Abuse report from AWS, /vendor/spatie?

  • Abuse report from AWS, /vendor/spatie?

    Hey guys, just got a message from AWS:

    The following of your IPs are taking part in Layer 7 DDoS against us and creating thousands of requests, mostly between 20:10 and 21:30 today (13 April 2023).

    2023-04-13 20:22:06.000 n095177 haproxy[30305]: 34.219.156.153:59648 [13/Apr/2023:20:18:24.023] genfrontend_24010-bmzin_prod_www~ genfrontend_24010-bmzin_prod_www/<NOSRV> 222498/-1/-1/-1/222498 403 192 - - PR-- 149478/145473/0/0/0 0/0 {www.ukraine-wiederaufbauen.de|Mozilla/5.0 (Linux; Android 10; LM-Q710(FGN)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.79 Mobile Safari/537.36|https://www.ukraine-wiederaufbauen.de/|221.101.98.41|||d2800626d3336a5322c2041f32b807cc| |id-ecPublicKey} OPTIONS https://www.ukraine-wiederaufbauen.de/ HTTP/2.0




    This machine is a backup of the CRM, that was active for completely different purposes. I logged in and it shows it had these connections and this process running. This server has an ESPO-CRM only (apache/php/mariadb).

    I moved it to a "quarantine", but now I have to figure out what actually happened. Any advice?

    Last edited by Russ; 04-15-2023, 07:02 PM.
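
One way to start answering "what actually happened" is to turn the quoted HAProxy line into a source port and time window and compare it with local socket records. This is an added example, not part of the original post or of EspoCRM: the `SNAPSHOTS` records and their format are constructed, the field order assumes HAProxy's standard HTTP log layout, and the report's timestamps are assumed to be in the same time zone as the local records.

```python
import re
from datetime import datetime, timedelta

# The HAProxy line quoted in the abuse report above, verbatim.
REPORT_LINE = (
    "2023-04-13 20:22:06.000 n095177 haproxy[30305]: 34.219.156.153:59648 "
    "[13/Apr/2023:20:18:24.023] genfrontend_24010-bmzin_prod_www~ "
    "genfrontend_24010-bmzin_prod_www/<NOSRV> 222498/-1/-1/-1/222498 403 192 - - PR-- "
    "149478/145473/0/0/0 0/0 {www.ukraine-wiederaufbauen.de|Mozilla/5.0 (Linux; Android 10; "
    "LM-Q710(FGN)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.79 Mobile "
    "Safari/537.36|https://www.ukraine-wiederaufbauen.de/|221.101.98.41|||"
    "d2800626d3336a5322c2041f32b807cc| |id-ecPublicKey} "
    "OPTIONS https://www.ukraine-wiederaufbauen.de/ HTTP/2.0"
)
# Assumption: standard HAProxy HTTP log field order (the reporter's config is not shown).
LINE_RE = re.compile(
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+):(?P<src_port>\d+) \[(?P<accept>[^\]]+)\] "
    r"\S+ \S+ (?P<timers>[\d/+-]+) (?P<status>\d{3}) \S+ \S+ \S+ (?P<term>\S{4}) "
    r"\S+ \S+ \{(?P<captured>[^}]*)\} (?P<method>[A-Z]+) (?P<url>\S+) \S+"
)

def parse_report_line(line):
    """Extract the fields needed to correlate the report with local evidence."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("line does not match the expected HAProxy HTTP layout")
    start = datetime.strptime(m["accept"], "%d/%b/%Y:%H:%M:%S.%f")
    total_ms = int(m["timers"].split("/")[-1].lstrip("+"))  # last timer: total time, ms
    return {
        "src_ip": m["src_ip"], "src_port": int(m["src_port"]),
        "start": start, "end": start + timedelta(milliseconds=total_ms),
        "status": int(m["status"]), "termination": m["term"],
        "method": m["method"], "url": m["url"],
        "captured": m["captured"].split("|"),
    }

# Constructed sample: periodic socket snapshots as (time, local port, pid, command).
SNAPSHOTS = [
    (datetime(2023, 4, 13, 20, 19, 0), 59648, 4242, "example-worker"),
    (datetime(2023, 4, 13, 20, 19, 0), 40112, 911, "example-other"),
    (datetime(2023, 4, 13, 23, 0, 0), 59648, 5150, "example-later"),
]

def match_local(report, snapshots, skew=timedelta(seconds=30)):
    """Return snapshots that used the reported source port while the connection was open."""
    lo, hi = report["start"] - skew, report["end"] + skew
    return [s for s in snapshots if s[1] == report["src_port"] and lo <= s[0] <= hi]
```

In HAProxy's termination codes, `PR--` together with status 403 and `<NOSRV>` means the proxy itself rejected the request before it reached a backend server. The computed end time (accept time plus the total timer) lands within a second of the syslog timestamp at the start of the line, which is a useful sanity check on the parse.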

  • #2
    What is this composer package doing? Do we need it for the CRM?
    vendor/spatie/async/src/Runtime/ChildRuntime.php
    Do you think this package could be the main trojan?



    • #3
      Hi,

      This library is utilized to execute jobs in parallel processes. It's unlikely to contain a trojan. Spatie is quite a reputable vendor. It could be that your instance is making these requests using cron somehow.



      • #4
        Or something else is making requests. You see ChildRuntime.php because it's doing its job – running multiple jobs.



        • #5
          I checked crontab, and there is nothing except the CRM and a certbot. Well, this will remain unknown, for now.



          • #6
            thanks
