o8oygil Posted April 30, 2021 (edited)

We received a lovely resource exhaustion attack recently that got the kernel to oom-kill httpd and mariadb. 174.234.14.5 was seen hitting include/api.php several dozen times, then we just started getting dozens of requests like this per second:

/?532032828436L177041529901D6592563428112113648105270l
/?547814137113E175763029532Pk69964424675T222557566353v
/?M123582088360Y180256099813pQ107878551710G203209829116j
/?a244859423939u30532293669I3207170765747H125620128932f
/?L54145492010A52335274445E195157445999o128890697040H

There were 158 total IPs involved in the attack. These ones sent 100 or more requests:

100 194.5.192.220
100 66.135.227.181
115 70.166.167.36
116 192.252.214.20
121 192.252.211.197
124 206.189.158.28
124 5.187.54.112
150 192.111.135.18
168 188.166.242.150
178 198.8.94.170
193 165.22.13.68
217 192.111.129.150
544 192.252.209.155

Does anyone recognize those URI patterns? Weird that they aren't a consistent length. What are they trying for?
Here are the lines from the Apache log:

98.170.57.231 - - [30/Apr/2021:07:14:26 -0500] "GET /?z160873271392m131192422302Jk194614915840F94810224616V HTTP/1.1" 200 1291 "https://soda.demo.socrata.com/resource/4tka-6guv.json?$q=my.companydomain.com/" "Mozilla/5.0 (Linux i686) AppleWebKit/503.0 (KHTML, like Gecko) Chrome/98.0304.128 Safari/503"
198.8.94.170 - - [30/Apr/2021:07:15:12 -0500] "GET /?w214621173792S66737791603wX1734095741784261185553077q HTTP/1.1" 200 1291 "https://vk.com/profile.php?redirect=my.companydomain.com/" "Mozilla/5.0 (Linux x86_64) AppleWebKit/502.0 (KHTML, like Gecko) Chrome/37.01727.175 Safari/502"
192.252.214.20 - - [30/Apr/2021:07:11:59 -0500] "GET /?q768200918449159761116101iA37012355019L263902421878m HTTP/1.1" 200 1291 "https://check-host.net/my.companydomain.com/" "Mozilla/5.0 (68K) AppleWebKit/587.0 (KHTML, like Gecko) Chrome/4.08541.387 Safari/587"
103.21.163.76 - - [30/Apr/2021:07:15:05 -0500] "GET /?J2103941904431270527794842lG256893768579C185413780058c HTTP/1.1" 200 1291 "https://r.search.yahoo.com/my.companydomain.com/" "Mozilla/5.0 (compatible; MSIE 73.0; PPC; Trident/8.0)"
206.189.158.28 - - [30/Apr/2021:07:15:01 -0500] "GET /?W82055082860206983275660hO148797028704L223471474529U HTTP/1.1" 200 1291 "https://www.bing.com/search?q=my.companydomain.com/" "Mozilla/5.0 (compatible; MSIE 30.0; Linux i686; WOW64; Trident/32.0)"
192.252.214.20 - - [30/Apr/2021:07:06:07 -0500] "GET /?j79556142930q250356151205b6203966725300Y156508191570c HTTP/1.1" 200 1291 "https://www.google.co.ao/search?q=my.companydomain.com/" "Mozilla/5.0 (compatible; MSIE 62.0; Linux x86_64; Trident/2.0)"
66.135.227.181 - - [30/Apr/2021:07:07:59 -0500] "GET /?i1704478206151862593309611g9246215085J219971532377F HTTP/1.1" 200 1291 "https://www.cia.gov/index.htmlmy.companydomain.com/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/505.0 (KHTML, like Gecko) Chrome/67.0777.464 Safari/505"
192.252.209.155 - - [30/Apr/2021:07:11:55 -0500] "GET /?Y142985920316D6666204053OF57862779952P105198157657l HTTP/1.1" 200 1291 "https://play.google.com/store/search?q=my.companydomain.com/" "Mozilla/5.0 (68K) AppleWebKit/593.0 (KHTML, like Gecko) Chrome/38.01838.925 Safari/593"

How weird that they'd go to the trouble of faking a referrer link like that and not even use plausible referrers.

Edited April 30, 2021 by o8oygil
o8oygil (Author) Posted May 2, 2021

This has progressed. @AdminIEH I'm gonna say this is a serious vulnerability in WHMCS. How can URLs so simple-looking cause so much disk IO that it takes our instance offline?

3.19.64.178 - - [02/May/2021:08:26:17 -0500] "GET /index.php?rp=/store/dedicated-servers&1231632727578d212339109207JB25844879183671492447410134 HTTP/1.1" 200 41449 "https://www.google.ae/search?q=my.site.net/index.php?rp=/store/dedicated-servers" "Mozilla/5.0 (compatible; MSIE 2.0; Windows NT 6.0; Win64; x64; Trident/53.0)"
13.124.135.66 - - [02/May/2021:08:11:47 -0500] "GET /index.php?rp=/store/dedicated-servers&I224325592840c143217971517If91286831598G255811891874c HTTP/1.1" 200 41423 "https://www.google.com.ai/search?q=my.site.net/index.php?rp=/store/dedicated-servers" "Mozilla/5.0 (compatible; MSIE 88.0; PPC; Trident/38.0)"
138.201.117.24 - - [02/May/2021:08:23:11 -0500] "GET /index.php?rp=/store/dedicated-servers&c49755278706F157748775380f9109315863663E162487572843P HTTP/1.1" 200 41423 "https://www.google.com/search?q=my.site.net/index.php?rp=/store/dedicated-servers" "Mozilla/5.0 (compatible; MSIE 78.0; 68K; Trident/99.0)"
77.88.5.87 - - [02/May/2021:08:42:02 -0500] "GET /robots.txt HTTP/1.1" 404 18495 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
103.240.161.101 - - [02/May/2021:08:32:51 -0500] "GET /index.php?rp=/store/dedicated-servers&e19426282234a1601407523593Z1020367333926149328134251O HTTP/1.1" 200 41423 "https://www.fbi.com/my.site.net/index.php?rp=/store/dedicated-servers" "Mozilla/5.0 (compatible; MSIE 83.0; PPC; WOW64; Trident/57.0)"
3.19.64.178 - - [02/May/2021:08:32:56 -0500] "GET /index.php?rp=/store/dedicated-servers&Y2201274199705311289552573j166765281259e255684910597L HTTP/1.1" 200 41423 "https://www.google.com.ai/search?q=my.site.net/index.php?rp=/store/dedicated-servers" "Mozilla/5.0 (compatible; MSIE 69.0; Win 9x 4.90; Trident/41.0)"
112.53.83.102 - - [02/May/2021:08:31:53 -0500] "GET /index.php?rp=/store/dedicated-servers&G459646097847174831425725NW234419483973V96726866762S HTTP/1.1" 200 41397 "https://www.usatoday.com/search/results?q=my.site.net/index.php?rp=/store/dedicated-servers" "Mozilla/5.0 (68K; rv:31.0) Gecko/20201001 Firefox/31.0"
104.238.111.167 - - [02/May/2021:08:26:16 -0500] "GET /index.php?rp=/store/dedicated-servers&U267302979935t5748224641qO186530242887x129117737929K HTTP/1.1" 200 41397 "https://www.ted.com/search?q=my.site.net/index.php?rp=/store/dedicated-servers" "Mozilla/5.0 (Linux x86_64) AppleWebKit/526.0 (KHTML, like Gecko) Chrome/66.0119 6.924 Safari/526"
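Both posts above show the same two shapes: a query string that is nothing but a long digit-heavy alphanumeric run, or a legitimate parameter with such a run appended as a bare key, plus a third-party referer with the target hostname embedded in it. The following is an added example (not the poster's or WHMCS's code) that parses Apache combined-format log lines, flags requests matching either shape, and counts them per client IP; the log lines are constructed from the thread's patterns with TEST-NET addresses and the fake hostname example.test, and the 0.7 digit ratio and 32-character minimum are assumed thresholds.

```python
# Added example: flag access-log requests whose query string carries a random
# cache-busting token and count them per client IP (not the poster's or WHMCS's code).
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TOKEN_RE = re.compile(r'^[A-Za-z0-9]{32,}$')  # one long run of letters and digits

def is_junk_token(key: str, value: str) -> bool:
    """Bare query key (no '=value') that is a long, digit-heavy alphanumeric run."""
    if value != '' or not TOKEN_RE.match(key):
        return False
    return sum(c.isdigit() for c in key) / len(key) >= 0.7  # hex hashes stay below

def has_random_token(uri: str) -> bool:
    query = urlsplit(uri).query
    return any(is_junk_token(k, v) for k, v in parse_qsl(query, keep_blank_values=True))

def referer_is_spoofed(referer: str, own_host: str) -> bool:
    """Third-party referer whose path or query embeds our own hostname."""
    if referer in ('', '-'):
        return False
    return urlsplit(referer).hostname != own_host and own_host in referer

def analyze(lines, own_host, threshold=3):
    """Return (flagged requests per IP, IPs at or over threshold)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and (has_random_token(m['uri']) or referer_is_spoofed(m['referer'], own_host)):
            hits[m['ip']] += 1
    return hits, sorted(ip for ip, n in hits.items() if n >= threshold)

# Constructed sample lines modelled on the thread (TEST-NET addresses, fake hostname)
SAMPLE = [
    '192.0.2.10 - - [30/Apr/2021:07:14:26 -0500] "GET /?z160873271392m131192422302Jk194614915840F94810224616V HTTP/1.1" 200 1291 "https://check-host.net/example.test/" "Mozilla/5.0 (Linux x86_64)"',
    '192.0.2.10 - - [30/Apr/2021:07:14:27 -0500] "GET /index.php?rp=/store/dedicated-servers&c49755278706F157748775380f9109315863663E162487572843P HTTP/1.1" 200 41423 "https://www.google.com/search?q=example.test/" "Mozilla/5.0 (Linux x86_64)"',
    '192.0.2.10 - - [30/Apr/2021:07:14:27 -0500] "GET /?M123582088360Y180256099813pQ107878551710G203209829116j HTTP/1.1" 200 1291 "https://vk.com/profile.php?redirect=example.test/" "Mozilla/5.0 (Linux x86_64)"',
    '192.0.2.20 - - [30/Apr/2021:07:14:28 -0500] "GET /?a244859423939u30532293669I3207170765747H125620128932f HTTP/1.1" 200 1291 "https://www.bing.com/search?q=example.test/" "Mozilla/5.0 (Linux x86_64)"',
    '192.0.2.30 - - [30/Apr/2021:07:14:29 -0500] "GET /robots.txt HTTP/1.1" 404 18495 "-" "Mozilla/5.0 (compatible; YandexBot/3.0)"',
]

if __name__ == "__main__":
    print(analyze(SAMPLE, "example.test"))  # flags 192.0.2.10 (3 hits); 192.0.2.20 has 1
```

Feeding a real access log through `analyze` with the site's own hostname gives a per-IP list suitable for a rate limit or blocklist decision; the crawler line is left alone because it carries neither a junk token nor a spoofed referer.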
WHMCS John (WHMCS Support Manager) Posted May 4, 2021

Hello,

Based on the information supplied here, I suspect you'll observe the same behaviour if you were to make a similar number of requests to a similar PHP/MySQL script (WordPress, Magento etc.) hosted on your environment. Interpreting the parameters being passed in the requests as being impactful or in some way manipulating WHMCS to behave differently is a red herring. Most likely it's an attempt by the bots to make the requests appear unique and trick any DDoS mitigation/firewall rules which may be in place.

A good way to confirm this as an environment-specific issue is to:

1. Make a fresh installation of WordPress.
2. Create a simple bash script to send ~20 curl requests per second to the WordPress index.php page (without any query string).
3. Execute the bash script.
4. Observe how your webserver behaves.

If you see the same unresponsive behaviour after excluding WHMCS in this way, I'd suggest investigating the options available to optimise your server configuration to handle this level of traffic, or leverage WAF services (such as Cloudfront) which might help to reduce levels of malicious traffic to your site.