New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Got this on my apache log, what does this mean?
Upon checking my apache log, I found this suspicious activity.
[Thu Jan 02 13:20:25.347617 2025] [:error] [pid 20230] [client 117.72.104.80:35812] script '/var/www/index.php' not found or unable to stat
[Thu Jan 02 13:20:27.671500 2025] [:error] [pid 20230] [client 117.72.104.80:35812] script '/var/www/index.php' not found or unable to stat
[Thu Jan 02 13:20:28.453004 2025] [:error] [pid 20230] [client 117.72.104.80:35812] script '/var/www/index.php' not found or unable to stat
sh: 1: -t: not found
sh: 1: -t: not found
sh: 1: -t: not found
sh: 1: -t: not found
sh: 1: -t: not found
sh: 1: -t: not found
sh: 1: -t: not found
Is this the work of script kiddies? Does this mean the attack failed?
Comments
https://chatgpt.com/share/67769f44-c19c-8007-8700-3c7a15adf16c
That’s what ChatGPT is telling me at least
That surely is an attempt to attack.
If it ended in error, it might have failed. How about you install some IDS that monitors file changes?
Probably just random probes.
Try reboot
Do you have any script that allows executing a system command?
It's time to audit PHP functions like system, passthru, and popen.
Given that there's no timestamp at the start, and that it looks like the error has come from sh itself, it seems that they have found a working exploit, just not figured out yet a command to run that works. If I were you, I'd shut down that web server if you have others in a load balancer, check for suspicious processes / changed files and make sure everything is patched and up to date.
If they have got as far as getting sh to run a command, they could easily have done a wget and run the downloaded file.
Mentally strong webmaster operations intern restricts outbound connections from the dynamic web server, so that it's impossible to download arbitrary files or make reverse shells.
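A defender-side check for the pattern the comments above describe (bare sh: lines with no Apache timestamp prefix appearing in error_log), added here as an example and not taken from the thread. It assumes an Apache 2.4 style error_log into which a spawned shell's stderr is written inline; the sample log is constructed, and tying each bare line to the preceding Apache entry is a heuristic to confirm against access_log.

```python
import re

# Constructed sample modelled on the excerpt posted in the thread: normal
# Apache entries, then bare lines written to stderr by a spawned /bin/sh
# (no Apache prefix, because they never went through Apache's logger),
# then a later entry from a different client.
SAMPLE_LOG = """\
[Thu Jan 02 13:20:25.347617 2025] [:error] [pid 20230] [client 117.72.104.80:35812] script '/var/www/index.php' not found or unable to stat
[Thu Jan 02 13:20:27.671500 2025] [:error] [pid 20230] [client 117.72.104.80:35812] script '/var/www/index.php' not found or unable to stat
sh: 1: -t: not found
sh: 1: -t: not found
[Thu Jan 02 13:21:02.000000 2025] [:error] [pid 20231] [client 198.51.100.7:41000] script '/var/www/wp-login.php' not found or unable to stat
"""

# Apache 2.4 error_log prefix: [timestamp] [module:level] [pid N] [client ip:port]
APACHE_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<modlevel>[^\]]*)\] \[pid (?P<pid>\d+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
# Bare shell diagnostics as written by sh/dash/bash when a command fails.
SHELL_STDERR = re.compile(
    r"^(?:sh|dash|bash): (?:\d+: )?.*(?:not found|Permission denied|Syntax error)"
)


def scan_error_log(text):
    """Walk the log once. Every Apache-formatted line updates the current
    request context; any bare line that looks like shell stderr is reported
    and attributed to that context. The attribution is a heuristic (stderr
    of a child process carries no request data), so treat pid/client as a
    lead to confirm against access_log, not as proof."""
    findings = []
    context = {"pid": None, "client": None}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = APACHE_LINE.match(line)
        if m:
            context = {"pid": m.group("pid"), "client": m.group("client")}
        elif SHELL_STDERR.match(line):
            findings.append({"line": lineno, "text": line, **context})
    return findings


def suspect_clients(findings):
    """Distinct client addresses heuristically tied to shell stderr lines."""
    return sorted({f["client"] for f in findings if f["client"]})


if __name__ == "__main__":
    for f in scan_error_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['text']!r} (after pid {f['pid']}, client {f['client']})")
```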
Hello sir or madam,
Sorry, it was me. I accidentally spilled energy drink from Billa on my keyboard and I tried wiping it and somehow this happened.
Regards
Your machine got owned via some very shitty php code. Time to reinstall the machine and restore data from backups. You’ll need to restore all code from somewhere trusted, and ideally don’t restore this code at all.
It really is negligent to run php on the Internet without knowing what you’re doing.
Which php version and engine are you using? Doesn't php restrict which commands can be used by default?
passthru($_GET["a"]);
All bets are off.
For the background: I run a php webapp serving my surrounding community in which they each have an account on the webapp.
Yeah, I usually just ignore the "not found or unable to stat" error as implying the action of script kiddies, but today I happened to encounter the sh line, which is telling me they have successfully run a script or something within the shell. I'm sorry for not telling the details; it is a php webapp facing the internet, so it is pretty common to see php attacks like this.
But I wouldn't expect them to have successfully fired up a shell command as the log implies. I take it that the command is executed as www-data, yeah? How did they manage to do it?
It’s clear.