Amazon EC2 instance is getting spammed with different PHP filenames

Our server has been attacked recently and looks something like the following in the logs:

[Mon Feb 18 09:18:43 2019] [IP_ADDRESS] script '/var/www/ynm.php' not found or unable to stat
[Mon Feb 18 09:18:43 2019] [IP_ADDRESS] script '/var/www/71.php' not found or unable to stat
[Mon Feb 18 09:18:44 2019] [IP_ADDRESS] script '/var/www/wadre.php' not found or unable to stat
[Mon Feb 18 09:18:44 2019] [IP_ADDRESS] script '/var/www/vm.php' not found or unable to stat
[Mon Feb 18 09:18:44 2019] [IP_ADDRESS] script '/var/www/test.php' not found or unable to stat
[Mon Feb 18 09:18:44 2019] [IP_ADDRESS] script '/var/www/1q.php' not found or unable to stat
[Mon Feb 18 09:18:45 2019] [IP_ADDRESS] script '/var/www/1111.php' not found or unable to stat
[Mon Feb 18 09:18:45 2019] [IP_ADDRESS] script '/var/www/errors.php' not found or unable to stat
[Mon Feb 18 09:18:46 2019] [IP_ADDRESS] script '/var/www/q.php' not found or unable to stat

These attacks go on for hours sometimes and freeze the server.

How to protect against this? fail2ban?

Have banned the IPs manually, but they change every time.

Thanks!

Tags: php amazon-web-services amazon-ec2 apache-2.4

edited 4 hours ago by MLu
asked 4 hours ago by WKFY

  • fail2ban is appropriate here, but you should probably figure out why a couple of 404s per second (which should consume very minimal resources) crash your server too.

    – ceejayoz
    4 hours ago

  • You could whitelist CloudFront IP ranges in security groups, which enforces requests going through CloudFront. Integrate AWS WAF with CloudFront, which includes AWS Shield, and that may help to reduce this. Custom WAF rules should enhance protection. Use this AWS script to keep the CloudFront IPs up to date.

    – Tim
    22 mins ago

2 Answers

These are common occurrences. Robots try to find insecure scripts and exploit them. You can't really avoid it; once you've got a web server on the Internet, you'll see scans like this.

However, since you're running on AWS EC2, you've got a number of options:

  1. Use AWS WAF (Web Application Firewall) to protect your site against malicious attacks.

  2. Use AWS Shield - managed DDoS protection. Free.

  3. Etc...

In any case, being scanned like this shouldn't freeze your server. That freezing is likely being caused by something else - maybe a DDoS (hint: use AWS Shield) or some successful exploit of one of your PHP scripts that consumes the instance memory.

Hope that helps :)

answered 4 hours ago by MLu

You can use this app, it's very useful to me. It's Fail2ban integration for AWS ACL.

https://www.cloudar.be/integrating-fail2ban-with-aws-network-acls/

answered 4 hours ago by Pserr

  • This may not work for long. AWS ACLs have a default limit of 20, and a maximum limit of 40 rules. docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html Most of the server logs I've seen of public instances would hit that limit in minutes.

    – ceejayoz
    3 hours ago
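
The fail2ban-style check suggested in the comments and the ACL rule limit raised in the comment above, worked through on the question's log format as an added example that is not part of the original thread. The `maxretry` and `findtime` values, the constructed client addresses, the function names and the keep-newest eviction policy are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Error-log format quoted in the question. The page redacts the client field
# to [IP_ADDRESS]; the sample below fills it with constructed addresses.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\] "
    r"script '(?P<path>[^']*)' not found or unable to stat$"
)
NACL_RULE_BUDGET = 20  # default network ACL rule limit quoted in the comment


def parse(line):
    """Return (timestamp, client, script path), or None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["ip"], m["path"]


def find_offenders(lines, maxretry=5, findtime=timedelta(seconds=10)):
    """Map each client with >= maxretry misses inside findtime to its ban time."""
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    banned = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[1] in banned:
            continue
        ts, ip, _path = rec
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > findtime:  # drop misses older than the window
            hits.popleft()
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


def fit_rule_budget(banned, budget=NACL_RULE_BUDGET):
    """Keep the newest bans that fit the rule budget; return (kept, evicted)."""
    newest_first = sorted(banned, key=banned.get, reverse=True)
    return newest_first[:budget], newest_first[budget:]


def sample_log():
    """Constructed input: 25 scanning clients and one ordinary visitor."""
    base = datetime(2019, 2, 18, 9, 18, 43)
    names = ["ynm", "71", "wadre", "vm", "test"]  # file names from the question
    rows = []
    for n in range(25):  # each scanner sends 5 misses within 2 seconds
        for i, name in enumerate(names):
            rows.append((base + timedelta(seconds=2 * n + i // 2),
                         f"203.0.113.{n + 1}", f"{name}.php"))
    for i in range(3):  # ordinary visitor: 3 stale links, 20 minutes apart
        rows.append((base + timedelta(minutes=20 * i), "198.51.100.7", "old.php"))
    rows.sort(key=lambda r: r[0])  # stable sort into log order
    return [f"[{ts:%a %b %d %H:%M:%S %Y}] [{ip}] "
            f"script '/var/www/{name}' not found or unable to stat"
            for ts, ip, name in rows]


if __name__ == "__main__":
    banned = find_offenders(sample_log())
    kept, evicted = fit_rule_budget(banned)
    print(f"{len(banned)} clients crossed the threshold")
    print(f"{len(kept)} fit in {NACL_RULE_BUDGET} rules, {len(evicted)} do not: {evicted}")
```

With rotating source addresses the evicted clients are free to return, which is why a per-address rule list with a fixed ceiling fills up quickly.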




















