Hi community,
I had a server running a while ago and it stopped running suddenly. I looked at the logs and suspected somebody was trying to brute-force my site by accessing different common WordPress (or something else’s) routes:
===== ALIVE Mon Dec 5 18:59:26 UTC 2022
===== Mon Dec 5 19:09:52 UTC 2022
19:09:52.249 [info] Plug.SSL is redirecting GET /.env to https://mysite.com with status 301
19:09:52.611 [info] Plug.SSL is redirecting GET /conf/.env to https://mysite.com with status 301
19:09:52.960 [info] Plug.SSL is redirecting GET /wp-content/.env to https://mysite.com with status 301
19:09:53.331 [info] Plug.SSL is redirecting GET /wp-admin/.env to https://mysite.com with status 301
19:09:53.682 [info] Plug.SSL is redirecting GET /library/.env to https://mysite.com with status 301
19:09:54.056 [info] Plug.SSL is redirecting GET /new/.env to https://mysite.com with status 301
19:09:54.424 [info] Plug.SSL is redirecting GET /vendor/.env to https://mysite.com with status 301
19:09:54.777 [info] Plug.SSL is redirecting GET /old/.env to https://mysite.com with status 301
19:09:55.160 [info] Plug.SSL is redirecting GET /local/.env to https://mysite.com with status 301
19:09:55.540 [info] Plug.SSL is redirecting GET /api/.env to https://mysite.com with status 301
19:09:55.874 [info] Plug.SSL is redirecting GET /blog/.env to https://mysite.com with status 301
19:09:56.242 [info] Plug.SSL is redirecting GET /crm/.env to https://mysite.com with status 301
19:09:56.609 [info] Plug.SSL is redirecting GET /admin/.env to https://mysite.com with status 301
19:09:56.962 [info] Plug.SSL is redirecting GET /laravel/.env to https://mysite.com with status 301
19:09:57.311 [info] Plug.SSL is redirecting GET /app/.env to https://mysite.com with status 301
19:09:57.648 [info] Plug.SSL is redirecting GET /app/config/.env to https://mysite.com with status 301
19:09:58.003 [info] Plug.SSL is redirecting GET /apps/.env to https://mysite.com with status 301
19:09:58.381 [info] Plug.SSL is redirecting GET /audio/.env to https://mysite.com with status 301
19:09:58.728 [info] Plug.SSL is redirecting GET /cgi-bin/.env to https://mysite.com with status 301
19:09:59.079 [info] Plug.SSL is redirecting GET /backend/.env to https://mysite.com with status 301
19:09:59.455 [info] Plug.SSL is redirecting GET /src/.env to https://mysite.com with status 301
19:09:59.829 [info] Plug.SSL is redirecting GET /base/.env to https://mysite.com with status 301
19:10:00.186 [info] Plug.SSL is redirecting GET /core/.env to https://mysite.com with status 301
19:10:00.551 [info] Plug.SSL is redirecting GET /vendor/laravel/.env to https://mysite.com with status 301
19:10:00.891 [info] Plug.SSL is redirecting GET /storage/.env to https://mysite.com with status 301
19:10:01.234 [info] Plug.SSL is redirecting GET /protected/.env to https://mysite.com with status 301
19:10:01.562 [info] Plug.SSL is redirecting GET /newsite/.env to https://mysite.com with status 301
19:10:01.904 [info] Plug.SSL is redirecting GET /www/.env to https://mysite.com with status 301
19:10:02.263 [info] Plug.SSL is redirecting GET /sites/all/libraries/mailchimp/.env to https://mysite.com with status 301
19:10:02.607 [info] Plug.SSL is redirecting GET /database/.env to https://mysite.com with status 301
19:10:02.952 [info] Plug.SSL is redirecting GET /public/.env to https://mysite.com with status 301
19:10:03.352 [info] Plug.SSL is redirecting GET /ec2-18-142-114-116.ap-southeast-1.compute.amazonaws.com/.env to https://mysite.com with status 301
19:10:03.701 [info] Plug.SSL is redirecting POST / to https://mysite.com with status 307
19:10:04.047 [info] Plug.SSL is redirecting GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php to https://mysite.com with status 301
19:11:01.689 [notice] TLS :server: In state :hello at tls_handshake.erl:346 generated SERVER ALERT: Fatal - Insufficient Security
- :no_suitable_ciphers
19:11:30.675 [info] Plug.SSL is redirecting GET /.env to https://mysite.com with status 301
19:11:31.519 [info] Plug.SSL is redirecting POST / to https://mysite.com with status 307
19:14:56.662 [info] Plug.SSL is redirecting GET / to https://mysite.com with status 301
19:14:56.725 [info] Plug.SSL is redirecting GET / to https://mysite.com with status 301
19:14:58.158 request_id=Fy37nzyNa_Qcb7QAASix [info] GET /
19:14:58.159 request_id=Fy37nzyNa_Qcb7QAASix [info] Sent 200 in 952µs
19:14:59.746 request_id=Fy37n5svCSUZSNUAASkB [info] GET /
19:14:59.746 request_id=Fy37n5svCSUZSNUAASkB [info] Sent 200 in 496µs
===== ALIVE Mon Dec 5 19:29:59 UTC 2022
===== Mon Dec 5 19:42:04 UTC 2022
19:42:04.508 [info] CONNECTED TO Phoenix.LiveView.Socket in 36µs
Transport: :websocket
Serializer: Phoenix.Socket.V2.JSONSerializer
Parameters: %{"_csrf_token" => "LD8vAQUbQgAJJCkbXSBYLQx7W1s6QW58oyBDKoqo1WJphU7Uf3bowvCQ", "_mounts" => "11", "_timezone" => "Asia/Singapore", "_track_static" => %{"0" => "https://mysite.com/assets/app-6676b9997926b9d99094855080ac6f52.css?vsn=d", "1" => "https://mysite.com/assets/app-f7aa12f5be2e70bd89dc872c8be91fc8.js?vsn=d"}, "vsn" => "2.0.0"}
19:45:43.028 [info] Plug.SSL is redirecting GET /.env to https://mysite.com with status 301
19:45:43.550 [info] Plug.SSL is redirecting POST / to https://mysite.com with status 307
19:45:44.615 request_id=Fy39TSXxcXD4KfIAASmR [info] GET /.env
19:45:44.615 request_id=Fy39TSXxcXD4KfIAASmR [info] Sent 404 in 293µs
19:45:45.754 request_id=Fy39TWnTBiF_6BMAASnB [info] POST /
19:45:45.754 request_id=Fy39TWnTBiF_6BMAASnB [info] Sent 404 in 312µs
===== Mon Dec 5 19:56:59 UTC 2022
19:56:59.333 [info] Plug.SSL is redirecting POST / to https://mysite.com with status 307
19:56:59.814 [info] Plug.SSL is redirecting GET /.env to https://mysite.com with status 301
20:01:54.022 [info] Plug.SSL is redirecting GET / to https://mysite.com with status 301
20:01:54.752 request_id=Fy3-Lwaf8LFiPlIAASnx [info] GET /
20:01:54.752 request_id=Fy3-Lwaf8LFiPlIAASnx [info] Sent 200 in 506µs
20:01:55.574 [notice] TLS :server: In state :hello at tls_handshake.erl:364 generated SERVER ALERT: Fatal - Protocol Version
20:01:55.900 [notice] TLS :server: In state :hello at tls_handshake.erl:364 generated SERVER ALERT: Fatal - Protocol Version
20:01:56.238 [notice] TLS :server: In state :hello at tls_handshake.erl:364 generated SERVER ALERT: Fatal - Protocol Version
20:01:56.571 [notice] TLS :server: In state :hello at tls_record.erl:564 generated SERVER ALERT: Fatal - Unexpected Message
- {:unsupported_record_type, 128}
20:01:58.052 [notice] TLS :server: In state :hello at tls_handshake.erl:346 generated SERVER ALERT: Fatal - Insufficient Security
- :no_suitable_ciphers
20:01:58.881 [notice] TLS :server: In state :hello at tls_handshake.erl:346 generated SERVER ALERT: Fatal - Insufficient Security
- :no_suitable_ciphers
I am here to ask for help on why a GET & POST would trigger such errors and why it would break the whole site (it stopped completely).
Thank you so much in advance!
Best wishes,
Jing Hui PANG
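Added example, not part of the original post: a small Python triage script that groups the `.env` and `eval-stdin.php` requests seen in the log above into bursts by timing and tallies the TLS alert reasons, which helps separate automated scanner traffic from ordinary visits. The regexes, the `triage` function and the 1-second gap threshold are assumptions made for this example; the timestamps carry no date, so it assumes all lines fall on the same day.

```python
import re
from collections import Counter

# Shortened excerpt of the log lines quoted in the post above.
SAMPLE = """\
19:09:52.249 [info] Plug.SSL is redirecting GET /.env to https://mysite.com with status 301
19:09:52.611 [info] Plug.SSL is redirecting GET /conf/.env to https://mysite.com with status 301
19:09:52.960 [info] Plug.SSL is redirecting GET /wp-content/.env to https://mysite.com with status 301
19:10:03.701 [info] Plug.SSL is redirecting POST / to https://mysite.com with status 307
19:10:04.047 [info] Plug.SSL is redirecting GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php to https://mysite.com with status 301
19:11:01.689 [notice] TLS :server: In state :hello at tls_handshake.erl:346 generated SERVER ALERT: Fatal - Insufficient Security
19:14:56.662 [info] Plug.SSL is redirecting GET / to https://mysite.com with status 301
19:45:44.615 request_id=Fy39TSXxcXD4KfIAASmR [info] GET /.env
20:01:55.574 [notice] TLS :server: In state :hello at tls_handshake.erl:364 generated SERVER ALERT: Fatal - Protocol Version
"""

# Matches both the Plug.SSL redirect lines and the request_id request lines.
REQ = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{3}) .*?\[info\] "
                 r"(?:Plug\.SSL is redirecting )?(GET|POST) (\S+)")
ALERT = re.compile(r"generated SERVER ALERT: Fatal - (.+)$")
# Assumption: probe signatures taken only from the paths visible in the log.
PROBE = re.compile(r"(^|/)\.env$|eval-stdin\.php$")

def triage(text, max_gap=1.0):
    """Return (bursts, alerts): probe paths grouped by timing, TLS alert counts."""
    bursts, alerts, prev = [], Counter(), None
    for line in text.splitlines():
        alert = ALERT.search(line)
        if alert:
            alerts[alert.group(1).strip()] += 1
            continue
        req = REQ.match(line)
        if not req or not PROBE.search(req.group(6)):
            continue  # ordinary request or unrelated log line
        h, m, s, ms = (int(x) for x in req.groups()[:4])
        t = h * 3600 + m * 60 + s + ms / 1000
        if prev is not None and t - prev <= max_gap:
            bursts[-1].append(req.group(6))   # same scanner run
        else:
            bursts.append([req.group(6)])     # new run starts
        prev = t
    return bursts, alerts

if __name__ == "__main__":
    found, tls = triage(SAMPLE)
    for b in found:
        print(len(b), "probe(s):", ", ".join(b))
    print(dict(tls))
```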