ThinkPHP Vulnerability (PHP Remote Code Execution)

Today, taking a look at the logs: a lot of identical scans from different IPs.

Taking a look on Google, I see several vulnerabilities. https://securitynews.sonicwall.com/xmlpost/thinkphp-remote-code-execution-rce-bug-is-actively-being-exploited/

More info on how to filter the logs here: https://jejo.es/posts/hardening_comandos/filtrar_ataques_log_http/

A more “elaborate” command to watch the errors in real time:
tail -f /var/log/apache2/access.log | stdbuf -o0 grep -e "\" 404 " -e "\" 400 "
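
To go from watching errors scroll by to a per-source summary, the following added example (not part of the original post) counts requests of the form seen in this log, `GET /index.php?s=/index/ hink`, per client IP, and flags any that did not get a 4xx answer. The function names and the sample lines (documentation IP ranges) are constructed for illustration; the Apache common/combined log format is assumed.

```bash
#!/usr/bin/env bash
# Added example: summarise ThinkPHP-style probes found in an Apache access log.

# Constructed sample lines (documentation IP ranges), same layout as the log.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [06/Aug/2019:09:36:52 +0200] "GET /index.php?s=/index/ hink" 400 0 "-" "-"
203.0.113.5 - - [06/Aug/2019:09:40:00 +0200] "GET /robots.txt HTTP/1.1" 404 196 "-" "-"
192.0.2.10 - - [06/Aug/2019:10:15:57 +0200] "GET /index.php?s=/index/ hink" 400 0 "-" "-"
198.51.100.7 - - [06/Aug/2019:10:33:35 +0200] "GET /index.php?s=/index/ hink" 200 512 "-" "-"
192.0.2.10 - - [06/Aug/2019:10:40:00 +0200] "GET / HTTP/1.1" 200 1024 "-" "-"
EOF
}

# thinkphp_probes: read access-log lines on stdin and print one line per source:
#   hits  ip  first_seen  last_seen  non_4xx_responses
# A non-zero last column means the server did not reject the probe, so the
# application behind that vhost deserves a closer look.
thinkphp_probes() {
  awk '
    # Split on double quotes:
    #   $1 = ip ident user [timestamp zone]   $2 = request line   $3 = status bytes
    BEGIN { FS = "\"" }
    index(tolower($2), "/index.php?s=/index/") {   # case-insensitive match
      split($1, head, " ")
      ip = head[1]
      ts = head[4]; sub(/^\[/, "", ts)
      split($3, tail, " ")
      status = tail[1]
      hits[ip]++
      if (!(ip in first)) first[ip] = ts
      last[ip] = ts
      if (status !~ /^4/) answered[ip]++
    }
    END {
      for (ip in hits)
        printf "%d %s %s %s %d\n", hits[ip], ip, first[ip], last[ip], answered[ip]
    }
  ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Stand-alone use: ./thinkphp_probes.sh /var/log/apache2/access.log
if [ "$#" -gt 0 ]; then
  thinkphp_probes < "$1"
fi
```

Run `sample_log | thinkphp_probes` to see the output format before pointing it at a real log.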