
I'm running a PHP application with a user management system called userspice. It basically allows you to include the userspice PHP file and then control access to a certain PHP page.

As I had seen some spikes in my log management for 404 requests, I got curious and decided to look at the Apache logs directly.

I found a couple of suspicious HTTP requests in my access.log. There are POST and GET requests, coming from a Russian IP:

45.146.165.157 - - [24/Mar/2021:13:59:19 +0100] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 302 30929 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.157 - - [24/Mar/2021:13:59:19 +0100] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 302 31045 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.157 - - [24/Mar/2021:13:59:20 +0100] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 3660 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.157 - - [24/Mar/2021:13:59:20 +0100] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 3660 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.157 - - [24/Mar/2021:13:59:21 +0100] "POST /api/jsonws/invoke HTTP/1.1" 404 3660 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.157 - - [24/Mar/2021:13:59:22 +0100] "POST /mifs/.;/services/LogService HTTP/1.1" 404 3660 "https://194.191.321.193:443" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.157 - - [24/Mar/2021:13:59:23 +0100] "GET /console/ HTTP/1.1" 404 3660 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.157 - - [24/Mar/2021:13:59:27 +0100] "GET /_ignition/execute-solution HTTP/1.1" 404 3660 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.157 - - [24/Mar/2021:13:59:28 +0100] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 404 3660 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.157 - - [24/Mar/2021:13:59:28 +0100] "GET /users/login.php?dest=index.php&redirect=https%3A%2F%2F194.191.321.193%3A443%2Findex.php%3Fs%3D%2FIndex%2F%5Cthink%5Capp%2Finvokefunction%26function%3Dcall_user_func_array%26vars%5B0%5D%3Dmd5%26vars%5B1%5D%5B%5D%3DHelloThinkPHP21 HTTP/1.1" 200 10621 "https://194.191.321.193:443/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.157 - - [24/Mar/2021:13:59:29 +0100] "GET /users/login.php?dest=index.php&redirect=https%3A%2F%2F194.191.321.193%3A443%2F%3FXDEBUG_SESSION_START%3Dphpstorm HTTP/1.1" 200 10577 "https://194.191.321.193:443/?XDEBUG_SESSION_START=phpstorm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.157 - - [24/Mar/2021:13:59:29 +0100] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 404 3660 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

(I changed the last two blocks of the redirecting IP starting with 194xxxxx to hide my service/website; the datadog line is )

These seem to me like somebody wants to run their own PHP code on my website and probably get a reverse connection out of it. Most of the requests didn't go through (code 404), but I'm still wondering what's behind it.

I tried the requests out myself and didn't get much output, just redirects to the index site...

Maybe someone knows what's going on?

Thanks for your help, just tell me if you need more information.

  • Normal noise on the internet. Happens to every publicly accessible server. Nothing to worry about as long as your site is not vulnerable to any of these attempts. Does this answer your question? [Why am I getting strange HTTP requests for non-existing pages?](https://security.stackexchange.com/questions/82596/why-am-i-getting-strange-http-requests-for-non-existing-pages) – Steffen Ullrich Mar 24 '21 at 17:35
  • Some software does stuff when you access these addresses. Someone on the Internet wants to know whether you have that software installed on your server. – user253751 Mar 24 '21 at 17:38
  • Yeah, I think so, thank you. – Dinn Arbieri Mar 24 '21 at 17:50

1 Answer

There were times that this would be a reason to investigate (20-25 years ago). At some point in time, it became so common that I put up a static page with insults at http://<my ip address>/phpmyadmin. Now, it is just something you need to learn to live with.

These are more or less standard attacks on badly configured (or still default-configured) servers. It is more or less considered a simple probe to see if you have taken any security measures at all. If you have, they'll move on to the next server, only to be followed by the next script kid that discovered nikto or something like that. It is the background noise that you have to suffer.

This is the reason why many owners of web servers do a simple pentest on their web site. Running such a simple scan from time to time with updated tools will keep you reasonably safe from this kind of script kiddie.

Now, if your logging suggests that the attacks really get out of hand, that would mean some investigation. But with a low-key personal website on a Pi at home in my cupboard that I fondly call "MER" or "entry room", I get such scans about once every 5 or 10 seconds. If you're in that kind of numbers, you should not worry too much.

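An added example, not part of the question or the answer: a small Python script that parses Apache combined-format lines like the ones in the question and tallies, per source IP, how many requests hit well-known scanner probe paths and how many came back 404. A single IP walking several unrelated probe paths within seconds is the signature of the mass scanning the answer describes. The sample log lines are constructed, modelled on the question's log, and the probe marker list is an assumption drawn from the paths seen there.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Substrings marking the scanner probes seen in the question's log (assumed list):
# PHPUnit eval-stdin, ThinkPHP invokefunction, Laravel Ignition, the Xdebug trigger, etc.
PROBE_MARKERS = (
    "eval-stdin.php", "/invokefunction", "_ignition/execute-solution",
    "XDEBUG_SESSION_START", "/api/jsonws/invoke", "/Autodiscover/Autodiscover.xml",
    "wp-file-manager", "/console/", "/mifs/",
)

# Constructed sample lines in the same format as the question's access.log
SAMPLE_LOG = [
    '45.146.165.157 - - [24/Mar/2021:13:59:19 +0100] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 302 30929 "-" "Mozilla/5.0"',
    '45.146.165.157 - - [24/Mar/2021:13:59:20 +0100] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 3660 "-" "Mozilla/5.0"',
    '45.146.165.157 - - [24/Mar/2021:13:59:27 +0100] "GET /_ignition/execute-solution HTTP/1.1" 404 3660 "-" "Mozilla/5.0"',
    '45.146.165.157 - - [24/Mar/2021:13:59:29 +0100] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 404 3660 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Mar/2021:14:02:01 +0100] "GET /users/login.php HTTP/1.1" 200 10577 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_probe(path):
    return any(marker.lower() in path.lower() for marker in PROBE_MARKERS)

def summarize(lines):
    """Per source IP: total requests, probe hits, 404 responses and the distinct probe paths."""
    stats = defaultdict(lambda: {"total": 0, "probes": 0, "not_found": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than crash on log corruption
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"] == "404":
            s["not_found"] += 1
        if is_probe(rec["path"]):
            s["probes"] += 1
            s["paths"].add(rec["path"])
    return dict(stats)

def scanner_ips(stats, min_distinct_probes=3):
    """IPs that touched at least min_distinct_probes different probe paths: mass scanners."""
    return sorted(ip for ip, s in stats.items() if len(s["paths"]) >= min_distinct_probes)

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["total"], "requests,", s["probes"], "probes,", s["not_found"], "x 404")
    print("likely scanners:", scanner_ips(summarize(SAMPLE_LOG)))
```

Feed it your real access.log with `summarize(open("/var/log/apache2/access.log"))` and compare the probe paths against what is actually installed; the answer's point stands only while none of them resolve to real code on the server.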