Got this on my apache log, what does this mean?

Liso (Member)

Upon checking my apache log, I found this suspicious activity.

[Thu Jan 02 13:20:25.347617 2025] [:error] [pid 20230] [client 117.72.104.80:35812] script '/var/www/index.php' not found or unable to stat
[Thu Jan 02 13:20:27.671500 2025] [:error] [pid 20230] [client 117.72.104.80:35812] script '/var/www/index.php' not found or unable to stat
[Thu Jan 02 13:20:28.453004 2025] [:error] [pid 20230] [client 117.72.104.80:35812] script '/var/www/index.php' not found or unable to stat
sh: 1: -t: not found
sh: 1: -t: not found
sh: 1: -t: not found
sh: 1: -t: not found
sh: 1: -t: not found
sh: 1: -t: not found
sh: 1: -t: not found

Is this the work of script kiddies ? Does this mean the attack failed?


Comments

  • sanvit (Member)

    https://chatgpt.com/share/67769f44-c19c-8007-8700-3c7a15adf16c

    That’s what ChatGPT is telling me at least :(

  • That surely is an attempt to attack.

  • tenji (Member)

    If it ended in an error, it might have failed. How about installing some IDS that monitors file changes?

  • Probably just random probes.

  • Try reboot

  • yoursunny (Member, IPv6 Advocate)

    Do you have any script that allows executing a system command?
    It's time to audit PHP functions like system, passthru, and popen.

  • ralf (Member)

    @Liso said:
    Upon checking my apache log, I found this suspicious activity.

    [Thu Jan 02 13:20:25.347617 2025] [:error] [pid 20230] [client 117.72.104.80:35812] script '/var/www/index.php' not found or unable to stat
    [Thu Jan 02 13:20:27.671500 2025] [:error] [pid 20230] [client 117.72.104.80:35812] script '/var/www/index.php' not found or unable to stat
    [Thu Jan 02 13:20:28.453004 2025] [:error] [pid 20230] [client 117.72.104.80:35812] script '/var/www/index.php' not found or unable to stat
    sh: 1: -t: not found
    sh: 1: -t: not found
    sh: 1: -t: not found
    sh: 1: -t: not found
    sh: 1: -t: not found
    sh: 1: -t: not found
    sh: 1: -t: not found
    

    Is this the work of script kiddies ? Does this mean the attack failed?

    Given that there's no timestamp at the start, plus the fact that the error looks like it has come from sh itself, it seems that they have found a working exploit, just not figured out yet a command to run that works.

    If I were you, I'd shut down that web server if you have others in a load balancer, check for suspicious processes / changed files and make sure everything is patched and up to date.

    If they have got as far as getting sh to run a command, they could easily have done a wget and run the downloaded file.
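
ralf's reading of the log can be checked mechanically. The block below is an added example, not code from the thread or from anyone in it. It does two things: it replays what PHP's passthru()/system()/shell_exec() do with their argument (run it through /bin/sh -c, whose stderr is the error_log because httpd points its own stderr there and the child inherits it), and it pulls the untimestamped lines out of an error_log and pairs each with the nearest preceding [client ...] entry. The "sh: 1: -t: not found" wording is dash's, i.e. Debian/Ubuntu's /bin/sh. The log excerpt is a constructed sample modelled on the post, and the client pairing is a heuristic: raw stderr lines carry no request context, so cross-check the access_log for the same timestamp window.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed error_log excerpt modelled on
# the lines in the post; IPs, pids and timestamps are sample data.
SAMPLE_LOG=$(cat <<'EOF'
[Thu Jan 02 13:20:25.347617 2025] [:error] [pid 20230] [client 117.72.104.80:35812] script '/var/www/index.php' not found or unable to stat
[Thu Jan 02 13:20:27.671500 2025] [:error] [pid 20230] [client 117.72.104.80:35812] script '/var/www/index.php' not found or unable to stat
sh: 1: -t: not found
sh: 1: -t: not found
[Thu Jan 02 13:21:02.000000 2025] [:error] [pid 20231] [client 203.0.113.7:41000] script '/var/www/xmlrpc.php' not found or unable to stat
EOF
)

# What PHP's passthru()/system()/shell_exec() do with their argument: run it
# through /bin/sh -c. The child inherits httpd's stderr, which httpd has already
# pointed at error_log, so whatever sh complains about lands there with no
# Apache prefix and no timestamp.
run_via_sh() {
  sh -c "$1" 2>&1
}

# Read an error_log on stdin; print "client-ip<TAB>line" for every line that
# lacks Apache's leading "[timestamp]". Such lines were written straight to the
# log fd by a child process and carry no request context, so the client shown is
# the most recent one seen on a properly formatted line above it. This is a
# heuristic that gets weaker the busier the server is; confirm with access_log.
stray_stderr_report() {
  awk '
    /^\[/ {
      if (match($0, /\[client [^]]+\]/)) {
        c = substr($0, RSTART + 8, RLENGTH - 9)   # e.g. "117.72.104.80:35812"
        sub(/:[0-9]+$/, "", c)                   # drop the source port
        last = c
      }
      next
    }
    /./ { printf "%s\t%s\n", (last == "" ? "unknown" : last), $0 }
  '
}

printf '%s\n' "$SAMPLE_LOG" | stray_stderr_report

# A command string whose first word is "-t" reproduces the message in the post.
# The leading space keeps sh from reading -t as one of its own options.
run_via_sh ' -t' || printf 'sh exit status %s\n' "$?"
```

Exit status 127 from sh is "command not found": the shell ran, searched PATH for a program called "-t", and gave up. That is the detail that separates this from a probe against a missing index.php, which never reaches a shell at all.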

  • yoursunny (Member, IPv6 Advocate)

    @ralf said:
    If they have got as far as getting sh to run a command, they could easily have done a wget and run the downloaded file.

    Mentally strong webmaster operations intern restricts outbound connections from the dynamic web server, so that it's impossible to download arbitrary files or make reverse shells.

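
One way to do what yoursunny describes on a Linux host, as an added example that is not from the thread: an nftables ruleset that refuses new outbound connections opened by the web server user. It assumes PHP runs inside httpd as www-data and that the only outbound connection the app legitimately needs is to a database on the loopback interface; the table and chain names are made up here.

```nft
# Added example, not from the thread. Assumes nftables on Linux, PHP running in
# httpd as the www-data user, and a database reachable only over loopback.
table inet www_egress {
    chain output {
        type filter hook output priority filter; policy accept;

        # Packets belonging to connections that clients opened to us: the web
        # server must still be able to answer requests. Keep this rule first.
        ct state established,related accept

        # The app may talk to its database/cache on the loopback interface.
        meta skuid "www-data" oif "lo" accept

        # Anything else www-data tries to open outbound (wget of a payload,
        # a reverse shell, DNS, SMTP) is refused and logged.
        meta skuid "www-data" ct state new log prefix "www-data egress: " reject with icmpx type admin-prohibited
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`. If PHP-FPM runs the pool as a different user, change the skuid match. DNS and mail from the app are blocked too, so add explicit accept rules for the exact destinations the app needs ahead of the reject. This stops the download-and-run and reverse-shell step; it does nothing against an attacker who simply keeps driving the compromised request itself, which is why the file and process checks ralf mentions still matter.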
  • Rubben (Member)

    hello sir or madam

    Sorry, it was me. I accidentally spilled an energy drink from Billa on my keyboard and I tried wiping it and somehow this happened.

    Regards

  • blorged (Member)
    edited January 2

    Your machine got owned via some very shitty php code. Time to reinstall the machine and restore data from backups. You’ll need to restore all code from somewhere trusted, and ideally don’t restore this code at all.

    It really is negligent to run php on the Internet without knowing what you’re doing.

  • Which PHP version and engine are you using? Doesn't PHP restrict what commands can be used by default?

  • yoursunny (Member, IPv6 Advocate)
    edited January 2

    @e2bs2k1 said:
    Which PHP version and engine are you using? Doesn't PHP restrict what commands can be used by default?

    passthru($_GET["a"]);
    All bets are off.

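
Two things in this thread can be turned into a script: yoursunny's advice to audit PHP functions like system, passthru and popen, and e2bs2k1's question about whether PHP restricts commands by default (it does not: php.ini-production ships with disable_functions empty). The block below is an added example, not code from the thread or from any of its posters. It greps a PHP tree for the functions that hand a string to /bin/sh, including the backtick operator, and lists which of them a given php.ini leaves enabled. It assumes GNU grep (for --include); the sample files and php.ini it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a PHP tree for the functions
# that hand a string to /bin/sh, and check which of them php.ini leaves enabled.
# Assumes GNU grep. Sample files below are constructed for the demonstration.

# PHP functions that run their argument through /bin/sh -c. The backtick
# operator behaves like shell_exec(), so it is matched separately.
PHP_SHELL_SINKS='system|passthru|exec|shell_exec|popen|proc_open|pcntl_exec'

# Print file:line:text for every call of a shell sink or backtick string under $1.
# "->exec(" and "::exec(" (methods such as PDO::exec) are deliberately skipped.
# Exit status is grep's: 0 if something was found, 1 if the tree is clean.
audit_php_sinks() {
  grep -rnE --include='*.php' --include='*.phtml' --include='*.inc' \
    -e "(^|[^A-Za-z0-9_>:\$])(${PHP_SHELL_SINKS})[[:space:]]*\(" \
    -e '`[^`]+`' \
    -- "$1"
}

# Print, one per line, the shell sinks that the php.ini given as $1 does NOT
# list in disable_functions. A missing or empty directive disables nothing,
# which is the stock php.ini-production state.
missing_from_disable_functions() {
  current=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1 | tr -d ' "')
  for fn in $(printf '%s' "$PHP_SHELL_SINKS" | tr '|' ' '); do
    case ",$current," in
      *",$fn,"*) ;;
      *) printf '%s\n' "$fn" ;;
    esac
  done
}

# Constructed sample tree: one vulnerable file, one clean file, one non-PHP file
# that must be ignored, and a php.ini with the stock empty directive.
# Prints the directory path.
make_sample_tree() {
  d=$(mktemp -d)
  cat > "$d/index.php" <<'EOF'
<?php
passthru($_GET["a"]);          // the one-liner from the thread
$listing = `ls $dir`;          // backtick operator, same as shell_exec()
$pdo->exec("DELETE FROM log"); // a method, not the builtin: not reported
EOF
  cat > "$d/safe.php" <<'EOF'
<?php
echo htmlspecialchars($_GET["a"]);
EOF
  printf 'system("id");\n' > "$d/notes.txt"
  printf 'disable_functions =\n' > "$d/php.ini"
  printf '%s\n' "$d"
}

sample=$(make_sample_tree)
echo "== shell sinks under $sample =="
audit_php_sinks "$sample"
echo "== sinks still enabled by $sample/php.ini =="
missing_from_disable_functions "$sample/php.ini"
rm -r "$sample"
```

Point audit_php_sinks at the real webroot and read every hit: a sink fed anything derived from a request is the bug blorged is talking about. disable_functions is a backstop for the code you have not read yet; it is per-function, not per-command, so leaving even one of these enabled leaves a path to /bin/sh.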
  • Liso (Member)

    For the background: I run a php webapp serving my surrounding community in which they each have an account on the webapp.

    @ralf said:

    @Liso said:
    Upon checking my apache log, I found this suspicious activity.

    [Thu Jan 02 13:20:25.347617 2025] [:error] [pid 20230] [client 117.72.104.80:35812] script '/var/www/index.php' not found or unable to stat
    [Thu Jan 02 13:20:27.671500 2025] [:error] [pid 20230] [client 117.72.104.80:35812] script '/var/www/index.php' not found or unable to stat
    [Thu Jan 02 13:20:28.453004 2025] [:error] [pid 20230] [client 117.72.104.80:35812] script '/var/www/index.php' not found or unable to stat
    sh: 1: -t: not found
    sh: 1: -t: not found
    sh: 1: -t: not found
    sh: 1: -t: not found
    sh: 1: -t: not found
    sh: 1: -t: not found
    sh: 1: -t: not found
    

    Is this the work of script kiddies ? Does this mean the attack failed?

    Given that there's no timestamp at the start, plus the fact that the error looks like it has come from sh itself, it seems that they have found a working exploit, just not figured out yet a command to run that works.

    If I were you, I'd shut down that web server if you have others in a load balancer, check for suspicious processes / changed files and make sure everything is patched and up to date.

    If they have got as far as getting sh to run a command, they could easily have done a wget and run the downloaded file.

    Yeah, I usually just ignore the "not found or unable to stat" errors as implying the action of script kiddies, but today I happened to encounter the sh line, which is telling me they have successfully run a script or something within the shell.

    @blorged said:
    Your machine got owned via some very shitty php code. Time to reinstall the machine and restore data from backups. You’ll need to restore all code from somewhere trusted, and ideally don’t restore this code at all.

    It really is negligent to run php on the Internet without knowing what you’re doing.

    I'm sorry for not telling the details, it is a php webapp facing the internet, so it is pretty common to see php attack like this.

    [Thu Jan 02 13:20:28.453004 2025] [:error] [pid 20230] [client 117.72.104.80:35812] script '/var/www/index.php' not found or unable to stat
    

    But I wouldn't expect them to have successfully fired up a shell command as the log implies. I take it that the command is executed as www-data, yeah? How did they manage to do it?

  • blorged (Member)
    edited January 2

    It’s clear.
