I have become aware of a repeat attack attempt on my web server which attempts to run cryptomining installer scripts directly from github servers.
The following screenshot of an apache log shows one of said attacks:
The attacker is setting the referrer and the user agent to a log4j script, attempting to abuse the well-known Log4J exploit to run a base64 obfuscated chunk of code, which, when decoded, resolves to a script hosted at https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner.sh
I have become aware of a repeat attack attempt on my web server which attempts to run cryptomining installer scripts directly from github servers.
The following screenshot of an apache log shows one of said attacks:
The attacker is setting the referrer and the user agent to a log4j script, attempting to abuse the well-known Log4J exploit to run a base64 obfuscated chunk of code, which, when decoded, resolves to a script hosted at https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner.sh