Is someone trying to Hack? Receiving Suspicious Requests on my Apache2 Ubuntu 18.04 server

Suspicious request payload

Today I was checking my server logs and noticed some requests which I think mean that someone is trying to get into my server. I am hosting a PHP Laravel (6) based admin panel and APIs on it. I have also checked my public routes and the permissions of the files. Can someone figure out what else I should do to prevent something disastrous from happening? Thanks in advance.

Here are some other suspicious requests:

  • /hudson
  • /cgi-bin/mainfunction.cgi
  • /?XDEBUG_SESSION_START=phpstorm
  • /solr/admin/info/system?wt=json
  • /?-a=fetch&content=%3Cphp%3Edie%28%40md5%28HelloThinkCMF%29%29%3C%2Fphp%3E
  • /api/jsonws/invoke
  • /azenv.php?a=PSCMN&auth=159175997367&i=2650084793&p=80
  • ?function=call_user_func_array&s=%2FIndex%2F%5Cthink%5Capp%2Finvokefunction&vars%5B0%5D=md5&vars%5B1%5D%5B0%5D=HelloThinkPHP
  • /.well-known/security.txt
  • /sitemap.xml
  • /TP/index.php
  • /TP/public/index.php
  • /ip.ws.126.net:443
  • /nmaplowercheck1591708572
  • /evox/about
  • /MAPI/API
  • /evox/about
  • /owa/auth/logon.aspx?url=https%3A%2F%2F1%2Fecp%2F
  • /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

faizan.sh asked Jun 10 '20 08:06
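The paths in that list are textbook mass-scanner probes (ThinkPHP and ThinkCMF payloads, the phpunit eval-stdin.php script, Exchange OWA, Solr, an Xdebug trigger, an nmap check), and the defensive question is not whether they arrive but whether any of them got anything other than a 4xx back from the app. The following is an added example, not code from the question or the answer: a small Python scanner that parses Apache combined-format access-log lines, tags requests that match signatures derived from the paths listed above, and separates probes the server refused from probes that got a 2xx/3xx/5xx and therefore need a look at what answered them. The sample log lines are constructed (IPs from the RFC 5737 documentation ranges), and the signature labels are descriptive names chosen here, not identifiers from any database. /.well-known/security.txt and /sitemap.xml are deliberately not treated as probes, since ordinary crawlers fetch both.

```python
import re
from collections import Counter
from urllib.parse import unquote

# One Apache "combined" access-log record (the format Ubuntu's default vhost writes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# (label, needle) pairs derived from the paths quoted in the question. The needle
# is a plain substring matched against the URL-decoded, lower-cased request
# target; the first match wins. Labels are names chosen for this example.
SIGNATURES = [
    ("thinkphp-invokefunction-probe", "\\think\\app/invokefunction"),
    ("thinkphp-invokefunction-probe", "call_user_func_array"),
    ("thinkcmf-fetch-probe", "-a=fetch&content="),
    ("thinkphp-default-path", "/tp/index.php"),
    ("thinkphp-default-path", "/tp/public/index.php"),
    ("phpunit-eval-stdin", "/vendor/phpunit/phpunit/src/util/php/eval-stdin.php"),
    ("xdebug-trigger", "xdebug_session_start="),
    ("solr-admin-probe", "/solr/admin/"),
    ("cgi-mainfunction-probe", "/cgi-bin/mainfunction.cgi"),
    ("jsonws-invoke-probe", "/api/jsonws/invoke"),
    ("exchange-owa-probe", "/owa/auth/logon.aspx"),
    ("exchange-mapi-probe", "/mapi/api"),
    ("hudson-jenkins-probe", "/hudson"),
    ("nmap-http-scan", "nmaplowercheck"),
    ("azenv-proxy-check", "/azenv.php"),
    ("proxy-relay-probe", "ip.ws.126.net:443"),
    ("evox-probe", "/evox/about"),
]


def parse_line(line):
    """Fields of one access-log record, or None if the line is not one."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(target):
    """Signature label for a request target, or None if nothing matched."""
    decoded = unquote(target).lower()
    for label, needle in SIGNATURES:
        if needle in decoded:
            return label
    return None


def scan(lines):
    """Return (hits, review, unparsed): hits counts (client_ip, label) pairs;
    review lists probes that did NOT get a 4xx, meaning something answered
    them and should be checked; unparsed counts non-log lines."""
    hits, review, unparsed = Counter(), [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        label = classify(rec["target"])
        if label is None:
            continue
        hits[(rec["ip"], label)] += 1
        if not rec["status"].startswith("4"):
            review.append((rec["ip"], rec["status"], rec["target"]))
    return hits, review, unparsed


def report(lines):
    """Print per-IP and per-signature probe counts plus the review list."""
    hits, review, unparsed = scan(lines)
    per_ip = Counter()
    for (ip, _), n in hits.items():
        per_ip[ip] += n
    for ip, n in per_ip.most_common():
        print(f"{ip:<16} {n} probe(s)")
    for (ip, label), n in sorted(hits.items()):
        print(f"  {ip:<16} {label:<30} x{n}")
    print(f"not refused with 4xx, review these: {len(review)}")
    for ip, status, target in review:
        print(f"  {ip} {status} {target[:60]}")
    print(f"unparsed lines: {unparsed}")
    return hits, review, unparsed


# Constructed sample records (not from the asker's server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2020:07:58:01 +0000] "GET /TP/public/index.php?s=/Index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B0%5D=HelloThinkPHP HTTP/1.1" 404 573 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2020:07:58:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 573 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2020:08:01:15 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 2311 "-" "python-requests/2.23"
198.51.100.23 - - [10/Jun/2020:08:01:16 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 404 573 "-" "python-requests/2.23"
192.0.2.44 - - [10/Jun/2020:08:03:40 +0000] "GET /.well-known/security.txt HTTP/1.1" 404 573 "-" "Mozilla/5.0 (compatible; crawler)"
192.0.2.44 - - [10/Jun/2020:08:03:41 +0000] "GET /api/v1/products HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2020:08:05:09 +0000] "GET /?-a=fetch&content=%3Cphp%3Edie%28%40md5%28HelloThinkCMF%29%29%3C%2Fphp%3E HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
this line is not an access-log record
"""

if __name__ == "__main__":
    report(SAMPLE_LOG.splitlines())
    # Against the real file instead:
    #   with open("/var/log/apache2/access.log") as f: report(f)
```

On a Laravel app every one of these paths should produce a 404 from the framework's router, so a long review list is the signal to act on: a 200 on "/" with the Xdebug trigger parameter is harmless only if the xdebug extension is not loaded in production, and a 200 on the ThinkCMF fetch payload means some handler accepted the request body and is worth reading the code for. The per-IP totals are what you would feed into a firewall block or a Fail2Ban filter.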


1 Answer

These are among many bots that are constantly trying to break into servers or gain unauthorized access to your web app. You can read more about them here. This happens to all servers, regardless of which service provider you're using: AWS, DigitalOcean, Linode or whatever other option.

Most commonly, they'll try generic login URLs and brute-force them with default or common usernames/passwords. They're always there, but you probably did not notice until you started checking the log files.

While we're on this topic, there are also SSH worms that are constantly trying to brute-force SSH into your server. This is why it's important to use good passwords, or better yet, disable password entry into your server and only allow SSH. That will greatly improve security but still will not stop their efforts.

What you can do to protect your server:

  • As mentioned above, disable password login and only allow SSH
  • Enable firewall and setup the firewall rules accordingly
  • Ensure the packages that you use always have the latest security patches
  • Use tools like Fail2Ban, which will ban an IP if SSH attempts fail more than a set number of times. You can configure Fail2Ban to do more; do explore the docs

Mysterywood answered Oct 19 '22 03:10
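To make the answer's first two bullets checkable rather than just advice, here is an added example (not the answerer's code, and not an OpenSSH tool): a Python audit of an sshd_config file that reports which authentication directives are effectively weak and writes a hardened copy beside it. It respects two sshd rules that trip people up: the first value seen for a keyword wins, and everything after a Match line is conditional. Treating the Match section as out of scope for the global audit is a simplification stated here as an assumption. The sample config is constructed; it mirrors the common case where PasswordAuthentication is commented out and therefore stays at its default of yes. The defaults are OpenSSH's documented ones and the keyword spellings are those OpenSSH 7.6 on Ubuntu 18.04 understands.

```python
import re

# keyword -> (value sshd assumes when the directive is absent,
#             values accepted as safe, directive to write instead)
CHECKS = {
    "passwordauthentication": ("yes", {"no"}, "PasswordAuthentication no"),
    # with UsePAM yes, keyboard-interactive can still take a password while this is yes
    "challengeresponseauthentication": ("yes", {"no"}, "ChallengeResponseAuthentication no"),
    "pubkeyauthentication": ("yes", {"yes"}, "PubkeyAuthentication yes"),
    "permitrootlogin": ("prohibit-password", {"no", "prohibit-password"}, "PermitRootLogin no"),
}

# sshd_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
SPLIT_RE = re.compile(r"\s*=\s*|\s+")


def keyword_of(line):
    """Lower-cased keyword of a config line, or None for blanks and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return SPLIT_RE.split(stripped, maxsplit=1)[0].lower()


def parse_global(text):
    """Effective global settings: sshd keeps the FIRST value it sees for a
    keyword, and everything after the first Match line is conditional, so
    this simplified parser stops there (assumption of this example)."""
    effective = {}
    for line in text.splitlines():
        key = keyword_of(line)
        if key is None:
            continue
        if key == "match":
            break
        parts = SPLIT_RE.split(line.strip(), maxsplit=1)
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)
    return effective


def audit(text):
    """Return [(keyword, effective_value, fix_directive)] for each weak setting."""
    cfg = parse_global(text)
    findings = []
    for key, (default, safe, fix) in CHECKS.items():
        value = cfg.get(key, default).lower()
        if value not in safe:
            findings.append((key, value, fix))
    return findings


def harden(text):
    """Copy of the config with every failing directive set explicitly: an
    existing global line is rewritten in place, a missing one is inserted
    before the first Match block so it stays global."""
    fixes = {key: fix for key, _, fix in audit(text)}
    out, in_match = [], False
    for line in text.splitlines():
        key = keyword_of(line)
        if key == "match" and not in_match:
            out.extend(fixes.values())
            fixes, in_match = {}, True
        if not in_match and key in fixes:
            out.append(fixes.pop(key))
            continue
        out.append(line)
    out.extend(fixes.values())
    return "\n".join(out) + "\n"


# Constructed sample resembling a stock file with password logins still allowed.
WEAK_CONFIG = """\
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
PermitRootLogin yes
X11Forwarding no
"""

if __name__ == "__main__":
    for key, value, fix in audit(WEAK_CONFIG):
        print(f"weak: {key} is effectively '{value}' -> set '{fix}'")
    print("--- hardened ---")
    print(harden(WEAK_CONFIG), end="")
    # Before reloading on a real host: sshd -t -f /path/to/hardened_sshd_config
```

Run `sshd -t -f` on the hardened file before reloading, and keep the current session open while you confirm a key-based login works from a second terminal. The audit checks ChallengeResponseAuthentication as well as PasswordAuthentication because, with UsePAM yes, PAM's keyboard-interactive method can still accept a password after PasswordAuthentication has been set to no; turning off only one of the two leaves the brute-force surface the answer describes in place.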