Abuse report from AWS, /vendor/spatie?

  • Russ
    Senior Member
    • Feb 2022
    • 426

    Abuse report from AWS, /vendor/spatie?

    Hey guys, just got a message from AWS,

    The following of your IPs are taking part in Layer 7 DDoS against us and creating thousands of requests, mostly between 20:10 and 21:30 today (13 April 2023).

    2023-04-13 20:22:06.000 n095177 haproxy[30305]: 34.219.156.153:59648 [13/Apr/2023:20:18:24.023] genfrontend_24010-bmzin_prod_www~ genfrontend_24010-bmzin_prod_www/<NOSRV> 222498/-1/-1/-1/222498 403 192 - - PR-- 149478/145473/0/0/0 0/0 {www.ukraine-wiederaufbauen.de|Mozilla/5.0 (Linux; Android 10; LM-Q710(FGN)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.79 Mobile Safari/537.36|https://www.ukraine-wiederaufbauen.de/|221.101.98.41|||d2800626d3336a5322c2041f32b807cc| |id-ecPublicKey} OPTIONS https://www.ukraine-wiederaufbauen.de/ HTTP/2.0

    This machine is a backup of the CRM that was active for completely different purposes. I logged in and it shows it had these connections and this process running. This server has an ESPO-CRM only (apache/php/mariadb).

    I moved it to a "quarantine", but now I have to figure out what actually happened, any advice?

    Last edited by Russ; 04-15-2023, 07:02 PM.
  • Russ
    Senior Member
    • Feb 2022
    • 426

    #2
    What is this composer package doing? Do we need it for the CRM?
    vendor/spatie/async/src/Runtime/ChildRuntime.php
    Do you think this package could be the main trojan?

    • yuri
      Member
      • Mar 2014
      • 8453

      #3
      Hi,

      This library is utilized to execute jobs in parallel processes. It's unlikely to contain a trojan. Spatie is quite a reputable vendor. Could be that your instance is making these requests using cron somehow.
      If you find EspoCRM good, we would greatly appreciate if you could give the project a star on GitHub. We believe our work truly deserves more recognition. Thanks.

      • yuri
        Member
        • Mar 2014
        • 8453

        #4
        Or something else is making requests. You see ChildRuntime.php because it's doing its job – running multiple jobs.

        • Russ
          Senior Member
          • Feb 2022
          • 426

          #5
          I checked crontab, and there is nothing except the CRM and a certbot. Well, this will remain unknown, for now.

          • Russ
            Senior Member
            • Feb 2022
            • 426

            #6
            thanks
