As a temporary stopgap, reduce the attack surface of the 2.2.22 installation:
The mod_proxy family (mod_proxy_ajp, mod_proxy_http2, etc.) continues to be a source of vulnerabilities.
Configure firewall rules to limit connections from suspicious IPs.
By extracting source code, attackers may find credentials that allow them to log into database servers or administrative panels, leading to full system compromise.
The attacker sends a basic request to see what replies. Apache will return a header like Server: Apache/2.4.X.
| Service on Port 2222 | Real Associated Risks | Common Exploits |
|----------------------|------------------------|------------------|
| DirectAdmin Control Panel | Brute-force login attacks, default credentials, CSRF, XSS | Credential stuffing, CVE-2019-16759 (vBulletin, but often conflated), session hijacking |
| Alternative SSH daemon | Password brute-forcing, SSH key theft, CVE-2023-38408 (SSH agent forwarding) | Hydra, Medusa, SSHocean scans |
| Reverse-proxied Apache | HTTP request smuggling, mod_cgi exploitation, log spoofing | Shellshock (if old CGI enabled), Log4j (if Apache proxying to vulnerable app) |
| Malicious Honeypot (fake Apache) | Attackers may set up a fake Apache on 2222 to log exploit attempts | Not a risk to you, but indicates reconnaissance |
I can provide the exact commands needed to patch or isolate your system.