dpeca wrote: ↑Sun Sep 30, 2018 6:41 pm
OK, please check.
I just checked two compromised servers; they have the new version of api.php.
I was wrong. The new version did not have these codes.
In addition, I looked at the nginx-access.log, and some records look suspicious to me.
118.139.177.119 - - [25/Jun/2018:13:49:41 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
149.202.38.124 - - [25/Jun/2018:23:42:08 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
27.153.182.98 - - [26/Jun/2018:10:49:08 +0200] QUIT "400" 166 "-" "-" "-"
193.70.85.110 - - [30/Jun/2018:18:25:43 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
5.8.18.77 - - [30/Jun/2018:20:08:54 +0200] \x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr "400" 166 "-" "-" "-"
193.70.85.110 - - [01/Jul/2018:08:04:33 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
5.135.150.73 - - [16/Jul/2018:20:44:45 +0200] GET /Blog/wp-login.php HTTP/1.1 "302" 154 "-" "Python-urllib/2.6" "-"
5.135.150.73 - - [16/Jul/2018:20:44:47 +0200] GET /Blog/wp-login.php HTTP/1.1 "404" 1254 "-" "Python-urllib/2.6" "-"
185.209.0.23 - - [16/Jul/2018:21:42:54 +0200] \x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr "400" 166 "-" "-" "-"
71.6.135.131 - - [17/Jul/2018:00:11:29 +0200] GET / HTTP/1.1 "302" 5 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"
71.6.135.131 - - [17/Jul/2018:00:11:29 +0200] GET /login/ HTTP/1.1 "200" 4152 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"
71.6.135.131 - - [17/Jul/2018:00:11:31 +0200] "400" 0 "-" "-" "-"
71.6.135.131 - - [17/Jul/2018:00:11:32 +0200] "400" 0 "-" "-" "-"
71.6.135.131 - - [17/Jul/2018:00:11:33 +0200] "400" 0 "-" "-" "-"
71.6.135.131 - - [17/Jul/2018:00:11:34 +0200] "400" 0 "-" "-" "-"
71.6.135.131 - - [17/Jul/2018:00:11:38 +0200] quit "400" 166 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:14:13:53 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:14:13:54 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:14:13:55 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:18:43:19 +0200] GET / HTTP/1.1 "302" 154 "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1" "-"
103.63.2.223 - - [23/Aug/2018:18:43:26 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:18:43:27 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:18:43:27 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
78.128.112.22 - - [26/Sep/2018:06:38:11 +0200] \x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr "400" 166 "-" "-" "-"
193.70.85.110 - - [26/Sep/2018:15:36:30 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
5.101.40.34 - - [26/Sep/2018:20:44:10 +0200] \x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr "400" 166 "-" "-" "-"
118.139.177.119 - - [27/Sep/2018:13:06:34 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
80.82.77.67 - - [27/Sep/2018:23:30:58 +0200] \x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr "400" 166 "-" "-" "-"
118.139.177.119 - - [28/Sep/2018:10:08:26 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
80.82.77.33 - - [28/Sep/2018:20:01:59 +0200] GET / HTTP/1.1 "502" 568 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"
80.82.77.33 - - [28/Sep/2018:20:02:00 +0200] "400" 0 "-" "-" "-"
80.82.77.33 - - [28/Sep/2018:20:02:00 +0200] "400" 0 "-" "-" "-"
80.82.77.33 - - [28/Sep/2018:20:02:00 +0200] "400" 0 "-" "-" "-"
80.82.77.33 - - [28/Sep/2018:20:02:00 +0200] "400" 0 "-" "-" "-"
80.82.77.33 - - [28/Sep/2018:20:02:03 +0200] quit "400" 166 "-" "-" "-"
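The records above are the kind of background internet noise every public web server collects, and sorting them from real post-compromise activity is the first triage step. As an added example (my own code, not from the poster or from the project), here is a small Python parser for the nginx log shape shown above. It assumes the same custom log_format as the excerpt (request line not quoted, then quoted status, then bytes, referer, user agent and a final field) and works on a constructed sample built from the shape of those lines; the rule labels are mine and only flag well-known scanner patterns that appear in the excerpt (DFind's w00tw00t path, RDP handshakes containing mstshash sent to the HTTP port, CONNECT open-proxy checks, wp-login.php probing, and empty or QUIT requests).

```python
import re
from collections import Counter

# Constructed sample in the shape of the nginx-access.log excerpt above.
# The "\x03..." bytes are kept as the literal escapes nginx writes.
SAMPLE_LOG = r"""118.139.177.119 - - [25/Jun/2018:13:49:41 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
27.153.182.98 - - [26/Jun/2018:10:49:08 +0200] QUIT "400" 166 "-" "-" "-"
5.8.18.77 - - [30/Jun/2018:20:08:54 +0200] \x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr "400" 166 "-" "-" "-"
5.135.150.73 - - [16/Jul/2018:20:44:45 +0200] GET /Blog/wp-login.php HTTP/1.1 "302" 154 "-" "Python-urllib/2.6" "-"
71.6.135.131 - - [17/Jul/2018:00:11:29 +0200] GET /login/ HTTP/1.1 "200" 4152 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"
71.6.135.131 - - [17/Jul/2018:00:11:31 +0200] "400" 0 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:14:13:53 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
"""

# Assumed log_format (matches the excerpt): the request line is NOT quoted,
# may be empty, and may contain raw escaped bytes; everything after it is
# quoted status, byte count, then three quoted fields.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'(?:(?P<request>.*) )?"(?P<status>\d{3})" (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<extra>[^"]*)"$'
)

# Scanner signatures seen in the excerpt; order matters (first match wins).
RULES = [
    ("DFind scanner probe (w00tw00t)", lambda r: "w00tw00t" in r["request"]),
    ("RDP handshake sent to the HTTP port (mstshash)", lambda r: "mstshash=" in r["request"]),
    ("open-proxy check (CONNECT)", lambda r: r["request"].startswith("CONNECT ")),
    ("WordPress login probe", lambda r: "wp-login.php" in r["request"]),
    ("empty or non-HTTP request", lambda r: r["request"] == "" or r["request"].lower() == "quit"),
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not fit the format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["request"] = rec["request"] or ""   # empty request lines are real (see excerpt)
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def classify(rec):
    """Return the first matching scanner label, or 'unremarkable'."""
    for label, pred in RULES:
        if pred(rec):
            return label
    return "unremarkable"


def triage(log_text):
    """Label every line and count flagged hits per source IP."""
    labelled = []
    per_ip = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            labelled.append({"raw": line, "label": "unparsed"})
            continue
        rec["label"] = classify(rec)
        labelled.append(rec)
        if rec["label"] != "unremarkable":
            per_ip[rec["ip"]] += 1
    return labelled, per_ip


if __name__ == "__main__":
    records, counts = triage(SAMPLE_LOG)
    for r in records:
        print(f'{r.get("ip", "?"):16} {r["label"]:45} {r.get("request", r.get("raw"))[:40]}')
    print("flagged hits per IP:", dict(counts))
```

Worth keeping in mind when reading the output: every flagged line in the excerpt carries status 400 with a tiny response, which is nginx itself rejecting a malformed request, so those probes never reached api.php or any PHP at all. They say something about who is scanning the host, not about how it was compromised; the 200 and 302 responses from real application paths are the lines worth correlating with the timestamps of the api.php change.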