[serious] WP getting pwned (maybe) with Cloudflare DDOS Protection turned on. Server-side Apache firewall questions, cowboy coding gone wrong

So, for the past few months I’ve been working on a portfolio WordPress Site. I host and operate this website myself on an Apache2 Server, regular lamp stack. Due to the fact that I am cowboy coding this site, I work both on the front end and the back end. So, when I’m not working on the front end I’m working on the back end and vice versa.

I want to preface this post with the following statement: I’m an idiot, and a semi-noob of sorts.

Recently, after spending a couple weeks working on the front end of the site, I was finishing up a privacy policy and reading over cookie policy requirements for sites due to GDPR etc. When I thought to myself that my site would probably only collect info on IP addresses, date, time, and OS of site visitors through log files. Then I thought to myself, “Hey, wouldn’t it be neat if I checked the log file?.. I’m probably not going to find anything because I have DDOS Protection turned on and I have a site wide privacy page turned on for those who aren’t signed into the site. (everyone except for me)”, oh boy was I wrong! After checking the log file, I realized what I had always known to be true, random bots sending requests to sites constantly. I believe where I had gone wrong in this situation is only using vanilla Cloudflare as a catchall for this type of traffic. Meaning that there is no server-side firewall setup that I know of.

After looking at the access logfile, checking my IP, server IP, and Cloudflare DNS Records that are sent back when the domain is pinged. I was able to somewhat determine which traffic was mine/server traffic vs. bot traffic. After doing so I analyzed the log data, to my current understanding, of get and post requests being sent from what I can only assume are botnets. Some of which used separate IPs, while others just sent the same requests all at once from the same IP within the same minute span seconds apart trying to identify server setup.

Example: Requests that all came from the same ip
xxx.xxx.xxx.xx - - [dd/mm/yy xx:xx:x1 +0000] “GET / HTTP/1.1” 200 xxxx
xxx.xxx.xxx.xx - - [dd/mm/yy xx:xx:x2 +0000] “GET /admin /login.php HTTP/1.1” 200 xxxx
xxx.xxx.xxx.xx - - [dd/mm/yy xx:xx:x3 +0000] “GET /file1.php HTTP/1.1” 200 xxxx
xxx.xxx.xxx.xx - - [dd/mm/yy xx:xx:x4 +0000] “GET /file2.php HTTP/1.1” 200 xxxx
etc.

xxx.xxx.xxx.xx - - [dd/mm/yy xx:xx:x7 +0000] “POST /file15.php HTTP/1.1” 200 xxxx
xxx.xxx.xxx.xx - - [dd/mm/yy xx:xx:x7 +0000] “POST /file16.php HTTP/1.1” 200 xxxx
xxx.xxx.xxx.xx - - [dd/mm/yy xx:xx:x7 +0000] “POST /file17.php HTTP/1.1” 200 xxxx
xxx.xxx.xxx.xx - - [dd/mm/yy xx:xx:x7 +0000] “POST /file18.php HTTP/1.1” 200 xxxx
etc.

xxx.xxx.xxx.xx - - [dd/mm/yy xx:xx:x9 +0000] “POST /ajax/ / / HTTP/1.1 ” 200 xxxx
etc.

xxx.xxx.xxx.xx - - [dd/mm/yy xx:xx:x1 +0000] “POST /cgi-bin/php (long string of percentage
signs and number letter combination) HTTP/1.1” xxx xxxx
xxx.xxx.xxx.xx - - [dd/mm/yy xx:xx:x1 +0000] “POST /cgi-bin/php (long string of percentage
signs and number letter combination) HTTP/1.1” 200 xxxx
etc.

Imagine a string of Get requests for every conceivable php file on the server all seconds apart
right here!
etc.

I cross referenced this exact string of requests with the Cloudflare Firewall and saw nothing
for the time span and date that these requests were made. I don’t recognize the IP. (many of the
strings I may reference aren’t caught by the ddos firewall)

Also, from my understanding of the requests made in the log file the numbers at the end are
the response and the byte size. 200 has been the response for most of the post and get request. Code 200 means OK. MFW I realize.

Other attempts from other IPs include the following requests: GET /muieblackcat HTTP/1.1 200. GET /nmaplowercheck HTTP/1.1 301 & 302. GET /HNAP1 HTTP/1.1 301. GET /solr/admin/info/system?wt=json HTTP/1.1 302. GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1 302. GET/?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1 302. GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 302. Get /wp-sitemap.xml HTTP/1.1 200. GET /sitemaps.xml HTTP/1.1" 200. GET /sitemaps.xml HTTP/1.1" 301.

It was over for me after one of the IPs I’d received a get command from found the site map. They proceeded to scrape after that receiving nothing, but 200s the whole way through. I have one of those paid for themes. I’m pretty sure they got that for free including my customization.

From looking at the example string and other strings, I’ve determined, what I could only come to the
conclusion of, attempts at brute forcing command injection (cgi/php string above), and CSRF (maybe). As well as DOS attempt according to Cloudflare. And website scraping. Although, when browsing the site everything seemed pretty normal.

After realizing what was going on I shutdown the server and plan on rebuilding soon.

I was wondering if anyone here has any advice on how to stop this in the future? I’ve found firewall solutions in UFW as well as FAIL2BAN. I was wondering if anyone here is familiar with the two and have any recommendations at rules to set to prevent bots and individuals from carrying out similar payloads in the future. Also, are there any preventative CSRF solutions that I can implement? Also, are there any Clouflare Firewall rules that I set that can help stop this in the future?

Any advice is useful! Also, please do not hesitate to enlighten me if any of my interpretation of logfile data is off.

The info that I found in the log file was around 500 pages long and was only 3 days old :frowning:. If that happened over the span of 3 days what else did I miss?

Additional info:

The reason I believe I’ve been scraped is because the bad actors in the case of the sitemap started to target specific file paths on the server via get requests and received 200 codes as well as byte sizes.

Everything was up to date for the most part apart from 1 plugin. I believe.

I decoded the cgi-php request precent signs, numbers, letters, and can confirm a command injection attempt.

Debian OS

Additional Questions:

Is there anything actually happening during successful post requests other than site traffic slowdown?

Am I wrong about my site getting scraped from the successful get requests to specific file paths?