(minipost) Analyzing my webserver's logs


So today I was a little bit bored, and I did what any normal person would do: I started playing with journald, specifically my website's logs. Unfortunately I only moved my server to another VPS a little more than a month ago, so there aren't that many logs yet. But I still found some Moderately Amusing Stuff™.

I had to filter some of the logs out, so I wrote this beauty:

blacklist = [...]  # substrings that mark a line as noise; the actual list is elided here
# the file names are placeholders, the originals aren't given in the post
with open('journal.log') as logfile, open('filtered.log', 'w') as outfile:
    for line in logfile:
        blacklisted = False
        for string in blacklist:
            blacklisted |= string in line   # bitwise OR on bools: a sticky "matched" flag
        blacklisted |= line[:4] != '2019'  # also drop lines not starting with a 2019 timestamp
        if not blacklisted:
            outfile.write(line)

Yes, Python has bitwise assignment operators. Don't @ me.

Also, 24 people (or bots, more likely) tried to do SQL injection, which surprisingly didn't work. More interestingly, two people tried to exploit an RCE vulnerability in ThinkPHP (which, for the record, I don't even use) to download an executable. I got really excited and wanted to analyze the malware, but unfortunately the sites hosting it were already offline. Perhaps I can find another sample somewhere online.

The Alibaba Security Team has a pretty good writeup on the malware, which is apparently a cryptocurrency miner (XMRig). It's actually pretty cool because it uses four other exploits to spread. The exploits are all from 2017 though, so if you get hacked by this thing you deserve it to be honest.

Paulkimayong from Juniper Threat Labs has a more detailed writeup describing exactly how the malware works.

Apart from that there are of course a couple of crawlers, one of which, Bytespider, apparently doesn't respect robots.txt. Dick move. And the usual script kiddies trying to hack my /wp-login.php, which shockingly does not exist on a Django website. I had hoped for more weird stuff, but the ThinkPHP vuln was pretty entertaining.
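For anyone who wants to do the same triage on their own logs, here is a small classifier, added as an example and not the author's script or anything from the post. It parses access log lines in the nginx/Apache "combined" format (the post works on journald output, so that layout is an assumption), tags the SQL injection, ThinkPHP invokefunction and wp-login probes mentioned above, counts crawler hits by User-Agent, and checks every crawler request against the site's robots.txt with the standard library's robotparser. The sample log lines, the robots.txt, the crawler User-Agent strings and the shape of the ThinkPHP request are all constructed for this example; only the substring `invokefunction`/`call_user_func_array` is the well-known signature of ThinkPHP 5 RCE scanning, and nothing here reproduces a payload.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus
from urllib.robotparser import RobotFileParser

# Constructed sample lines in "combined" log format (made up for this example,
# not taken from the author's server). Addresses are from the 203.0.113.0/24
# documentation range.
SAMPLE_LOG = r'''
203.0.113.10 - - [03/Feb/2019:10:12:01 +0000] "GET /?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [03/Feb/2019:10:15:43 +0000] "GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.12 - - [03/Feb/2019:10:20:07 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.13 - - [03/Feb/2019:10:25:30 +0000] "GET /admin/reports HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Bytespider; spider-feedback@bytedance.com)"
203.0.113.13 - - [03/Feb/2019:10:25:31 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "Mozilla/5.0 (compatible; Bytespider; spider-feedback@bytedance.com)"
203.0.113.14 - - [03/Feb/2019:10:30:00 +0000] "GET /about/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.15 - - [03/Feb/2019:10:31:12 +0000] "GET /search/?q=a%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1" 200 300 "-" "curl/7.64.0"
'''.strip().splitlines()

# Constructed robots.txt for the site being analysed (an assumption).
ROBOTS_TXT = """
User-agent: *
Disallow: /admin/
""".strip().splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Crude but serviceable SQL injection heuristics, applied to the URL-decoded path.
SQLI_RE = re.compile(r"('\s*(or|and)\s|\bunion\s+select\b|\bsleep\s*\(|information_schema)", re.I)
# Signature of ThinkPHP 5 invokefunction scanning (the request shape the post describes).
THINKPHP_RE = re.compile(r"invokefunction|call_user_func_array", re.I)
# WordPress probes against a site that is not WordPress.
WP_RE = re.compile(r"^/(wp-login\.php|wp-admin|xmlrpc\.php)", re.I)
CRAWLERS = ("Bytespider", "Googlebot", "bingbot")


def parse_line(line):
    """Split one combined-format line into fields; return None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["decoded_path"] = unquote_plus(entry["path"])  # look through %27, %20, + ...
    return entry


def classify(entry):
    """Label a request: exploit probes first, then crawlers, then everything else."""
    path = entry["decoded_path"]
    if THINKPHP_RE.search(path):
        return "thinkphp_rce_probe"
    if SQLI_RE.search(path):
        return "sqli_probe"
    if WP_RE.match(path):
        return "wordpress_probe"
    for name in CRAWLERS:
        if name.lower() in entry["ua"].lower():
            return "crawler:" + name
    return "other"


def robots_violations(entries, robots_lines):
    """Return (crawler, path) pairs where a crawler fetched a path robots.txt disallows."""
    rp = RobotFileParser()
    rp.parse(robots_lines)
    violations = []
    for e in entries:
        for name in CRAWLERS:
            if name.lower() in e["ua"].lower() and not rp.can_fetch(name, e["decoded_path"]):
                violations.append((name, e["decoded_path"]))
    return violations


def summarize(lines, robots_lines):
    """Count request categories and list robots.txt violations for a batch of log lines."""
    entries = [e for e in map(parse_line, lines) if e]
    counts = Counter(classify(e) for e in entries)
    return counts, robots_violations(entries, robots_lines)


if __name__ == "__main__":
    counts, violations = summarize(SAMPLE_LOG, ROBOTS_TXT)
    for label, n in sorted(counts.items()):
        print(f"{n:3d}  {label}")
    for ua, path in violations:
        print(f"robots.txt violation: {ua} fetched {path}")
```

On the sample above this reports two SQL injection probes, one ThinkPHP probe, one wp-login probe, and flags Bytespider's request for /admin/reports as a robots.txt violation while its /robots.txt fetch and Googlebot's /about/ pass. The regexes are deliberately loose: they are meant for counting what scanners throw at a site, not for blocking traffic, and anyone pointing this at real logs should expect false positives from legitimate query strings containing words like "or".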