I’m pretty much a newbie at this so hoping I can get some help.
While randomly looking through my swag/nginx access log, I saw this, on a handful of my subdomains:
10.0.0.2 [27/Feb/2022:02:23:05 -0600]"GET /shell4.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:23:11 -0600]"GET /ups.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:23:19 -0600]"GET /ru.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:24 -0600]"GET /if.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:24 -0600]"GET /vuln.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:24 -0600]"GET /fw.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:23:26 -0600]"GET /skipper.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:23:26 -0600]"GET /skippershell.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:23:36 -0600]"GET /tttt.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:23:41 -0600]"GET /tshop.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:57 -0600]"GET /alfa.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:58 -0600]"GET /shell.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:23:58 -0600]"GET /inje3ctor.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:01 -0600]"GET /saudi.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:18 -0600]"GET /wso.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:20 -0600]"GET /alfashell.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:22 -0600]"GET /my_alfa.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:37 -0600]"GET /uploader.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:44 -0600]"GET /up.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:58 -0600]"GET /hacked.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:24:59 -0600]"GET /c99.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001" "0.010"
10.0.0.2 [27/Feb/2022:02:25:05 -0600]"GET /priv8.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:06 -0600]"GET /Navir.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:16 -0600]"GET /cmd13.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:25:18 -0600]"GET /inc20k1.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:19 -0600]"GET /1index.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:23 -0600]"GET /404.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:25 -0600]"GET /swm.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:29 -0600]"GET /wp.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:25:39 -0600]"GET /doc.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:25:41 -0600]"GET /shx.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001" "0.010"
10.0.0.2 [27/Feb/2022:02:25:47 -0600]"GET /ws.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:25:48 -0600]"GET /m.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:55 -0600]"GET /edit-form.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:57 -0600]"GET /LEAF.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:25:57 -0600]"GET /leafmailer.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:26:01 -0600]"GET /mailer.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.001"
10.0.0.2 [27/Feb/2022:02:26:13 -0600]"GET /leafmailer2.8.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:26:25 -0600]"GET /Leaf.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:26:34 -0600]"GET /leaf.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.002"
10.0.0.2 [27/Feb/2022:02:26:43 -0600]"GET /priv8.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:26:59 -0600]"GET /owl.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.000"
10.0.0.2 [27/Feb/2022:02:27:16 -0600]"GET /1.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36""0.003"
It appears they’re using some sort of scan bot to see if any known vulnerable pages exist on the server. Fortunately, they all ended in 404.
How can I prevent this? My uneducated guess is to use the fail2ban feature, but I really have NO idea what to enter into it to stop this specific type of attack.
And also, being inside a container, would it work anyway, since it shows the IP as all coming from one of the IPs of my docker network?
Can anyone help?
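Added example, not from the post and not swag's or fail2ban's own code: a small Python detector that parses lines in the log layout quoted above, flags any source that racks up more than `maxretry` 404s inside a `findtime`-second window (the same two knobs a fail2ban jail uses), and checks whether the flagged address is an RFC 1918 address such as the Docker network in the post, in which case banning it would block the proxy itself and the reverse proxy first has to log the real client address. The sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the swag/nginx layout quoted in the post (made-up lines,
# not the poster's log; user agent shortened so the lines stay readable).
SAMPLE_LOG = """\
10.0.0.2 [27/Feb/2022:02:23:05 -0600]"GET /shell4.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0""0.002"
10.0.0.2 [27/Feb/2022:02:23:11 -0600]"GET /ups.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0""0.002"
10.0.0.2 [27/Feb/2022:02:23:19 -0600]"GET /ru.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0""0.001"
10.0.0.2 [27/Feb/2022:02:23:24 -0600]"GET /if.php HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0""0.001"
203.0.113.7 [27/Feb/2022:02:40:00 -0600]"GET /favicon.ico HTTP/2.0" 404 gotify.my.domain "Mozilla/5.0""0.001"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\]"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Pull client address, timestamp, path and status out of one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "path": m.group("path"), "status": int(m.group("status"))}

def find_scanners(log_text, maxretry=3, findtime=600):
    """Flag sources with more than maxretry 404s in any findtime-second window; returns {ip: total 404s}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 > maxretry:
                flagged[ip] = len(times)
                break
    return flagged

def is_internal(ip):
    """RFC 1918 source: behind a Docker proxy this is the container network, so a ban would hit the proxy."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)
```

A source flagged by `find_scanners` is only worth banning when `is_internal` is false; otherwise the proxy is hiding the client and its logging (real client address) needs fixing before any fail2ban jail can help.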