Hey guys, just got a message from AWS:
The following of your IPs are taking part in Layer 7 DDoS against us and creating thousands of requests, mostly between 20:10 and 21:30 today (13 April 2023).
2023-04-13 20:22:06.000 n095177 haproxy[30305]: 34.219.156.153:59648 [13/Apr/2023:20:18:24.023] genfrontend_24010-bmzin_prod_www~ genfrontend_24010-bmzin_prod_www/<NOSRV> 222498/-1/-1/-1/222498 403 192 - - PR-- 149478/145473/0/0/0 0/0 {www.ukraine-wiederaufbauen.de|Mozilla/5.0 (Linux; Android 10; LM-Q710(FGN)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.79 Mobile Safari/537.36|https://www.ukraine-wiederaufbauen.de/|221.101.98.41|||d2800626d3336a5322c2041f32b807cc| |id-ecPublicKey} OPTIONS https://www.ukraine-wiederaufbauen.de/ HTTP/2.0
This machine is a backup of the CRM that was active for completely different purposes. I logged in and it shows it had these connections and this process running. This server has an ESPO-CRM only (apache/php/mariadb).
I moved it to a "quarantine", but now I have to figure out what actually happened. Any advice?