How do I handle this scan attack?

I’m pretty much a newbie at this so hoping I can get some help.

While randomly looking through my swag/nginx access log, I saw this, on a handful of my subdomains:

10.0.0.2 [27/Feb/2022:02:23:05 -0600]"GET /shell4.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:23:11 -0600]"GET /ups.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:23:19 -0600]"GET /ru.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:24 -0600]"GET /if.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:24 -0600]"GET /vuln.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:24 -0600]"GET /fw.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:23:26 -0600]"GET /skipper.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:23:26 -0600]"GET /skippershell.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:23:36 -0600]"GET /tttt.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:23:41 -0600]"GET /tshop.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:57 -0600]"GET /alfa.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:58 -0600]"GET /shell.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:58 -0600]"GET /inje3ctor.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:01 -0600]"GET /saudi.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:18 -0600]"GET /wso.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:20 -0600]"GET /alfashell.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:22 -0600]"GET /my_alfa.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:37 -0600]"GET /uploader.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:44 -0600]"GET /up.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:58 -0600]"GET /hacked.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:59 -0600]"GET /c99.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001" "0.010"
10.0.0.2 [27/Feb/2022:02:25:05 -0600]"GET /priv8.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:06 -0600]"GET /Navir.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:16 -0600]"GET /cmd13.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:25:18 -0600]"GET /inc20k1.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:19 -0600]"GET /1index.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:23 -0600]"GET /404.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:25 -0600]"GET /swm.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:29 -0600]"GET /wp.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:25:39 -0600]"GET /doc.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:25:41 -0600]"GET /shx.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001" "0.010"
10.0.0.2 [27/Feb/2022:02:25:47 -0600]"GET /ws.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:25:48 -0600]"GET /m.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:55 -0600]"GET /edit-form.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:57 -0600]"GET /LEAF.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:57 -0600]"GET /leafmailer.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:26:01 -0600]"GET /mailer.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:26:13 -0600]"GET /leafmailer2.8.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:26:25 -0600]"GET /Leaf.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:26:34 -0600]"GET /leaf.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:26:43 -0600]"GET /priv8.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:26:59 -0600]"GET /owl.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:27:16 -0600]"GET /1.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.003"

It appears they’re using some sort of scan bot to see if any known vulnerable pages exist on the server. Fortunately, they all ended in 404.

How can I prevent this? My uneducated guess is to use the fail2ban feature, but I really have NO idea what to enter into it to stop this specific type of attack.

And also, being inside a container, would it work anyway, since it shows the IP as all coming from one of the IPs of my docker network?

Can anyone help?


You are right! This is the perfect job for fail2ban, which as you know is installed in the SWAG container.
You do not have to come up with a regex for those lines, since you are a newbie, but a simple web search suggests possible filters, e.g.:

Once you get the filter saved to a file, I strongly encourage you to test it out using the fail2ban-regex command to verify that everything goes according to plan, depending on your threat model and.
If you are the only user in your system you can easily unban yourself if the regex triggers too often, but if you have many users you should really test this out before deploying the new jail.

Then, follow the tutorial and teach your fail2ban daemon to patrol the NGINX access.log logfile for repeated 404 errors.
Remember to restart your service and test such changes from an IP which is not whitelisted.

Good luck! Cheers.

EDIT: with respect to the source IP, I’m not sure I understand… in my SWAG container I get real source IPs, not a private 10.x.x.x IP over and over again. Maybe someone else can comment on that.


@piramiday TYVM for the help. I got it installed, but haven’t tested it yet. The IP thing is what, again, is making me wonder if it’ll work.

Every single IP in my nginx access log is the same one, which is an IP given to the container by docker. I have the same IP issue when using something like Pi-hole or AdGuard; they can only show me stats by which container names connected, rather than any individual actual external IP. It’s been pretty frustrating. I don’t know how to fix that.

I’ve added another post (here) if it helps?
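As an added example, not code from this thread and not part of SWAG or fail2ban: the Python script below replays the rule the reply describes (repeated 404s from one client inside a short window, the same maxretry/findtime idea a fail2ban jail uses) over lines in the shape quoted in the question, and then applies the caveat from the IP discussion by reporting when the only address it could ban is a private Docker-network address. The regex assumes exactly the log shape shown in the question, the sample lines are constructed (the scan paths are borrowed from the excerpt, 203.0.113.7 is a TEST-NET documentation address standing in for a normal client), and the thresholds are hypothetical rather than any jail's defaults.

```python
"""Added example: replay the repeated-404 logic of a fail2ban jail over access-log
lines in the shape quoted in the thread, then check whether the flagged address is
a private Docker-network IP (the follow-up post's situation), where a ban would
apply to every request the proxy forwards rather than to the scanner behind it."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed log shape, copied from the excerpt in the question:
#   <ip> [<time>]"<method> <path> <proto>" <status> <host> "<user-agent>""<elapsed>"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\]\s*"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<host>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# RFC 1918 and loopback ranges: a client address in one of these means the proxy
# is logging its own Docker network, not the real remote address.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_line(line):
    """Return ip/time/method/path/status/host for one line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, maxretry=10, findtime=600):
    """fail2ban-style rule: an IP with >= maxretry 404s inside any findtime-second window
    is flagged. Returns {ip: {"count", "first", "last", "paths"}} for the window that tripped."""
    window_len = timedelta(seconds=findtime)
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            hits[rec["ip"]].append((rec["time"], rec["path"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside findtime
            while events[end][0] - events[start][0] > window_len:
                start += 1
            if end - start + 1 >= maxretry:
                window = events[start:end + 1]
                flagged[ip] = {"count": len(window), "first": window[0][0],
                               "last": window[-1][0], "paths": [p for _, p in window]}
                break
    return flagged


def is_internal(ip):
    """True for Docker-network/loopback addresses, where a ban would hit all proxied traffic."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(lines, **jail):
    """Combine both checks: list of (ip, count, verdict) for every flagged address."""
    out = []
    for ip, info in find_scanners(lines, **jail).items():
        verdict = ("internal address: fix real-IP logging before banning"
                   if is_internal(ip) else "ban candidate")
        out.append((ip, info["count"], verdict))
    return out


# ---- constructed sample input (same shape as the thread's excerpt, not real traffic) ----
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36")
BASE = datetime(2022, 2, 27, 2, 23, 5, tzinfo=timezone(timedelta(hours=-6)))


def make_line(ip, when, path, status, host="gotify.my.domain"):
    return f'{ip} [{when.strftime(TIME_FMT)}]"GET {path} HTTP/2.0" {status} {host} "{UA}""0.001"'


SCAN_PATHS = ["/shell4.php", "/ups.php", "/ru.php", "/if.php", "/vuln.php", "/fw.php",
              "/skipper.php", "/tttt.php", "/alfa.php", "/shell.php", "/wso.php", "/up.php"]
SAMPLE_LOG = [make_line("10.0.0.2", BASE + timedelta(seconds=8 * i), p, 404)
              for i, p in enumerate(SCAN_PATHS)]
# 203.0.113.7 is a TEST-NET documentation address standing in for a normal public client.
SAMPLE_LOG += [make_line("203.0.113.7", BASE + timedelta(seconds=30), "/", 200),
               make_line("203.0.113.7", BASE + timedelta(minutes=2), "/favicon.ico", 404)]

if __name__ == "__main__":
    for ip, count, verdict in triage(SAMPLE_LOG):
        print(f"{ip}: {count} x 404 -> {verdict}")
```

Running it as-is flags 10.0.0.2 after ten 404s and reports it as an internal address. That is the point of the IP discussion above: when every line carries the Docker-network address, a jail on this log can only ever ban that one address, and the ban would then apply to every request arriving through it, so getting the real client address into the log comes before tuning the jail.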