Don't understand phpdotenv errors in php_error log caused during brute force attack

the_lar · August 25, 2020, 10:10am

Hi,

My site is built using Sage 9 and Bedrock. We use Woocommerce and Wordfence for security.

Last Friday the 21st we had a prolonged period where the site was unavailable giving 500 error responses, and upon talking to the our server host support was informed that we had what appeared to be a large scale ‘brute force’ attack.

During the 1 and a half hours the attack was going on, the php_error log grew to around 5mb and all of the entries for the period are similar if not identical to this:

[21-Aug-2020 20:06:47 Europe/London] PHP Warning:  file_exists() expects parameter 1 to be a valid path, string given in /home/myroot/public_html/app/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php on line 439
[21-Aug-2020 20:06:47 Europe/London] PHP Warning:  file_exists() expects parameter 1 to be a valid path, string given in /home/myroot/public_html/app/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php on line 439
[21-Aug-2020 20:06:47 Europe/London] Unable to open 
[21-Aug-2020 20:06:47 Europe/London] PHP Fatal error:  Uncaught Dotenv\Exception\InvalidFileException: Failed to parse dotenv file due to an invalid name. Failed at [¸÷òeá in /home/myroot/vendor/vlucas/phpdotenv/src/Parser.php:73
Stack trace:
#0 /home/myroot/vendor/vlucas/phpdotenv/src/Parser.php(29): Dotenv\Parser::parseName('\xB8\xF7\xF2\e\xE1\x7F\x00\x00\x06\x00\x00\x00\x00\x00\x00...')
#1 /home/myroot/vendor/vlucas/phpdotenv/src/Loader.php(169): Dotenv\Parser::parse('')
#2 /home/myroot/vendor/vlucas/phpdotenv/src/Loader.php(107): Dotenv\Loader->processEntries(Array)
#3 /home/myroot/vendor/vlucas/phpdotenv/src/Loader.php(91): Dotenv\Loader->loadDirect('DB_NAME=mydb...')
#4 /home/myroot/vendor/vlucas/phpdotenv/src/Dotenv.php(123): Dotenv\Loader->load()
#5 /home/myroot/vendor/vlucas/phpdotenv/src/Dotenv.php(80): Dotenv\Dotenv->loadData()
#6 /home/myroot/config/application.php(29): Dotenv\Dotenv->load()
#7 /home/myroot/public_html/wp-config.php(8): require_once('/home/myroot...')
#8 /home/myroot/public_html/wp/wp-load.php(42): in /home/myroot/vendor/vlucas/phpdotenv/src/Parser.php on line 73

I’m just trying to understand how a brute force attack would result in the above errors - or is something else going on here maybe??

Thanks in advance
Kevin

ben · September 1, 2020, 1:20am

That’s odd! Do you know if the .env value had different values than it currently does during the time of attack? Do you happen to have any of the webserver access logs from around this time as well, to see which URLs were getting hit?

the_lar · September 1, 2020, 9:20am

Sure, here’s a tiny extract from the time which shows that both /xmlrpc.php and /wp-login.php were being hit:

103.74.229.190 - - [21/Aug/2020:19:16:39 +0100] "POST /xmlrpc.php HTTP/1.1" 403 698 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
66.249.92.65 - - [21/Aug/2020:19:16:39 +0100] "GET /product/235-60-18-michelin-latitude-tour-hp-103v/ HTTP/1.1" 500 0 "-" "AdsBot-Google (+http://www.google.com/adsbot.html)"
103.74.229.190 - - [21/Aug/2020:19:16:39 +0100] "POST /wp-login.php HTTP/1.1" 500 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
66.249.66.128 - - [21/Aug/2020:19:16:40 +0100] "GET /product/265-60-18-radar-renegade-r-t-119-116q/ HTTP/1.1" 500 0 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.92 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.79.146 - - [21/Aug/2020:19:16:48 +0100] "GET /lassa?tl=464 HTTP/1.1" 500 0 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.92 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.92.65 - - [21/Aug/2020:19:16:49 +0100] "GET /product/235-60-18-michelin-latitude-tour-hp-103v/ HTTP/1.1" 500 0 "-" "AdsBot-Google (+http://www.google.com/adsbot.html)"
66.249.66.128 - - [21/Aug/2020:19:16:50 +0100] "GET /product/245-70-16-insa-turbo-dakar-mud-terrain-107q/ HTTP/1.1" 500 0 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.92 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.92.65 - - [21/Aug/2020:19:16:50 +0100] "GET /product/235-60-18-michelin-latitude-tour-hp-103v/ HTTP/1.1" 500 0 "-" "AdsBot-Google (+http://www.google.com/adsbot.html)"
66.249.66.128 - - [21/Aug/2020:19:16:51 +0100] "GET /product/245-70-16-insa-turbo-dakar-mud-terrain-107q/ HTTP/1.1" 500 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.92.65 - - [21/Aug/2020:19:16:53 +0100] "GET /product/33-12-50-20-comforser-cf3000-left-114q/ HTTP/1.1" 500 0 "-" "AdsBot-Google (+http://www.google.com/adsbot.html)"

And no, the .env file hasn’t changed at all. It’s all a bit of a mystery!

system · October 6, 2020, 10:24am

This topic was automatically closed after 42 days. New replies are no longer allowed.