Author Topic: Hundreds of those hack attempts  (Read 1189 times)

Aficionado

  • Guest
Hundreds of those hack attempts
« on: September 28, 2017, 11:12:17 am »
Hi,

Yesterday all my Osclass sites (4 now) were extremely slow, dead slow that is. Looking at the logs, I found hundreds of those in all sites (with different cookie values in each):

27/Sep/17 20:28:17  #2282169  critical   256  144.76.159.106   GET /index.php - SQL injection - [COOKIE:osclass = noun318iu4s1b2eoovoh9v3uq4' and 3>'1] - www . website . eu
27/Sep/17 20:28:17  #4975402  critical   256  144.76.159.106   GET /index.php - SQL injection - [COOKIE:osclass = noun318iu4s1b2eoovoh9v3uq4' and 3>'4] - www . website . eu
27/Sep/17 20:28:23  #5947452  critical   256  144.76.159.106   GET /index.php - SQL injection - [COOKIE:osclass = noun318iu4s1b2eoovoh9v3uq4" and 3>"1] - www . website . eu
27/Sep/17 20:28:24  #6065584  critical   256  144.76.159.106   GET /index.php - SQL injection - [COOKIE:osclass = noun318iu4s1b2eoovoh9v3uq4" and 3>"4] - www . website . eu

All came from 144.76.159 - your-server.de - Germany - Hetzner group.

Today the attack doesn't seem to happen.

Any ideas what those are? What is that "cookie" thing?

Thanks
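
Added example, not part of the original post: a small Python triage script for the four firewall log lines quoted above. It groups hits by source /24 and by the field the firewall flagged, then separates the session-ID-like part of the cookie from what was appended to it. The column layout is assumed from those four lines, treating the `osclass` cookie as a session ID is an assumption, and the function names are illustrative.

```python
import re

# The four log lines from the post, copied as quoted there.
SAMPLE = """\
27/Sep/17 20:28:17  #2282169  critical   256  144.76.159.106   GET /index.php - SQL injection - [COOKIE:osclass = noun318iu4s1b2eoovoh9v3uq4' and 3>'1] - www . website . eu
27/Sep/17 20:28:17  #4975402  critical   256  144.76.159.106   GET /index.php - SQL injection - [COOKIE:osclass = noun318iu4s1b2eoovoh9v3uq4' and 3>'4] - www . website . eu
27/Sep/17 20:28:23  #5947452  critical   256  144.76.159.106   GET /index.php - SQL injection - [COOKIE:osclass = noun318iu4s1b2eoovoh9v3uq4" and 3>"1] - www . website . eu
27/Sep/17 20:28:24  #6065584  critical   256  144.76.159.106   GET /index.php - SQL injection - [COOKIE:osclass = noun318iu4s1b2eoovoh9v3uq4" and 3>"4] - www . website . eu
"""

# Column layout assumed from the lines above:
# time, #id, severity, rule, ip, request, category, [SOURCE:name = value], host
LINE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+#(?P<id>\d+)\s+(?P<sev>\w+)\s+(?P<rule>\S+)\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<method>[A-Z]+) (?P<path>\S+) - "
    r"(?P<kind>.+?) - \[(?P<src>[A-Z]+):(?P<name>\S+) = (?P<value>.*)\] - (?P<host>.+)$"
)

def parse(text):
    """Return one dict per log line that matches the assumed layout."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def split_probe(value):
    """Split a session-ID-like prefix from whatever was appended to it."""
    base = re.match(r"[A-Za-z0-9,-]*", value).group(0)
    return base, value[len(base):]

def summarize(events):
    """Group hits by (source /24, category, flagged field)."""
    out = {}
    for e in events:
        subnet = e["ip"].rsplit(".", 1)[0] + ".0/24"
        key = (subnet, e["kind"], f'{e["src"]}:{e["name"]}')
        s = out.setdefault(key, {"hits": 0, "bases": set(), "suffixes": []})
        base, suffix = split_probe(e["value"])
        s["hits"] += 1
        s["bases"].add(base)          # same base in every hit = one replayed cookie
        s["suffixes"].append(suffix)  # the part the firewall rule reacted to
    return out

if __name__ == "__main__":
    for key, s in summarize(parse(SAMPLE)).items():
        print(key, s["hits"], "hits,", len(s["bases"]), "cookie base(s)")
        for suffix in s["suffixes"]:
            print("   appended:", suffix)
```

On these lines the summary shows a single cookie value reused in all four requests, with a true comparison (3>1) and a false one (3>4) appended in each quote style. The cookie is simply the request field the scanner chose to modify.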


Aficionado

  • Guest
Re: Hundreds of those hack attempts
« Reply #1 on: September 28, 2017, 11:19:19 am »
At the same time, also hundreds of those:

27/Sep/17 04:43:18  #1618427  critical     -  189.90.46.118    POST /index.php - BASE64-encoded injection - [POST:filter = cG9wdWxhcml0eVtmcm9tXT0wJnBvcHVsYXJpdHlbdG9dPTMmcG9wdWxhcml0eVtmaWVsZF9leHByXT0wKTsgICAgI
CAgICAgICAgICAgU0VUIEBTQUxUID0gJ3JwJzsgICAgICAgICAgICAgICAgU0VUIEBQQVNTID0gQ09OQ0FUKE1ENShDT05DQV...] - www  . website . com

From Brazil.

Both attacks seem blocked by our firewall; still, it seems strange to have several attacks yesterday after a long time.


« Last Edit: September 28, 2017, 11:20:50 am by Aficionado »

_CONEJO

  • Administrator
  • Hero Member
  • *****
  • Posts: 4689
Re: Hundreds of those hack attempts
« Reply #2 on: September 28, 2017, 11:32:02 am »
Seems to me like random/generic attacks to see if your website or server is vulnerable (server itself or PHP version). They don't seem to be targeted toward Osclass code itself.


Aficionado

  • Guest
Re: Hundreds of those hack attempts
« Reply #3 on: September 28, 2017, 11:34:48 am »
Seems to me like random/generic attacks to see if your website or server is vulnerable (server itself or PHP version). They don't seem to be targeted toward Osclass code itself.

Thanks, nice to know that. As I said, both were 100% blocked, it was the COOKIE OSCLASS that made me worry.


Aficionado

  • Guest
Re: Hundreds of those hack attempts
« Reply #4 on: September 29, 2017, 11:20:25 pm »
I'm constantly receiving attacks today, coordinated in all my Osclass sites (strange since they are split in two hostings).

Same attacks (non-Osclass specific), with seconds difference from different IPs, proxies, TOR, Romania and Russia mainly.

Blocked, I hope (from what I see, but ... are they all?); still, I wonder if anyone else is seeing anything like it.

« Last Edit: September 29, 2017, 11:23:43 pm by Aficionado »

marius-ciclistu

  • issues
  • Hero Member
  • *
  • Posts: 1652
  • "BE GRATEFUL TO THOSE THAT SUPPORTED YOU"
Re: Hundreds of those hack attempts
« Reply #5 on: September 29, 2017, 11:25:33 pm »
I just checked a few minutes ago in raw access. In my case those kinds of attempts don't appear.

Aficionado

  • Guest
Re: Hundreds of those hack attempts
« Reply #6 on: September 29, 2017, 11:27:43 pm »
I wrote above that the attacks are not Osclass specific, meaning that I don't see any paths or files that belong to Osclass.

BUT since in both my hosting plans (2) I also run a couple of WordPress sites, those sites don't seem to suffer from any such attacks.

So they are only targeting my Osclass sites.

Aficionado

  • Guest
Re: Hundreds of those hack attempts
« Reply #7 on: September 29, 2017, 11:28:42 pm »
I just checked a few minutes ago in raw access. In my case those kinds of attempts don't appear.

I have hundreds of COORDINATED Directory traversal attempts mainly.
« Last Edit: September 29, 2017, 11:37:25 pm by Aficionado »

mrtsoftware

  • Sr. Member
  • ****
  • Posts: 343
Re: Hundreds of those hack attempts
« Reply #8 on: October 07, 2017, 10:08:54 pm »
I am also receiving similar spam bot visits every minute for all Osclass webs. I am blocking IP BLOCKS numbers into HTACCESS.
As you say, Hetzner Germany IP blocks are used for this mostly... I have totally blocked all IP blocks of HETZNER.