Urgent assistance required: My server is receiving attack traffic that should have

What is the name of the domain?

www.meoai.net

What is the error number?

N/A (not applicable, as this is a security configuration issue, not an error)

What is the error message?

No specific error message, but the WAF is not blocking detected attack patterns as expected

What is the issue you’re encountering?

I have configured WAF rules to block specific attack vectors, but my server is still logging these requests, indicating that the WAF is not effectively blocking them

What steps have you taken to resolve the issue?

Reviewed and updated WAF rules to cover known attack patterns, cleared CDN cache, and ensured rules are active. However, the issue persists

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Off

Screenshot of the error

That answers this

You are seeing the attack in your server logs. After you enable SSL/TLS, are you seeing it in your WAF events? https://dash.cloudflare.com/?to=/:account/:zone/security/events

SSL/TLS setting is on

I didn’t see it in WAF events, I saw the attacks in my server logs.
And my website is https://www.meoai.net/

Here are parts of my server logs

14.161.32.124 - - [09/Jul/2024:17:02:36 +0800] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 150 "-" "-"
118.69.77.143 - - [09/Jul/2024:17:02:41 +0800] "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 400 150 "-" "-"
118.69.77.143 - - [09/Jul/2024:17:02:46 +0800] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:02:47 +0800] "GET /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:02:50 +0800] "GET /vendor/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:02:51 +0800] "GET /vendor/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:02:54 +0800] "GET /vendor/phpunit/phpunit/LICENSE/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:02:56 +0800] "GET /vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:02:59 +0800] "GET /phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:02 +0800] "GET /phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:05 +0800] "GET /phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:07 +0800] "GET /phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:10 +0800] "GET /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:12 +0800] "GET /lib/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:15 +0800] "GET /lib/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:18 +0800] "GET /lib/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:20 +0800] "GET /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:23 +0800] "GET /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:24 +0800] "GET /www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:27 +0800] "GET /ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:30 +0800] "GET /yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:32 +0800] "GET /zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:36 +0800] "GET /ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:37 +0800] "GET /V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:40 +0800] "GET /tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:43 +0800] "GET /test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:45 +0800] "GET /testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:48 +0800] "GET /api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:50 +0800] "GET /demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:53 +0800] "GET /cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:54 +0800] "GET /crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:56 +0800] "GET /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:00 +0800] "GET /backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:02 +0800] "GET /blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:05 +0800] "GET /workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:08 +0800] "GET /panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:09 +0800] "GET /public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:13 +0800] "GET /apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:15 +0800] "GET /app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:19 +0800] "GET /index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1" 200 59658 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:25 +0800] "GET /public/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:27 +0800] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\x22hi\x22));?>+/tmp/index1.php HTTP/1.1" 301 5 "-" "Custom-AsyncHttpClient"
14.161.32.124 - - [09/Jul/2024:17:04:32 +0800] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\x22hi\x22));?>+/tmp/index1.php HTTP/1.1" 301 5 "-" "Custom-AsyncHttpClient"
14.161.32.124 - - [09/Jul/2024:17:04:33 +0800] "GET /index.php?lang=../../../../../../../../tmp/index1 HTTP/1.1" 301 5 "-" "Custom-AsyncHttpClient"

If the attackers know the IP source address of my server, will they bypass the CDN, so I will see these logs on my server?

You can secure your origin to prevent direct access. I like the firewall method when possible. Authenticated Origin Pulls with your own certificate are also very effective.


Before I encountered the attacks, I had set up proxied (orange-clouded) DNS records. And I don’t have mail infrastructure; existing DNS-only records (SPF, TXT, and more) do not contain origin IP information.
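
An added example (not part of the thread and not Cloudflare's code) for the question of whether the logged requests bypassed the CDN: it checks each log line's client address against Cloudflare's published IPv4 ranges. It assumes the first log field is the TCP peer address (no real-IP rewriting on the server) and that the range list, a snapshot of https://www.cloudflare.com/ips-v4, is current; the `172.68.10.20` line and the unparsable line are constructed.

```python
import ipaddress
import re
from collections import Counter

# Snapshot of https://www.cloudflare.com/ips-v4; refresh before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Combined log format; the first field is assumed to be the TCP peer address.
LOG_RE = re.compile(r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>.*)" (?P<status>\d{3}) ')

def via_cloudflare(peer):
    """True if the connecting address belongs to a Cloudflare edge range."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_V4)

def split_by_path(lines):
    """Return (direct hits per peer, proxied request count, unparsable lines)."""
    direct, proxied, skipped = Counter(), 0, 0
    for line in lines:
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
        elif via_cloudflare(m["peer"]):
            proxied += 1
        else:
            direct[m["peer"]] += 1
    return direct, proxied, skipped

# Three lines copied from the logs above, plus two constructed lines.
SAMPLE = r'''
14.161.32.124 - - [09/Jul/2024:17:02:36 +0800] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 150 "-" "-"
118.69.77.143 - - [09/Jul/2024:17:02:46 +0800] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:07 +0800] "GET /phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
172.68.10.20 - - [09/Jul/2024:17:05:00 +0800] "GET / HTTP/1.1" 200 59658 "-" "Mozilla/5.0"
truncated entry
'''.splitlines()

if __name__ == "__main__":
    direct, proxied, skipped = split_by_path(SAMPLE)
    print("direct:", dict(direct), "proxied:", proxied, "unparsable:", skipped)
```

Under the stated assumption, any non-zero direct count means the origin answered a connection that did not come through Cloudflare, which is the path the firewall method or Authenticated Origin Pulls closes. If the server restores visitor addresses from `CF-Connecting-IP`, the first field no longer shows the peer, so log the raw peer address as well (nginx exposes it as `$realip_remote_addr`) before drawing that conclusion.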
