Strange connections from nginx to the internet
October 01, 2020 03:45AM
Good morning,

I've noticed on my firewall some strange connections (denied) starting from an nginx-based reverse proxy located in a DMZ.
Connections start from the machine and point to some random IPs and ports all over the world (on common ports like 21, 6667, 22, etc.).
This nginx is configured only as a reverse proxy without any CGI and htdocs installed, so can this be an exploit?

Debian 10.6
Nginx 1.18.0 (from the official apt repos)

Thanks in advance for your help
Re: Strange connections from nginx to the internet
October 01, 2020 03:58AM
gibo Wrote:
-------------------------------------------------------
> Good morning,
>
> I've noticed on my firewall some strange connections (denied) starting
> from an nginx-based reverse proxy located in a DMZ.
> Connections start from the machine and point to some random IPs and ports
> all over the world (on common ports like 21, 6667, 22, etc.).
> This nginx is configured only as a reverse proxy without any CGI and
> htdocs installed, so can this be an exploit?
>
> Debian 10.6
> Nginx 1.18.0 (from the official apt repos)
>
> Thanks in advance for your help


Obviously I've checked, and the connections were made from an nginx worker process.
Re: Strange connections from nginx to the internet
October 01, 2020 07:12AM
Sounds like a compromised system.

https://debian-handbook.info/browse/stable/sect.dealing-with-compromised-machine.html

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Strange connections from nginx to the internet
October 01, 2020 01:20PM
Yes, it is. But the question is: can it be compromised by an nginx exploit? It's the only service installed and without any site hosted directly. Only proxied sites.
Re: Strange connections from nginx to the internet
October 01, 2020 03:24PM
Can be anything, least likely nginx itself but more a bad configuration or someone had access and simply changed stuff.

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Strange connections from nginx to the internet
October 01, 2020 05:43PM
It's very abnormal. The only public ports are 80 and 443, and they are checked by an ngf. What bad configuration can set nginx to open connections to IPs and ports starting from a request on port 80/443? Are there some specific settings I can check?
Re: Strange connections from nginx to the internet
October 02, 2020 03:33AM
Restore from last known good backup or rebuild, it's pointless guessing.

---
nginx for Windows http://nginx-win.ecsds.eu/
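
The check described in the thread (confirming that the denied connections belong to an nginx worker) can be scripted before the host is rebuilt. The following is an added example, not code from any poster: it parses `ss -tanp` output and lists sockets owned by nginx that are neither client-facing nor directed at a known upstream. The sample output, listen ports, and upstream address are constructed assumptions.

```python
import re

# Constructed `ss -tanp` sample (run as root so every owner is shown);
# all addresses are documentation/private ranges, not data from the thread.
SAMPLE_SS = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN   0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=813,fd=6),("nginx",pid=811,fd=6))
ESTAB    0      0      192.0.2.10:443     198.51.100.7:51234 users:(("nginx",pid=813,fd=12))
ESTAB    0      0      192.0.2.10:40112   10.0.0.20:8080    users:(("nginx",pid=813,fd=14))
SYN-SENT 0      1      192.0.2.10:40990   203.0.113.50:6667 users:(("nginx",pid=813,fd=21))
SYN-SENT 0      1      192.0.2.10:41002   203.0.113.77:22   users:(("nginx",pid=813,fd=22))
ESTAB    0      0      192.0.2.10:22      10.0.0.5:50022    users:(("sshd",pid=501,fd=4))
"""

LISTEN_PORTS = {80, 443}           # assumption: ports this proxy serves
UPSTREAMS = {("10.0.0.20", 8080)}  # assumption: the only proxied backend

OWNER_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def split_hostport(value):
    """Split 'host:port', also accepting the bracketed IPv6 form '[::1]:443'."""
    host, _, port = value.rpartition(":")
    return host.strip("[]"), port

def unexpected_outbound(ss_text, proc="nginx"):
    """Return sockets owned by `proc` that are neither client-facing nor upstream."""
    findings = []
    for line in ss_text.splitlines():
        cols = line.split(None, 5)
        if len(cols) < 6 or cols[0] in ("State", "LISTEN"):
            continue
        owner = OWNER_RE.search(cols[5])
        if not owner or owner.group(1) != proc:
            continue
        _, local_port = split_hostport(cols[3])
        peer, peer_port = split_hostport(cols[4])
        if int(local_port) in LISTEN_PORTS:
            continue  # inbound client connection to the proxy
        if (peer, int(peer_port)) in UPSTREAMS:
            continue  # expected connection to a proxied backend
        # SYN-SENT that never completes matches a firewall silently dropping it
        findings.append({"state": cols[0], "pid": int(owner.group(2)),
                         "peer": peer, "port": int(peer_port)})
    return findings

if __name__ == "__main__":
    for f in unexpected_outbound(SAMPLE_SS):
        print(f)
```

The PIDs it reports are the ones to capture evidence for (open files, memory maps, binary hash) before restoring from backup.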