – Karan Yogi Jan 31 '21 at 10:27
  • Your logs only show Not Found, i.e. some URL was tried but not found by the server (perhaps eval-stdin.php is some file the attacker can use for malicious purposes in PHP). It is difficult to know why your site hung. Perhaps AWS might have detected these unusual activities and tried to prevent it / protect you (so your site didn't work)? – Abdul Aziz Barkat Jan 31 '21 at 10:32
  • @AbdulAzizBarkat Yes, my site was not working every time those logs were there. – Karan Yogi Jan 31 '21 at 10:43
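
The check suggested in the comments above (every logged request is a 404 for a PHP file that a Django site does not serve) can be automated. This is an added example, not part of the original posts: the function names are hypothetical, and the last two sample lines are constructed to show 404s that are not scanner probes.

```python
import re
from collections import Counter

# Sample in the "Not Found: <path>" shape of the log above; the first four
# lines are taken from it, the last two are constructed for illustration.
SAMPLE_LOG = """\
Not Found: //admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Not Found: //lib/phpunit/Util/PHP/eval-stdin.php
Not Found: //phpunit/Util/PHP/eval-stdin.php
Not Found: /favicon.ico
Not Found: /accounts/profile/
"""

NOT_FOUND = re.compile(r"^Not Found: (?P<path>\S+)$")
PHPUNIT_PROBE = re.compile(r"(?:^|/)phpunit/(?:.*/)?Util/PHP/eval-stdin\.php$", re.I)

def normalize(path):
    """Collapse repeated slashes so //admin/... and /admin/... compare equal."""
    return re.sub(r"/{2,}", "/", path)

def classify(path):
    """Label one 404 path: phpunit probe, other PHP probe, or worth reviewing."""
    path = normalize(path)
    if PHPUNIT_PROBE.search(path):
        return "phpunit-probe"
    if path.lower().endswith(".php"):
        return "php-probe"   # a Django site serves no .php files
    return "review"          # may be a genuine broken link

def triage(log_text):
    """Return (counts per label, directory prefixes guessed, paths to review)."""
    counts, prefixes, review = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = NOT_FOUND.match(line.strip())
        if not m:
            continue
        path = normalize(m.group("path"))
        label = classify(path)
        counts[label] += 1
        if label == "phpunit-probe":
            # Text before the phpunit directory is the prefix the scanner guessed.
            prefix = re.split(r"/(?:vendor/)?phpunit/", path, maxsplit=1, flags=re.I)[0]
            prefixes[prefix or "/"] += 1
        elif label == "review":
            review.append(path)
    return counts, prefixes, review
```

Lines labelled `review` are the only 404s in such a log that may point at a real problem in the Django application.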

2 Answers

1

If there is some kind of malicious attack happening, there are a couple of things you should do:

  1. Enable AWS GuardDuty to detect the resources under attack.
  2. Put your web server behind an Application Load Balancer and enable WAF on the ALB. This will act as a firewall for your web server. Make sure you test this solution in your UAT environment before implementing it in production.
Vineet Singh
  • But first I want to know why the site hung because of this attack...? It was not responding, not taking SSH requests... why? I wasn't able to connect through the terminal when the attack happened. – Karan Yogi Jan 31 '21 at 11:47
  • Your site was unresponsive and SSH requests were denied. SSH requests get denied when either CPU or memory is running very high, say more than 90%. To drill down into the issue you need to have a monitoring mechanism for memory in place. CPU data is available by default in CloudWatch. Check which parameter is going up at what time. With this time period data you can narrow down your search and check the data in and data out parameters of the instance for the same time period. When you have GuardDuty enabled it will tell you the origin of the attack. – Vineet Singh Feb 01 '21 at 11:49
  • Also, you can install the AWS Inspector agent on your instance and run Inspector to get a vulnerability report. – Vineet Singh Feb 01 '21 at 11:51
0

Maybe your server is a very low EC2 instance, or you have a limited "pay as you go" plan, so this spider that wanted to hack into your server is using all the resources.

double-beep
Igor