ThinkPHP: remote code execution?
 

Hello all.
I have a “little home server” in my home (call me crazy). It’s a LAMP with Slackware 14.1. and I serve my blog from it. I know, I need to upgrade, but I have no time.
I have several doubts (I am thinking now, if it is necessary I can open one thread for each of them).
First, a little view to my server:
My first doudt:

The server was off over a year, because problems with my ISP (I live in a little willage in the North of Spain, in the mountains, and here we only can hire ADSL with one ISP, no rivalry, the prices are excessivelly expensive, and the provided services are minimal, so I declined the contract). I renewed it recently, and server is “on the air” again.
Since I turned it on, I am seeing lines like this in the apache log:

Lines like this are now usual in my apache access_log.
I read some things about the thinkphp web attack, but I can understand (in my bad english comprehension) that it consists in a remote code execution vulnerability in ThinkPHP, and I am not using the thinkPHP framework in my server, I think (Slack does not install it neither in a full install, and I didn’t installed it):

But I can see the 200 response in my access_log, and I read in that lines things like:

I am sure they are playing with my server in a bad way. Are they really doing it? Are they executing code here in the mountains? Because I have not installed thinkPHP… We have only trees, wolfs here, and a bad sysadmin (edit: we have a forest guard fighting with LAMP, and He usually loses the battle, He is only a luser).

I have read too (important, I know) that this vulnerability is patched (versions affected are thinkPHP ThinkPHP 5.0 and 5.1) but I have not installed it, theither other versions…

So, what’s is happening? How can I defend my machine from this?

I tried to edit my .htaccess file (I did it for a lot of times, I can’t remember, a lot less I can transcibe those attemps here), in order to filter the “thinkphp” match, and I tried searching how to do it with apache too, but my attemps are being unsuccessful (a bad sysadmin, remember)

What can I do?

I think perhaps you need more information about my system, like outputs of httpd -L, php -option, or whatever thing else… But that outputs are large, and you can help me with grep or similar to searching for relevant info.

Note I need a temporary solution, because I know I must upgrade the system, apache, php, etc. I need to implement SSL and HTTPS too (I read a good manual from AlienBob, great!)… And I have a lot less time I would like, and I’m sure I’ll crash something during the process (It is possible that the best way to do all is going to reinstall and reconfigure all, but I’ll try to upgrade and to learn a lot during the process first), so I think all these tasks are going to extend over the time.

My second doubt:
My domain has been blacklisted in Sorbs Duhl and in Spamhaus ZEN. It is possible that exists a relation between the blacklist and my vulnerability?
Thank you very much, and sorry my bad English.

If you're not running thinkphp, there is no need to worry about that. What you see are script kiddies trying to find a vulnerable server. I see this all the time in my servers' logs.

You don't have a vulnerability because you're not running the vulnerable app. So I guess blacklisting is due to something else.
It could be that your IP was used previously to spam, or your ISP has a bad reputation in general regarding spam.

Sorbs DUHL (Dynamic User and Host List) is an RBL that block dynamic IP addresses. I infer that your host is running on a dynamic address, so that would be why it's listed there. http://sorbs.net
Same is probably true of the ZEN list, although that list includes all of the Spamhaus RBLs, so it's hard to be certain. Still, one of those is also a dynamic IP address list. https://www.spamhaus.org/

Both of those would only affect email being sent from your server to another server that uses those RBLs -- they wouldn't have any effect on attempts to hack your server....which is probably not happening, as bathory said.

First of all, tahnk you very much for your anwser, bathory. This seems a topical, but some of us, not proffesional workers, need this anwsers to sleep peacefully.
what took my sleep away was the 200 response... I thought that queries were writen in the error_log, like a "client denied by server configuration" or similar. (Another pending task: learnig a lot of apache directives, configurations, messages,...)
Another thing I though (because thinkphp not installed) was that I had a vulnerability that allowed attakers to use my machine like a zombie, running the script to another hosts.
Esta noche voy a dormir a pierna suelta, we say in Spanish Language: This night I'm going to sleep soundly.
Thank you very much!!

In the same way, thank you very much for your clarifications, scasey.
I remember that I configured sendmail in my server before to put it in the internet, but when I put it "in produccion" I was blacklisted right away. I was read a lot of them at that time (year 2015, I think), and who to solve it, because I wished to implement mail acounts in my site: I knew that dynamic IPs are blacklisted by default.
Your infer is right: my host is running on a dynamic address. It is redirected to my domain with a program suministred by my domain provider.
What I did not know was that this "would only affect email being sent from your server to another server that uses those RBLs". So I'm thinking I perhaps run sendmail again (another task... I have a lot of work!!) :D
I'll start upgrading my system and implementing SSL much quieter.

Question solved: thank you very much again, Bathory & Scasey.